Re: [sniffer] false positives which categories?
If the test fails, but the message does not hit the hold or delete weight. Not a perfect measurement, as it does not capture all ham (ham that hits the hold or delete weight), and misses some spam (spam that does not hit the hold or delete weight), but it is the most accurate and least subjective measurement.

Darin.

- Original Message -
From: Keith Johnson [EMAIL PROTECTED]
To: sniffer@SortMonster.com
Sent: Thursday, August 11, 2005 8:13 AM
Subject: RE: [sniffer] false positives which categories?

Scott,

HS = Test says ham, final result was spam. This is an inaccurate ham result. 'False negative'

How are you auto determining that an email that was ham was really spam? Are you keying in this info into your stats based on your viewing of the email or by user complaint? Obviously, if Declude triggers an email to have action on it based on spam settings it was spam, and if it didn't take action on it and it went through to your users it was ham.

Thanks again for the aid.

Keith

From: [EMAIL PROTECTED] on behalf of Scott Fisher
Sent: Thu 8/4/2005 10:02 AM
To: sniffer@SortMonster.com
Subject: Re: [sniffer] false positives which categories?

I have my sniffer result histories by category posted at: http://it.farmprogress.com/declude/Testsbymonth.html

Look about 90% down the page.

- Original Message -
From: Bonno Bloksma mailto:[EMAIL PROTECTED]
To: sniffer@SortMonster.com
Sent: Thursday, August 04, 2005 1:40 AM
Subject: [sniffer] false positives which categories?

Hi,

I'd like to make a difference in the ways I score the various sniffer categories in Declude. I hold at 20 and have had the several sniffer categories all at 19. As we are a school for tourism I score sniffer travel lower, but I would like to score some categories higher, at 20. If we have a false positive it's mostly in the general, exp-abstract, ip-rules category is my feeling. Someone must have made a comparison of false positives against sniffer and in which categories those FPs are mostly. Right?

Which categories have virtually no FPs and which should I keep (well) below my hold level? Of course all held mail gets reviewed by me, unless it scores enough other points to get deleted (at 27 points).

Greetings,
Bonno Bloksma

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
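The scoring scheme this thread settles on (a test's verdict judged against whether the message's total weight reached the hold or delete level, with Bonno's hold at 20 and delete at 27) as an added Python example; this is not code from the list, Declude or Message Sniffer. The message records, the test names and the per-test weights are constructed for illustration and do not follow Declude's real log format. It also carries Bonno's "what if I move a category to 20" question through as a re-scoring pass.

```python
"""Score each test against the final weight-based outcome, as the thread
describes: "SH" = test said spam but the message stayed under the hold
weight (false-positive proxy), "HS" = test said ham but the message was
held or deleted (false-negative proxy).

Added example, not code from the Message Sniffer or Declude projects. The
records below are constructed; they are not Declude's real log format.
"""
from collections import Counter

HOLD_WEIGHT = 20     # Bonno's hold level from the thread
DELETE_WEIGHT = 27   # Bonno's delete level from the thread

# Constructed sample: tests that fired on each message, with the weight
# each one contributed. Sniffer category names follow the thread; the
# other test names come from Declude headers quoted later in the digest.
SAMPLE_MESSAGES = [
    {"id": "m1", "fired": {"SNIFFER-GENERAL": 19, "CBL": 10}},
    {"id": "m2", "fired": {"SNIFFER-TRAVEL": 10}},
    {"id": "m3", "fired": {"SNIFFER-IP-RULES": 19, "COUNTRYFILTER": 5}},
    {"id": "m4", "fired": {"SNIFFER-EXP-ABSTRACT": 19}},
    {"id": "m5", "fired": {"CBL": 10, "COUNTRYFILTER": 20}},
    {"id": "m6", "fired": {"SNIFFER-GENERAL": 19, "IPNOTINMX": 2}},
]


def final_action(fired, hold=HOLD_WEIGHT, delete=DELETE_WEIGHT):
    """Delivered / held / deleted, decided only by the summed weight."""
    total = sum(fired.values())
    if total >= delete:
        return "deleted"
    if total >= hold:
        return "held"
    return "delivered"


def classify(test, fired, action):
    """Two letters: what the test said (S/H) and what finally happened (S/H)."""
    says = "S" if test in fired else "H"
    final = "S" if action in ("held", "deleted") else "H"
    return says + final


def summarize(messages, hold=HOLD_WEIGHT, delete=DELETE_WEIGHT):
    """Per-test Counter of SS/SH/HS/HH over all messages."""
    tests = sorted({t for m in messages for t in m["fired"]})
    table = {t: Counter() for t in tests}
    for m in messages:
        action = final_action(m["fired"], hold, delete)
        for t in tests:
            table[t][classify(t, m["fired"], action)] += 1
    return table


def fp_candidate_rate(counts):
    """Share of firings that did not end in hold/delete. Darin's caveat
    applies: this is a proxy, since ham that reaches the hold weight is
    never counted as ham here."""
    fired = counts["SS"] + counts["SH"]
    return counts["SH"] / fired if fired else 0.0


def rescore(messages, test, new_weight, hold=HOLD_WEIGHT, delete=DELETE_WEIGHT):
    """What-if for Bonno's question: which messages change outcome if one
    category's weight is moved (e.g. a Sniffer category from 19 to 20)?"""
    changes = []
    for m in messages:
        if test not in m["fired"]:
            continue
        before = final_action(m["fired"], hold, delete)
        after = final_action({**m["fired"], test: new_weight}, hold, delete)
        if before != after:
            changes.append((m["id"], before, after))
    return changes


if __name__ == "__main__":
    for test, counts in summarize(SAMPLE_MESSAGES).items():
        print(f"{test:22} {dict(counts)}  FP-candidate rate {fp_candidate_rate(counts):.2f}")
    print(rescore(SAMPLE_MESSAGES, "SNIFFER-EXP-ABSTRACT", 20))
```

On the constructed sample, SNIFFER-GENERAL only ever fires on messages that end up held or deleted (no SH), while SNIFFER-TRAVEL fires once on a message that is delivered, which is exactly the kind of per-category breakdown Bonno is asking for; the rescore pass shows that raising SNIFFER-EXP-ABSTRACT to 20 would move m4 from delivered to held.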
Re: [sniffer] Sniffer Resources
What do the logs say? What's the average time to process a message?

Darin.

- Original Message -
From: Richard Farris [EMAIL PROTECTED]
To: sniffer@SortMonster.com
Sent: Tuesday, September 06, 2005 11:07 AM
Subject: [sniffer] Sniffer Resources

When I turn off sniffer my server acts normally on resources, but when I turn it on it goes to 100% and stays there most of the time. I have tried updating the sniffer and rebooting the server but it does not help. It has been doing this for about a month. Has anyone else seen this? If not, what can I do to resolve it? Right now I have sniffer turned off so I can just send mail through the server.

Richard Farris
Ethixs Online
1.270.247. Office
1.800.548.3877 Tech Support
"Crossroads to a Cleaner Internet"

- Original Message -
From: Pete McNeil [EMAIL PROTECTED]
To: Andy Schmidt sniffer@SortMonster.com
Sent: Monday, September 05, 2005 9:43 AM
Subject: Re: [sniffer] Integration with today's new ORF version:

On Monday, September 5, 2005, 9:26:38 AM, Andy wrote:

AS http://www.vamsoft.com/orf/agentdefs.asp
AS
AS It says to contact vendor. Here I am G.

Yes indeed. How may I help you?

_M
Re: [sniffer] Damn viagra spam
We just reported one to Sniffer support for analysis as well.

Darin.

- Original Message -
From: Heimir Eidskrem [EMAIL PROTECTED]
To: sniffer@sortmonster.com
Sent: Wednesday, September 14, 2005 3:34 PM
Subject: [sniffer] Damn viagra spam

We are getting tons of spam for viagra and other drugs. Not being stopped by sniffer.

From - Wed Sep 14 14:23:59 2005
X-Account-Key: account2
X-UIDL: 397213080
X-Mozilla-Status: 0011
X-Mozilla-Status2:
Received: from chartcourse.com [200.152.123.222] by deepspace.i360.net (SMTPD-8.20) id A7660304; Wed, 14 Sep 2005 14:17:58 -0500
Received: from [192.168.232.240] (helo=elevator) by chartcourse.com with smtp (Paradisaic kw 5.29 (Jactation)) id lBCMAK-xJNrNU-Ty for [EMAIL PROTECTED]; Wed, 14 Sep 2005 14:17:22 -0500
Message-ID: [EMAIL PROTECTED]
Reply-To: Shayna Riffe [EMAIL PROTECTED]
From: Shayna Riffe [EMAIL PROTECTED]
To: Ealdgyth Rancourt [EMAIL PROTECTED]
Subject: Re: Really Works Very Good Pharmaceu tical
Date: Wed, 14 Sep 2005 14:17:20 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary==_NextPart_000_0047_01C5B937.04839800
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-RBL-Warning: CBL: Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=200.152.123.222;
X-RBL-Warning: IPNOTINMX:
X-RBL-Warning: COUNTRYFILTER: Message failed COUNTRYFILTER test (line 29, weight 20)
X-Declude-Sender: [EMAIL PROTECTED] [200.152.123.222]
X-Declude-Spoolname: D776501961CDF.SMD
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
X-Spam-Tests-Failed: CBL, IPNOTINMX, COUNTRYFILTER, CATCHALLMAILS [50]
X-Country-Chain: BRAZIL-destination
X-Note: This E-mail was sent from recreio.speednetrj.com ([200.152.123.222]).
X-IMAIL-SPAM-STATISTICS: (776501961cdf, 0.9721)
X-RCPT-TO: [EMAIL PROTECTED]
Status: U
X-UIDL: 397213080
X-IMail-ThreadID: 776501961cdf

This is a multi-part message in MIME format.

--=_NextPart_000_0047_01C5B937.04839800
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable

LeViAmCiXaVa viagbi= alnali trraenisxum a = nbsp; $3$1$3 .33.21.75 Our Website FaBeToEa st st talsy DeliPricnbs= p;ConOrde veryesfide= ring nti ality= ball go? writing represented an incoherent chain of certain utterances, = certain

--=_NextPart_000_0047_01C5B937.04839800
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: quoted-printable

!DOCTYPE HTML PUBLIC -//W3C//DTD HTML 4.0 Transitional//EN HTMLHEAD META http-equiv=3DContent-Type content=3Dtext/html; charset=3Dus-ascii META content=3DMSHTML 6.00.2800.1106 name=3DGENERATOR STYLE/STYLE /HEAD BODY bgColor=3D#ff DIVnbsp;/DIV DIV style=3DFLOAT: leftFONT face=3DCourierLeBRBVi/BBRAmB= RBCi/BBRXaBRBVa/B/FONT/DIV DIV style=3DFLOAT: leftFONT face=3DCourierviBRBag/BBRbi= BRBal/BBRnaBRBli/B/FONT/DIV DIV style=3DFLOAT: leftFONT face=3DCouriertrBRBra/BBRen= BRBis/BBRxBRBum/B/FONT/DIV DIV style=3DFLOAT: leftFONT face=3DCourieraBRnbsp;BRnbsp;BR= nbsp;BRnbsp;BRnbsp;/FONT/DIV DIV style=3DFLOAT: leftFONT face=3DCourierBRB$3/BBRBRB= $1/BBRBRB$3/B/FONT/DIV DIV style=3DFLOAT: leftFONT face=3DCourierBRB.33/BBRB= RB.21/BBRBRB.75/B/FONT/DIV DIV style=3DCLEAR: bothnbsp;/DIV DIVA href=3Dhttp://www.amyslate.com;Our Website/A/DIV DIVnbsp;/DIV DIV style=3DFLOAT: leftFONT face=3DCourierFaBRBeBRToBREa/FON= T/DIV DIV style=3DFLOAT: leftFONT face=3DCourierstnbsp;BRstnbsp;= BRtalBRsynbsp;/FONT/DIV DIV style=3DFLOAT: leftFONT face=3DCourierDeliBRPricBRnbs= p;ConBROrde/FONT/DIV DIV style=3DFLOAT: leftFONT face=3DCourierveryBResBRfideBR= ring/FONT/DIV DIV style=3DFLOAT: leftFONT face=3DCourierBRBRntiBR/FONT/DIV DIV style=3DFLOAT: leftFONT face=3DCourierBRBRalityBR/FONT= /DIVDIV style=3DCLEAR: bothnbsp;/DIV/BODY/HTML

--=_NextPart_000_0047_01C5B937.04839800--

--
Cordially,
Heimir Eidskrem
i360, Inc.
2825 Wilcrest, Suite 675
Houston, TX 77042
Ph: 713-981-4900
Fax: 832-242-6632
[EMAIL PROTECTED]
www.i360.net
www.i360hosting.com
www.realister.com
Houston's Leading Internet Consulting Company
Re: [sniffer] Damn viagra spam
Yeah, and whoever is on this list from Poynerlaw.com needs to stop postmaster replies for messages failing their spam tests. I got a nice little automated reply from them when I replied to Heimir's message. Since most spam and virus content is forging these days, postmaster replies just add to the spam problem.

Darin.

- Original Message -
From: Russ Lists [EMAIL PROTECTED]
To: sniffer@SortMonster.com
Sent: Wednesday, September 14, 2005 3:53 PM
Subject: Re: [sniffer] Damn viagra spam

Heimir Eidskrem wrote:
We are getting tons of spam for viagra and other drugs. Not being stopped by sniffer.

Snipped spam

Man, SpamAssassin didn't like that message:

X-Spam-Status: Yes, hits=12.024 tagged_above=2 required=5 tests=[DRUGS_ERECTILE=0.026, FORGED_RCVD_HELO=0.05, RAZOR2_CF_RANGE_51_100=1.485, RAZOR2_CHECK=0.15, SARE_HTML_A_HIDE=0.622, SUBJECT_DRUG_GAP_VIA=1.77, UPPERCASE_25_50=0.207, URIBL_AB_SURBL=2.007, URIBL_BLACK=3, URIBL_JP_SURBL=1.539, URIBL_SBL=0.629, URIBL_WS_SURBL=0.539]
X-Spam-Level:
X-Spam-Flag: YES

-Russ
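A parser for the SpamAssassin X-Spam-Status header Russ quoted, as an added Python example that is not code from SpamAssassin, Declude or anyone on the list. It pulls out the verdict, the thresholds and the per-test scores, checks that the listed scores account for the reported hits, and shows how much of the verdict rests on one rule family (the URIBL_* blocklist lookups here). The header value is the one from the message above; the helper names are this example's own.

```python
"""Parse a SpamAssassin X-Spam-Status header into its verdict, thresholds
and per-test scores, then check that the listed scores account for the
reported hits and see how much of the verdict rests on one rule family.

Added example, not code from SpamAssassin, Declude or the list. The header
below is the one Russ quoted in the thread; the helper names are this
example's own.
"""
import re

SAMPLE_HEADER = (
    "X-Spam-Status: Yes, hits=12.024 tagged_above=2 required=5 "
    "tests=[DRUGS_ERECTILE=0.026, FORGED_RCVD_HELO=0.05, "
    "RAZOR2_CF_RANGE_51_100=1.485, RAZOR2_CHECK=0.15, SARE_HTML_A_HIDE=0.622, "
    "SUBJECT_DRUG_GAP_VIA=1.77, UPPERCASE_25_50=0.207, URIBL_AB_SURBL=2.007, "
    "URIBL_BLACK=3, URIBL_JP_SURBL=1.539, URIBL_SBL=0.629, URIBL_WS_SURBL=0.539]"
)


def parse_spam_status(header):
    """Return {'flagged', 'hits', 'required', 'tagged_above', 'tests'}."""
    # Unfold a header that was wrapped over several lines.
    header = re.sub(r"\s+", " ", header.strip())
    name, sep, value = header.partition(":")
    if not sep or name.strip().lower() != "x-spam-status":
        raise ValueError("not an X-Spam-Status header")
    verdict, _, rest = value.strip().partition(",")

    def number(key):
        m = re.search(rf"\b{key}=(-?\d+(?:\.\d+)?)", rest)
        return float(m.group(1)) if m else None

    tests = {}
    blob = re.search(r"tests=\[(.*?)\]", rest)
    if blob:
        for item in blob.group(1).split(","):
            item = item.strip()
            if not item:
                continue
            tname, _, score = item.partition("=")
            # Older SpamAssassin versions list test names without scores.
            tests[tname] = float(score) if score else None
    return {
        "flagged": verdict.strip().lower() == "yes",
        "hits": number("hits"),
        "required": number("required"),
        "tagged_above": number("tagged_above"),
        "tests": tests,
    }


def scores_consistent(parsed, tolerance=0.001):
    """True when the per-test scores add up to the reported hits."""
    scores = [s for s in parsed["tests"].values() if s is not None]
    return parsed["hits"] is not None and abs(sum(scores) - parsed["hits"]) < tolerance


def top_contributors(parsed, n=3):
    """Tests sorted by score, largest first."""
    scored = [(t, s) for t, s in parsed["tests"].items() if s is not None]
    return sorted(scored, key=lambda ts: ts[1], reverse=True)[:n]


def verdict_without(parsed, prefix):
    """Remaining score, and whether it still meets 'required', if every test
    whose name starts with `prefix` is dropped (e.g. 'URIBL_' for the URI
    blocklists)."""
    remaining = round(sum(s for t, s in parsed["tests"].items()
                          if s is not None and not t.startswith(prefix)), 3)
    return remaining, remaining >= parsed["required"]


if __name__ == "__main__":
    p = parse_spam_status(SAMPLE_HEADER)
    print("flagged:", p["flagged"], "hits:", p["hits"], "required:", p["required"])
    print("scores consistent:", scores_consistent(p))
    print("top:", top_contributors(p))
    print("without URIBL_*:", verdict_without(p, "URIBL_"))
```

Run against Russ's header, the twelve scores sum to the reported 12.024, and the five URIBL_* lookups contribute 7.714 of it; without them the message would score 4.31, under the required 5. That is the practical reading of the header: the content rules alone would not have caught this one, the URI blocklists did.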
Re: [sniffer] Declude Actions
Deleting on any one test is not a good idea. However, we do hold on some single tests, and review for false positives. Our hold weight is 100 and delete is 300. We rarely see a false positive above 200 though.

Darin.

- Original Message -
From: Timothy C. Bohen [EMAIL PROTECTED]
To: sniffer@SortMonster.com
Sent: Thursday, September 15, 2005 11:54 AM
Subject: [sniffer] Declude Actions

I thought I used to have declude delete everything that sniffer found; now when I went into my $default$.junkmail file I find it's set to LOG. I assume one of my network admins changed this at some time. Am I relatively safe in setting it to delete or is this a bad idea?

Timothy C. Bohen
CMSInter.Net LLC / Crystal MicroSystems LLC
web : www.cmsinter.net
email: [EMAIL PROTECTED]
phone: 989.235.5100 x222
fax : 989.400.4980
Re: [sniffer] New virus...
That's only in Virus Pro, right? I don't think BANZIPEXTS is available in Standard or Lite.

Darin.

- Original Message -
From: John T (Lists) [EMAIL PROTECTED]
To: sniffer@SortMonster.com
Sent: Thursday, October 06, 2005 3:01 AM
Subject: RE: [sniffer] New virus...

No need to block zips; with Declude just add BANZIPEXTS ON to your virus.cfg file, since the payload is an exe within the zip and since we are all already banning executable files, correct?

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Wednesday, October 05, 2005 8:41 PM
To: sniffer@sortmonster.com
Subject: [sniffer] New virus...
Importance: High

Hello sniffer,

Hello folks... watch out for a new virus email with an attachment named pword _ change . zip - extra spaces added to skip filters ;-)

We're adding some SNF rules to catch it. No word about it on virus lists or scanner services yet (that I can see).

You may want to temporarily block .zip files - or at least this particular zip file until the new rules can be pushed out and the virus scanners catch up.

Thanks,
_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)
Chief Scientist (www.armresearch.com)
Re: [sniffer] [Declude.Virus] Possible new virus
Another possible variant overnight at 4:30AM ET. Same routing as the new Sober variant from yesterday, but different attachment: screen_photo.zip

Darin.

- Original Message -
From: Darin Cox
To: Declude.Virus@declude.com
Sent: Wednesday, October 05, 2005 10:33 PM
Subject: [Declude.Virus] Possible new virus

We're seeing a lot of emails with pword_change.zip attached. May want to block it in your virus.cfg. Subject is "Your new Password". All so far were routed through gmx.net or web.de just before delivery, but are originating from a variety of dial-up or broadband ISP accounts.

Darin.
Re: [sniffer] Spam keeps getting through...
I believe Pete is moving to a POP account approach. You would set up a POP account for spam and another for false positives, and send them the login info to it. Then have your users forward messages to the POP accounts as attachments (that's the hardest part, which is why we still have them sent to us, to make sure the original headers are in it).

Darin.

- Original Message -
From: Kevin Rogers [EMAIL PROTECTED]
To: sniffer@SortMonster.com
Sent: Tuesday, October 11, 2005 7:44 AM
Subject: Re: [sniffer] Spam keeps getting through...

Sorry - I was talking about false positives. I assume we need to send false positives to the false@ address. Can my users send you these messages directly? Or do they need to forward them to me first (as the registered user)? And if they do need to forward false positives to me first, is it OK to simply forward them on to you? It says on your site to create a new email from scratch and send the false positive email as an attachment. Does that mean I should right-click on the message, Save As... an .eml file, and then attach that .eml file to the message I'm sending to you? And is this true for spam as well - do they need to forward them to me and then me to you?

Just making sure I'm doing this right.

Thanks

Pete McNeil wrote:
It is helpful to get the full headers, however it is simpler and more reliable in most cases to simply forward the message.

_M

On Tuesday, October 11, 2005, 4:46:48 AM, Kevin wrote:

KR Can we just forward them regularly or do we need to change anything
KR about how the headers display when we forward them?

KR Pete McNeil wrote:
On Monday, October 10, 2005, 7:55:51 PM, Serge wrote:

S just to make sure, can we now send several spams as attachments in one
S email
S and what address to use
S i have 3 that got thru my own mailbox in less than 3 hours
S they did not even get tagged, only failed sorbs and sorbs_dul

oops. missed a step.

Please send (redirect/forward) spam that gets through one at a time to [EMAIL PROTECTED]

Thanks,
_M
Re: Re[4]: [sniffer] POP Approach
Hi Pete,

Do you send out notices to licensees to let them know to renew ahead of time? I think we're getting close to renewal, and want to make sure we don't lapse.

Darin.

- Original Message -
From: Pete McNeil [EMAIL PROTECTED]
To: Rick Hogue sniffer@SortMonster.com
Cc: [EMAIL PROTECTED]
Sent: Friday, October 14, 2005 11:03 AM
Subject: Re[4]: [sniffer] POP Approach

On Friday, October 14, 2005, 9:39:33 AM, Rick wrote:

RH What is going on with the sniffer not catching any of the spam that is now
RH coming through? We are getting slammed with medication, mortgage and other
RH junk email?

Your license has expired. Please send a note to [EMAIL PROTECTED] to renew. We will send you an invoice you can pay online.

Thanks,
_M
Re: [sniffer] Message Sniffer is not detecting some really bad email
Yep... send them to spam (at), from the email that you have on record with them. Sending as an attachment so they get complete headers is usually best, but they can also work with just the body of the message.

Darin.

- Original Message -
From: Gary Schick
To: sniffer@SortMonster.com
Sent: Wednesday, November 02, 2005 4:48 PM
Subject: [sniffer] Message Sniffer is not detecting some really bad email

We have had excellent results from Message Sniffer for several years now. However, in the past few days items that I feel should have been caught were not. Can I submit some samples to you? I would be glad to zip a couple of raw message files and email those to you. Please advise.

Regards,
Gary Schick
Manager, Enterprise Applications
Iroquois Gas Transmission System
Shelton, CT 06484
[EMAIL PROTECTED]
203 944 7024
[sniffer] Rash of false positives
Hi Pete,

What's going on over there? We had somewhere between 5 and 10 times the usual number of Sniffer false positives this morning. They are across the board, so it's not just one rule that's catching them, or a particular set of senders or receivers. Hopefully you can get it under control soon.

It would also be extremely helpful if you could speed up the false positive processing. Lately it seems to take 2-4 days for the rules to be adjusted, which usually means more of the same are caught and submitted over that time. I believe speeding up that process would result in fewer to process all around.

Thanks,
Darin.
Re: [sniffer] Rash of false positives
We're seeing a continual stream of false positives. It's taking all of our time just to keep up with it at the moment. If something isn't done soon, we're going to have to disable sniffer.

Darin.

- Original Message -
From: Computer House Support
To: sniffer@SortMonster.com
Sent: Tuesday, November 08, 2005 9:34 AM
Subject: Re: [sniffer] Rash of false positives

Dear Darin,

Thanks for the heads up. It's going to take me about 45 minutes to check the 9000 messages that were blocked by Sniffer last night, but I'll let you know if we experienced the same thing.

Michael Stein
Computer House
www.computerhouse.com

- Original Message -
From: Darin Cox
To: sniffer@SortMonster.com
Sent: Tuesday, November 08, 2005 8:45 AM
Subject: [sniffer] Rash of false positives

Hi Pete,

What's going on over there? We had somewhere between 5 and 10 times the usual number of Sniffer false positives this morning. They are across the board, so it's not just one rule that's catching them, or a particular set of senders or receivers. Hopefully you can get it under control soon.

It would also be extremely helpful if you could speed up the false positive processing. Lately it seems to take 2-4 days for the rules to be adjusted, which usually means more of the same are caught and submitted over that time. I believe speeding up that process would result in fewer to process all around.

Thanks,
Darin.
Re: [sniffer] Rash of false positives
No, we automatically update with every notification of a new rulebase. Looking further, they started just before 5pm ET yesterday. So far, it's about 10 times the usual number of Sniffer false positives. We've sent quite a few this morning to false (at) for processing.

Darin.

- Original Message -
From: Paul Lushinsky
To: sniffer@SortMonster.com
Sent: Tuesday, November 08, 2005 10:10 AM
Subject: Re: [sniffer] Rash of false positives

After reviewing all the blocked messages for the past 2 days on 2 different servers, I found no false positives. Do you happen to have an old rule base from several days ago? If so, try that to see if it temporarily resolves the false positives.

-Original Message-
From: "Darin Cox" [EMAIL PROTECTED]
To: sniffer@SortMonster.com
Date: Tue, 8 Nov 2005 08:45:39 -0500
Subject: [sniffer] Rash of false positives

Hi Pete,

What's going on over there? We had somewhere between 5 and 10 times the usual number of Sniffer false positives this morning. They are across the board, so it's not just one rule that's catching them, or a particular set of senders or receivers. Hopefully you can get it under control soon.

It would also be extremely helpful if you could speed up the false positive processing. Lately it seems to take 2-4 days for the rules to be adjusted, which usually means more of the same are caught and submitted over that time. I believe speeding up that process would result in fewer to process all around.

Thanks,
Darin.
Re: [sniffer] Rash of false positives
I've submitted about 45 so far this morning. I normally submit at most a half dozen each morning.

Darin.

- Original Message -
From: Darrell ([EMAIL PROTECTED]) [EMAIL PROTECTED]
To: sniffer@SortMonster.com
Sent: Tuesday, November 08, 2005 10:19 AM
Subject: Re: [sniffer] Rash of false positives

I too have had to submit a lot more false positives lately. I also second that false positive processing seems to be a lot slower than previously.

Darrell

Check out http://www.invariantsystems.com for utilities for Declude, mxGuard, And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

Scott Fisher writes:
I don't know if I would call it a rash, but over the last week, I've submitted about 30 false positives. That's far more than average. I've developed a feeling that Message Sniffer has become too tight.

- Original Message -
From: Darin Cox
To: sniffer@SortMonster.com
Sent: Tuesday, November 08, 2005 8:54 AM
Subject: Re: [sniffer] Rash of false positives

We're seeing a continual stream of false positives. It's taking all of our time just to keep up with it at the moment. If something isn't done soon, we're going to have to disable sniffer.

Darin.

- Original Message -
From: Computer House Support
To: sniffer@SortMonster.com
Sent: Tuesday, November 08, 2005 9:34 AM
Subject: Re: [sniffer] Rash of false positives

Dear Darin,

Thanks for the heads up. It's going to take me about 45 minutes to check the 9000 messages that were blocked by Sniffer last night, but I'll let you know if we experienced the same thing.

Michael Stein
Computer House
www.computerhouse.com

- Original Message -
From: Darin Cox
To: sniffer@SortMonster.com
Sent: Tuesday, November 08, 2005 8:45 AM
Subject: [sniffer] Rash of false positives

Hi Pete,

What's going on over there? We had somewhere between 5 and 10 times the usual number of Sniffer false positives this morning. They are across the board, so it's not just one rule that's catching them, or a particular set of senders or receivers. Hopefully you can get it under control soon.

It would also be extremely helpful if you could speed up the false positive processing. Lately it seems to take 2-4 days for the rules to be adjusted, which usually means more of the same are caught and submitted over that time. I believe speeding up that process would result in fewer to process all around.

Thanks,
Darin.
Re: [sniffer] Rash of false positives
Hi Pete,

The rash of false positives seems to have stopped with the last sniffer rulebase update at 10am ET. It had started with a rulebase update at 4:30pm ET yesterday, and continued through the updates at 8:40pm, 12am, 3am, and 6:20am today.

I'd still like to know what happened, and how we can avoid it in the future.

Thanks,
Darin.

- Original Message -
From: Darin Cox
To: sniffer@SortMonster.com
Sent: Tuesday, November 08, 2005 8:45 AM
Subject: [sniffer] Rash of false positives

Hi Pete,

What's going on over there? We had somewhere between 5 and 10 times the usual number of Sniffer false positives this morning. They are across the board, so it's not just one rule that's catching them, or a particular set of senders or receivers. Hopefully you can get it under control soon.

It would also be extremely helpful if you could speed up the false positive processing. Lately it seems to take 2-4 days for the rules to be adjusted, which usually means more of the same are caught and submitted over that time. I believe speeding up that process would result in fewer to process all around.

Thanks,
Darin.
Re: Re[4]: [sniffer] Rash of false positives
Are corrupted rulebase files the culprit? How do you update... and do you run snf2check on the updates? Just wondering if the rulebase file is the problem, if the problem occurs during the update, or if you are running into obscure errors with the EXE itself.

Darin.

- Original Message -
From: John Moore
To: sniffer@SortMonster.com
Sent: Wednesday, November 09, 2005 12:42 PM
Subject: RE: Re[4]: [sniffer] Rash of false positives

We had this same thing happen. It has been happening more frequently recently and we are looking into disabling sniffer as it seems to be the culprit each time.

John Moore
305 Spin

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Richard Farris
Sent: Wednesday, November 09, 2005 11:38 AM
To: sniffer@SortMonster.com
Subject: Re: Re[4]: [sniffer] Rash of false positives

This morning my server quit sending mail and my tech said the Dr. Watson error on the server was my Sniffer file. I rebooted and thought it was OK but it quit again. I had a lot of mail backlogged, so I updated a new rulebase but it did not seem to help. I reinstalled Imail and things seem OK but slow since there is such a backlog of mail. If things don't get back to normal I will be back.

Richard Farris
Ethixs Online
1.270.247. Office
1.800.548.3877 Tech Support
"Crossroads to a Cleaner Internet"

- Original Message -
From: Pete McNeil
To: Darin Cox
Sent: Tuesday, November 08, 2005 3:03 PM
Subject: Re[4]: [sniffer] Rash of false positives

On Tuesday, November 8, 2005, 3:25:20 PM, Darin wrote:

Hi Pete,

There was a consistent stream of false positives over the mentioned time period, not just a blast at a particular time. They suddenly started at 5pm (shortly after a 4:30pm rulebase update), and were fairly evenly spread from 5pm - 11pm and 6am - 10am today (not many legitimate emails came in between 11pm and 6am)... spanning 4 other rulebase updates at 8:40pm, 12am, 3am, and 6:20am. There were a number of different rules involved, and over 45 false positives in that time period.

This is highly unusual -- I didn't remove many rules, and normally only one or two would be responsible. If you found that a large number of rules were responsible then something else happened and we need to look at that...

I'd need to see your SNF logs from that period since the changes (removals anyway) in the rulebase were very small and unrelated - that just doesn't line up with your description.

One thing does -- in the past if snf2check was not used to check a new download then a corrupted rulebase could cause SNF to produce erratic results... since snf2check has been in place we have not seen this. Is it possible that a bad rulebase file got pressed into service on your system? -- probably a look at the logs would help there too since this kind of failure is accompanied by very specific oddities in the logs.

Hope this helps,
_M
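The practice Pete describes (check a newly downloaded rulebase with snf2check before it is put into service) and Paul's fallback earlier in the thread (keep an older rulebase to switch back to) can be combined into one staged update routine. The Python below is an added example, not Message Sniffer's own updater. The page does not show snf2check's command line, so the checker is passed in as a callable and the demo uses a constructed stand-in that only rejects empty or truncated files; the file names, the `.prev` suffix and the end-of-file marker are assumptions of this example.

```python
"""Stage a downloaded rulebase: verify it first, only then swap it into
place atomically, and keep the previous copy for rollback.

Added example, not Message Sniffer's own update code. The checker is a
callable so the real snf2check (whose command line this page does not
show) can be plugged in; `looks_complete` below is a constructed stand-in.
"""
import os
import shutil
import tempfile

END_MARKER = b"#END#"  # constructed: the stand-in checker expects this at EOF


def looks_complete(path):
    """Constructed stand-in for snf2check: non-empty and ends with END_MARKER."""
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError:
        return False
    return len(data) > len(END_MARKER) and data.endswith(END_MARKER)


def install_rulebase(new_file, live_file, checker=looks_complete):
    """Verify new_file; if it passes, copy live_file to live_file + '.prev'
    and rename new_file over live_file atomically. Returns True if the new
    rulebase went into service, False if it was rejected (live file untouched)."""
    if not checker(new_file):
        os.remove(new_file)          # never leave an unverified file around to be picked up
        return False
    if os.path.exists(live_file):
        shutil.copy2(live_file, live_file + ".prev")
    os.replace(new_file, live_file)  # atomic on the same filesystem
    return True


def rollback_rulebase(live_file, checker=looks_complete):
    """Put the previous rulebase back (Paul's suggestion), after checking it."""
    prev = live_file + ".prev"
    if not checker(prev):
        return False
    os.replace(prev, live_file)
    return True


def demo(workdir=None):
    """Good update, then a truncated one, then rollback; returns the outcomes.
    Uses a temporary directory of its own when none is given."""
    own = workdir is None
    if own:
        workdir = tempfile.mkdtemp()
    try:
        live = os.path.join(workdir, "rulebase.snf")
        with open(live, "wb") as fh:
            fh.write(b"rules-v1\n" + END_MARKER)

        good = os.path.join(workdir, "download-good.tmp")
        with open(good, "wb") as fh:
            fh.write(b"rules-v2\n" + END_MARKER)
        good_ok = install_rulebase(good, live)

        bad = os.path.join(workdir, "download-bad.tmp")
        with open(bad, "wb") as fh:
            fh.write(b"rules-v3\n")     # cut off: no end marker
        bad_ok = install_rulebase(bad, live)

        with open(live, "rb") as fh:
            after_bad = fh.read()
        rolled = rollback_rulebase(live)
        with open(live, "rb") as fh:
            after_rollback = fh.read()
        return good_ok, bad_ok, after_bad, rolled, after_rollback
    finally:
        if own:
            shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The two properties worth keeping whatever checker you plug in: the live file is only ever replaced by a file that has already passed the check, and the replacement is a single rename, so the scanner never sees a half-written rulebase, which is the failure mode Pete is asking Darin to look for in the SNF logs.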
Re: [sniffer] Last chance to renew at the old price!
Hi Michael, How about false positive processing? That's our biggest headache, but it would be drastically reduced by faster processing than the 3-5 days we currently see. Darin. - Original Message - From: Michael Murdoch [EMAIL PROTECTED] To: sniffer@SortMonster.com Cc: Pete McNeil [EMAIL PROTECTED] Sent: Tuesday, December 27, 2005 2:13 PM Subject: RE: [sniffer] Last chance to renew at the old price! Hi Folks, Actually, here is some more detail as to the reasons for the price increase. In addition, please bear in mind that that prices haven't been raised in approximately 2 years and even with this increase we are priced very competitively. The new feature/benefits and more to come are as follows: * In the past 6 months we have more than doubled the number of updates per day and we will continue to increase our bandwidth and the speed of our updates. * We have more than tripled our staff to improve our monitoring, support, and rule generation capabilities. Come January, we are again doubling this staff as the black-hats have gotten much more sophisticated and this has become a 24x7 battle. Even Pete needs to sleep sometimes. :-) * We are adding new RD programs for AFF/419 spam and Malware mitigation (many of the results from these projects have already been implemented). * During this next year as part of our continuous improvement policy we will continue to roll out new features and enhancements such as fully automated reporting, in-band real-time updates, an optimized message processing pipeline, image and file attachment tagging, advanced header structure analysis, enhanced adaptive heuristics, improved machine learning systems, real-time wave-front threat detection, and many more... It's important to recognize that many of our improvements don't require new software to be installed on the client side since they are delivered through rulebase enhancements. 
Though this often causes our work to go unnoticed, it is actually a design feature since it means that your installation requires very little maintenance. This translates to lowered administration costs and higher reliability. As a result of this reliability-first design strategy, it may not always be obvious that our service is constantly being improved and enhanced - we never stand still ;-) We'd hate to see any of you go, but please do compare us with other services. I'm sure that you'll find we're well worth the money, but it's always good to keep your options open. In fact, best practice these days for spam filtering is to use a blended approach that leverages many services. We personally encourage that for best results. Please let me know if you have any questions. Thank you for your feedback and business! Sincerely Michael Murdoch The Sniffer Team ARM Research Labs, LLC Tel. 850-932-5338 x303 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fox, Thomas Sent: Tuesday, December 27, 2005 1:03 PM To: sniffer@SortMonster.com Subject: RE: [sniffer] Last chance to renew at the old price! I said the same thing, and the response was, basically, We haven't raised the price in a long time, we need the money, like it or lump it. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Koontz Sent: Tuesday, December 27, 2005 1:57 PM To: sniffer@SortMonster.com Subject: RE: [sniffer] Last chance to renew at the old price! Pete, why over a 50% increase? That seems rather drastic -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil Sent: Tuesday, December 27, 2005 12:42 PM To: sniffer@sortmonster.com Subject: [sniffer] Last chance to renew at the old price! Hello Sniffer folks, This is just a friendly reminder that prices will be going up January 1. You can add a year to your SNF subscription at the current price if you renew before January 1. 
Details are here: https://www.armresearch.com/message-sniffer/forms/form-renewal.asp Thanks, _M Pete McNeil (Madscientist) President, MicroNeil Research Corporation Chief SortMonster (www.sortmonster.com) Chief Scientist (www.armresearch.com)

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
Re: [sniffer] Last chance to renew at the old price!
Wow... last minute notice. It's difficult to budget for these things with so little notice. Please consider a couple of months' notice the next time. Darin.

- Original Message - From: Pete McNeil [EMAIL PROTECTED] To: sniffer@sortmonster.com Sent: Tuesday, December 27, 2005 12:42 PM Subject: [sniffer] Last chance to renew at the old price!

Hello Sniffer folks, This is just a friendly reminder that prices will be going up January 1. You can add a year to your SNF subscription at the current price if you renew before January 1. Details are here: https://www.armresearch.com/message-sniffer/forms/form-renewal.asp Thanks, _M Pete McNeil (Madscientist) President, MicroNeil Research Corporation Chief SortMonster (www.sortmonster.com) Chief Scientist (www.armresearch.com)
Re: Re[2]: [sniffer] Last chance to renew at the old price!
Great. I've tracked ours and it is almost always 3 days, and sometimes up to 5 days when it goes over a weekend. This usually results in multiple reports for false positives for a given rule. Appreciate anything you can do to speed that up. Darin. - Original Message - From: Pete McNeil [EMAIL PROTECTED] To: Darin Cox sniffer@SortMonster.com Sent: Tuesday, December 27, 2005 5:08 PM Subject: Re[2]: [sniffer] Last chance to renew at the old price! Part of the purpose for additional staff is to reach a goal of FP processing measured in minutes to hours, never days as it is sometimes now. We also have some automated tools on the drawing board that will help to mitigate many FP cases on a self-serve basis. These will be coming in this next year. _M On Tuesday, December 27, 2005, 4:00:59 PM, Darin wrote: DC Hi Michael, DC How about false positive processing? That's our biggest headache, but it DC would be drastically reduced by faster processing than the 3-5 days we DC currently see. DC Darin. DC - Original Message - DC From: Michael Murdoch [EMAIL PROTECTED] DC To: sniffer@SortMonster.com DC Cc: Pete McNeil [EMAIL PROTECTED] DC Sent: Tuesday, December 27, 2005 2:13 PM DC Subject: RE: [sniffer] Last chance to renew at the old price! DC Hi Folks, DC Actually, here is some more detail as to the reasons for the price DC increase. In addition, please bear in mind that that prices haven't DC been raised in approximately 2 years and even with this increase we are DC priced very competitively. DC The new feature/benefits and more to come are as follows: DC * In the past 6 months we have more than doubled the number of updates DC per day and we will continue to increase our bandwidth and the speed of DC our updates. DC * We have more than tripled our staff to improve our monitoring, DC support, and rule generation capabilities. Come January, we are again DC doubling this staff as the black-hats have gotten much more DC sophisticated and this has become a 24x7 battle. 
Even Pete needs to DC sleep sometimes. :-) DC * We are adding new RD programs for AFF/419 spam and Malware mitigation DC (many of the results from these projects have already been implemented). DC * During this next year as part of our continuous improvement policy we DC will continue to roll out new features and enhancements such as fully DC automated reporting, in-band real-time updates, an optimized message DC processing pipeline, image and file attachment tagging, advanced header DC structure analysis, enhanced adaptive heuristics, improved machine DC learning systems, real-time wave-front threat detection, and many DC more... DC It's important to recognize that many of our improvements don't require DC new software to be installed on the client side since they are delivered DC through rulebase enhancements. Though this often causes our work to go DC unnoticed, it is actually a design feature since it means that your DC installation requires very little maintenance. This translates to DC lowered administration costs and higher reliability. DC As a result of this reliability-first design strategy, it may not DC always be obvious that our service is constantly being improved and DC enhanced - we never stand still ;-) DC We'd hate to see any of you go, but please do compare us with other DC services. DC I'm sure that you'll find we're well worth the money, but it's always DC good to keep your options open. In fact, best practice these days for DC spam filtering is to use a blended approach that leverages many DC services. We personally encourage that for best results. DC Please let me know if you have any questions. Thank you for your DC feedback and business! DC Sincerely DC Michael Murdoch DC The Sniffer Team DC ARM Research Labs, LLC DC Tel. 
850-932-5338 x303 DC -Original Message- DC From: [EMAIL PROTECTED] DC [mailto:[EMAIL PROTECTED] On Behalf Of Fox, Thomas DC Sent: Tuesday, December 27, 2005 1:03 PM DC To: sniffer@SortMonster.com DC Subject: RE: [sniffer] Last chance to renew at the old price! DC I said the same thing, and the response was, basically, DC We haven't raised the price in a long time, we need DC the money, like it or lump it. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Koontz Sent: Tuesday, December 27, 2005 1:57 PM To: sniffer@SortMonster.com Subject: RE: [sniffer] Last chance to renew at the old price! Pete, why over a 50% increase? That seems rather drastic -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil Sent: Tuesday, December 27, 2005 12:42 PM To: sniffer@sortmonster.com Subject: [sniffer] Last chance to renew at the old price! Hello Sniffer folks, This is just a friendly reminder that prices will be going up January 1. You can add a year to your SNF subscription at the current price if you renew before January 1. Details
Re: [sniffer] False Positives
Agreed. We counted 100 false positives yesterday, compared to our normal rate of less than 5. No false positives since 6pm ET yesterday, though. Thank goodness. Darin.

- Original Message - From: Frederick Samarelli [EMAIL PROTECTED] To: sniffer@SortMonster.com Cc: [EMAIL PROTECTED] Sent: Wednesday, January 18, 2006 8:42 AM Subject: Re: [sniffer] False Positives

Same with me. Last night there was a rules update and it fixed the problem. Check the date of your rules update.

- Original Message - From: Ali Resting [EMAIL PROTECTED] To: sniffer@sortmonster.com Cc: [EMAIL PROTECTED] Sent: Wednesday, January 18, 2006 8:57 AM Subject: [sniffer] False Positives

Hi, Over the last 2 days I have seen a major increase in false positives. Literally all hotmail and yahoo addresses are being caught by sniffer inclusive of other legit domains. Please confirm what may be causing this and what I can do to resolve the issue. Regards, Ali
Re: [sniffer] problems!!!!
I have an idea. These problems seem to stem mostly from changes in the methods of handling rulebase updates. We were lucky enough not to be affected with the latest rule issue, but the previous one made for a very long day and some disgruntled customers. Would it be feasible to announce in advance when such changes are to be implemented? With advance notice of a date and time for the switch we could choose to freeze our rulebases just before that for a day to make sure the kinks were worked out before updating. A few spam messages that slip through are better than a slough of false positives that require review and are delayed in reaching the customer. Thoughts? Darin.

- Original Message - From: Harry Vanderzand To: sniffer@SortMonster.com Sent: Wednesday, February 08, 2006 10:02 AM Subject: [sniffer] problems

With the recent issues at sniffer it has caused tremendous problems with the entire client base here. Sniffer has been so reliable for so long and all of a sudden recently I cannot rely on it any more. What is going on with sniffer? Will these issues get resolved or is it going to be more unstable than what we have come to rely on? I need my spam trap software to work without spending hours every day and without getting a large group of my customers questioning the reliability of what I am doing. Hope there will be some indication of improvement. The following is my sniffer code:

    SNIFFER external nonzero "D:\IMail\Declude\sniffer\umzqbs4l.exe dky4t444qqpk69j6" 10 0

Should I be doing something different? This has worked very well for a year now.
Harry Vanderzand inTown Internet Computer Services 519-741-1222

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Tuesday, February 07, 2006 9:42 PM To: sniffer@SortMonster.com Subject: RE: Re[4]: [sniffer] Bad Rule - 828931

Goran, this is pretty much what I did to get to re-queuing:

    gawk "$0 ~ /Final\t828931/ {print substr($3,2,16)}" gxamq2kt.log.20060207* > msgids.txt

The file msgids.txt will now contain just the GUID part of the D[guid].SMD from column 3 in the tab delimited Message Sniffer log files. I then used a batch file I had previously created called qm.cmd (for queue and move). Note that the folders I specify are for Declude 1.x, which has an overflow folder. I use the overflow folder so that Declude will re-analyze the message:

    rem this is the qm.cmd file listing
    move d:\imail\spool\spam\d%1.smd u:\imail\spool\ > nul
    move d:\imail\spool\spam\q%1.smd u:\imail\spool\overflow\ > nul

I then issued from the command line:

    for /F %i in (msgids.txt) do @qm.cmd %i

That takes care of re-queuing all the held messages. I am using a move instead of a copy because I want Declude to be able to move a message it deems spam to the spam folder. If I used a copy, it would fail to do the move because the file is already in the spam folder, and Declude would then pass control back to Imail, which would then deliver the spam inbound. After my queue went back to normal, I then set to work on my dec0207.log file to determine if the entirety of the message was spam or ham based on whether it was held or not (which is the simple scenario I have). I hope that helps, Andrew 8) p.s. Another re-posting in HTML so as to preserve the line breaks. Sorry for the duplication, folks.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Goran Jovanovic Sent: Tuesday, February 07, 2006 5:39 PM To: sniffer@SortMonster.com Subject: RE: Re[4]: [sniffer] Bad Rule - 828931

I just ran the grep command on my log and I got 850 hits.
Now is there a way to take the output of the grep command and use it to pull out the total weight of the corresponding message from the declude log file, or maybe the subject? Goran Jovanovic Omega Network Solutions

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Sullivan Sent: Tuesday, February 07, 2006 7:47 PM To: Landry, William (MED US) Subject: Re[4]: [sniffer] Bad Rule - 828931

Hello William, Tuesday, February 7, 2006, 7:39:05 PM, you wrote:

    LWMU grep -c "Final.*828931" c:\imail\declude\sniffer\logfile.log

That's what I tried. Just figured out I forgot to capitalize the "F". It works. Confirmed - 22,055. I'm writing a program now to parse the sniffer log file, extract the file ID, look up the id in sql server, determine quarantine location, extract q/d pair from quarantine and send to user. -- Best regards, David mailto:[EMAIL PROTECTED]
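The re-queue procedure Andrew describes above (gawk over the Sniffer log, then qm.cmd per GUID) and the grep count Goran and David use, as an added Python example. This is not code from the thread and not part of Message Sniffer or Declude. The tab-separated column layout is an assumption inferred from the log excerpt Andy posts later in this thread (license id, timestamp, D<guid>.SMD filename, two counters, Match/Final, rule id, result group, start, end, ...); the sample log lines, GUIDs and spool paths are constructed for the example. Only messages whose *Final* (winning) rule is the bad one are re-queued: a message where the bad rule merely matched but another rule won would have been held anyway.

```python
"""Re-queue messages held because of one bad Message Sniffer rule.

Added example (not from the thread). Reimplements Andrew's gawk + qm.cmd
procedure: find log lines whose 'Final' result names the bad rule, pull the
16-character GUID out of the D<guid>.SMD filename, and emit the move
operations that return the Q/D pair to the IMail spool so Declude re-scans.
"""
import re
import shutil
from dataclasses import dataclass

# ASSUMPTION: column layout inferred from the log excerpt in this thread:
# license  timestamp  filename  n1  n2  Match|Final  rule  group  start  end  ...
COL_TIMESTAMP, COL_FILENAME, COL_KIND, COL_RULE, COL_GROUP = 1, 2, 5, 6, 7


@dataclass(frozen=True)
class SnifferRecord:
    timestamp: str
    filename: str
    kind: str    # "Match" (a rule fired) or "Final" (the rule that won)
    rule: int
    group: int   # Sniffer result code handed to Declude (thread: 60 ungrouped, 63 IP rules)


def parse_sniffer_log(lines):
    """Parse tab-delimited Sniffer log lines; malformed or short lines are skipped."""
    records = []
    for line in lines:
        f = line.rstrip("\r\n").split("\t")
        if len(f) <= COL_GROUP:
            continue
        try:
            records.append(SnifferRecord(f[COL_TIMESTAMP], f[COL_FILENAME],
                                         f[COL_KIND], int(f[COL_RULE]), int(f[COL_GROUP])))
        except ValueError:
            continue  # rule/group not numeric: not a scan-result line
    return records


_GUID_RE = re.compile(r"D([0-9A-F]{16})\.SMD$", re.IGNORECASE)


def guid_from_filename(filename):
    """'DA9CC319600AA9394.SMD' -> 'A9CC319600AA9394' (Andrew's substr($3,2,16))."""
    m = _GUID_RE.match(filename)
    return m.group(1) if m else None


def count_final_hits(records, rule):
    """Same number as: grep -c "Final.*<rule>" on the raw log."""
    return sum(1 for r in records if r.kind == "Final" and r.rule == rule)


def held_by_rule(records, bad_rule):
    """GUIDs of messages whose Final (winning) rule was bad_rule, in log order, deduplicated."""
    guids = []
    for r in records:
        if r.kind == "Final" and r.rule == bad_rule:
            g = guid_from_filename(r.filename)
            if g and g not in guids:
                guids.append(g)
    return guids


def requeue_moves(guids, spam_dir=r"d:\imail\spool\spam",
                  spool_dir=r"u:\imail\spool", overflow_dir=r"u:\imail\spool\overflow"):
    """Mirror qm.cmd: D file back into the spool, Q file into Declude 1.x's overflow folder.
    Returns (source, destination) pairs; nothing on disk is touched here."""
    moves = []
    for g in guids:
        moves.append((f"{spam_dir}\\d{g}.smd", f"{spool_dir}\\"))
        moves.append((f"{spam_dir}\\q{g}.smd", f"{overflow_dir}\\"))
    return moves


def apply_moves(moves, dry_run=True):
    """Perform the moves (a move, not a copy, for the reason Andrew gives). Returns the count."""
    done = 0
    for src, dst in moves:
        if not dry_run:
            shutil.move(src, dst)
        done += 1
    return done


# Constructed sample log (not real traffic): two messages held by rule 828931,
# one where 828931 only matched but 836625 won, one unrelated, one junk line.
SAMPLE_LOG = [
    "\t".join(["nwb655oh", "20060207101500", "D0123456789ABCDEF.SMD", "31", "360", "Match", "828931", "63", "120", "180", "71"]),
    "\t".join(["nwb655oh", "20060207101500", "D0123456789ABCDEF.SMD", "31", "360", "Final", "828931", "63", "0", "32767", "71"]),
    "\t".join(["nwb655oh", "20060207101530", "D2222222222222222.SMD", "31", "360", "Match", "828931", "63", "5", "40", "71"]),
    "\t".join(["nwb655oh", "20060207101530", "D2222222222222222.SMD", "31", "360", "Final", "836625", "61", "0", "32767", "71"]),
    "\t".join(["nwb655oh", "20060207101545", "D00112233445566AA.SMD", "31", "360", "Final", "828931", "63", "0", "32767", "71"]),
    "\t".join(["nwb655oh", "20060207101600", "DFEDCBA9876543210.SMD", "31", "360", "Final", "836625", "61", "0", "32767", "71"]),
    "not a log line",
]

if __name__ == "__main__":
    recs = parse_sniffer_log(SAMPLE_LOG)
    bad = held_by_rule(recs, 828931)
    print(count_final_hits(recs, 828931), "Final hits for 828931; re-queue:", bad)
    for src, dst in requeue_moves(bad):
        print("move", src, dst)
```

Run it against a real log by replacing SAMPLE_LOG with the lines of the day's Sniffer log file and calling apply_moves(..., dry_run=False) once the printed move list looks right; the GUID regex deliberately rejects anything that is not D plus 16 hex characters plus .SMD, so a malformed filename can never produce a stray move.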
Re: Re[2]: [sniffer] problems!!!!
There was no error in my comment. I completely understand that some issues will not be foreseeable... I did say mostly, not entirely. The switch to the automated bots caused a rash of false positives in our system. I'm not pointing fingers, but instead want to make sure I have the ability to decide what risks to take on my end. While mistakes are always possible... we are human after all... the more controls we have available to minimize possible impact, the better. What I would be looking for is an announcement of a specific date/time for a cutover so we could freeze just before that, and unfreeze once it was clear that no glut of false positives would result. Darin.

- Original Message - From: Pete McNeil [EMAIL PROTECTED] To: Darin Cox sniffer@SortMonster.com Sent: Wednesday, February 08, 2006 11:13 AM Subject: Re[2]: [sniffer] problems

On Wednesday, February 8, 2006, 10:59:09 AM, Darin wrote: DC I have an idea. These problems seem to stem mostly from changes DC in the methods of handling rulebase updates. <snip/> DC Would it be feasible to announce in advance when such changes DC are to be implemented? With advance notice of a date and time DC for the switch we could choose to freeze our rulebases just before DC that for a day to make sure the kinks were worked out before DC updating. A few spam messages that slip through are better than DC a slough of false positives that require review and are delayed in reaching the customer.

That's a good idea, and we do, in fact, follow that procedure. Whenever we make any large scale changes we always announce them here on this list,... we usually also put them on our web site. There is an error in your comment however... the previous event (with the rule-bots) was completely unforeseeable. There was no way to announce that known good software would suddenly fail so spectacularly when no changes within our control were made. Thankfully, that kind of event is extremely unlikely also.
It is unfortunate that these two events would happen so closely together. _M
Re: Re[4]: [sniffer] problems!!!!
Perhaps I used the wrong terminology about what changed, since I do not know what your system architecture is, but I remember you mentioning a significant change at the time. Immediately afterwards we saw a rash of false positives. That is what I would like to have controls in place to avoid. Darin.

- Original Message - From: Pete McNeil [EMAIL PROTECTED] To: Darin Cox sniffer@SortMonster.com Sent: Wednesday, February 08, 2006 11:46 AM Subject: Re[4]: [sniffer] problems

On Wednesday, February 8, 2006, 11:26:46 AM, Darin wrote: DC There was no error in my comment. I completely understand that some issues DC will not be foreseeable... I did say mostly, not entirely. The switch to DC the automated bots caused a rash of false positives in our system. <snip/>

Actually, there is the error I was talking about -- (I'm not pointing fingers either, just trying to set the record straight.) The automated bots had been online and part of the system for several years when the error occurred. There was no cut-over to announce.

DC What I would be looking for is an announcement of a specific date/time for a DC cutover so we could freeze just before that, and unfreeze once it was clear DC that no glut of false positives would result.

I completely agree, and that is our policy. Before we turn on anything important, we will announce it, as we have in the past. Even if for no other reason than we want you to know we've done something cool... but certainly so that we can have everyone aware and watching out for any un-expected results (good or bad). _M
Re: [sniffer] False Positive - no reaction?
On average it takes two or three days to hear back on false positives. Darin.

- Original Message - From: Andy Schmidt [EMAIL PROTECTED] To: sniffer@SortMonster.com Sent: Tuesday, February 21, 2006 9:40 AM Subject: [sniffer] False Positive - no reaction?

Hi, I filed this false positive report a day ago and never heard back. Just trying to see if my emails are blocked again. Phone: +1 201 934-3414 x20 (Business) Fax: +1 201 934-9206

-Original Message- From: Andy Schmidt [mailto:[EMAIL PROTECTED] Sent: Monday, February 20, 2006 10:41 AM To: '[EMAIL PROTECTED]' Subject: License ID nwb655oh

This message was a GIF image from one individual to another.

Log Entries:
nwb655oh 20060219172434 DA9CC319600AA9394.SMD 31 360 Match 836625 61 2245 2388 71
nwb655oh 20060219172434 DA9CC319600AA9394.SMD 31 360 Final 836625 61 0 32767 71

Original Message:
Received: from mailout08.sul.t-online.com [194.25.134.20] by hm-software.com with ESMTP (SMTPD32-8.15) id A9CC319600AA; Sun, 19 Feb 2006 12:24:28 -0500
Received: from fwd34.aul.t-online.de by mailout08.sul.t-online.com with smtp id 1FAsIN-00064u-06; Sun, 19 Feb 2006 18:24:27 +0100
Received: from athome ([EMAIL PROTECTED] ]) by fwd34.sul.t-online.de with smtp id 1FAsIB-0X4oka0; Sun, 19 Feb 2006 18:24:15 +0100
Message-ID: [EMAIL PROTECTED]
From: Bjoern Schmidt [EMAIL PROTECTED]
To: Jochen Schug [EMAIL PROTECTED], Harald Mergard [EMAIL PROTECTED]
Subject: Hier das Bild zu meinem Service-request
Date: Sun, 19 Feb 2006 18:24:15 +0100
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary==_NextPart_000_0005_01C63581.B0813970
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-ID: GWI0CrZ-Ye-ErQseZpWkpcMBFfC4ce2pefaSy9EIpXJHQ-BFOxDqQt
X-TOI-MSGID: bdd1884c-5835-410b-822a-2343e2bb5047

This is a multi-part message in MIME format.
--=_NextPart_000_0005_01C63581.B0813970 Content-Type: multipart/alternative; boundary==_NextPart_001_0006_01C63581.B0813970 --=_NextPart_001_0006_01C63581.B0813970 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable Ciao Bjoern Schmidt [EMAIL PROTECTED] www.barchetta.cc =20 Barchetta - The Classic and Sports Car Channel Updated News as It = Happens. --=_NextPart_001_0006_01C63581.B0813970 Content-Type: text/html; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable !DOCTYPE HTML PUBLIC -//W3C//DTD HTML 4.0 Transitional//EN HTMLHEAD META http-equiv=3DContent-Type content=3Dtext/html; = charset=3Diso-8859-1 META content=3DMSHTML 6.00.2900.2802 name=3DGENERATOR STYLE/STYLE /HEAD BODY bgColor=3D#ff DIVnbsp;/DIV DIVFONT face=3DArial size=3D2CiaoBRBjoern SchmidtBRA=20 href=3Dmailto:[EMAIL PROTECTED][EMAIL PROTECTED]/ABRA=20 href=3Dhttp://www.barchetta.cc;www.barchetta.cc/Anbsp;nbsp; = BRBarchetta -=20 The Classic and Sports Car Channel Updated News as It=20 Happens./FONT/DIV/BODY/HTML --=_NextPart_001_0006_01C63581.B0813970-- --=_NextPart_000_0005_01C63581.B0813970 Content-Type: image/gif; name=Neues Projekt erstellen.gif Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename=Neues Projekt erstellen.gif R0lGODdhAAUABHcAACwAAAUABIcAAACAgACAgICAAIAAgIDAwMDA3MCmy vAB NwAnHQAwLQwxMzgYCVwPLFYAO3M1OEgyPXEPVBARVjgRZw4eaSo0WTA9ZQosdDEfVkEaZ EkZZ3A5 SFszT3ksdEckbXtKOExmLGVFVhZKUTJHaBVIcyhwWTdsdipPU1lbW2xIbUhNY39qQF5ud Epwb2QL MJcHLKMxP7wvPdwdSJoYQaUMYK4qT5EmUrgxZZo6cL0ZUsQUftoIdusjWtgtUuUpZNsuc+ZCPoVS U4VOU7tObJlQe6VrVYd0co1zeKtXXcZFW/BGZstGbNRLcc5IcNJaZ8xUdttPeehtdM1nf ucGlQAB swA1jzU7qTo9l0A+pUAAygAA8wAuzy5HjzVEoztijAZshS50qgx6uyRKmUlCj2NLp0tfo swA1jzU7qTo9l0A+WBpk1J8 jHxgoV9urm514XU9g74UgtkPkuoVrfE5lds3g+4wrvQay/UjxvVOlYBKhbF/gIB3k6l/u jHxgoV9urm514XU9g74UgtkPkuoVrfE5lds3g+oBRldBJ j+1boNRRs/Rlhtxlm8xmnNV0h9x7l8l5ld5njOBohvxqkeBjm/t3juNwjf98muF7mf9+o j+uVYwvZz 
yvahEwG3Nw2FWDeVazW2UBqjRCGqZCaIU0iTW3aPc0mVZXe4WUuuYVqtaHrGOAf/AAD+N QPUSgjB XizbZg33ShP4Tyb0chHMZFPHcHD1aEmTbISudYzCdoGahgaaky2ZoCesjwq6jD6upSmKi FCIknCF p3Svmk+I0QyBySaa7AvCngvOhzrQqw7OuyL9kQT2iinzrA70rDDflkHQjGb2l07pk3X2r p3Svmk+lL1sWf5 zQ7+30H1xGn841L8622MjIyMkKeJvIiPor2vgZyxjamrqJigoKCTl8aBneGXq9KMq+e2t9Otu+yS wpKlzZ+zxail/7WJ0PazxNO5zPOs4f/akIPXp4vzmIjsuYT6tqjBzLX2zJHz1bX8+JXn/ wpKlzZ+6nT0tnY 2OTZ5NTX5Pjq1ND9/dTo6OgAAACgoKSAgID//wD//wAAAP//AP8A//9YqUYI/ wALCRTo RAqggwcNKTSEqKHDhw0XSpxIsaLFixgzatzIsaPHjyBDihxJsqTJkyhTqlzJsqXLlzBjy pxJs6bN mzhz6tzJs6fPnx4RCpXiZGChJQcHNZFSyJFTR9miSp1KtarVq1izat3KtavXr2DDih1Lt qzZs2jT ql3Ltq3bt3Djyp1Lt67du3jz6t3Lt6/fv4DnPi0kpckgQFEONgHUFKrVbZAjS55MubLly 5gza97M ubPnz6BDix5NurTp06hTq17NurXr17Bjy55Nu7ZtyYFz697Nu7dvudvUOmWklEoUKosFP nX6u7nz 59CjS59Ovbr169iza9/OvXv15eDDX/8bf40RceRLokQZZHTg8qrh48ufT7++/fv48+vfz
Re: Re[2]: [sniffer] False Positive - no reaction?
That queue concept would be wonderful! Hopefully it would have some simple info extracted to show recipient, sender, subject, header info, and info on the rule(s) it failed. One of my ongoing challenges is matching responses to reports and following up to see what additional actions are required. Darin. - Original Message - From: Andy Schmidt [EMAIL PROTECTED] To: sniffer@SortMonster.com Sent: Tuesday, February 21, 2006 11:16 AM Subject: RE: Re[2]: [sniffer] False Positive - no reaction? Hi Pete, I agree that the email notification is tricky - because you might respond to spam - and, you may NOT respond to someone who did not use an authorized address. On the other hand, if I KNEW there was an auto-response and I did NOT get a response, it would be an indication to me, the user, that I must have done something wrong. So - in a sense - no response is also a message I can act on. The only other suggestion I have is to create a 24 hour 'queue' display on the web site. All you need to show is a column of the sender domain names of the email (not the entire sender email address). If I submit a false positive I can confirm that it made it into your queue by checking the web page. This way, you don't need to send automated emails. Best Regards Andy Schmidt Phone: +1 201 934-3414 x20 (Business) Fax:+1 201 934-9206 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil Sent: Tuesday, February 21, 2006 11:04 AM To: Andy Schmidt Subject: Re[2]: [sniffer] False Positive - no reaction? On Tuesday, February 21, 2006, 10:16:11 AM, Andy wrote: AS Sorry - didn't mean to be pushy. I just thought that false AS positives are worse than missed spam, so I had assumed that they AS would always be at the top of the queue. It is a very tough balancing act. Don't feel bad at all - you're not being pushy. The current goal is to respond in less than 24 hours and if possible to review twice per day. 
Yesterday a number of urgent tasks toppled that schedule. The first review happened (at around 0600) but there were no FPs at that time. I'm working to increase the review cycle... there are just a lot of things going on right now. Just so everyone knows, we do hear - loud and clear - that responding to FPs is important, and we have been much better about it over the recent past. I expect that service aspect to improve moving forward along with other things.

AS I can wait (PS - would have calmed my nerves, if there had been some AS automatic ticket number response that reassured me that my email AS was received. The web site makes it sound as if there's a million AS reasons why a false positive might not be accepted - so an automatic AS confirmation might be a good self-service tool.

That's a good point. I'll look at that possibility when I rewrite the false processing bot. We're getting a lot of spam lately at our false@ address and I would want to make sure that there was no outscatter. I can tell the bot to only respond to validated senders, but then there is the issue of email reliability in the response... what if you don't get the response I mean. ... There are still folks that occasionally (some frequently) send false reports from unauthorized addresses --- those would not get a response... I'm overthinking this now %^b When I get to the false processing bot I will add a response mechanism. Thanks! _M
[sniffer] False positive processing
Pete, Thanks for the quicker turnaround in the last few days for false positive processing. We're seeing about a half day now. Much appreciated! Darin.
Re: [sniffer] New Rulebot F001
We just reviewed this morning's logs and had a few false positives. Not sure if these are due to the new rulebot, but it's more than we've had for the entire day for the past month.

Rules
--
873261
866398
856734
284831
865663

Darin.

- Original Message - From: Jay Sudowski - Handy Networks LLC [EMAIL PROTECTED] To: sniffer@SortMonster.com Sent: Monday, March 06, 2006 3:13 PM Subject: RE: [sniffer] New Rulebot F001

There's been at least one FP ;)
--
Rule          861038
Name          F001 for Message 2888327: [216.239.56.131]
Created       2006-03-02
Source        216.239.56.131
Hidden        false
Blocked       false
Origin        Automated-SpamTrap
Type          ReceivedIP
Created By    [EMAIL PROTECTED]
Owner         [EMAIL PROTECTED]
Strength      2.08287379496965
False Reports 0
From Users    0
[FPR:B] The rule is below threshold, and/or badly or broadly coded so it will be removed from the core rulebase.

My concern with automated IP rule coding is that we use Sniffer because it's extremely accurate. Coding rules linked to IPs, particularly IPs that are used by google or any large ISP to send large amounts of (mostly legitimate) email, is contrary to what Sniffer is great at, which is tagging spam that no one else is. Is response code 63 going to be utilized for any other purposes? If not, I will let Declude know to weight these responses lower than normal Sniffer. - Jay

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil Sent: Monday, March 06, 2006 3:00 PM To: sniffer@sortmonster.com Subject: [sniffer] New Rulebot F001

Hello Sniffer folks, The first of the new rulebots is coming online. Rulebot F001 creates IP rules for sources that consistently fail many tests while also reaching the cleanest of our spamtraps. The rules will appear in group 63. The bot is playing catchup a bit (since there have been few IP rules at all since we disabled the old bots). The algorithms used in this bot have been tested manually for 2 weeks with no false positives.
Expect an increase in your rulebase size while F001 catches up with current spamtrap data. Thanks, _M Pete McNeil (Madscientist) President, MicroNeil Research Corporation Chief SortMonster (www.sortmonster.com) Chief Scientist (www.armresearch.com)
Re: Re[2]: [sniffer] New Rulebot F001
Thanks, Pete. Darin.

- Original Message - From: Pete McNeil [EMAIL PROTECTED] To: Darin Cox sniffer@SortMonster.com Sent: Monday, March 06, 2006 6:17 PM Subject: Re[2]: [sniffer] New Rulebot F001

On Monday, March 6, 2006, 3:42:50 PM, Darin wrote: DC We just reviewed this morning's logs and had a few false positives. Not DC sure if these are due to the new rulebot, but it's more than we've had for DC the entire day for the past month. DC Rules DC -- DC 873261 DC 866398 DC 856734 DC 284831 DC 865663

Three of these are from F001 and have been removed.
865663 - http://www.dnsstuff.com/tools/ip4r.ch?ip=64.233.166.182 http://www.dnsstuff.com/tools/ptr.ch?ip=64.233.166.182
856734 - http://www.dnsstuff.com/tools/ip4r.ch?ip=64.249.82.200 http://www.dnsstuff.com/tools/ptr.ch?ip=64.249.82.200
873261 - http://www.dnsstuff.com/tools/ip4r.ch?ip=207.217.120.227 http://www.dnsstuff.com/tools/ptr.ch?ip=207.217.120.227

I haven't yet processed the fps, only looked up the rules. There are currently 32820 rules authored by the F001 bot. Hope this helps, _M
Re: [sniffer] F001 Rule Bot Change
Good job, Pete. Through these changes we saw a minimal increase in false positives on one day, and detection seems to have improved as well. Darin.

- Original Message - From: Pete McNeil [EMAIL PROTECTED] To: sniffer@sortmonster.com Sent: Thursday, March 09, 2006 3:08 AM Subject: [sniffer] F001 Rule Bot Change

Hello Sniffer Folks, The F001 Rule Bot has been adjusted. The number of repeat offenses required for an IP to be listed has been increased. It's important to note also: Messages that are filtered out by other rules are excluded from this evaluation. Consequently, for an IP to be added to the F001 bot rules it must not only be seen quite a few times, but it must also be generating messages that are not filtered using other active rules. As part of this adjustment we removed approximately 2 IP rules that had shown either weak or no activity since they were created. This may cause rulebase file sizes to change noticeably. Thanks, _M Pete McNeil (Madscientist) President, MicroNeil Research Corporation Chief SortMonster (www.sortmonster.com) Chief Scientist (www.armresearch.com)
Re: [sniffer] New RuleBot F002 Online
Totally agree. I'd like to see some separation between rules created by newer rulebots and preexisting rules. That way if there becomes an issue with a bot, we can turn off one group quickly and easily.

Darin.

- Original Message -
From: Matt [EMAIL PROTECTED]
To: sniffer@SortMonster.com
Sent: Friday, March 10, 2006 3:37 PM
Subject: Re: [sniffer] New RuleBot F002 Online

Pete,

In light of current and prolonged issues, this seems like a good and safe tactic. I would appreciate it however if maybe you could place the rules in another result code since this result code is not as accurate as some others are and some of us weight it lower than others.

Thanks,

Matt

Pete McNeil wrote:

Hello Sniffer Folks,

Rulebot F002 has been placed online. This rulebot captures and creates geocities web links from the chatty campaigns. This is largely a time saver for us humans... we will focus our attention more on abstracts for these campaigns now that F002 will be capturing the raw links.

Rules from F002 will produce a 60 result code (Ungrouped).

The engine is following a standard protocol that we have used for months. I expect no false positives from this one.

Thanks,

_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)
Chief Scientist (www.armresearch.com)
Re: Re[2]: [sniffer] New RuleBot F002 Online
Hi Pete,

Don't worry about customizing our local rulebase for this. Just take this as a simple suggestion for future segregation to make it easy for new rulesets to be addressed differently in weighting schemes.

Thanks for all of your efforts!

Darin.

- Original Message -
From: Pete McNeil [EMAIL PROTECTED]
To: Darin Cox sniffer@SortMonster.com
Sent: Monday, March 13, 2006 10:23 AM
Subject: Re[2]: [sniffer] New RuleBot F002 Online

On Friday, March 10, 2006, 3:41:00 PM, Darin wrote:

DC Totally agree. I'd like to see some separation between rules created by
DC newer rulebots and preexisting rules. That way if there becomes an issue
DC with a bot, we can turn off one group quickly and easily.

There is no way to do this without completely reorganizing the result codes or defeating the competitive ranking mechanisms.

If you feel strongly about it I can move these rule groups to lower numbers on your local rulebase or make some other numbering scheme - but I don't recommend it. Moving these rule groups to lower numbers would cause them to win competitions with other rules where they would normally not win.

At some point in the future we might renumber the rule groups again, but I like to avoid this since there are so many folks that just don't get the message (no matter what we do to publish it) when we make changes like this and so any large scale changes tend to cause confusion for very long periods. For example: I still, on occasion, have questions about the gray-hosting group which has not existed for quite a long time.

So far there has not been one FP reported on bot F002 and extremely few on F001 - the vast majority of those associated with the very first group of listings prior to the last two upgrades for the bot.

_M
Re: [sniffer] False positive processing
Nope. None of them. I haven't heard back from the replies to a couple of false positives on the 10th, and we haven't heard anything from our submissions on the 16th (6) and 17th (2). I don't remember if we've heard anything from those on the 15th (4).

Darin.

- Original Message -
From: Pete McNeil [EMAIL PROTECTED]
To: Darin Cox sniffer@SortMonster.com
Sent: Tuesday, March 21, 2006 11:21 AM
Subject: Re: [sniffer] False positive processing

On Tuesday, March 21, 2006, 9:38:46 AM, Darin wrote:

DC Hi Pete,
DC
DC Are you getting behind on false positive processing? We have
DC gotten a response in a few days, and are still forwarding false
DC positives for an FP report that we asked for a while rule on the 10th.

I'm not behind.

Did the message get tagged on its way out of your system?

Thanks,

_M
Re: [sniffer]Numeric spam
They do, but you have to both specify that email for your domains only comes from your mail servers AND use a test in your spam filtering that checks SPF and pushes fails over your hold limit.

Darin.

- Original Message -
From: Computer House Support
To: Message Sniffer Community
Sent: Tuesday, June 06, 2006 8:07 PM
Subject: Re: [sniffer]Numeric spam

I thought that having an SPF record would prevent a spammer from forging your domain name, but our SPF record did not seem to help with these odd numeric E-mails which appear to be coming from our own domain. Does anyone have any info about SPF records and if they really work to combat this type of junkmail?

Michael Stein
Computer House

- Original Message -
From: Colbeck, Andrew
To: Message Sniffer Community
Sent: Tuesday, June 06, 2006 7:37 PM
Subject: Re: [sniffer]Numeric spam

Both of which are reasonable, particularly given the recent Blue Security debacle that showed that it was possible for the spammers as well as the spammees to coordinate their information. It might be in a spammer's best interest to pursue either of your suggestions.

However, I still think it is more credible to assume that this is a case of the spammer being simple-stupid instead of uber-clever.

Andrew 8)

From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Tuesday, June 06, 2006 4:26 PM
To: Message Sniffer Community
Subject: Re: [sniffer]Numeric spam

My thought is they are either building a db of valid names or testing delivery techniques.

John T
eServices For You
"Seek, and ye shall find!"

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Steve Guluk
Sent: Tuesday, June 06, 2006 3:46 PM
To: Message Sniffer Community
Subject: Re: [sniffer]Numeric spam

On Jun 6, 2006, at 7:51 AM, Steve Guluk wrote:

We're getting the same and today it started hitting a different account (Domain). What are these things?

I thought exploratory, maybe looking for replies to build a DB for a later spam wave? They're not malicious in content and look like someone's virus working incorrectly. But, I doubt they are really so benign. Any understand their purpose?

On Jun 6, 2006, at 6:32 AM, Goran Jovanovic wrote:

I started seeing these messages Monday (yesterday) morning EDT. The from and to are the same (ie you sent it to yourself). I am tagging it but there is not enough stuff to push it into DELETE territory.

So no one has any idea what the purpose of these emails are? Random numbers for no apparent reason...?

Regards,

Steve Guluk
SGDesign
(949) 661-9333
ICQ: 7230769
Re: [sniffer]SPF
What's your hold weight? If spam is only failing SPF and nothing else, then the message doesn't get held, so you don't see it.

Also, I do not recommend negative weighting SPFPASS. Spammers have SPF records, too, so you're giving them an opportunity to exploit it.

Lastly, I think you may be confused on your SPF records. They should not have the "name" portion. There is only one SPF record per domain. So, for computerhouse.com, your SPF record should simply be

v=spf1 mx -all

which tells it your MX is allowed to send mail for your domain (the "mx" part), but all others should fail (the "-all" part).

Please keep related communication on the list for others' benefit as well.

Darin.

- Original Message -
From: Computer House Support
To: [EMAIL PROTECTED]
Sent: Tuesday, June 06, 2006 9:40 PM
Subject: SPF

Hi Darin,

Thanks for your offer to help. I am E-mailing you off-list.

We do use Declude. The entry in our $default$.junkmail file looks like this:

SPFFAIL WARN
SPFPASS WARN
SPFUNKNOWN WARN

However, I have never seen an "SPF Failure" in the header of a spam mail.

Global.cfg:

SPFFAIL spffail x 30
SPFPASS spfpass x -10

Our SPF Record looks like this:

computerhouse.com. IN TXT "v=spf1 mx mx:mail.computerhouse.com"
mail.computerhouse.com. IN TXT "v=spf1 a -all"

Your insight is appreciated.

Michael Stein
Computer House

- Original Message -
From: Darin Cox
To: Message Sniffer Community
Sent: Tuesday, June 06, 2006 9:30 PM
Subject: Re: [sniffer]Numeric spam

What do you use for spam filtering? Declude has the ability to test SPF, for example. Also, what is your SPF record for the domain in question?

Darin.
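Darin's two points above (a record without "-all" never makes a forged sender fail, and a spammer's own domain can legitimately pass SPF, so a negative weight on SPFPASS helps them), as an added Python example that is not from the thread. It evaluates only the mechanisms the thread mentions against a constructed in-memory DNS table; the domains example.test and bulkmailer.test and all addresses are constructed sample data.

```python
"""Minimal SPF evaluation for the record shapes discussed in the thread.

Added example, not part of the original posts. Supports mx, mx:<name>, a,
a:<name>, ip4:<net> and the +/-/~/? qualifiers on "all"; names are resolved
from the constructed DNS table below, so nothing is looked up on the network.
"""
import ipaddress

# Constructed DNS data: name -> record type -> values.
DNS = {
    "example.test": {"MX": ["mail.example.test"], "A": ["192.0.2.10"]},
    "mail.example.test": {"A": ["192.0.2.25"]},
    # A constructed bulk mailer that publishes its own, perfectly valid record.
    "bulkmailer.test": {"TXT": ["v=spf1 ip4:203.0.113.0/24 -all"]},
}

# Same shape as the record posted in the thread (no "all" term at the end).
RECORD_WITHOUT_ALL = "v=spf1 mx mx:mail.example.test"
# The shape Darin recommends.
RECORD_WITH_ALL = "v=spf1 mx -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _lookup(name, rrtype):
    return DNS.get(name.lower(), {}).get(rrtype, [])


def _mechanism_networks(mechanism, domain):
    """Networks a mechanism designates, or None if the mechanism is unknown."""
    name, _, arg = mechanism.lower().partition(":")
    if name == "ip4":
        return [ipaddress.ip_network(arg, strict=False)]
    if name == "a":
        return [ipaddress.ip_network(a) for a in _lookup(arg or domain, "A")]
    if name == "mx":
        # mx:<name> lists the MX hosts *of <name>*; a bare mail host usually
        # has no MX records of its own, so such a term matches nothing.
        nets = []
        for host in _lookup(arg or domain, "MX"):
            nets.extend(ipaddress.ip_network(a) for a in _lookup(host, "A"))
        return nets
    return None


def check_spf(record, domain, sender_ip):
    """Return pass/fail/softfail/neutral/none/permerror for one sending IP."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            return QUALIFIERS[qualifier]
        networks = _mechanism_networks(term, domain)
        if networks is None:
            return "permerror"
        if any(ip in net for net in networks):
            return QUALIFIERS[qualifier]
    # No mechanism matched and no explicit "all": the default result is neutral,
    # which is why a forged sender is never rejected by RECORD_WITHOUT_ALL.
    return "neutral"


def check_domain(domain, sender_ip):
    """Evaluate the TXT record published for `domain` in the constructed table."""
    for txt in _lookup(domain, "TXT"):
        if txt.lower().startswith("v=spf1"):
            return check_spf(txt, domain, sender_ip)
    return "none"


if __name__ == "__main__":
    forged = "203.0.113.7"   # constructed address that is not our MX
    print(check_spf(RECORD_WITHOUT_ALL, "example.test", forged))  # neutral
    print(check_spf(RECORD_WITH_ALL, "example.test", forged))     # fail
    print(check_domain("bulkmailer.test", forged))                # pass
```

The last line is Darin's caution in miniature: the bulk mailer's own record passes, so SPFPASS says nothing about whether a message is wanted.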
Re: [sniffer]FP suggestions
The one issue with this I have is

1) Forward full original source to Sniffer with license code.

If we could do it without the license code, it would be much easier to automate on our end. I already have a process in place to copy and reroute false positives by rewriting the Q file. I'm hesitant to alter the message itself to add the license code. If we could authenticate the FP report via some other means it would help greatly. How about connecting IP instead?

Darin.

- Original Message -
From: Matt
To: Message Sniffer Community
Sent: Wednesday, June 07, 2006 12:59 AM
Subject: Re: [sniffer]FP suggestions

Pete,

Regarding suggestions for easing the reporting process, I would recommend the following possible modifications:

1) An E-mail submission tool similar to the one now, but replies would be automated
2) Send back links or rather an HTML form with checkboxes in an E-mail auto-response allowing one to block rules.
3) Make blocked rules automatic for the submitter, but throw them into a queue for manual review by Sniffer folk in order to determine whether the blocks should become applied to all rulebases.
4) Have automatic triggers that lower rule strengths based on users blocking rules regardless of direct Sniffer action.

The gist of this is to make it more point and click. The fact that you need full source is cumbersome, so the above recommendations seek ways to make the process easier for both the customer and for Sniffer while dealing with the need to send the full source. No direct customer interaction would be necessary in most cases, and you would have a queue full of items to review and make a determination about that customers have preened for you.

To the customer, the process would look like the following:

1) Forward full original source to Sniffer with license code.
2) Seconds later there would be an automated reply received in HTML format with a check box for every rule failed (or note that no active rules were found), a text box for optional comments, and submit button.
3) Customer checks the boxes for the rules he wants to block, adds notes in a text field if they feel like it, and they press submit. End of story.

You could also add a Web interface for this if you wanted to, but E-mail seems the most appropriate for most.

I don't think it would be beneficial to rehash a lot of things involving how FP's occur, at least on this list. I know from my system where my customers have single-click reprocessing capability, that they miss about 97% of all FP's either because they don't bother to do review, or they don't bother to reprocess anything but personal E-mail that may get blocked. I would imagine that Sniffer sees a similar rate of customer reported FP's due in part to the difficulty, and in part for the same reasons that relate to my own users.

The three biggest sources of false positives are obscure foreign domains/IP's, rules generated from bulk mailings that are too broadly targeted, and things reported to Sniffer that are advertising, but not spam. All three of these things are difficult and time consuming to deal with, particularly the last two.

Here's some stats for Sniffer FP's on my system going back about 15 months:

SNIFFER-GENERAL 283
SNIFFER-EXPERIMENTAL 167 * Excluded 79 FP's from bad rule event on 1/17 - 1/18/2006
SNIFFER-IP 61
SNIFFER-PHISHING 52
SNIFFER-GETRICH 29 * Excluded 115 FP's from bad rule event on 4/18 - 4/19/2006
SNIFFER-PHARMACY 25
SNIFFER-PORN 24
SNIFFER-TRAVEL 13
SNIFFER-INSURANCE 7
SNIFFER-OBFUSCATION 6
SNIFFER-DEBT 6
SNIFFER-MALWARE 4
SNIFFER-AVSOFT 3
SNIFFER-CASINO 2
SNIFFER-INK 1
SNIFFER-MEDIA 1
SNIFFER-SPAMWARE 0

It is quite notable how high the FP's are with SNIFFER-GENERAL which is where most bulk-mailers and customer reported spam rules are tagged. This is also what my numbers show even though my customers are much less likely to reprocess bulk mail, and of course they only reprocess a small fraction of my overall FP's. This is almost all customer reported stuff. I score SNIFFER-GENERAL at 53% of my Hold weight.

SNIFFER-IP is another standout. I only score SNIFFER-IP at 38% of my Hold weight and it hits less than 2% of all Sniffer hits, yet it scored comparably high so that is worth noting. The FP rate on SNIFFER-IP hasn't really changed since you made adjustments.

SNIFFER-EXPERIMENTAL is a top category that caught a lot of zombie spam which is important to many systems, but it did seem to have a high FP rate.

SNIFFER-PHISHING was worse for me until around January or February. It seemed to have a lot of FP's on security related newsletters and chain letters. I have mixed feelings about those things. Maybe more efforts on white rules would help with that stuff, and I'm not totally sure if it is appropriate to block chain letters even though I detest this stuff myself.

Most FP's do
Re: [sniffer]Re[2]: [sniffer]FP suggestions
Hi Pete,

Can I interpret this as email address and matching source IP are sufficient if the correct email address is used to submit? If not, do you have any suggestions on how you would like to see us inserting the license ID in the D file?

Darin.

- Original Message -
From: Pete McNeil [EMAIL PROTECTED]
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Wednesday, June 07, 2006 8:25 AM
Subject: [sniffer]Re[2]: [sniffer]FP suggestions

Hello Darin,

Wednesday, June 7, 2006, 7:31:29 AM, you wrote:

The one issue with this I have is 1) Forward full original source to Sniffer with license code. If we could do it without the license code, it would be much easier to automate on our end. I already have a process in place to copy and reroute false positives by rewriting the Q file. I'm hesitant to alter the message itself to add the license code. If we could authenticate the FP report via some other means it would help greatly. How about connecting IP instead?

At the moment that is how it's done: a combination of email address and source IP are matched with the license ID.

The reason we ask for the license ID is because folks submitting false positives occasionally forget that we authenticate on their registered email address and use some other address.

-- The rule is that if the system can't match the email address it should/may drop the message rather than evaluating it. We get a lot of spam and attempts to game the system at our false@ address... so when it's heavy we do drop messages that can't be properly identified.

However, in an effort to provide the best service possible, if the license ID is present and we have the time we will look to see if it could be a legit FP submission by researching the source and domain - and if we think it is likely to be legitimate we will process the FP and respond with an additional code reminding the submitter that they must use their registered email address or an authorized alias.
_M

--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.

# This message is sent to you because you are subscribed to the mailing list sniffer@sortmonster.com. To unsubscribe, E-mail to: [EMAIL PROTECTED] To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED] To switch to the INDEX mode, E-mail to [EMAIL PROTECTED] Send administrative queries to [EMAIL PROTECTED]
Re: [sniffer]FP suggestions
Oh, I assumed the rule had been removed. Are you saying there was a rule in place, but the FP processing somehow failed to find it? If so, I'd say that is a major failing on the part of the FP processing. There's no way that we can find time to go through the Sniffer logs after this bounces back with "no rule found". This would have to be automated to have any chance of occurring, but again I would say the FP processing needs to be corrected to identify the rule the message failed since the complete message, headers and body, are included in the report.

Darin.

- Original Message -
From: Scott Fisher
To: Message Sniffer Community
Sent: Wednesday, June 07, 2006 10:08 AM
Subject: Re: [sniffer]FP suggestions

For me the pain of false positives submissions is the research that happens when I get a "no rule found" return. I then need to find the queue-id of the original message and then find the appropriate Sniffer log and pull out the log lines from there and then submit it. Almost always in these cases, a rule is removed. If this process could be improved that would really be a time saver.
Re: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]FP suggestions
Awesome. Great job, Pete.

Darin.

- Original Message -
From: Pete McNeil [EMAIL PROTECTED]
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Wednesday, June 07, 2006 6:49 PM
Subject: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]FP suggestions

Hello Matt,

Wednesday, June 7, 2006, 4:22:05 PM, you wrote:

Pete, Since the %WEIGHT% variable is added by Declude, it might make sense to have a qualifier instead of making the values space delimited.

I don't want to mix delimiters... everything so far is using spaces, so it makes sense to continue that way IMO.

Errors in Declude could cause values to not be inserted, and not everyone will want to skip at a low weight. I haven't seen any bugs with %WEIGHT% since shortly after it was introduced, but you never know. I have seen some issues with other Declude inserted variables though.

Well, errors are always a possibility, but in this case it _should_ be reasonably safe. For example, if this is used to gate SNF, then a missing %WEIGHT% would result in trying to launch a program with the same name as the authentication string, and it is highly unlikely that would be found, so the result would be the program not found error code. That's not perfect because it's a nonzero result, but it is safe in that it is not likely to launch another program.

One other thing that I came across with the way that Declude calls external apps...you can't delimit the data with things like quotes. There is no mechanism for escaping a functional quote from a quote that should appear in the data that you pass to it...so don't use quotes as delimiters :)

Not a problem... I just whipped together a utility called WeightGate.exe that can be downloaded here (for now):

http://www.messagesniffer.com/Tools/WeightGate.exe

Suppose you wanted to use it in Declude to skip running SNF if your weight was already ridiculously low (perhaps white listed) or already so high that you want to save the extra cycles. Then you might do something like this:

SNF external nonzero c:\tool\WeightGate.exe -50 %WEIGHT% 30 c:\SNF\sniffer.exe authenticationxx 10 0

(hopefully that didn't wrap, and if it did you will know what I meant ;-)

To test this concept out you might first create a copy of WeightGate.exe called ShowMe.exe (case matters!) and then do something like this:

SNF external nonzero c:\tool\ShowMe.exe -50 %WEIGHT% 30 c:\SNF\sniffer.exe authenticationxx 10 0

The result of that would be the creation of a file c:\ShowMe.log that contained all of the parameters ShowMe.exe was called with -- that way you wouldn't have to guess if it was correct. ShowMe.exe ALWAYS returns zero, so this _should_ be safe ;-)

If you run WeightGate on the command line without parameters it will tell you all about itself and its alter ego ShowMe.exe. That description goes like this (I may fix the typo(s) later):

WeightGate.exe (C) 2006 ARM Research Labs, LLC.

This program is distributed AS-IS, with no warranty of any kind. You are welcome to use this program on your own systems or those that you directly support. Please do not redistribute this program except as noted above, however feel free to recommend this program to others if you wish and direct them to our web site where they can download it for themselves. Thanks! www.armresearch.com.

This program is most commonly used to control the activation of external test programs from within Declude (www.declude.com) based on the weigth that has been calculated thus far for a given message.

As an added feature, if you rename this program to ShowMe.exe then it will emit all of the command line arguments as it sees them to a file called c:\ShowMe.log so that you can use it as a debugging aid.

If you are seeing this message, you have used this program incorrectly. The correct invocation for this program is:

WeightGate low weight hight program arg 1, arg 2,... arg n

Where:
low = a number representing the lowest weight to run progra.
weight = a number representing the actual weight to evaluate.
high = a number representing the highest weight to run program.
program = the program to be activated if weight is in range.
arg 1, arg 2, ... arg n = arguments for program.

If weight is in the range [low,high] then WeightGate will run program and pass all of arg 1, arg 2,... arg n to it. Then WeightGate will collect the exit code of program and return it as WeightGate's exit code.

If WeightGate gets the wrong number of parameters it will display this message and return FAIL_SAFE (zero) as it's exit code.

If weight is not in range (less than low or greater than high) then WeightGate will NOT launch program and will return FAIL_SAFE (zero) as it's exit code.

As a deubgging aid, I was called with the following arguments:
arg[0] me = WeightGate

--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.
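The gating rule from the usage text above (run the program only when weight is within [low, high], pass its exit code through, otherwise return FAIL_SAFE), as an added Python re-implementation; it is not the WeightGate.exe tool. The stand-in command SELF_EXIT_7 and the choice to treat a non-numeric parameter (what an unexpanded %WEIGHT% produces once the arguments shift) as a bad invocation are this example's assumptions, not the tool's documented behaviour.

```python
"""Added example: WeightGate's gating logic in Python, not the tool itself.

Rules taken from the quoted usage text:
  * weight in [low, high]  -> run program with its arguments, return its exit code
  * wrong parameter count  -> return FAIL_SAFE (zero), launch nothing
  * weight out of range    -> return FAIL_SAFE (zero), launch nothing
Assumption of this example: a non-numeric low/weight/high (arguments shifted
because %WEIGHT% was not substituted) is also a bad invocation -> FAIL_SAFE.
"""
import subprocess
import sys

FAIL_SAFE = 0

# Constructed stand-in for "c:\SNF\sniffer.exe authenticationxx 10 0":
# a command that exits with code 7, so the exit-code pass-through is visible.
SELF_EXIT_7 = [sys.executable, "-c", "import sys; sys.exit(7)"]


def weight_gate(argv):
    """argv mirrors the tool's parameters: low weight high program arg1 ... argn."""
    if len(argv) < 4:
        return FAIL_SAFE            # wrong number of parameters: launch nothing
    try:
        low, weight, high = (int(x) for x in argv[:3])
    except ValueError:
        return FAIL_SAFE            # shifted or unexpanded arguments: launch nothing
    if not low <= weight <= high:
        return FAIL_SAFE            # weight out of range: skip the external test
    try:
        return subprocess.run(argv[3:]).returncode
    except OSError:
        return 127                  # program not found: nonzero, but nothing ran


if __name__ == "__main__":
    # Same shape as the Declude line in the thread, with a weight of 10
    # inside the -50..30 window; prints the wrapped program's exit code (7).
    print(weight_gate(["-50", "10", "30"] + SELF_EXIT_7))
```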
Re: [sniffer]Re[2]: [sniffer]FP suggestions
Unfortunately, by the time the message gets to us it is sometimes just different enough that the original pattern cannot be found. There are some folks who consistently have success, and some who occasionally have problems, and a few who always have a problem.

Different in what way? Is the mail client encoding differently in the forwarding process? If so, do you know what clients are altering the messages and how? If there's one that's better for this, we could always use it for forwarding since we currently send it to ourselves first, then forward. If we rewrite the Q file and queue directly from IMail, encoding shouldn't change, correct? If that avoids this issue, we could do that instead.

The best solution is to include the headers during the scan since they will travel with the message.

What do you mean? The XHDR? We would love that for several reasons, but Declude is not the same company anymore.

The next best is to automate matching the log entries with the message so they can be included with the submission (some do this to prevent the second trip).

Yeah, we'd have to automate it. I can't imagine taking the time to manually match for each occurrence of no rule found. Another item for the automation list.
Re: [sniffer]FP suggestions
Of course I'm sending the full message as an attachment. You can do that with Outlook by attaching an item, then browsing your mail folders for the message to attach. And yes, that's how you do it with Outlook Express as well. I don't use Thunderbird or Netscape mail, but I would assume you still need to attach the original message to avoid the headers being lost.

What I was referring to was a little more involved than that... namely the possibility of it not matching a rule because the attachment was encoded differently. For example, I've seen mail go through that base64 encoded an attached email that was not originally base64 encoded.

From Pete's responses, it sounded like "no rule found" really did mean no rule was matched. Especially since he has a separate code for "rule already removed". FPs we send are always from same day, or, at the very least, within 24 hours.

Darin.

- Original Message -
From: Matt
To: Message Sniffer Community
Sent: Wednesday, June 07, 2006 11:46 PM
Subject: Re: [sniffer]FP suggestions

Darin,

Outlook will strip many of the headers when forwarding. Outlook Express needs to forward the messages using "Forward As Attachment" in order to insert the full original headers. Thunderbird/Netscape Mail will work just by forwarding. If you paste the full source in a message, you should send as plain text.

I have many FP's that come back as having no rules found, but these are more likely to be from rules that were already removed. So I wouldn't jump to a conclusion that the rule was not found because of formatting unless you are not sending the full unadulterated original message source. I would imagine that it would mostly be IP rules that aren't found when not forwarding the full original source.

Matt

Darin Cox wrote:

It is unclear - we receive FPs that have traveled through all sorts of clients, quarantine systems, changed hands various numbers of times, or not (to all of those)... Right now I don't want to make that research project a high priority.

Understood.

That's true it wouldn't change, but submitting the message directly would not be correct - the dialogue is with you, and in any case, additional trips through the mail server also modify parts of the header and sometimes parts of the message (tag lines, disclaimers, etc)...

Hmmm... with attaching the original message, I guess it still makes more sense to deliver to us first for now. Just looking for an alternative that gets you the message as close as possible to the original form as possible. Maybe we'll write a script to copy and forward the D*.SMD file as an attachment to you for FPs at some point in the future.
[sniffer] Re: [sniffer][Fwd: Re: [sniffer]FP suggestions]
Thunderbird and Netscape just take the full original source and attach it as a message/rfc822 attachment. I forwarded this message back to the list by just pressing Forward.

Interesting that they include the headers with a simple forward, without specifying forward as attachment. I haven't ever seen that behaviour before in a mail client. Seems like a few forwards would create a very bloated message with all of the old headers.

I'm pretty sure that Outlook Express works simply by just pressing Forward As Attachment, or at least it gives me enough of the original, including the full headers, to determine how to block the spam.

Yes it does. However you've missed the point. The issue is not how to get the headers. It is how to keep an email client from encoding the message and headers differently, so that Sniffer can properly identify the rule that caught the message.

Please excuse me for wanting more detail about the Outlook attachment trick, but would you mind attaching this message to a response so that I could look at the headers and such?

Sorry, I don't use Outlook. But I can tell you the steps to take in Outlook 2003 (other versions are almost exactly the same). I have my Outlook users follow these with no problem.

1. Create a new email message
2. Click the arrow beside the paperclip icon, select item instead of file from the dropdown
3. Browse mailboxes from the popup dialog to select the message to attach.
4. Voilà, original message and headers attached.

There was a discussion about Outlook's behavior with Scott some time ago. Apparently Microsoft was pressured by customers to remove headers when forwarding because they felt that they were a security/privacy risk. No one told them that Outlook was a security/privacy risk on its own :) ...but that's another story. I would probably feel different if I had the need for groupware though, but digs at Microsoft are irresistible sometimes.

I don't remember that discussion, and am not sure we're talking about the same thing. If you attach the original message via the steps above, you get the full original message, headers and body. We have a number of customers who send spam reports this way, mostly on Outlook 2002 and 2003.

Darin
[sniffer] Re: New purchase question
We zip ours nightly and save for 30 days just to make sure we don't miss anything in reviewing the hold queue. In practice, a week may be enough, but two is probably preferable.

Darin.

- Original Message -
From: Phillip Cohen [EMAIL PROTECTED]
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Thursday, June 15, 2006 5:00 PM
Subject: [sniffer] Re: New purchase question

Roger,

Thanks for the info, that is a good way to deal with the mass spam storage. Do you ever have the requirement to go back through the SPAM that you have saved? How long do you save it and do you just delete it after a certain date? How do your clients ask you or what do you do to retrieve a possible real message that might have been considered spam? If sniffer never makes a false positive I guess it is no big deal just to delete the spam, but on the rare chance there are false positives I would sure hate to delete an important message.

This mail server supports about 60 domains so having all of the spam in one folder is a bit of a mess. VOPMAIL allows for individual mailbox agents so I guess somehow I could have a bat file for each user or pass parameters to a bat file, but I hate to think about that one. Going through each mailbox on the server to enter the agent commands will be a real pain timewise.

Wondering what other VOPMAIL users do out there if there are any of us left.

Phil

At 12:14 PM 6/15/2006, you wrote:

This is how I do it, although there may be better ways. I create a scheduled task to run a batch file called spam.cmd that runs from within the spam folder. This copies the spam caught that day into a dated folder. That way I can delete old spam, and keep the folder organized. This seems to work well with imail, but there are probably better ways out there.

Here is my batch file

REM This portion gets the date (DATE /T prints e.g. "Thu 06/15/2006"; tokens 2-4 split on "/" and space)
REM The quotes around the FOR options and the name of the year variable were lost in the archive; restored here as YY
FOR /F "TOKENS=2-4 DELIMS=/ " %%F IN ('DATE /T') DO (
  SET MM=%%F
  SET DD=%%G
  SET YY=%%H
)
REM This portion creates a folder with todays date MM-DD-YY
mkdir %MM%-%DD%-%YY%
REM moves the current files into the dated folder.
move *.smd .\%MM%-%DD%-%YY%\
move *.GSE .\%MM%-%DD%-%YY%\

Hope that's of help.

Roger
[sniffer] Re: Lot of stock spam getting through....
Great job, Pete! And thanks for all of your efforts to simultaneously increase the catch rate and decrease the FP rate.

Darin.

- Original Message -
From: Pete McNeil [EMAIL PROTECTED]
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Friday, July 07, 2006 11:11 AM
Subject: [sniffer] Re: Lot of stock spam getting through

Hello Chuck,

Friday, July 7, 2006, 10:48:28 AM, you wrote:

We are seeing a lot of stock spam that is only a picture image getting through sniffer.

I had a big fight with one like that all last night -- there are some unusual characters in the message that made it hard to filter and it took some time to do the analysis (picking through them with a hex editor). I think these are handled now (as of about 0400e this morning) as I don't have any getting through spamtraps at the moment. I will look into it again.

_M

--
Pete McNeil
Chief Scientist, Arm Research Labs, LLC.
[sniffer] Paypal failing SNIFFER-GENERAL
FYI... I just reported one of these, so watch out.

Darin.
[sniffer] Re: Paypal failing SNIFFER-GENERAL
Hi Pete,

I'm not sure which column is which, but here are the log lines for the message (minus the authorization code):

20060823163449 D83a20d3001502962.SMD 0 32 Match 1100444 60 1502 1551 98
20060823163449 D83a20d3001502962.SMD 0 32 Final 1100444 60 0 3798 98

The FP was submitted at 1:34pm ET.

Darin.

- Original Message -
From: Pete McNeil [EMAIL PROTECTED]
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Wednesday, August 23, 2006 2:22 PM
Subject: [sniffer] Re: Paypal failing SNIFFER-GENERAL

Hello Darin,

I may be behind... but I don't see an FP report on this. Do you have the rule id?

_M

Wednesday, August 23, 2006, 1:36:08 PM, you wrote:

FYI... I just reported one of these, so watch out. Darin.

--
Pete McNeil
Chief Scientist, Arm Research Labs, LLC.
[sniffer] Significant increase in false positives
Anyone else seeing a sudden increase in FPs? We normally report a few each day, but we're seeing a 10x increase in FPs for the past three days.

Darin.
[sniffer] Re: Significant increase in false positives
We see this occasionally with Declude 1.82. What version are you running?

Darin.

- Original Message -
From: Herb Guenther
To: Message Sniffer Community
Sent: Monday, October 16, 2006 5:35 PM
Subject: [sniffer] Re: Significant increase in false positives

Hi Darin;

Not seeing a lot of false pos messages, but there are lots of spam messages sneaking through our system because declude is not modifying the header correctly. It is adding a header stub to the bottom of the message so that users' mail client filters which look for the modified subject line are not working. Anyone else having that issue?

Herb

Darin Cox wrote:

Anyone else seeing a sudden increase in FPs? We normally report a few each day, but we're seeing a 10x increase in FPs for the past three days. Darin.

--
Herb Guenther
Lanex, LLC
www.lanex.com
(262)789-0966x102 Office
(262)780-0424 Direct

This e-mail is confidential and is for the use of the intended recipient(s) only. If you are not an intended recipient please advise us of our error by return e-mail then delete this e-mail and any attached files. You may not copy, disclose or use the contents in any way.
[sniffer] Re: Declude header not modified correctly
Ping them on the Declude list for the lack of response, and CC David Barker for a response. He seems to be the best means of getting results these days.

What version are you running? Understandably you'll only get a response if you're running the latest 3.x or 4.x, as older versions are no longer supported.

Darin.

- Original Message -
From: Herb Guenther
To: Message Sniffer Community
Sent: Monday, October 16, 2006 5:58 PM
Subject: [sniffer] Re: Declude header not modified correctly

It is frustrating because sniffer is catching them and they are not getting marked so they still end up in the ol inbox. Have opened some tickets at declude a few times and never got a response. So no one has a magic bullet on this one?

Herb

Kami Razvan wrote:

We see that a lot too.. we run 2.14

Kami

From: Message Sniffer Community [mailto:sniffer@sortmonster.com] On Behalf Of Darin Cox
Sent: Monday, October 16, 2006 5:44 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Significant increase in false positives

We see this occasionally with Declude 1.82. What version are you running?

Darin.

- Original Message -
From: Herb Guenther
To: Message Sniffer Community
Sent: Monday, October 16, 2006 5:35 PM
Subject: [sniffer] Re: Significant increase in false positives

Hi Darin;

Not seeing a lot of false pos messages, but there are lots of spam messages sneaking through our system because declude is not modifying the header correctly. It is adding a header stub to the bottom of the message so that users' mail client filters which look for the modified subject line are not working. Anyone else having that issue?

Herb

--
Herb Guenther
Lanex, LLC
www.lanex.com
(262)789-0966x102 Office
(262)780-0424 Direct
[sniffer] Re: Significant increase in false positives
Ahh... good. The first thing they'll probably tell you is to update to the latest 4.x version, see if the problem persists, then re-report it.

Darin.

- Original Message -
From: Herb Guenther
To: Message Sniffer Community
Sent: Monday, October 16, 2006 5:51 PM
Subject: [sniffer] Re: Significant increase in false positives

Not sure, this is what my declude diags.txt says:

Declude 4.1.0 Diagnostics
Compilation Platform: SmarterMail
Copyright (c) 2000-2005 Declude, Inc.

Herb

Darin Cox wrote:

We see this occasionally with Declude 1.82. What version are you running? Darin.

- Original Message -
From: Herb Guenther
To: Message Sniffer Community
Sent: Monday, October 16, 2006 5:35 PM
Subject: [sniffer] Re: Significant increase in false positives

Hi Darin; Not seeing a lot of false pos messages, but there are lots of spam messages sneaking through our system because declude is not modifying the header correctly. It is adding a header stub to the bottom of the message so that users' mail client filters which look for the modified subject line are not working. Anyone else having that issue? Herb

Darin Cox wrote: Anyone else seeing a sudden increase in FPs? We normally report a few each day, but we're seeing a 10x increase in FPs for the past three days. Darin.

--
Herb Guenther
Lanex, LLC
www.lanex.com
(262)789-0966x102 Office
(262)780-0424 Direct
[sniffer] Re: Significant increase in false positives
For us, it doesn't calculate the proper weight when this happens, and only acts on the weight seen in the topmost headers. One of these years I'll finally exercise the right to use our 4.x license, I just don't have time for new problems at this point.

Darin.

- Original Message -
From: Robert Grosshandler
To: Message Sniffer Community
Sent: Monday, October 16, 2006 5:57 PM
Subject: [sniffer] Re: Significant increase in false positives

That's been a problem for a long time, but for us, it still treats that e-mail as spam, with the appropriate weight. 100% of the time if Declude does that, the e-mail is beyond our delete weight.

Rob

From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Herb Guenther
Sent: Monday, October 16, 2006 4:35 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Significant increase in false positives

Hi Darin;

Not seeing a lot of false pos messages, but there are lots of spam messages sneaking through our system because declude is not modifying the header correctly. It is adding a header stub to the bottom of the message so that users' mail client filters which look for the modified subject line are not working. Anyone else having that issue?

Herb

Darin Cox wrote:

Anyone else seeing a sudden increase in FPs? We normally report a few each day, but we're seeing a 10x increase in FPs for the past three days. Darin.

--
Herb Guenther
Lanex, LLC
www.lanex.com
(262)789-0966x102 Office
(262)780-0424 Direct
[sniffer] Re: Significant increase in false positives
Hi Pete,

I haven't looked at the Sniffer logs, as cross referencing from the Declude logs is a bit of a pain, but many of the FPs did have images, so that probably accounts for most of them if it was an Experimental rule.

Darin.

- Original Message -
From: Pete McNeil
To: Message Sniffer Community
Sent: Monday, October 16, 2006 8:46 PM
Subject: [sniffer] Re: Significant increase in false positives

Hello Darin,

Monday, October 16, 2006, 5:17:26 PM, you wrote:

Anyone else seeing a sudden increase in FPs? We normally report a few each day, but we're seeing a 10x increase in FPs for the past three days.

Not sure if this is it, but there was an image segment rule that went in over the weekend and resulted in an unusual number of false positives today. The rule was removed. IIRC the rule id was: 1174356

Hope this helps,

_M

--
Pete McNeil
Chief Scientist, Arm Research Labs, LLC.
[sniffer] Re: Significant increase in false positives
Hi Matt,

I know Pete has requested this in the past, but Declude hasn't been willing to make the change necessary for this to make it in the headers. But I totally agree with you, I'd love to see this in the headers so tracking down the rule isn't such a pain.

Darin.

- Original Message -
From: Matt
To: Message Sniffer Community
Sent: Monday, October 16, 2006 10:03 PM
Subject: [sniffer] Re: Significant increase in false positives

Pete,

Would you please clarify this a bit. Declude of course doesn't record the rule in the headers, so this is difficult to figure out. Knowing the pattern may help identify the problematic messages. Also knowing the start time and end time of the rule would also help.

It would be nice too if you talked with Declude about allowing for the insertion of headers, or even if you did this on your own. I believe the D* file may be editable when the external app is launched. That would make recovery of this so much easier for me (minutes instead of hours of work).

Thanks,

Matt

Pete McNeil wrote:

Hello Darin, Monday, October 16, 2006, 5:17:26 PM, you wrote: Anyone else seeing a sudden increase in FPs? We normally report a few each day, but we're seeing a 10x increase in FPs for the past three days. Not sure if this is it, but there was an image segment rule that went in over the weekend and resulted in an unusual number of false positives today. The rule was removed. IIRC the rule id was: 1174356 Hope this helps, _M

--
Pete McNeil
Chief Scientist, Arm Research Labs, LLC.
[sniffer] Re: Significant increase in false positives
Hi Pete,

Can you clarify what this .xhdr option is and how we can enable it? I don't remember anything in the documentation that describes it. I think there were references to the config file previously, but there was never anything about it in mine. If you could give an example of how to enable and use the info it would be greatly appreciated.

Darin.

- Original Message -
From: Pete McNeil
To: Message Sniffer Community
Sent: Monday, October 16, 2006 11:13 PM
Subject: [sniffer] Re: Significant increase in false positives

Hello Matt,

Monday, October 16, 2006, 10:03:04 PM, you wrote:

Pete, Would you please clarify this a bit. Declude of course doesn't record the rule in the headers, so this is difficult to figure out. Knowing the pattern may help identify the problematic messages. Also knowing the start time and end time of the rule would also help.

The rule was coded for a binary segment in an image file. Here is the rule information:

Rule: 1174356
Name: image spam binary segment as text !1AQaq"2
Created: 2006-10-14
Source: !1AQaq"2
Hidden: false
Blocked: false
Origin: Spam Trap
Type: Simple Text
Created By: [EMAIL PROTECTED]
Owner: [EMAIL PROTECTED]
Strength: 3.20638481603822
False Reports: 11
From Users: 7
Rule belongs to following groups: [252] Problematic

I removed the rule as soon as we began receiving reports - about mid-day today.

It would be nice too if you talked with Declude about allowing for the insertion of headers, or even if you did this on your own. I believe the D* file may be editable when the external app is launched. That would make recovery of this so much easier for me (minutes instead of hours of work).

I have discussed this with Declude and I am hopeful that we will have better integration w/ Declude some time in the future.

In the mean time, our next version will include a feature to inject headers into message files. Understand, however, that this is an expensive feature that will substantially increase the I/O requirements on any mail server.

Injecting headers requires that the entire message file must be written to disk an additional time. This is not a small consideration -- where once most spam were tiny text/html files (often less than 5K), today's image spam variants are frequently 5 to 10 times the size of the old spam we used to know.

Also - note that this kind of thing can be very buggy on Winx systems -- sometimes changes to files are not reflected immediately between processes. For example, rename operations are not atomic - so when the old message file is deleted and the new version is renamed from its temp file to the original message file name, other Winx processes that depend on that file may not respond reliably.

For all of these reasons and more I've probably not thought of - this feature will be a "use at your own risk / YMMV" option.

All that said, there is an existing option in the current version of SNF to produce a .xhdr file for each message. This option is frequently used in *nix systems that use SNF. It would be possible to write a short utility (perhaps even a script) that would modify quarantined messages out-of-band to include the contents of the .xhdr file as X- headers. Such a utility is not currently on our development list, however, and I hallucinate that such a device would tend to evolve into something somewhat system specific.

The best option would be for Declude to add a feature that picks up x-headers created by external programs (perhaps in files named message-file-name.xhdr) so that they can be added in a single message rewrite along with the headers that Declude already adds. This would solve the I/O problems and standardize the mechanism for any other external programs that might wish to add headers.

Hope this helps,

_M

--
Pete McNeil
Chief Scientist, Arm Research Labs, LLC.
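One way the out-of-band utility Pete describes could look, as an added example that is not SNF or Declude code: it appends the .xhdr contents to the message's header block (not to the bottom of the file, which is the Declude misbehaviour discussed earlier in this thread) and swaps the rewritten file in through a temp file, which is the second full write Pete warns about. The .xhdr layout (finished X- header lines, one per field, folded continuations allowed), the sidecar name message-file-name.xhdr, and the sample message and header names are assumptions for illustration, not the real SNF format.

```python
import os
import re
import tempfile
from pathlib import Path

# An RFC 5322 field name (printable US-ASCII except ':') followed by the colon.
HEADER_LINE = re.compile(rb"^[!-9;-~]+:")


def split_message(raw: bytes):
    """Return (header_block, body, newline, has_separator).

    The header block ends at the first empty line and keeps its trailing newline.
    That boundary is where added headers belong; a stamp at the bottom of the
    file is body text to every mail client.
    """
    nl = b"\r\n" if b"\r\n" in raw else b"\n"
    sep = raw.find(nl + nl)
    if sep == -1:
        headers = raw if raw.endswith(nl) else raw + nl
        return headers, b"", nl, False
    return raw[:sep + len(nl)], raw[sep + 2 * len(nl):], nl, True


def parse_xhdr(xhdr: bytes) -> list:
    """Validate .xhdr contents; return one bytes entry per header field.

    Folded continuation lines (leading space or tab) stay attached to their
    field, joined with a bare LF until merge() applies the message's newline.
    Anything that is not header syntax is refused instead of spliced in, since
    one bad line would end the header block early.
    """
    fields = []
    for line in xhdr.splitlines():
        if not line.strip():
            continue
        if HEADER_LINE.match(line):
            fields.append(line)
        elif line[:1] in (b" ", b"\t") and fields:
            fields[-1] += b"\n" + line
        else:
            raise ValueError("not a header line: %r" % line)
    return fields


def merge(raw: bytes, xhdr: bytes):
    """Return (new_message, count) with the .xhdr fields appended to the header block."""
    headers, body, nl, has_sep = split_message(raw)
    fields = parse_xhdr(xhdr)
    added = b"".join(f.replace(b"\n", nl) + nl for f in fields)
    if has_sep:
        return headers + added + nl + body, len(fields)
    return headers + added, len(fields)


def inject_xhdr(msg_path: Path, xhdr_path: Path) -> int:
    """Rewrite msg_path with the headers from xhdr_path; return how many were added.

    The whole message is written a second time (Pete's I/O cost). The copy goes
    to a temp file in the same directory and is swapped in with os.replace():
    atomic on POSIX, while on Windows the swap can fail if another process still
    holds the message open, so the original is left intact rather than half-written.
    """
    new_raw, count = merge(msg_path.read_bytes(), xhdr_path.read_bytes())
    fd, tmp_name = tempfile.mkstemp(prefix=msg_path.name + ".", dir=str(msg_path.parent))
    try:
        with os.fdopen(fd, "wb") as tmp:
            tmp.write(new_raw)
            tmp.flush()
            os.fsync(tmp.fileno())
        os.replace(tmp_name, str(msg_path))
    except BaseException:
        os.unlink(tmp_name)
        raise
    return count


def demo() -> dict:
    """Constructed sample: a CRLF message plus a two-field .xhdr, merged in a temp dir."""
    work = Path(tempfile.mkdtemp())
    msg = work / "D83a20d3001502962.SMD"  # message file name from the thread's log lines
    msg.write_bytes(
        b"Received: from mx.example.invalid\r\n"
        b"From: sender@example.invalid\r\n"
        b"Subject: constructed sample\r\n"
        b"\r\n"
        b"Body line 1\r\n"
        b"Body line 2\r\n"
    )
    # Sidecar named message-file-name.xhdr as Pete suggests; the header names and
    # LF line endings are assumptions, not the real SNF .xhdr format.
    xhdr = work / (msg.name + ".xhdr")
    xhdr.write_bytes(
        b"X-SNF-Result: Match\n"
        b"X-SNF-Rule: 1174356\n"
        b" (image spam binary segment; rule removed 2006-10-16)\n"
    )
    count = inject_xhdr(msg, xhdr)
    head, _, body = msg.read_bytes().partition(b"\r\n\r\n")
    return {"count": count, "header_block": head.split(b"\r\n"), "body": body}
```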
[sniffer] Re: Significant increase in false positives
Hi Pete,

You're exactly right, but we often get spoiled by the high quality of your detection rate. It's easy to expect perfection when it means less work for us <g>. Thanks for all you do to keep the quality so high.

Darin.

- Original Message -
From: Pete McNeil
To: Message Sniffer Community
Sent: Tuesday, October 17, 2006 8:42 AM
Subject: [sniffer] Re: Significant increase in false positives

Hello Computer,

Monday, October 16, 2006, 11:09:03 PM, you wrote:

Dear Pete, Sniffer blocked 35,000 messages today, and roughly 7200 of them were blocked by the 1174356 rule. Do you think many of these were false positives? Do you know a way of searching through 35,000 Imail messages to find the FP's? What would you suggest in this situation.

This was not a bad-rule alert or rule-panic situation. Most of these messages were probably NOT false positives. The rule does have a higher rate than is acceptable (so it was dropped), but it doesn't catch every message with an image, and it does catch primarily image spam.

If I felt strongly about researching this there would be 7200 to look through (not 35000) and I would probably only look through those that failed no other tests or were below some very low weight threshold otherwise - that would probably bring the number down into a range of 100 messages (based on what I've seen reported).

[ Educated guess items: 80% of content is usually spam. On weekends this number is higher. This weekend there were some new, aggressive image spam campaigns - so the number of spam captured by a rule like this would be higher than normal rather than lower. The rule was essentially in place only during the weekend and only received FP reports late Sun through early Mon and some systems have reported no discernible increase in false positives during this period. 20% of 7200 is close to 150, so the conservative number likely not to be spam in that group is less than that (due to the weekend) so approximately 100 seems reasonable. If there are FPs then it is likely they failed no other tests. ]

Hope this helps,

_M

--
Pete McNeil
Chief Scientist, Arm Research Labs, LLC.
[sniffer] Re: Increase in spam
We saw a sudden ~50% increase on July 16th, but only fluctuations and moderate growth since then. On weekdays we're now at 80% spam, 95% or better on weekends.

Darin.

- Original Message -
From: Pete McNeil [EMAIL PROTECTED]
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Wednesday, October 18, 2006 9:23 AM
Subject: [sniffer] Re: Increase in spam

Hello K,

Wednesday, October 18, 2006, 8:52:17 AM, you wrote:

I've been seeing a massive increase in spam over the last 2 days getting through with minimal scores. Could this be due to the drawback of the filter involved with false positives, or something else?

It's hard to pin down, but not likely to be the pulled rule. We have seen a relative increase in new spam campaigns over the past 2 days preceded by a lull. That may be what you're noticing. I've attached a graph to illustrate.

_M

--
Pete McNeil
Chief Scientist, Arm Research Labs, LLC.
[sniffer] Re: Declude header not modified correctly
I have an active SA. I've sent support requests twice in the past few months to support@ and have gotten no response.

Darin.

- Original Message -
From: Computer House Support [EMAIL PROTECTED]
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Wednesday, October 25, 2006 9:11 AM
Subject: [sniffer] Re: Declude header not modified correctly

David Waller wrote:

they don't respond to support emails from this registered user...

Dear David,

I am curious to know if you have an active Service Agreement with Declude? Among the hundreds of vendors that I deal with, I found their support to be one of the best. I seldom wait more than an hour for a response.

Michael Stein
Computer House
[sniffer] Re: Declude header not modified correctly
David Barker has also been good about responding, but that's not the issue. We should be able to go through standard support channels instead of having to remember to redirect support requests to alternative personnel.

Darin.

- Original Message -
From: Computer House Support
To: Message Sniffer Community
Sent: Wednesday, October 25, 2006 11:15 AM
Subject: [sniffer] Re: Declude header not modified correctly

Dear Sniffer Folks,

As I mentioned in a previous post, we have been very happy with the response from Declude Tech Support. Feel free to use this E-mail address if you need help: [EMAIL PROTECTED]

Linda has been very good at responding, and she has given permission for me to post her address here.

Michael Stein
Computer House

- Original Message -
From: Herb Guenther
To: Message Sniffer Community
Sent: Wednesday, October 25, 2006 10:06 AM
Subject: [sniffer] Re: Declude header not modified correctly

I have an active SA, I sent in some service requests and got a ticket number by return email, never a follow up. Then called in and a chap named Chris Asaro fixed the settings on our account so that I could download the correct version and was quite helpful with that. However, that does not solve the problem and all emails of examples and requests for status since 10/18/06 have gone unanswered.

So, basically their answer was install the latest version, and beyond that nothing, not even a reply or a "we are working on it and will have something to try on X". Our users are seeing hundreds of spam messages unmarked in their email boxes a day, and of course want to know why when it is identified as spam they are still getting it. I personally know that this has been an issue for at least a year. If I were a spammer I would sure code my emails to exploit this.

Anyway, have used Declude for about 5 years as I recall and getting kind of to the end of the line.

I also spent some time yet again on their web site, and do not see a discussion board or anything to discuss this issue there vs here.

Herb

Darin Cox wrote:

I have an active SA. I've sent support requests twice in the past few months to support@ and have gotten no response. Darin.

- Original Message -
From: "Computer House Support" [EMAIL PROTECTED]
To: "Message Sniffer Community" sniffer@sortmonster.com
Sent: Wednesday, October 25, 2006 9:11 AM
Subject: [sniffer] Re: Declude header not modified correctly

David Waller wrote: they don't respond to support emails from this registered user...

Dear David, I am curious to know if you have an active Service Agreement with Declude? Among the hundreds of vendors that I deal with, I found their support to be one of the best. I seldom wait more than an hour for a response.

Michael Stein
Computer House

--
Herb Guenther
Lanex, LLC
www.lanex.com
(262)789-0966x102 Office
(262)780-0424 Direct
[sniffer] Re: Declude List
Nope... list is still active. If you're having trouble, I would suggest calling Declude.

Darin.

- Original Message -
From: Steve Oren [EMAIL PROTECTED]
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Friday, November 03, 2006 1:48 PM
Subject: [sniffer] Re: Declude List

This list seems broken? Anyone still getting mail from the Declude Junkmail list? When you send mail to [EMAIL PROTECTED], you get this:

Unknown user: [EMAIL PROTECTED]
RCPT TO generated following response:
550 Recipient not in route list.

Herb Guenther wrote:

Thanks Andy; I appreciate the info.

Herb

Andy Schmidt wrote:

Hi, for discussions on Declude, you need to subscribe to Declude.Junkmail or Declude.Virus at [EMAIL PROTECTED]

Here's their standard trailer line:

This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com/.

Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Herb Guenther
Sent: Wednesday, October 25, 2006 10:06 AM
To: Message Sniffer Community
Subject: [sniffer] Re: Declude header not modified correctly

I have an active SA, I sent in some service requests and got a ticket number by return email, never a follow up. Then called in and a chap named Chris Asaro fixed the settings on our account so that I could download the correct version and was quite helpful with that. However, that does not solve the problem and all emails of examples and requests for status since 10/18/06 have gone unanswered. So, basically their answer was install the latest version, and beyond that nothing, not even a reply or a "we are working on it and will have something to try on X".

Our users are seeing hundreds of spam messages unmarked in their email boxes a day, and of course want to know why when it is identified as spam they are still getting it. I personally know that this has been an issue for at least a year. If I were a spammer I would sure code my emails to exploit this. Anyway, have used Declude for about 5 years as I recall and getting kind of to the end of the line. I also spent some time yet again on their web site, and do not see a discussion board or anything to discuss this issue there vs here.

Herb

--
Herb Guenther
Lanex, LLC
www.lanex.com
(262)789-0966x102 Office
(262)780-0424 Direct

--
Best Regards,
Steve Oren
President
ServerSide, Inc.
317-596-5000 voice
317-596-5010 fax
888-682-2544 toll free
www.serverside.net
[sniffer] Re: FTP server / firewall issues - Resolved.
Hi Pete,

Why the change? FTP is more efficient for transferring files than HTTP. Can we request longer support for FTP to allow adequate time for everyone to schedule, test, and make the change?

I remember trying HTTP initially when this was set up, but it wasn't working reliably, plus FTP is more efficient, so we went that way. wget may work better when we have time to try it.

Also, what's this about gzip? Is the rulebase being changed to a .gz file? Compression is a good move to reduce bandwidth, but can we put in a plug for a standard zipfile?

Do you have scripts already written to handle downloads the way you want them now? If so, how about a link?

Darin.

- Original Message -
From: Pete McNeil [EMAIL PROTECTED]
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Friday, January 05, 2007 4:39 PM
Subject: [sniffer] FTP server / firewall issues - Resolved.

Hello Sniffer Folks,

The firewall issues we were having with our new delivery server appear to have been resolved. I am showing good traffic via FTP at this time. Normal ftp access for log uploads and SNF rulebase downloads via www.sortmonster.net / ftp.sortmonster.net should work correctly now.

Note that FTP downloads of SNF rulebases are deprecated. If you are using FTP to download your rulebase files you should switch to using http w/ gzip as soon as practical. FTP access to SNF rulebase files will continue for a time but support may be removed without notice in the future. It's a safe bet that FTP access for SNF rulebase files will remain functional through the end of this month however.

Thanks!

_M

--
Pete McNeil
Chief Scientist, Arm Research Labs, LLC.
[sniffer] Re: FTP server / firewall issues - Resolved.
Hi Matt,

Hmmm you're right. I have heard of FTP configuration issues through some firewalls, though I haven't seen the problem myself. Good point. Thanks for commenting. And yes, the compression (though it's not being used now) would obviously be of significant benefit.

Darin.

- Original Message -
From: Matt
To: Message Sniffer Community
Sent: Friday, January 05, 2007 11:48 PM
Subject: [sniffer] Re: FTP server / firewall issues - Resolved.

Darin,

There are many people with firewall or client configuration issues that cause problems with FTP, however HTTP rarely experiences issues and is definitely easier to support. As far as efficiency goes, since the rulebases will all be zipped, there is little to be gained from on-the-fly improvements to FTP (and there are some for HTTP as well). In such a case, I would consider it to be effectively a wash, nothing gained, nothing lost (measurably).

Matt

Darin Cox wrote:

Thanks, Pete. Appreciate you taking the time to explain what's happening in more detail. I'm curious as to why FTP is more difficult than HTTP to debug, deploy, secure, and scale, though. I tend to think of them on equal footing, with the exception of FTP being faster and more efficient to transfer files in my experience. Thanks for the link to save some time. Much appreciated.

Darin.

- Original Message -
From: Pete McNeil [EMAIL PROTECTED]
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Friday, January 05, 2007 9:47 PM
Subject: [sniffer] Re: FTP server / firewall issues - Resolved.

Hello Darin,

Friday, January 5, 2007, 6:23:22 PM, you wrote:

Hi Pete, Why the change?

Many reasons. HTTP is simpler to deploy and debug, simpler to scale, less of a security problem, etc... Also, the vast majority of folks get their rulebase files from us with HTTP - probably for many of the reasons I mentioned above.

FTP is more efficient for transferring files than HTTP.

Not necessarily ;-)

Can we request longer support for FTP to allow adequate time for everyone to schedule, test, and make the change?

I'm not in a hurry to turn it off at this point, but I do want to put it out there that it will be turned off.

I remember trying dHTTP initially when this was set up, but it wasn't working reliably, plus FTP is more efficient, so we went that way. wget may work better when we have time to try it. Also, what's this about gzip? Is the rulebase being changed to a .gz file? Compression is a good move to reduce bandwidth, but can we put in a plug for a standard zipfile?

Gzip is widely deployed and an open standard on all of the platforms we support. We're not moving to a compressed file -- the plan is to change the scanning engine and the rulebase binary format to allow for incremental updates before too long - so for now we will keep the file format as it is. Apache easily compresses files on the fly when the connecting client can support a compressed format. The combination of wget and gzip handle this task nicely. As a result, most achieve the benefits of compression during transit almost automatically.

Do you have scripts already written to handle downloads the way you want them now? If so, how about a link?

We have many scripts on our web site: http://kb.armresearch.com/index.php?title=Message_Sniffer.TechnicalDetails.AutoUpdates

My personal favorite is: http://www.sortmonster.com/MessageSniffer/Help/UserScripts/ImailSnifferUpdateTools.zip

I like it because it's complete as it is, deploys in minutes with little effort, generally folks have no trouble achieving the same results, and an analog of the same script is usable on *nix systems where wget and gzip are generally already installed. There are others of course.

Hope this helps,

_M
[sniffer] Re: Spam
Fortunately with Outlook Express we have the Ctrl-W function to initiate the forwarding process. Then we can just type in the first few characters of the address and hit Alt-S to send. Not as quick as a single button, but much quicker than Outlook without this toolbar. Takes me about 4 seconds per message.

Darin.

- Original Message -
From: Bonno Bloksma
To: Message Sniffer Community
Sent: Wednesday, May 30, 2007 2:09 AM
Subject: [sniffer] Re: Spam

Hi,

I recommend SpamSource, if you are an Outlook user. It's a little toolbar applet that you can configure any recipient of the forwarded spam and it will include all the original mail headers - just the way Sniffer, []

It is a wonderful tool! Thanks Andy. Nobody pays us for our work of reporting not cached messages. The Sniffer staff should offer for free to our community this tool ;-)

Hmmm, if they do I would love to have it for Outlook Express as well. It seems a great tool, especially now that we see a lot of missed spam. It would be great if I had a tool to deploy on all staff PC's where we use Outlook Express mostly (ca. 90%).

One other thing that would be nice if IMail webinterface had a way to forward spam with all information intact.

Kind regards,

Bonno Bloksma
head of systems administration
tio hogeschool hotelmanagement en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl
[sniffer] Re: July 18
There have been a lot reported today. It started for us about 8:30am. We use Declude and added a filter to catch messages with subjects starting with "Emailing:", ending with ".pdf" and having a body containing "The message is ready to be sent with the following file or link". This combination may result in false positives, but has not for us today. The headers appear too varied to identify anything in them for use in the filtering process.

Darin.

- Original Message -
From: [EMAIL PROTECTED]
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Wednesday, July 18, 2007 3:38 PM
Subject: [sniffer] July 18

Not sure what is up but I'm seeing lots of messages getting through to my primary folder since yesterday. Lots of .pdf attachments - Just checked and 10/11 were spam messages in my inbox.

Thanks,
Greg
CoffeyNet/AllureTech
v 307-473-2323
1546 E. Burlington
cell 307-259-7962
Casper, WY 82601
fax 307-237-3709
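Darin's three-condition filter for this PDF wave, as an added example that is not the list's or Declude's code: it parses a message with Python's standard email module and reports each condition separately, so an operator can weight the combination rather than hard-block on it. That matters for the false-positive risk Darin mentions: the body phrase is the default text Windows inserts when a user does "Send To > Mail Recipient", so legitimate mail can match all three. The two sample messages are constructed.

```python
"""Three-condition filter for the July 2007 PDF spam wave.

Added example, not Declude filter syntax or anything from the list.
Conditions (from Darin's post): Subject starts with "Emailing:",
Subject ends with ".pdf", body contains the "ready to be sent" phrase.
Sample messages below are constructed.
"""
import email
from email import policy
from email.message import EmailMessage

SUBJECT_PREFIX = "emailing:"
SUBJECT_SUFFIX = ".pdf"
BODY_PHRASE = "the message is ready to be sent with the following file or link"


def _text_body(msg: EmailMessage) -> str:
    """Concatenate decoded text/* parts; attachments (the PDF itself) are skipped."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text" and not part.is_attachment():
            chunks.append(part.get_content())
    return "\n".join(chunks)


def campaign_conditions(raw: bytes) -> dict:
    """Evaluate each of the three conditions on its own (case-insensitive)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject") or "").strip().lower()
    body = _text_body(msg).lower()
    return {
        "subject_prefix": subject.startswith(SUBJECT_PREFIX),
        "subject_suffix": subject.endswith(SUBJECT_SUFFIX),
        "body_phrase": BODY_PHRASE in body,
    }


def is_pdf_campaign(raw: bytes) -> bool:
    """The filter fires only on the AND of all three, as Darin describes it."""
    return all(campaign_conditions(raw).values())


# Constructed sample resembling the campaign (addresses are placeholders).
SPAM_SAMPLE = b"""From: someone@example.invalid
To: victim@example.invalid
Subject: Emailing: invoice_0831.pdf
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="us-ascii"

The message is ready to be sent with the following file or link attachments:

invoice_0831.pdf
--XYZ
Content-Type: application/pdf; name="invoice_0831.pdf"
Content-Disposition: attachment; filename="invoice_0831.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--XYZ--
"""

# Constructed legitimate reply: shares the ".pdf" suffix but nothing else.
HAM_SAMPLE = b"""From: colleague@example.invalid
To: me@example.invalid
Subject: Re: Emailing: invoice_0831.pdf
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

Thanks, got it. I'll review the invoice tomorrow.
"""

if __name__ == "__main__":
    for name, sample in (("spam", SPAM_SAMPLE), ("ham", HAM_SAMPLE)):
        print(name, campaign_conditions(sample), "->", is_pdf_campaign(sample))
```

Feeding `campaign_conditions` into a weight (for example, full weight only when all three hold, partial weight for two) keeps the catch rate Darin saw while leaving room for the legitimate "Send To" messages that the AND alone would hold.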
[sniffer] Re: New campaign not caught
Just got one a short while ago. Look at these headers:

Received: from p4248-ipbfp02matuyama.ehime.ocn.ne.jp [124.96.113.248] by mail.4cweb.com with ESMTP (SMTPD-8.22) id A0D001A0; Tue, 07 Aug 2007 12:41:52 -0400
Received: from [126.147.120.198] by p4248-ipbfp02matuyama.ehime.ocn.ne.jp with HTTP; Wed, 8 Aug 2007 01:42:17 +0900
Message-ID: [EMAIL PROTECTED]
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Wire instructions-Moi
Date: Wed, 8 Aug 2007 01:42:01 +0900
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary==_NextPart_000_000C_01C7D95D.50E32D80
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3138

Note the "with HTTP;". This looks detectable to me, since it also has OE headers. Not sure if there is more to work with in the Message-ID and MIME boundaries.

Darin.

- Original Message -
From: Scott Fisher
To: Message Sniffer Community
Sent: Tuesday, August 07, 2007 12:46 PM
Subject: [sniffer] New campaign not caught

Last night I started getting spam with numbers in the subject and a hex code in the body. This morning that switched over to stock spam PDFs. Hopefully rules can be targeted towards them!

Scott Fisher
Dir of IT
Farm Progress Companies
191 S Gary Ave
Carol Stream, IL 60188
Tel: 630-462-2323

This email message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message. Although Farm Progress Companies has taken reasonable precautions to ensure no viruses are present in this email, the company cannot accept responsibility for any loss or damage arising from the use of this email or attachments.
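The contradiction Darin points out, turned into a check, as an added example that is not from the post or from Message Sniffer: a Received hop that says the message was submitted "with HTTP" (a webmail-style hop) on a message whose X-Mailer claims a desktop client such as Outlook Express, which submits over SMTP. The hostnames and addresses in the constructed samples are documentation placeholders; the X-Mailer strings are the ones in the headers above.

```python
"""Flag a transport/client contradiction in message headers.

Added example, not from the list or Message Sniffer. Samples are
constructed; hosts and IPs are documentation placeholders.
"""
import email
import re
from email import policy

# The "with <protocol>" clause of a Received trace field (RFC 5321 section 4.4).
RECEIVED_WITH = re.compile(r"\bwith\s+([A-Za-z0-9-]+)", re.IGNORECASE)

# Desktop MUAs that submit over SMTP rather than through a webmail HTTP hop.
DESKTOP_CLIENT_MARKERS = ("Outlook Express", "Microsoft Outlook", "Thunderbird")


def received_protocols(raw: bytes) -> list:
    """Protocol named by each Received header, newest (outermost) first."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    protos = []
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_WITH.search(str(hdr))
        protos.append(m.group(1).upper() if m else "?")
    return protos


def header_inconsistencies(raw: bytes) -> dict:
    """Return the evidence worth logging plus a findings list (empty = clean)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    protos = received_protocols(raw)
    mailer = str(msg.get("X-Mailer") or "")
    findings = []
    if "HTTP" in protos and any(m in mailer for m in DESKTOP_CLIENT_MARKERS):
        findings.append("webmail-hop-with-desktop-client-headers")
    return {"received_with": protos, "x_mailer": mailer, "findings": findings}


# Constructed: webmail hop ("with HTTP") plus Outlook Express headers.
SUSPICIOUS_SAMPLE = b"""Received: from relay.example.invalid [192.0.2.7] by mx.example.invalid with ESMTP (SMTPD-8.22) id 0123ABCD; Tue, 07 Aug 2007 12:41:52 -0400
Received: from [198.51.100.23] by relay.example.invalid with HTTP; Wed, 8 Aug 2007 01:42:17 +0900
Message-ID: <constructed-0001@relay.example.invalid>
From: sender@example.invalid
To: recipient@example.invalid
Subject: Wire instructions
Date: Wed, 8 Aug 2007 01:42:01 +0900
MIME-Version: 1.0
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3138

Please see the attached wire instructions.
"""

# Constructed: same client headers, but every hop is SMTP, so no finding.
CONSISTENT_SAMPLE = b"""Received: from relay.example.invalid [192.0.2.7] by mx.example.invalid with ESMTP (SMTPD-8.22) id 0123ABCE; Tue, 07 Aug 2007 12:41:52 -0400
Received: from [198.51.100.23] by relay.example.invalid with ESMTP; Tue, 7 Aug 2007 12:41:40 -0400
Message-ID: <constructed-0002@relay.example.invalid>
From: sender@example.invalid
To: recipient@example.invalid
Subject: Wire instructions
Date: Tue, 7 Aug 2007 12:41:30 -0400
MIME-Version: 1.0
X-Mailer: Microsoft Outlook Express 6.00.2900.3138

Please see the attached wire instructions.
"""

if __name__ == "__main__":
    print(header_inconsistencies(SUSPICIOUS_SAMPLE))
    print(header_inconsistencies(CONSISTENT_SAMPLE))
```

One contradiction of this kind is a scoring signal rather than a verdict on its own; the returned evidence dict is meant to be logged next to the score so a false positive can be traced back to the header that caused it.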
[sniffer] FPs on 1573590
Hi Pete,

We're getting a number of FPs on SNIFFER-PORN rule 1573590. The emails are clean, NOT porn-related, and no obvious pattern was in the emails that we could see that Sniffer might be FPing on.

Darin.
[sniffer] Re: Address
Probably not, but if you have the finder service exposed outside of your firewall (not recommended), then yes, this will help. It has nothing to do with SPF.

Darin.

- Original Message -
From: [EMAIL PROTECTED]
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Tuesday, September 25, 2007 12:52 PM
Subject: [sniffer] Re: Address

I have SPF's set up for all the domains I host. There is a setting in Imail that says Hide From Information Services. That was off but I just enabled it. Is that a good thing [for me] or not?

At 06:38 PM 9/24/2007, you wrote:

Hello Greg,

Monday, September 24, 2007, 8:10:23 PM, you wrote:

Some of the spammers are apparently using my email address as the sender. Any way to defeat that or capitalize on it? I get several bounces a week from all over the world.

One little thing you can do if it's not done already is to set up proper SPF records for your domains. That will at least help others skip the malware using your addresses more easily.

_M

--
Pete McNeil
Chief Scientist, Arm Research Labs, LLC.

Thanks,
Greg
CoffeyNet/AllureTech
v 307-473-2323
1546 E. Burlington
cell 307-259-7962
Casper, WY 82601
fax 307-237-3709
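How the SPF records Pete recommends let a receiving MTA refuse forged use of a domain, as an added example that is not from the thread or from Message Sniffer. It implements a teaching subset of RFC 7208 (the ip4, ip6, a, mx, include and all mechanisms with the four qualifiers; no redirect=, exp=, exists, ptr or macros) against a constructed in-memory DNS table so it runs offline; a real checker queries DNS and enforces the ten-lookup limit across the whole evaluation. The domains and addresses are documentation placeholders.

```python
"""Minimal SPF (RFC 7208) evaluator over a constructed DNS table.

Added example, not the list's or Message Sniffer's code. Subset only:
ip4, ip6, a, mx, include, all. Domains and addresses are placeholders.
"""
import ipaddress

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10

# Constructed DNS view. example.invalid authorises its own /24, its MX host,
# and a third-party sender via include:, and hard-fails everything else.
DNS = {
    "example.invalid": {
        "TXT": ["v=spf1 ip4:192.0.2.0/24 mx include:_spf.mailhost.invalid -all"],
        "A": ["192.0.2.10"],
        "MX": ["mx.example.invalid"],
    },
    "mx.example.invalid": {"A": ["203.0.113.25"]},
    "_spf.mailhost.invalid": {"TXT": ["v=spf1 ip4:198.51.100.0/24 ~all"]},
}


def spf_record(domain: str):
    """The domain's single v=spf1 TXT record, or None (RFC 7208 section 4.5)."""
    records = [t for t in DNS.get(domain, {}).get("TXT", []) if t.startswith("v=spf1")]
    return records[0] if len(records) == 1 else None


def check_spf(ip: str, domain: str, _lookups: int = 0) -> str:
    """check_host(): returns pass, fail, softfail, neutral, none or permerror."""
    record = spf_record(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # An IPv4 address is never "in" an IPv6 network and vice versa.
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name in ("a", "mx", "include"):
            # Lookup counter for this branch only; nested include counts are
            # not returned, so this is a lower bound on the RFC's limit.
            _lookups += 1
            if _lookups > MAX_DNS_LOOKUPS:
                return "permerror"
            target = arg or domain
            if name == "a":
                matched = str(addr) in DNS.get(target, {}).get("A", [])
            elif name == "mx":
                hosts = DNS.get(target, {}).get("MX", [])
                matched = any(str(addr) in DNS.get(h, {}).get("A", []) for h in hosts)
            else:
                # include: matches only when the included policy yields pass.
                matched = check_spf(ip, target, _lookups) == "pass"
        else:
            return "permerror"  # unknown mechanism
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # nothing matched and no "all" term


if __name__ == "__main__":
    for ip in ("192.0.2.10", "203.0.113.25", "198.51.100.7", "203.0.113.99", "2001:db8::1"):
        print(ip, check_spf(ip, "example.invalid"))
```

The "-all" at the end is what makes the record useful against the joe jobs in this thread: a receiver that evaluates it can refuse the forged message at SMTP time instead of accepting it and bouncing it back to the forged address.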
[sniffer] Re: Backscatter Spam
SPF does help, and we've used it for about three years here, but only when the domain being forged has an SPF policy. So, it's most useful when the recipient domain is being forged as the sender as well. We've seen some joe job attacks with bounces around 25k to a single address. We filtered about 85% of those, but that still meant the customer received a bit under 4k. We've since tweaked our NULL sender filter to catch more, but at the risk of catching some read receipts, automated replies, etc. With volumes this high, even 99% filtering results in a huge hit (250 bounces) from the customer's perspective. We're working to get to the 99.9% level consistent with the rest of our filtering.

Darin.

- Original Message -
From: E. H. (Eric) Fletcher
To: Message Sniffer Community
Sent: Saturday, June 28, 2008 11:56 PM
Subject: [sniffer] Re: Backscatter Spam

Matt:

We also found SPF records did the trick on the high volume returns to several domains especially from some of the appliances.

Eric

- Original Message -
From: Mxuptime.com
To: Message Sniffer Community
Sent: Saturday, June 28, 2008 8:50 PM
Subject: [sniffer] Re: Backscatter Spam

Interesting idea but the BATV appears to be something that you would need to run on the MTA level (i.e. the MailServer would need to support the functionality) because it rewrites the return address on outgoing emails.

On a side note, I have noticed a significant drop in backscatter when SPF is implemented for the particular domain. Most of the backscatter appears to come from valid antispam appliances like the Barracuda boxes which would normally use SPF. These devices perform the SPF test during the SMTP connection and reject it immediately as opposed to bouncing the message back. So the SPF does help.

-Matt

From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Matthew J. Grim
Sent: Sunday, June 29, 2008 1:25 AM
To: Message Sniffer Community
Subject: [sniffer] Re: Backscatter Spam

As an aside, Mdaemon has an excellent backscatter prevention system. They appear to be using BATV, an internet draft at the moment.

Matt in Tampa
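A null-sender triage that keeps the read receipts and automated replies Darin's tighter NULL sender filter risks catching, as an added example that is not the list's filter or Message Sniffer code. The idea is the same one BATV automates at the MTA: a bounce is legitimate only if the original it returns is one we actually sent, here checked by Message-ID against an outbound log. The DSN, MDN and normal-message samples and the sent-ID set are constructed.

```python
"""Triage for messages with a null envelope sender (Return-Path: <>).

Added example, not from the list or Message Sniffer. Classifies read
receipts (MDN), auto-replies, bounces tied to our own outbound log, and
bounces that return mail we never sent (backscatter). Samples constructed.
"""
import email
from email import policy


def _embedded_original_message_id(msg):
    """Message-ID of the returned original (message/rfc822 or text/rfc822-headers part)."""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            inner = part.get_payload(0)
        elif ctype == "text/rfc822-headers":
            inner = email.message_from_string(part.get_content(), policy=policy.default)
        else:
            continue
        mid = str(inner.get("Message-ID") or "").strip()
        return mid or None
    return None


def classify_null_sender(raw: bytes, sent_message_ids) -> str:
    """Return one of: not-null-sender, read-receipt, auto-reply,
    legitimate-bounce, backscatter, unknown-null-sender."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if str(msg.get("Return-Path") or "").strip() != "<>":
        return "not-null-sender"
    report_type = str(msg.get_param("report-type") or "").lower()
    if report_type == "disposition-notification":
        return "read-receipt"          # MDN (RFC 8098): deliver
    if str(msg.get("Auto-Submitted") or "no").strip().lower() != "no":
        return "auto-reply"            # vacation/out-of-office (RFC 3834): deliver
    if report_type == "delivery-status":
        mid = _embedded_original_message_id(msg)
        if mid and mid in sent_message_ids:
            return "legitimate-bounce"  # DSN for mail we really sent: deliver
        return "backscatter"           # DSN for an original not in our log: quarantine
    return "unknown-null-sender"       # score it, do not hard-reject


# Constructed DSN returning a forged original (we never sent forged-0001).
DSN_SAMPLE = b"""Return-Path: <>
From: MAILER-DAEMON@remote.invalid
To: sales@example.invalid
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="DSN"

--DSN
Content-Type: text/plain

This is the mail system at host remote.invalid. Delivery failed.
--DSN
Content-Type: message/delivery-status

Reporting-MTA: dns; remote.invalid

Final-Recipient: rfc822; nobody@remote.invalid
Action: failed
Status: 5.1.1
--DSN
Content-Type: message/rfc822

From: sales@example.invalid
To: nobody@remote.invalid
Subject: cheap pills
Message-ID: <forged-0001@spammer.invalid>

buy now
--DSN--
"""

# Constructed read receipt, also sent from the null sender.
MDN_SAMPLE = b"""Return-Path: <>
From: user@remote.invalid
To: sales@example.invalid
Subject: Read: Quote 4471
MIME-Version: 1.0
Content-Type: multipart/report; report-type=disposition-notification; boundary="MDN"

--MDN
Content-Type: text/plain

Your message was read.
--MDN
Content-Type: message/disposition-notification

Reporting-UA: remote.invalid; Some Mailer
Original-Message-ID: <real-0001@example.invalid>
Disposition: manual-action/MDN-sent-manually; displayed
--MDN--
"""

NORMAL_SAMPLE = b"""Return-Path: <bob@remote.invalid>
From: bob@remote.invalid
To: sales@example.invalid
Subject: hello

hi
"""

if __name__ == "__main__":
    sent = {"<real-0001@example.invalid>"}   # constructed outbound log
    for name, s in (("dsn", DSN_SAMPLE), ("mdn", MDN_SAMPLE), ("normal", NORMAL_SAMPLE)):
        print(name, classify_null_sender(s, sent))
```

"backscatter" here means "cannot be tied to our outbound log"; some real bounces truncate the returned original before its Message-ID, so in production that class is better quarantined and counted than silently dropped, and the outbound log must retain IDs at least as long as remote queues retry.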
[sniffer] Problem with Sniffer-Porn rule this morning
Pete, There appears to be a problem with rule 1984485 this morning. I'm getting a number of FP hits on it from AOL users. Darin.
[sniffer] Re: Problem with Sniffer-Porn rule this morning
Any word on this?

Darin.

- Original Message -
From: Darin Cox
To: Message Sniffer Community
Sent: Friday, July 18, 2008 9:37 AM
Subject: [sniffer] Problem with Sniffer-Porn rule this morning

Pete,

There appears to be a problem with rule 1984485 this morning. I'm getting a number of FP hits on it from AOL users.

Darin.
[sniffer] Re: Problem with Sniffer-Porn rule this morning
We had 18 hits on it from ~6:40-9:30am EDT before putting in the rule panic, 5 of which reached our hold weight. We've had 27 more hits since adding the rule panic.

Darin.

- Original Message -
From: Colbeck, Andrew
To: Message Sniffer Community
Sent: Friday, July 18, 2008 11:30 AM
Subject: [sniffer] Re: Problem with Sniffer-Porn rule this morning

I also have hit this. A single hit, also from AOL.

Andrew.

From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Friday, July 18, 2008 6:37 AM
To: Message Sniffer Community
Subject: [sniffer] Problem with Sniffer-Porn rule this morning

Pete,

There appears to be a problem with rule 1984485 this morning. I'm getting a number of FP hits on it from AOL users.

Darin.
[sniffer] Re: Problem with Sniffer-Porn rule this morning
Yes. The rule is inert. However, according to the logs the rule would have been hit 27 more times had we not added the rule panic.

Darin.

- Original Message -
From: Pete McNeil
To: Message Sniffer Community
Sent: Friday, July 18, 2008 12:16 PM
Subject: [sniffer] Re: Problem with Sniffer-Porn rule this morning

Hello Darin,

Friday, July 18, 2008, 11:39:47 AM, you wrote:

We had 18 hits on it from ~6:40-9:30am EDT before putting in the rule panic, 5 of which reached our hold weight. We've had 27 more hits since adding the rule panic.

When a rule panic is in place the rule should be inert. Please check your snf_engine_cfg.log to see if the rule panic was picked up in your configuration.

Best,

_M

--
Pete McNeil
Chief Scientist, Arm Research Labs, LLC.
[sniffer] Re: Problem with Sniffer-Porn rule this morning
Hmmm... I don't think the rule was already pulled. We update our rulebase upon receipt of the notification of a new rulebase being available, and according to our logs the rule was in until at least 11:24am EDT.

Darin.

- Original Message -
From: Pete McNeil
To: Message Sniffer Community
Sent: Friday, July 18, 2008 12:12 PM
Subject: [sniffer] Re: Problem with Sniffer-Porn rule this morning

Hello Darin,

Friday, July 18, 2008, 9:37:18 AM, you wrote:

Pete, There appears to be a problem with rule 1984485 this morning. I'm getting a number of FP hits on it from AOL users.

The rule has been pulled already.

_M

--
Pete McNeil
Chief Scientist, Arm Research Labs, LLC.
[sniffer] Re: RulePanic on 2654821
We had a lot... 534 hits between 3:26 and 4:41pm ET, which is when we added the rule panic. It appears the rule was added in a rulebase that was automatically updated at 3:26pm ET.

Pete? Status?

Darin.

- Original Message -
From: Colbeck, Andrew
To: Message Sniffer Community
Sent: Tuesday, September 08, 2009 5:19 PM
Subject: [sniffer] Re: RulePanic on 2654821

The scores over here for the messages that trigger on rule 2654821 today:

spam that hit the rule: 4
... and were porn: 0
ham that was held by my weight system: 5
ham that was allowed by my weight system: 3
subsequent panic log lines: 139

Thanks for the heads up, Darin. I was able to re-queue those 5 good messages without the users ever having to call the Helpdesk.

Andrew 8)

From: Message Sniffer Community [mailto:snif...@sortmonster.com] On Behalf Of Darin Cox
Sent: Tuesday, September 08, 2009 1:49 PM
To: Message Sniffer Community
Subject: [sniffer] Re: RulePanic on 2654821

Neglected to mention it is a Sniffer-Porn rule.

Darin.

- Original Message -
From: Darin Cox
To: Message Sniffer Community
Sent: Tuesday, September 08, 2009 4:47 PM
Subject: [sniffer] RulePanic on 2654821

We had to put a RulePanic on 2654821. We were getting a ton of FPs on it. Pete, let us know what's going on with this rule, please.

Darin.
[sniffer] Re: Testing a black-list,.. want to help?
Hi Pete,

We would be interested in testing the DNSBL.

Darin.

- Original Message -
From: Pete McNeil madscient...@armresearch.com
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Friday, January 22, 2010 12:48 PM
Subject: [sniffer] Testing a black-list,.. want to help?

Hello sniffer folks,

I'm testing a dns based blocking list for a future product release. The list works in the usual way and is derived from GBUdb IP reputation data. The list I want to test contains IPs that are statistically in the Truncate range from the perspective of the larger cloud. If you are interested in testing this for a time please email support@ and we will give you the domain for the list. This might be particularly helpful for you if you are using a system that takes connections first and filters later. We only have a few slots open for testing.

Thanks!

_M

# This message is sent to you because you are subscribed to the mailing list sniffer@sortmonster.com. This list is for discussing Message Sniffer, Anti-spam, Anti-Malware, and related email topics. For More information see http://www.armresearch.com To unsubscribe, E-mail to: sniffer-...@sortmonster.com To switch to the DIGEST mode, E-mail to sniffer-dig...@sortmonster.com To switch to the INDEX mode, E-mail to sniffer-in...@sortmonster.com Send administrative queries to sniffer-requ...@sortmonster.com
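What "works in the usual way" means for a DNS-based blocking list, as an added example that is not from Pete's post or from Message Sniffer (the test list's zone was handed out privately, so dnsbl.example.invalid stands in for it): the client reverses the address octets (hex nibbles for IPv6), appends the list zone, queries for an A record, and reads a 127.0.0.x answer as "listed". The resolver is a constructed in-memory table so the code runs offline, and the meaning of each return code is constructed too; real lists publish their own.

```python
"""DNSBL query construction and answer interpretation (RFC 5782 conventions).

Added example, not the list's or Message Sniffer's code. The zone name,
the answers and the return-code meanings are constructed placeholders.
"""
import ipaddress

ZONE = "dnsbl.example.invalid"
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip: str, zone: str = ZONE) -> str:
    """Reverse the octets (IPv4) or the 32 hex nibbles (IPv6) and append the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone


# Constructed answers standing in for the resolver; keys are built with the
# same function the lookup uses so the reversal is never hand-typed.
FAKE_DNS = {
    dnsbl_query_name("203.0.113.8"): "127.0.0.2",
    dnsbl_query_name("2001:db8::1"): "127.0.0.3",
}
RETURN_CODES = {"127.0.0.2": "bad-reputation", "127.0.0.3": "policy-block"}


def dnsbl_lookup(ip: str, zone: str = ZONE, resolve=FAKE_DNS.get) -> dict:
    """Return {"listed": bool, "reason": str or None}.

    Only answers inside 127.0.0.0/8 count as a listing; anything else is a
    wildcard or captive-portal resolver answering for every name, and is
    treated as not listed so the list cannot be turned into a block-all.
    """
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return {"listed": False, "reason": None}
    if ipaddress.ip_address(answer) not in LISTED_RANGE:
        return {"listed": False, "reason": "unexpected-answer"}
    return {"listed": True, "reason": RETURN_CODES.get(answer, "unknown")}


if __name__ == "__main__":
    for ip in ("203.0.113.8", "2001:db8::1", "198.51.100.1"):
        print(ip, dnsbl_query_name(ip), dnsbl_lookup(ip))
```

Because the answer arrives before any message data, this is the check that suits the "takes connections first" systems Pete mentions: it can refuse the SMTP connection outright rather than accepting mail and scoring it afterwards.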
[sniffer] RulePanic on 2908567
We're noticing a lot of FPs on this rule, and have added a RulePanic entry. Pete, is there a problem with it? Darin.
[sniffer] Re: RulePanic on 2908567
Update on this rule. Hits started at ~9:20am ET. We saw 365 hits in 40 minutes before we added the rule panic, of which ~5% were FPs. We pulled it since that is a large number of FPs for a single rule. In the next 20 minutes there were another 158 hits logged, but with the rule panic in place.

Darin.

- Original Message -
From: Darin Cox
To: Message Sniffer Community
Sent: Wednesday, February 03, 2010 9:02 AM
Subject: [sniffer] RulePanic on 2908567

We're noticing a lot of FPs on this rule, and have added a RulePanic entry. Pete, is there a problem with it?

Darin.
[sniffer] Re: RulePanic on 2908567
We're still seeing hits. I assume the rule removal hasn't propagated to our rulebase yet? BTW, we were seeing hits on the rule across a broad range of emails that related to passport.com.

Darin.

- Original Message -
From: Pete McNeil madscient...@armresearch.com
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Wednesday, February 03, 2010 9:41 AM
Subject: [sniffer] Re: RulePanic on 2908567

Darin Cox wrote:

We're noticing a lot of FPs on this rule, and have added a RulePanic entry. Pete, is there a problem with it?

The rule was for passport.com -- it has already been removed.

_M
[sniffer] Re: RulePanic on 3059196
Hi Pete,

We've put a RulePanic in for 3059196, as we're getting a lot of FPs on it. Can you look at this rule, and/or let me know what it is?

Thanks,

Darin.
[sniffer] Re: Volume spike Mon 9AM EST
I'm seeing it, too.

Darin.

- Original Message -
From: Peer-to-Peer (Support) suppor...@peertopeer.net
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Monday, May 10, 2010 9:21 AM
Subject: [sniffer] Volume spike Mon 9AM EST

Just checking to see if anyone else is seeing a massive spike in volume. Something started occurring around 9AM EST. Not yet sure what's happening. Wondering if this is global attack or simply local on our system? Anyone seeing unusual activity - high volume?

--Paul R.
[sniffer] Re: Volume spike Mon 9AM EST
Hi Pete,

No. Not leakage. Sniffer et al are doing their job well. Just a large spike in incoming spam volume. It settled down for us by about 11am.

Darin.

- Original Message -
From: Pete McNeil madscient...@armresearch.com
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Monday, May 10, 2010 11:46 AM
Subject: [sniffer] Re: Volume spike Mon 9AM EST

On 5/10/2010 11:12 AM, NetEase Operations Manager wrote:

I am getting a lot of complaints from my customers concerning the huge spikes too.

Do you mean huge spikes in leakage? Hope not-- because we're not seeing that in our instrumentation. If anything is leaking please be sure to get it to us so we can filter it. We did see a few short spikes for new campaigns that have a lot of bandwidth behind them but those are well captured now and were captured very quickly. We would love to get our eyes on anything new that we're not already seeing.

_M

--
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
[sniffer] Re: Rule Panic on 3364665
We had 231 hits on that rule from 12:15pm to 3:03pm ET. At least 90% of them were FPs. Since there was a broad spectrum of customers and content affected, I'm guessing there was an error or over-generalization in the rule.

Darin.

- Original Message -
From: Colbeck, Andrew
To: Message Sniffer Community
Sent: Tuesday, August 17, 2010 3:31 PM
Subject: [sniffer] Re: Rule Panic on 3364665

I have seen one hit, and it looks like a false positive to me. Sent as a sample to the false@ address. Thanks for the heads-up, Darin.

Andrew.

From: Message Sniffer Community [mailto:snif...@sortmonster.com] On Behalf Of Darin Cox
Sent: Tuesday, August 17, 2010 12:11 PM
To: Message Sniffer Community
Subject: [sniffer] Rule Panic on 3364665

Hi,

We've had a lot of FPs on this rule, and wanted to alert everyone on it. Pete, can you look into it?

Thanks,

Darin.
[sniffer] Re: Rule Panic on 3364665
Thanks, Pete.

Darin.

- Original Message -
From: Pete McNeil
To: Message Sniffer Community
Sent: Tuesday, August 17, 2010 3:37 PM
Subject: [sniffer] Re: Rule Panic on 3364665

On 8/17/2010 3:10 PM, Darin Cox wrote:

Hi, We've had a lot of FPs on this rule, and wanted to alert everyone on it. Pete, can you look into it?

It's already dead. It was a binary rule for an image spam.

_M

--
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
[sniffer] RulePanic on 3741490
Hi guys, We're seeing a lot of FPs on 3741490 this morning. I've added a RulePanic for it in our systems. Roughly 150 FPs from 6:55am until a few minutes ago... Darin.
[sniffer] Re: RulePanic on 3741490
Hmmm... so 70 minutes after the rule was released we were notified of the rule update for auto-update of rulebase, but at 10:11ET we still hadn't gotten the update for the 8:53am removal. Anything we can do to speed up the rulebase update notifications?

Also, for rules identified as problematic and removed, what about an automated email so we can remove it immediately via RulePanic. For peak times like beginning of the business day, that would be very helpful. An hour could save a lot of headaches for both us and our customers. Or are there so many of those that we would be swamped with notifications?

Just trying to figure out a way to avoid this as much as possible in the future. It cost me a half hour this morning, and, more importantly, delayed over 150 legitimate messages to our customers.

Thanks in advance for anything you can do.

Darin.

- Original Message -
From: Pete McNeil
To: Message Sniffer Community
Sent: Friday, January 07, 2011 11:27 AM
Subject: [sniffer] Re: RulePanic on 3741490

On 1/7/2011 10:19 AM, Darin Cox wrote:

Hi guys, We're seeing a lot of FPs on 3741490 this morning. I've added a RulePanic for it in our systems.

The rule was created at 0539 and removed at 0853 when it was detected by our early warning system. It codes for a binary segment found in some image files.

_M

--
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010
[sniffer] Re: RulePanic on 3741490
Update notifications happen as soon as the rulebase compilers have created a new rulebase.

I don't know what your internal processes are, but if I understand this correctly the rule was created at 5:39am ET, and was compiled into the rulebase somewhere just before 8:53am ET, at which point update notifications were sent. From the customer point of view, when the rule was created or removed doesn't really matter, and those times are meaningless to us. What matters is when the rulebases that include them are published/updated, as that is what we key off of for updates.

We have features on the short list to automatically render removed rules inert in near real-time (within seconds)

Sounds good. That would definitely be better than notifications for us to be able to put in RulePanics, assuming there's no negative effect to overall performance from checking each rule for active/inactive state. I assume some sort of push mechanism to all subscribers, to notify their systems that a rule is no longer valid, is what you're planning here.

Best.

Darin.

- Original Message -
From: Pete McNeil
To: Message Sniffer Community
Sent: Friday, January 07, 2011 1:43 PM
Subject: [sniffer] Re: RulePanic on 3741490

On 1/7/2011 12:33 PM, Darin Cox wrote:

Hmmm... so 70 minutes after the rule was released we were notified of the rule update for auto-update of rulebase, but at 10:11ET we still hadn't gotten the update for the 8:53am removal. Anything we can do to speed up the rulebase update notifications?

Update notifications happen as soon as the rulebase compilers have created a new rulebase. We are in the process of reworking our compiler cluster to improve its performance and further shorten update times.

Also, for rules identified as problematic and removed, what about an automated email so we can remove it immediately via RulePanic. For peak times like beginning of the business day, that would be very helpful. An hour could save a lot of headaches for both us and our customers. Or are there so many of those that we would be swamped with notifications?

We have features on the short list to automatically render removed rules inert in near real-time (within seconds).

Just trying to figure out a way to avoid this as much as possible in the future. It cost me a half hour this morning, and, more importantly, delayed over 150 legitimate messages to our customers.

We are constantly improving our process to minimize these cases, increase the speed with which we can detect and correct these, and add features to automate and expedite the process.

Thanks in advance for anything you can do.

Thanks very much for your feedback!

_M

--
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010
[sniffer] FPs on Sniffer-Schemes
Hi Pete,

We're seeing a ton of FPs on a Sniffer-Schemes rule # 4764784.

Darin.
[sniffer] Re: FPs on Sniffer-Schemes
More info...

Started getting hits at 4:30pm EST up to 15 minutes ago (5:25pm EST). Not sure if the rule has been pulled or corrected yet. Had 383 hits, and a very high percentage of those were FPs. Don't have an exact number, due to having to release the messages quickly for delivery, but I expect at least 30% were FPs for us. Most were referencing PO #s or orders for various customers.

Darin.

- Original Message -
From: Darin Cox
To: Message Sniffer Community
Sent: Monday, March 12, 2012 5:17 PM
Subject: [sniffer] FPs on Sniffer-Schemes

Hi Pete,

We're seeing a ton of FPs on a Sniffer-Schemes rule # 4764784.

Darin.
[sniffer] Re: FPs on Sniffer-Schemes
Hi Pete,

We are running the older version, and get our updates about every 50-60 minutes. We're using GBUdb as a test in Declude, separately from Message Sniffer.

I'll look up the info on upgrading gracefully. Hadn't had much time to do that previously.

Darin.

- Original Message -
From: Pete McNeil
To: Message Sniffer Community
Sent: Monday, March 12, 2012 6:22 PM
Subject: [sniffer] Re: FPs on Sniffer-Schemes

On 3/12/2012 5:41 PM, Darin Cox wrote:

> Started getting hits at 4:30pm EST up to 15 minutes ago (5:25pm EST).

I think I can see part of the problem (possibly).

I do not have telemetry from your system (based on looking up your Id from your domain). I suspect this means that you are running an older version of SNF. By extension, that would mean a couple of things:

* Your rulebase update would not come as quickly as for most systems.
* Your SNF engine won't match on many of the newer rules.
* Your SNF engine will not have GBUdb and also will not be able to auto-panic new rules that conflict with IP reputation data.

Am I right about these assumptions? If not, then we should figure out why I don't see your telemetry.

Thanks,

_M

--
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010
twitter/codedweller
[sniffer] Re: GBUdb Tool
Hi Pete,

Would you mind sharing your calculations of confidence and probability? I'm looking at the stats for p=1.0 and curious about the low confidence values. I would have expected high confidence where there were no good samples and a lot of bad... or do I have something backwards?

Also, while it's easy to parse, it might be nice if the output had one delimiter between fields instead of being both tab and comma delimited. Makes importing into a database for analysis much easier.

Appreciate it,

Darin.

-Original Message-
From: Pete McNeil
Sent: Friday, November 23, 2012 3:43 PM
To: Message Sniffer Community
Subject: [sniffer] GBUdb Tool

Hello Sniffer Folks,

We have been playing with a new utility that some of you may enjoy.

http://www.armresearch.com/message-sniffer/download/GBUDBTool-V0.1.zip

GBUDB Tool allows you to create a list of IP addresses from your GBUdb snapshots (.gbx files). You can select IPs that are blacker or whiter than a provided probability figure and confidence figure. It outputs one IP per line, optionally with details about the statistics for the IP.

This can be useful for feeding-forward blacklists to block at your firewall or for other research purposes.

Run GBUDBTool without any parameters and it will tell you about its command line options.

Please let us know if there is more we can do.

Best,

_M

--
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010
twitter/codedweller
[sniffer] Re: IP Change on rulebase delivery system
Probably unrelated... and due to a significant increase in spam over the past few days.

Darin.

From: Richard Stupek
Sent: Wednesday, March 27, 2013 2:18 PM
To: Message Sniffer Community
Subject: [sniffer] Re: IP Change on rulebase delivery system

Not sure if it's related but since yesterday SNFserver CPU utilization has been inordinately high (50%) for the middle of the day with not any additional volume in mail being received.

On Mon, Mar 25, 2013 at 9:13 AM, Pete McNeil madscient...@armresearch.com wrote:

> Hi Sniffer Folks,
>
> We are about to change the IP of the rulebase delivery system.
>
> This change should be completely transparent and you should not need to take any action; however if you do notice anything unusual please let us know.
>
> Thanks,
>
> _M
>
> --
> Pete McNeil
> Chief Scientist
> ARM Research Labs, LLC
> www.armresearch.com
> 866-770-1044 x7010
> twitter/codedweller
[sniffer] Re: IP Change on rulebase delivery system
Richard,

Do you have any directories with a large number of files (4k)? We had a similar problem a few months back with sniffer scans taking much longer to complete and sniffer temporary files being left over. We finally traced the performance issues to a frequently accessed directory with thousands of files. We've also seen issues in the past with directories with a large number of files being very poor performing.

Darin.

From: Richard Stupek
Sent: Thursday, March 28, 2013 12:10 PM
To: Message Sniffer Community
Subject: [sniffer] Re: IP Change on rulebase delivery system

Ok looking at the log I see quite a few messages taking over a second to process (samples below):

<s u='20130328155503' m='\temp\1332407477322.msg' s='0' r='0'>
  <p s='1172' t='1109' l='72697' d='127'/>
  <g o='0' i='12.130.136.172' t='u' c='0.486243' p='-0.625' r='Normal'/>
</s>
<s u='20130328155506' m='\temp\1332407477336.msg' s='60' r='5113015'>
  <m s='60' r='5113015' i='235' e='280' f='m'/>
  <m s='60' r='4346940' i='16722' e='16812' f='m'/>
  <p s='1141' t='937' l='16658' d='129'/>
  <g o='0' i='192.210.233.215' t='u' c='0.360316' p='0.575758' r='Normal'/>
</s>
<s u='20130328155513' m='\temp\1332407477360.msg' s='52' r='5470216'>
  <m s='52' r='5470216' i='235' e='295' f='m'/>
  <m s='52' r='5471910' i='949' e='1009' f='m'/>
  <m s='52' r='5431546' i='1074' e='1200' f='m'/>
  <m s='52' r='5479780' i='1857' e='1933' f='m'/>
  <m s='62' r='5303955' i='82' e='2688' f='m'/>
  <m s='52' r='5400681' i='1818' e='9143' f='m'/>
  <p s='1031' t='750' l='8538' d='130'/>
  <g o='0' i='192.210.134.21' t='u' c='0.545993' p='0.82' r='Black'/>
</s>
<s u='20130328155622' m='\temp\1332407477655.msg' s='60' r='5538969'>
  <m s='60' r='5538969' i='221' e='236' f='m'/>
  <m s='61' r='5448415' i='2283' e='2297' f='m'/>
  <m s='61' r='5438936' i='2247' e='2337' f='m'/>
  <m s='60' r='5404555' i='15832' e='15850' f='m'/>
  <m s='60' r='5539002' i='16033' e='16074' f='m'/>
  <m s='62' r='5437246' i='30967' e='30985' f='m'/>
  <p s='1219' t='1312' l='17171' d='135'/>
  <g o='0' i='205.234.138.240' t='u' c='0.634697' p='0.763214' r='Normal'/>
</s>

On Wed, Mar 27, 2013 at 4:42 PM, Pete McNeil madscient...@armresearch.com wrote:

> On 2013-03-27 17:16, Richard Stupek wrote:
>
> > The spikes aren't as prolonged at the present.
>
> Interesting.
>
> A short spike like that might be expected if the message was longer than usual, but on average SNF should be very light-weight.
>
> One thing you can check is the performance data in your logs. That will show how much time in cpu milliseconds it is taking for each scan and how long the scans are in bytes. This might shed some light.
>
> http://www.armresearch.com/support/articles/software/snfServer/logFiles/activityLogs.jsp
>
> Look for something like <p s='10' t='8' l='3294' d='84'/> in each scan.
>
> From the documentation:
>
> <s><p/></s> - Scan Performance Monitoring (performance='yes')
>   p:s = Setup time in milliseconds
>   p:t = Scan time in milliseconds
>   p:l = Scan length in bytes
>   p:d = Scan depth (peak evaluator count)
>
> Best,
>
> _M
>
> --
> Pete McNeil
> Chief Scientist
> ARM Research Labs, LLC
> www.armresearch.com
> 866-770-1044 x7010
> twitter/codedweller
[sniffer] Re: How fast is *my* MessageSniffer? (was: IP Change on rulebase delivery system)
Nice stats, Andrew!

And Pete, thanks for spending so much time and effort to make it work so well, despite us beating on you because it doesn't catch every spam campaign from the very first message! Sniffer has always been our number one tool in this battle.

Darin.

From: Colbeck, Andrew
Sent: Thursday, March 28, 2013 7:50 PM
To: Message Sniffer Community
Subject: [sniffer] How fast is *my* MessageSniffer? (was: IP Change on rulebase delivery system)

Answer: pretty darn fast for a system that I think is slow anyway

I think my MTA is a busy system, and I know that it's not MessageSniffer that keeps the server busy. A glance with Task Manager or Process Explorer shows very little CPU time is spent by MessageSniffer.

I threw some grepping etc and then Excel at the xml file for one average business day and came up with...

25% of messages are scanned within 100ms
50% of messages are scanned within 140ms
99% of messages are scanned within 330ms

I also looked at the "setup time". I'll spare you the graph; my results are:

80% of messages are loaded so quickly that the time is recorded as zero ms
85% of messages are loaded in 15ms or fewer
95% of messages are loaded in 30ms or fewer
99% of messages are loaded 125ms or fewer

Actually, everything above 98% of my volume takes longer to load but for ridiculously smaller volume of messages. A spot check shows that those are indeed rodents messages of unusual size.

Thanks for the nudge, Pete. I knew MessageSniffer was fast, I just hadn't bothered to quantify it before.

Andrew.

-Original Message-
From: Message Sniffer Community [mailto:sniffer@sortmonster.com] On Behalf Of Pete McNeil
Sent: Wednesday, March 27, 2013 2:43 PM
To: Message Sniffer Community
Subject: [sniffer] Re: IP Change on rulebase delivery system

On 2013-03-27 17:16, Richard Stupek wrote:

> The spikes aren't as prolonged at the present.

Interesting.

A short spike like that might be expected if the message was longer than usual, but on average SNF should be very light-weight.

One thing you can check is the performance data in your logs. That will show how much time in cpu milliseconds it is taking for each scan and how long the scans are in bytes. This might shed some light.

http://www.armresearch.com/support/articles/software/snfServer/logFiles/activityLogs.jsp

Look for something like <p s='10' t='8' l='3294' d='84'/> in each scan.

From the documentation:

<s><p/></s> - Scan Performance Monitoring (performance='yes')
  p:s = Setup time in milliseconds
  p:t = Scan time in milliseconds
  p:l = Scan length in bytes
  p:d = Scan depth (peak evaluator count)

Best,

_M

--
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010
twitter/codedweller
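The two messages above describe the same workflow by hand: Pete names the <p> performance fields (setup, scan time, length, depth) and the GBUdb <g> verdict in each <s> record, Richard pastes records taking over a second, and Andrew reduces a day's log to percentiles with grep and Excel. The script below is an added example, not code from the thread or from ARM Research, that does the same reduction in Python: it parses the <s> records, reports nearest-rank percentiles of scan and setup time, lists scans over a threshold together with their length (so a slow scan of a huge message can be told apart from a slow host), and counts hits per rule id, which is the quickest way to notice a single rule firing far more often than usual, as in the Sniffer-Schemes FP report earlier on this page. The log structure is assumed from the quoted samples and field list only; the sample records, file names, timings, rule ids and documentation-range IPs are constructed.

```python
"""Summarise Message Sniffer (SNF) activity-log scan records.

Assumed structure (taken from the samples and field list quoted in the
thread, not from the SNF source): each scan is an <s> element whose <p>
child carries s=setup ms, t=scan ms, l=length in bytes, d=peak evaluator
count, whose <m> children name the rules that matched (r=rule id), and
whose <g> child carries the GBUdb verdict (r=range) for the connecting IP.
"""
import math
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample records modelled on the excerpts in the thread; file
# names, timings, rule ids and (documentation-range) IPs are made up.
SAMPLE_LOG = """\
<s u='20130328155503' m='\\temp\\a1.msg' s='0' r='0'><p s='0' t='12' l='3294' d='84'/><g o='0' i='192.0.2.10' t='u' c='0.48' p='-0.62' r='Normal'/></s>
<s u='20130328155506' m='\\temp\\a2.msg' s='60' r='5113015'><m s='60' r='5113015' i='235' e='280' f='m'/><p s='15' t='140' l='16658' d='129'/><g o='0' i='192.0.2.11' t='u' c='0.36' p='0.57' r='Normal'/></s>
<s u='20130328155509' m='\\temp\\a3.msg' s='0' r='0'><p s='0' t='90' l='8538' d='101'/><g o='0' i='192.0.2.12' t='u' c='0.40' p='0.10' r='Normal'/></s>
<s u='20130328155513' m='\\temp\\a4.msg' s='52' r='5470216'><m s='52' r='5470216' i='235' e='295' f='m'/><m s='52' r='5471910' i='949' e='1009' f='m'/><p s='30' t='330' l='25000' d='130'/><g o='0' i='192.0.2.13' t='u' c='0.54' p='0.82' r='Black'/></s>
<s u='20130328155520' m='\\temp\\a5.msg' s='0' r='0'><p s='125' t='1109' l='72697' d='127'/><g o='0' i='192.0.2.14' t='u' c='0.48' p='-0.62' r='Normal'/></s>
<s u='20130328155531' m='\\temp\\a6.msg' s='0' r='0'><p s='0' t='750' l='60000' d='120'/><g o='0' i='192.0.2.15' t='u' c='0.30' p='0.00' r='Normal'/></s>
<s u='20130328155540' m='\\temp\\a7.msg' s='0' r='0'><p s='0' t='95' l='9000' d='90'/><g o='0' i='192.0.2.16' t='u' c='0.20' p='-0.30' r='Normal'/></s>
<s u='20130328155622' m='\\temp\\a8.msg' s='60' r='5538969'><m s='60' r='5538969' i='221' e='236' f='m'/><p s='15' t='1312' l='17171' d='135'/><g o='0' i='192.0.2.17' t='u' c='0.63' p='0.76' r='Black'/></s>
<s u='20130328155630' m='\\temp\\a9.msg' s='0' r='0'><p s='0' t='60' l='4000' d='80'/><g o='0' i='192.0.2.18' t='u' c='0.10' p='0.05' r='Normal'/></s>
<s u='20130328155640' m='\\temp\\a10.msg' s='0' r='0'><p s='0' t='100' l='11000' d='95'/><g o='0' i='192.0.2.19' t='u' c='0.25' p='-0.10' r='Normal'/></s>
"""

# One <s ...>...</s> record at a time; DOTALL in case a record spans lines.
SCAN_RE = re.compile(r"<s [^>]*>.*?</s>", re.DOTALL)


def parse_scans(log_text):
    """Yield one dict per <s> record that carries a <p> performance element."""
    for match in SCAN_RE.finditer(log_text):
        scan = ET.fromstring(match.group(0))
        perf = scan.find("p")
        if perf is None:
            continue  # performance='yes' was not enabled for this record
        gbudb = scan.find("g")
        yield {
            "when": scan.get("u"),
            "file": scan.get("m"),
            "result": int(scan.get("s", "0")),  # final result code, 0 = clean
            "rules": [m.get("r") for m in scan.findall("m")],
            "setup_ms": int(perf.get("s")),
            "scan_ms": int(perf.get("t")),
            "length": int(perf.get("l")),
            "depth": int(perf.get("d")),
            "ip": gbudb.get("i") if gbudb is not None else None,
            "range": gbudb.get("r") if gbudb is not None else None,
        }


def percentile(values, pct):
    """Nearest-rank percentile: pct% of the samples are <= the returned value."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct * len(ordered) / 100))
    return ordered[rank - 1]


def summarize(log_text, slow_ms=1000):
    """Percentiles, slow scans, rule-hit counts and GBUdb ranges for a log."""
    scans = list(parse_scans(log_text))
    if not scans:
        raise ValueError("no <s> records with performance data found")
    return {
        "count": len(scans),
        "scan_ms": {p: percentile([s["scan_ms"] for s in scans], p) for p in (25, 50, 99)},
        "setup_ms": {p: percentile([s["setup_ms"] for s in scans], p) for p in (80, 95, 99)},
        # Scans over slow_ms are worth reading next to their length (l): a
        # long message explains a spike, a short one points at the host.
        "slow": [(s["when"], s["file"], s["scan_ms"], s["length"])
                 for s in scans if s["scan_ms"] > slow_ms],
        "rule_hits": dict(Counter(r for s in scans for r in s["rules"])),
        "by_range": dict(Counter(s["range"] for s in scans)),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['count']} scans")
    for p, ms in report["scan_ms"].items():
        print(f"  {p}% of messages scanned within {ms} ms")
    for p, ms in report["setup_ms"].items():
        print(f"  {p}% of messages loaded in {ms} ms or fewer")
    for when, name, ms, length in report["slow"]:
        print(f"  slow: {when} {name} {ms} ms for {length} bytes")
    print("  rule hits:", report["rule_hits"])
    print("  GBUdb ranges:", report["by_range"])
```

Point the script at a real activity log by reading the file into `summarize()` in place of `SAMPLE_LOG`; a high setup-time percentile with ordinary scan times is the pattern Darin's directory-size diagnosis would produce, while a high scan-time percentile on short messages is what to look at for engine or rulebase trouble.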
[sniffer] Re: Slow processing times, errors
When we had sluggish performance similar to yours, resulting in numerous sniffer .tmp files in the spool, the cause was eventually traced to a proliferation of files in the sniffer directory. Clearing them out brought performance back up to normal.

Darin.

From: e...@protologic.com
Sent: Thursday, June 27, 2013 5:17 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Slow processing times, errors

We were experiencing this several days ago and couldn't find a fix that worked or worked for long. We uninstalled SNF and reinstalled and have not detected a problem since. I will check the logs and report back if I see anything intermittent.

Sent using SmarterSync Over-The-Air sync for iPad, iPhone, BlackBerry and other SmartPhones. May use speech to text. If something seems odd please don't hesitate to ask for clarification. E.O.E.

On 2013-06-27, at 2:06 PM, Matt wrote:

> Pete,
>
> I've had many recent incidences where, as it turns out, SNFclient.exe takes 30 to 90 seconds to respond to every message with a result code (normally less than a second), and as a result backs up processing. Restarting the Sniffer service seems to do the trick, but I only tested that for the first time today after figuring this out. I believe the events are triggered by updates, but I'm not sure as of yet. Updates subsequent to the slow down do not appear to fix the situation, so it seems to be resident in the service.
>
> When this happens, my SNFclient.exe.err log fills up with lines like this:
>
> 20130627155608, arg1=F:\\proc\work\D6063018a2550.smd : Could Not Connect!
>
> At the same time, my Sniffer logs start showing frequent ERROR_MSG_FILE results on about 1/8th of the messages.
>
> I'm currently using the service version 3.0.2-E3.0.17. It's not entirely clear to me what the most current one is.
>
> Any suggestions as to the cause or solution?
>
> Thanks,
>
> Matt
[sniffer] Re: Slow processing times, errors
Hi Matt,

We started having that problem coincidentally right after we upgraded to 3.x. For us the .tmp file creation in the spool was indicative of sniffer processing delays. We do have Sniffer modifying headers.

Darin.

From: Matt
Sent: Thursday, June 27, 2013 5:32 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Slow processing times, errors

Darin,

I'm not seeing that sort of thing. With 3.x, there doesn't appear to be any extraneous file creation in the Sniffer program directory, and never any TMP files in my spool. I do not have Sniffer modifying headers, so that may be different on our systems.

Matt

On 6/27/2013 5:25 PM, Darin Cox wrote:

> When we had sluggish performance similar to yours, resulting in numerous sniffer .tmp files in the spool, the cause was eventually traced to a proliferation of files in the sniffer directory. Clearing them out brought performance back up to normal.
>
> Darin.
>
> From: e...@protologic.com
> Sent: Thursday, June 27, 2013 5:17 PM
> To: Message Sniffer Community
> Subject: [sniffer] Re: Slow processing times, errors
>
> We were experiencing this several days ago and couldn't find a fix that worked or worked for long. We uninstalled SNF and reinstalled and have not detected a problem since. I will check the logs and report back if I see anything intermittent.
>
> Sent using SmarterSync Over-The-Air sync for iPad, iPhone, BlackBerry and other SmartPhones. May use speech to text. If something seems odd please don't hesitate to ask for clarification. E.O.E.
>
> On 2013-06-27, at 2:06 PM, Matt wrote:
>
> > Pete,
> >
> > I've had many recent incidences where, as it turns out, SNFclient.exe takes 30 to 90 seconds to respond to every message with a result code (normally less than a second), and as a result backs up processing. Restarting the Sniffer service seems to do the trick, but I only tested that for the first time today after figuring this out. I believe the events are triggered by updates, but I'm not sure as of yet. Updates subsequent to the slow down do not appear to fix the situation, so it seems to be resident in the service.
> >
> > When this happens, my SNFclient.exe.err log fills up with lines like this:
> >
> > 20130627155608, arg1=F:\\proc\work\D6063018a2550.smd : Could Not Connect!
> >
> > At the same time, my Sniffer logs start showing frequent ERROR_MSG_FILE results on about 1/8th of the messages.
> >
> > I'm currently using the service version 3.0.2-E3.0.17. It's not entirely clear to me what the most current one is.
> >
> > Any suggestions as to the cause or solution?
> >
> > Thanks,
> >
> > Matt
[sniffer] Re: What is your oldest production CPU?
Hi Pete,

Our oldest production servers still have 1.1 - 1.4 GHz P3's in them. However, for mail our oldest are quad core 3Ghz Xeons.

Darin.

-Original Message-
From: Pete McNeil
Sent: Friday, December 27, 2013 9:43 AM
To: Message Sniffer Community
Subject: [sniffer] What is your oldest production CPU?

Hello Sniffer Folks,

We would like to know what your oldest production CPU is.

When building new binaries of SNF or its utilities we would like to select the newest CPU we can without leaving anybody behind.

We're also evaluating whether we should split binaries into a compatible version based on Intel i686 (or equivalent AMD), and a current version based on Intel Core2 (or equivalent AMD).

Please respond here.

Thanks for your time!!

_M

--
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010
twitter/codedweller