[sniffer] Re: What is your oldest production CPU?
A modern Xeon dual core, also within VMware:

PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 37 Stepping 1, GenuineIntel

The oldest virtualized CPU is:

PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 7, GenuineIntel

Both identify as Xeon E5xxx models which are about two years old. Despite the long service of the name Xeon these are modern Core2 based CPUs. I don't have any servers or lab machines that are so old they'd need a Pentium Pro era compatible i686 build.

Thanks for asking!

Andrew.

-----Original Message-----
From: Message Sniffer Community [mailto:sniffer@sortmonster.com] On Behalf Of Pete McNeil
Sent: Friday, December 27, 2013 6:44 AM
To: Message Sniffer Community
Subject: [sniffer] What is your oldest production CPU?

Hello Sniffer Folks,

We would like to know what your oldest production CPU is. When building new binaries of SNF or its utilities we would like to select the newest CPU we can without leaving anybody behind.

We're also evaluating whether we should split binaries into a compatible version based on Intel i686 (or equivalent AMD), and a current version based on Intel Core2 (or equivalent AMD).

Please respond here.

Thanks for your time!!

_M

--
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010
twitter/codedweller

#
This message is sent to you because you are subscribed to the mailing list sniffer@sortmonster.com.
This list is for discussing Message Sniffer, Anti-spam, Anti-Malware, and related email topics.
For More information see http://www.armresearch.com
To unsubscribe, E-mail to: sniffer-...@sortmonster.com
To switch to the DIGEST mode, E-mail to sniffer-dig...@sortmonster.com
To switch to the INDEX mode, E-mail to sniffer-in...@sortmonster.com
Send administrative queries to sniffer-requ...@sortmonster.com

This message (and any associated files) may contain confidential, proprietary and/or privileged material and access to these materials by anyone other than the intended recipient is unauthorized. Unauthorized recipients are required to maintain confidentiality. Any review, retransmission, dissemination or other use of these materials by persons or entities other than the intended recipient is prohibited and may be unlawful. If you have received this message in error, please notify us immediately and destroy the original.
[sniffer] How fast is *my* MessageSniffer? (was: IP Change on rulebase delivery system)
Answer: pretty darn fast for a system that I think is slow anyway

I think my MTA is a busy system, and I know that it's not MessageSniffer that keeps the server busy. A glance with Task Manager or Process Explorer shows very little CPU time is spent by MessageSniffer.

I threw some grepping etc and then Excel at the xml file for one average business day and came up with...

25% of messages are scanned within 100ms
50% of messages are scanned within 140ms
99% of messages are scanned within 330ms

I also looked at the setup time. I'll spare you the graph; my results are:

80% of messages are loaded so quickly that the time is recorded as zero ms
85% of messages are loaded in 15ms or fewer
95% of messages are loaded in 30ms or fewer
99% of messages are loaded in 125ms or fewer

Actually, everything above 98% of my volume takes longer to load but for a ridiculously smaller volume of messages. A spot check shows that those are indeed rodents messages of unusual size.

Thanks for the nudge, Pete. I knew MessageSniffer was fast, I just hadn't bothered to quantify it before.

Andrew.

-----Original Message-----
From: Message Sniffer Community [mailto:sniffer@sortmonster.com] On Behalf Of Pete McNeil
Sent: Wednesday, March 27, 2013 2:43 PM
To: Message Sniffer Community
Subject: [sniffer] Re: IP Change on rulebase delivery system

On 2013-03-27 17:16, Richard Stupek wrote:
> The spikes aren't as prolonged at the present.

Interesting.

A short spike like that might be expected if the message was longer than usual, but on average SNF should be very light-weight.

One thing you can check is the performance data in your logs. That will show how much time in cpu milliseconds it is taking for each scan and how long the scans are in bytes. This might shed some light.

http://www.armresearch.com/support/articles/software/snfServer/logFiles/activityLogs.jsp

Look for something like <p s='10' t='8' l='3294' d='84'/> in each scan.

From the documentation:

<s><p/></s> - Scan Performance Monitoring (performance='yes')
p:s = Setup time in milliseconds
p:t = Scan time in milliseconds
p:l = Scan length in bytes
p:d = Scan depth (peak evaluator count)

Best,

_M

--
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010
twitter/codedweller
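Pete's <p .../> attributes and Andrew's "X% of messages are scanned within N ms" figures can be produced without Excel. The Python below is an added example, not code from the thread or from the SNF distribution: it assumes only what Pete states, that each scan record carries a <p s= t= l= d=/> element with the attributes in that order, and the <s u=...> wrapper in the constructed sample log is illustrative rather than the real activity-log schema.

```python
"""Percentiles of Message Sniffer scan performance from <p/> records.

Added example, not code from ARM Research or the SNF distribution. It relies only
on what the thread states about the activity log: each scan carries a
<p s='..' t='..' l='..' d='..'/> element, where s is setup time (ms), t is scan
time (ms), l is scan length (bytes) and d is peak evaluator depth. The <s u=...>
wrapper in the sample below is constructed for illustration, not the real schema.
"""
import math
import re
from typing import Dict, List, Sequence

# Attribute order s, t, l, d as in the sample Pete quotes.
P_RE = re.compile(r"<p\s+s='(\d+)'\s+t='(\d+)'\s+l='(\d+)'\s+d='(\d+)'\s*/>")

# Constructed sample: ten scans, the last one a large message that takes far longer.
SAMPLE_LOG = """\
<s u='20130327120001'><p s='0' t='80' l='2100' d='40'/></s>
<s u='20130327120002'><p s='0' t='95' l='3100' d='55'/></s>
<s u='20130327120003'><p s='0' t='110' l='3300' d='60'/></s>
<s u='20130327120004'><p s='15' t='120' l='4100' d='62'/></s>
<s u='20130327120005'><p s='0' t='130' l='4400' d='70'/></s>
<s u='20130327120006'><p s='0' t='140' l='5000' d='71'/></s>
<s u='20130327120007'><p s='15' t='160' l='6200' d='80'/></s>
<s u='20130327120008'><p s='30' t='200' l='9000' d='84'/></s>
<s u='20130327120009'><p s='0' t='330' l='12000' d='90'/></s>
<s u='20130327120010'><p s='125' t='1900' l='480000' d='95'/></s>
"""


def parse_perf(log_text: str) -> List[Dict[str, int]]:
    """One dict per <p/> record: setup, scan, length, depth (all ints)."""
    return [
        {"setup": int(s), "scan": int(t), "length": int(l), "depth": int(d)}
        for s, t, l, d in P_RE.findall(log_text)
    ]


def percentile(values: Sequence[int], pct: float) -> int:
    """Nearest-rank percentile: the smallest sample with at least pct% of samples <= it."""
    if not values:
        raise ValueError("no samples")
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100.0 * len(ordered)))
    return ordered[rank - 1]


def summarize(records: List[Dict[str, int]], pcts=(25, 50, 95, 99)) -> Dict[str, Dict[int, int]]:
    """'X% of messages are scanned within N ms', for setup and scan time."""
    return {
        field: {p: percentile([r[field] for r in records], p) for p in pcts}
        for field in ("setup", "scan")
    }


def slow_scans(records: List[Dict[str, int]], threshold_ms: int) -> List[Dict[str, int]]:
    """Records at or above threshold_ms scan time, so the tail can be spot-checked
    against message length the way Andrew did."""
    return [r for r in records if r["scan"] >= threshold_ms]


if __name__ == "__main__":
    recs = parse_perf(SAMPLE_LOG)
    for field, table in summarize(recs).items():
        for p, ms in table.items():
            print(f"{p:>3}% of messages: {field} within {ms} ms")
    for r in slow_scans(recs, 330):
        print(f"slow scan: {r['scan']} ms for {r['length']} bytes")
```

Point it at a real activity log by reading the file into parse_perf(); the regex ignores everything except the <p/> elements, so the rest of the record layout does not matter. Nearest-rank is used deliberately: with a heavy tail like the 480 KB message above, an interpolated percentile would report a scan time no message actually had.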
[sniffer] Creeping higher on those rule numbers
Via the GnuWin32 tools on my Windows server:

C:\MessageSniffer>grep -P Match\t munged.2012062?.log | cut -f7 | usort | uniq -c | usort -k2 -n -r 2>nul | head
      2 4991501
      8 4991483
      8 4991462
      8 4991459
      8 4991457
      8 4991456
      8 4991446
      6 4991286
      3 4991284
     11 4991231

From the top down, this is the top ten highest rule numbers (column 2) that I've seen today and yesterday, and their volume (column 1).

So, the highest rule number I've seen in the last two days is 4,991,501 and I've seen it twice.

That was the list of rules I've seen. Here's the list of rules that were matched as the winning rule for the message scanned:

C:\MessageSniffer>grep -P Final\t munged.2012062?.log | cut -f7 | usort | uniq -c | usort -k2 -n -r 2>nul | head
      2 4991501
      8 4991446
      6 4991286
      3 4991284
      3 4991231
      6 4991221
      1 4991178
      1 4991130
      1 4991120
      5 4991105

(Oh, and I replaced my License ID with the text munged before I pasted the command line into this email.)

Andrew 8)
[sniffer] Ok, I'm the 3rd person to ever report the Bad Matrix error on this mailing list
awards self a blue ribbon for 3rd place

From SNFclient.exe.err I saw these errors repeated for every message processed:

20120107155711, arg1=C:\IMail\spool\proc\work\D016759002.smd : Could Not Connect!

The srvany.exe was running, but the SNFserver.exe wasn't, or wasn't healthy. Each SNFclient.exe had to read the .gbx file itself and process mail (I think) as they could not connect to the local server. There was no logging to the licence.date.log file. There was no update to the .gbx file, because SNFserver.exe does this work, and either wasn't running or wasn't listening on port 9001/TCP.

Stopping the MessageSniffer Windows service, making sure that srvany.exe and SNFserver.exe weren't running and deleting the .state file then restarting the service: same result.

Stopping the MessageSniffer Windows service, making sure that srvany.exe and SNFserver.exe weren't running and deleting the .state file then starting manually with:

SNFServer.exe C:\MessageSniffer\snf_engine.xml

resulted in the error message:

SNF Server Version 3.0 Build: Jun 26 2008 13:25:19
SNFMulti Engine Version 3.0 Build: Jun 26 2008 13:25:06
Launching with C:\MessageSniffer\snf_engine.xml
Unhandled Exception: _snf_LoadNewRulebase() TokenMatrix::BadMatrix Thrown!

At this point I didn't even look at the rulebase size or date, I made sure SNFserver.exe wasn't running, then ran my old UpdateSniffer.cmd script, which still worked. I started the Windows service, and sniffing was back to normal.

The lesson here for me is to put the update script back into service, but to only try downloading if the rulebase is old enough to be suspicious.

If there's a lesson here for the SortMonsters, it's to make sure that a bad matrix error doesn't interfere with downloading a fresh rulebase so that SNFserver.exe can get itself out of that jam.

Andrew from Vancouver
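The lesson Andrew draws, fetch only when the rulebase is old enough to be suspicious and never let a bad download clobber the file the server is using, is a small amount of code. The Python below is an added example, not Andrew's UpdateSniffer.cmd and not ARM Research code. It does not know how the real rulebase download works (URL, credentials and file name are not on this page), so the fetch step is an injected callable and the file name munged.snf is a placeholder; the age gate, size check and atomic swap are the part worth copying.

```python
"""Age-gated rulebase refresh with a safe swap.

Added example, not the UpdateSniffer.cmd script from the thread or any ARM
Research code. Only fetch when the local rulebase is stale, sanity-check the
download, then swap it in atomically and keep the previous copy as .bak. The
fetch() callable and the file name are placeholders: the real download
mechanism is not described on this page and is not assumed here.
"""
import os
import shutil
import tempfile
import time
from pathlib import Path
from typing import Callable, List, Optional


def rulebase_is_stale(path: Path, max_age_s: float, now: Optional[float] = None) -> bool:
    """True when the rulebase is missing or its mtime is older than max_age_s."""
    if not path.exists():
        return True
    now = time.time() if now is None else now
    return (now - path.stat().st_mtime) > max_age_s


def refresh_rulebase(path: Path, fetch: Callable[[], bytes], max_age_s: float,
                     now: Optional[float] = None, min_size: int = 1024) -> str:
    """Returns 'fresh' (nothing done), 'rejected' (download looked wrong) or 'replaced'.

    The download lands in a sibling temp file first; os.replace() then swaps it in,
    so a reader never sees a half-written rulebase, and the old file survives as .bak.
    """
    if not rulebase_is_stale(path, max_age_s, now):
        return "fresh"
    data = fetch()
    if len(data) < min_size:  # an error page or empty body is not a rulebase
        return "rejected"
    tmp = path.with_name(path.name + ".download")
    tmp.write_bytes(data)
    if path.exists():
        shutil.copy2(path, path.with_name(path.name + ".bak"))
    os.replace(tmp, path)  # atomic on the same filesystem
    return "replaced"


def demo_in_tempdir() -> List:
    """Exercise the three interesting cases in a scratch directory; returns the outcomes."""
    out: List = []
    with tempfile.TemporaryDirectory() as d:
        rb = Path(d) / "munged.snf"  # placeholder name
        rb.write_bytes(b"A" * 4096)
        fresh_now = time.time()
        stale_now = fresh_now + 2 * 3600  # pretend two hours have passed
        # 1: a fresh file is left alone even though the fetch would succeed
        out.append(refresh_rulebase(rb, lambda: b"B" * 4096, 3600, now=fresh_now))
        # 2: stale, but the download is too small to be real: keep the old file
        out.append(refresh_rulebase(rb, lambda: b"<html>503</html>", 3600, now=stale_now))
        out.append(rb.read_bytes()[:1] == b"A")
        # 3: stale and a plausible download: swapped in, old copy kept as .bak
        out.append(refresh_rulebase(rb, lambda: b"B" * 4096, 3600, now=stale_now))
        out.append(rb.read_bytes()[:1] == b"B")
        out.append((Path(d) / "munged.snf.bak").read_bytes()[:1] == b"A")
    return out


if __name__ == "__main__":
    print(demo_in_tempdir())
```

Because the swap never depends on SNFServer being up, this path still works in the failure Andrew hit: the server is stuck on a BadMatrix exception, the client falls back to reading the rulebase itself, and an independent, age-gated fetch is the only thing that can get a good file back under it.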
[sniffer] Re: Training GBUdb on the client IP for telus.net
(Whups, I forgot the other important bit)

Replying to my own email, here's the snf_engine.xml snippet

<header name='X-Telus-Outbound-IP:' received='.telus.net [' ordinal='0' />

Which is in the GBUDB/Training/Source section as per:

http://www.armresearch.com/support/articles/software/snfServer/config/node/gbudb/training/source-header.jsp

Andrew.

-----Original Message-----
From: Message Sniffer Community [mailto:sniffer@sortmonster.com] On Behalf Of Colbeck, Andrew
Sent: Monday, October 24, 2011 11:47 AM
To: Message Sniffer Community
Subject: [sniffer] Training GBUdb on the client IP for telus.net

Given the attached header text, would this snippet in snf_engine.xml help me to train GBUdb on the email clients' IP address from this specific ISP?

I tested by querying:

SNFClient.exe -test 216.218.29.230

And then re-testing the spam, and then querying GBUdb again. The second test showed that good count had moved from zero to one and the whole email scan status was clean.

That tells me the test is good, but I'm not sure it's right.

Thanks,

Andrew.
[sniffer] Training GBUdb on the client IP for aol.com
Another test, this time to update the X-AOL-IP: header, which in my last few false-negatives have the standard X-Originating-IP: header ... I don't know if AOL has deprecated the X-AOL-IP: header or whether it is used under different client circumstances.

<header name='X-Originating-IP:' received='.aol.com [' ordinal='0' />

Thanks,

Andrew.

Received: from ims-d13.mx.aol.com [205.188.249.150] by mail.bentallkennedy.com (Alligate(TM) SMTP Gateway v3.11.1.27) with ESMPT id b2422ac5b51ee835.91caf27363339...@mail.bentallkennedy.com for mun...@bentall.com; Mon, 24 Oct 2011 07:57:29 -0700
Received: from oms-ma01.r1000.mx.aol.com (oms-ma01.r1000.mx.aol.com [64.12.140.129]) by ims-d13.mx.aol.com (8.14.1/8.14.1) with ESMTP id p9OEsXBo016219; Mon, 24 Oct 2011 10:54:37 -0400
Received: from mtaomg-da05.r1000.mx.aol.com (mtaomg-da05.r1000.mx.aol.com [172.29.51.141]) by oms-ma01.r1000.mx.aol.com (AOL Outbound OMS Interface) with ESMTP id 737A43883; Mon, 24 Oct 2011 10:54:37 -0400 (EDT)
Received: from core-dnc002b.r1000.mail.aol.com (core-dnc002.r1000.mail.aol.com [172.29.176.5]) by mtaomg-da05.r1000.mx.aol.com (OMAG/Core Interface) with ESMTP id E6EA2E9B; Mon, 24 Oct 2011 10:54:36 -0400 (EDT)
To: g...@lawkessler.com, ga...@coastalnet.com, gaum...@uniserve.com, gayanboral...@yahoo.com, gaye@usbank.com, mun...@bentall.com, gcr...@jfbb.com, gcr...@macquarie.com, geanne_blaz...@hodgsonruss.com
Content-Transfer-Encoding: quoted-printable
Subject:
X-MB-Message-Source: WebUI
X-MB-Message-Type: User
MIME-Version: 1.0
From: ghang...@aol.com
Content-Type: text/plain; charset=us-ascii; format=flowed
X-Mailer: AOL Webmail 34290-PHONE
Received: from 92.231.217.255 by webmail-d011.sysops.aol.com (205.188.180.146) with HTTP (WebMailUI); Mon, 24 Oct 2011 10:54:36 -0400
Message-Id: <8ce6073fbc96840-1fb8-40...@webmail-d011.sysops.aol.com>
X-Originating-IP: [92.231.217.255]
Date: Mon, 24 Oct 2011 10:54:36 -0400 (EDT)
x-aol-global-disposition: S
X-SPAM-FLAG:YES
X-AOL-SCOLL-SCORE: 0:2:173591936:93952408
X-AOL-SCOLL-URL_COUNT: 0
X-AOL-REROUTE: YES
x-aol-sid: 3039ac1d338d4ea57c2c1502
Return-Path: <ghang...@aol.com>
[sniffer] Re: Training GBUdb on the client IP for telus.net
That's a very interesting question, Pete. Are you saying that the source section is used to override the normal hop 0 / ordinal 0 IP address? If so, I didn't realize it, I thought this was an additional IP address for GBU to examine.

I think the answer is yes, I don't want to inspect the ISP's outbound gateway, and I do want to inspect the client IP that originated the email.

Andrew.

-----Original Message-----
From: Message Sniffer Community [mailto:sniffer@sortmonster.com] On Behalf Of Pete McNeil
Sent: Monday, October 24, 2011 12:28 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Training GBUdb on the client IP for telus.net

On 10/24/2011 3:20 PM, Colbeck, Andrew wrote:
> <header name='X-Telus-Outbound-IP:

Hrmm... Do you want the source to be the outbound IP?

_M

--
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010
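The two <header .../> snippets in this thread (the telus.net one above and the aol.com one in the previous message) are easier to reason about with the selection logic written out. The Python below is an added example, not code from ARM Research or the SNF engine. It implements the reading Pete's question implies and Andrew accepts: when the Received header at position `ordinal` contains the `received` text, the IP in the named header replaces the hop-0 IP that GBUdb would otherwise learn from; otherwise hop 0 is used as normal. That override semantics is an assumption drawn from the thread, not from the SNF documentation, and whether X-Telus-Outbound-IP actually carries the client address rather than the ISP gateway is exactly what Pete questions; the code shows the mechanism only. The AOL headers are trimmed from the sample posted above (addresses omitted); the Telus and third-party samples are constructed with documentation-range IPs.

```python
"""Pick the GBUdb training source IP from a named header, gated on hop 0.

Added example, not ARM Research or SNF engine code. Models the <source>/<header
name=.. received=.. ordinal=.. /> snippets from this thread under the assumption
(taken from Pete's question, not from the SNF docs) that a matching rule replaces
the hop-0 IP with the IP found in the named header.
"""
import email
import re
from typing import Dict, List, Optional, Tuple

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BARE_IP = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Mirrors the two <header .../> snippets posted in this thread.
SOURCE_RULES: List[Dict] = [
    {"name": "X-Telus-Outbound-IP:", "received": ".telus.net [", "ordinal": 0},
    {"name": "X-Originating-IP:", "received": ".aol.com [", "ordinal": 0},
]

# Trimmed from the AOL sample in the thread; recipient and sender addresses omitted.
AOL_HEADERS = "\n".join([
    "Received: from ims-d13.mx.aol.com [205.188.249.150] by mail.bentallkennedy.com "
    "(Alligate(TM) SMTP Gateway v3.11.1.27) with ESMPT; Mon, 24 Oct 2011 07:57:29 -0700",
    "Received: from oms-ma01.r1000.mx.aol.com (oms-ma01.r1000.mx.aol.com [64.12.140.129]) "
    "by ims-d13.mx.aol.com (8.14.1/8.14.1) with ESMTP id p9OEsXBo016219; Mon, 24 Oct 2011 10:54:37 -0400",
    "Received: from 92.231.217.255 by webmail-d011.sysops.aol.com (205.188.180.146) "
    "with HTTP (WebMailUI); Mon, 24 Oct 2011 10:54:36 -0400",
    "X-Mailer: AOL Webmail 34290-PHONE",
    "X-Originating-IP: [92.231.217.255]",
])

# Constructed: a Telus gateway at hop 0 (hostname and IPs are illustrative).
TELUS_HEADERS = "\n".join([
    "Received: from mx-out.telus.net [198.51.100.7] by mail.example.com with ESMTP; "
    "Mon, 24 Oct 2011 12:00:00 -0700",
    "X-Telus-Outbound-IP: 203.0.113.44",
])

# Constructed: hop 0 is not an ISP we have a rule for, so the header below is ignored
# even though it is present (it could just as well have been forged by the sender).
OTHER_HEADERS = "\n".join([
    "Received: from mx.example.net (mx.example.net [198.51.100.9]) by mail.example.com "
    "with ESMTP; Mon, 24 Oct 2011 12:00:00 -0700",
    "X-Originating-IP: [203.0.113.99]",
])


def first_ip(text: str) -> Optional[str]:
    """A bracketed [a.b.c.d] wins (that is the receiving MTA's own record); else the first bare IPv4."""
    m = BRACKETED_IP.search(text) or BARE_IP.search(text)
    return m.group(1) if m else None


def training_source_ip(raw_headers: str, rules: List[Dict] = SOURCE_RULES) -> Tuple[Optional[str], str]:
    """Return (ip, 'override' | 'default'): the IP GBUdb should learn from, and why."""
    msg = email.message_from_string(raw_headers)
    received = msg.get_all("Received") or []  # top of the header block is hop 0
    for rule in rules:
        i = rule["ordinal"]
        if i < len(received) and rule["received"] in received[i]:
            value = msg.get(rule["name"].rstrip(":"))
            ip = first_ip(value) if value else None
            if ip:
                return ip, "override"
    return (first_ip(received[0]) if received else None), "default"


if __name__ == "__main__":
    for label, hdrs in (("aol", AOL_HEADERS), ("telus", TELUS_HEADERS), ("other", OTHER_HEADERS)):
        print(label, training_source_ip(hdrs))
```

The gate on the Received header is the whole security argument for this configuration: X-Originating-IP and similar headers are written by someone else's software and arrive inside the message, so any sender can add one. Only the hop-0 Received line is written by your own MTA, and only when that line says the connecting host really was the ISP's gateway is it reasonable to let the ISP's header name the client. Keep `ordinal='0'` for that reason; a rule on a deeper hop trusts a Received line you did not write.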
[sniffer] Nice job, sortmonsters!
Time to thwart a spam run from a fresh IP address: less than 18 minutes.

The first three emails from:

216.223.207.0/25

were allowed past MessageSniffer but fewer than 18 minutes into the spam run, the content triggers rule group 60, rule id 4224795.

(It is coupon spam, but probably fake affiliate marketing. Sent with lots of word salad).

Andrew 8)
[sniffer] Re: Change in default settings
Pete, for <sample on-off='on'> I wrote myself this note...

<!-- We can sample during a peek if passthrough = yes -->

... Is it still valid? Your sample and my own configuration have:

passthrough=no

On the balance of it, I suspect my own note is wrong, so it would be nice if you could verify it one way or the other.

Andrew.

-----Original Message-----
From: Message Sniffer Community [mailto:sniffer@sortmonster.com] On Behalf Of Pete McNeil
Sent: Monday, May 09, 2011 11:56 AM
To: Message Sniffer Community
Subject: [sniffer] Change in default settings

Hello Message Sniffer Folks,

We're recommending a change in the default settings for message sniffer in order to improve our response times for new campaigns. The change is small and enhances our virtual spamtrap technology so that we see new spams sooner and with greater sampling coverage.

If you locate this block of code in your snf_engine.xml file:

<black on-off='on' symbol='63'>
  <edge probability='0.8' confidence='0.2'/>
  <edge probability='0.8' confidence='1.0'/>
  <truncate on-off='on' probability='0.9' peek-one-in='3' symbol='20'/>
  <sample on-off='on' probability='0.8' grab-one-in='3' passthrough='no' passthrough-symbol='0'/>
</black>

You will notice that your settings are probably slightly different. The changes we would like you to make are:

peek-one-in='3'
grab-one-in='3'

Your current settings most likely use higher numbers for these settings.

Once you make the change and save your file then Message Sniffer should pick up the changes right away - you do not need to restart Message Sniffer when making adjustments to your configuration.

Please let us know if you have any questions.

Thanks!

_M

--
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010
[sniffer] Re: Change in default settings
Great. I'll remove the erroneous comment I made in my configuration files.

FWIW, I've set both peek-one-in='3' and grab-one-in='3' as the new recommended default.

Andrew.

-----Original Message-----
From: Message Sniffer Community [mailto:sniffer@sortmonster.com] On Behalf Of Pete McNeil
Sent: Monday, May 09, 2011 3:05 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Change in default settings

On 5/9/2011 4:53 PM, Colbeck, Andrew wrote:
> Pete, for <sample on-off='on'> I wrote myself this note...
>
> <!-- We can sample during a peek if passthrough = yes -->
>
> ... Is it still valid? Your sample and my own configuration have:
>
> passthrough=no
>
> On the balance of it, I suspect my own note is wrong, so it would be nice if you could verify it one way or the other.

The passthrough option is for local sampling. We have used it occasionally on our spamtrap processors, but not for some time.

Passthrough takes any messages that would have been samples and instead of sending them to the virtual spamtrap network it lets them go through with a specific result code. Presumably the local system would see the special result code and treat the message differently.

Please leave passthrough='no'

Thanks!

_M

--
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010
[sniffer] So, another botnet bites the dust.
Pete, now that Microsoft has taken down the Rustock botnet, what's your telemetry say about spam volumes? Any significant change?

http://blogs.technet.com/b/microsoft_blog/archive/2011/03/18/taking-down-botnets-microsoft-and-the-rustock-botnet.aspx

http://krebsonsecurity.com/2011/03/rustock-botnet-flatlined-spam-volumes-plummet/

But CommTouch doesn't think it made much of a dent:

http://blog.commtouch.com/cafe/anti-spam/has-the-reported-disruption-of-rustock-affected-spam-levels/

Andrew from Vancouver
[sniffer] Re: Rule Panic on 3364665
I have seen one hit, and it looks like a false positive to me. Sent as a sample to the false@ address.

Thanks for the heads-up, Darin.

Andrew.

From: Message Sniffer Community [mailto:snif...@sortmonster.com] On Behalf Of Darin Cox
Sent: Tuesday, August 17, 2010 12:11 PM
To: Message Sniffer Community
Subject: [sniffer] Rule Panic on 3364665

Hi,

We've had a lot of FPs on this rule, and wanted to alert everyone on it.

Pete, can you look into it?

Thanks,

Darin.
[sniffer] Re: Volume spike Mon 9AM EST
I'm not seeing any spike in inbound connections or accepted message counts. Actually, it's lower than Friday's volume and about the same as Thursday.

Andrew.

-----Original Message-----
From: Message Sniffer Community [mailto:snif...@sortmonster.com] On Behalf Of Peer-to-Peer (Support)
Sent: Monday, May 10, 2010 6:21 AM
To: Message Sniffer Community
Subject: [sniffer] Volume spike Mon 9AM EST

Just checking to see if anyone else is seeing a massive spike in volume. Something started occurring around 9AM EST. Not yet sure what's happening. Wondering if this is global attack or simply local on our system? Anyone seeing unusual activity - high volume?

--Paul R.
[sniffer] Re: Opening truncate.gbudb.net
I looked at the effectiveness of this test and I like what I'm seeing. The volume isn't high, but it is making a difference in the edge cases that are close to my hold weight.

In particular, I'm finding that it is triggering on pump and dump DKIM spam from fresh netblocks that would otherwise leak into my mailboxes. Some of those also trigger SNIFFERSCAM. So if you don't trust the global truncate test alone, it's a good test to combine with other weighted tests.

P.s. I'm also finding that truncate is triggering on email from some ISP users when I check multiple hops in the header. That probably means that I'm finding users with zombie infected computers, but I'm letting that mail in, so checking which IP addresses were hit is a small problem if I want to contact those people.

Andrew.

-----Original Message-----
From: Message Sniffer Community [mailto:snif...@sortmonster.com] On Behalf Of Pete McNeil
Sent: Thursday, April 29, 2010 2:08 PM
To: Message Sniffer Community
Subject: [sniffer] Opening truncate.gbudb.net

Hi Sniffer Folks,

We have been testing a blacklist based on real-time GBUdb data (generated from Message Sniffer). We have decided to experiment with opening up the blacklist for a wider audience and so as of now you can use truncate.gbudb.net as an ip4r test.

You should get a result of 127.0.0.1 if the IP is well into the truncate range -- That is: truncate.gbudb.net is designed to be ultra-conservative so that it should be safe to reject connections based on the test in most cases. This also means that it won't block everything -- only the worst of the worst. That said, the folks who have been testing it have reported that it did drop a significant amount of traffic from their systems on average.

Please keep us all posted about how it's working for you.

Thanks,

_M
[sniffer] Re: Opening truncate.gbudb.net
Hey, Pete.

I contacted one of the recipients and ran down one of those intermediate hops which triggered on truncate.gbudb.net ... It was an intermediate hop at AOL (rly presumably means relay)

Received: from smtprly-dd03.mx.aol.com (smtprly-dd03.mx.aol.com [205.188.84.131]) by cia-mb07.mx.aol.com (v128.3) with ESMTP id MAILCIAMB071-d4074be4e089be; Fri, 07 May 2010 23:54:50 -0400

This IP address seems to bridge the gap between AOL webmail and SMTP delivery. In this case, the user used the AOL webmail and then forwarded the message to the mailbox on our system.

The GBU list is emitting TXT records as well as the A record, perhaps it would be useful to actually state the IP as well in that text.

C:\temp>dig @8.8.8.8 131.84.188.205.truncate.gbudb.net any

; <<>> DiG 9.7.0rc1 <<>> @8.8.8.8 131.84.188.205.truncate.gbudb.net any
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55101
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;131.84.188.205.truncate.gbudb.net. IN ANY

;; ANSWER SECTION:
131.84.188.205.truncate.gbudb.net. 3600 IN A 127.0.0.2
131.84.188.205.truncate.gbudb.net. 3600 IN TXT "GBUdb Cloud Truncate c 0.2, p 0.9"

;; Query time: 812 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon May 10 13:08:17 2010
;; MSG SIZE rcvd: 117

I suggest that if others find this valuable as well, and you find it reasonable, that the text could look like this:

GBUdb Cloud Truncate c 0.2, p 0.9 for [205.188.84.131]

I'll send the whole header to support@ in case you are interested in this particular IP.

Andrew.

-----Original Message-----
From: Message Sniffer Community [mailto:snif...@sortmonster.com] On Behalf Of Colbeck, Andrew
Sent: Monday, May 10, 2010 9:03 AM
To: Message Sniffer Community
Subject: [sniffer] Re: Opening truncate.gbudb.net

I looked at the effectiveness of this test and I like what I'm seeing. The volume isn't high, but it is making a difference in the edge cases that are close to my hold weight.

In particular, I'm finding that it is triggering on pump and dump DKIM spam from fresh netblocks that would otherwise leak into my mailboxes. Some of those also trigger SNIFFERSCAM. So if you don't trust the global truncate test alone, it's a good test to combine with other weighted tests.

P.s. I'm also finding that truncate is triggering on email from some ISP users when I check multiple hops in the header. That probably means that I'm finding users with zombie infected computers, but I'm letting that mail in, so checking which IP addresses were hit is a small problem if I want to contact those people.

Andrew.

-----Original Message-----
From: Message Sniffer Community [mailto:snif...@sortmonster.com] On Behalf Of Pete McNeil
Sent: Thursday, April 29, 2010 2:08 PM
To: Message Sniffer Community
Subject: [sniffer] Opening truncate.gbudb.net

Hi Sniffer Folks,

We have been testing a blacklist based on real-time GBUdb data (generated from Message Sniffer). We have decided to experiment with opening up the blacklist for a wider audience and so as of now you can use truncate.gbudb.net as an ip4r test.

You should get a result of 127.0.0.1 if the IP is well into the truncate range -- That is: truncate.gbudb.net is designed to be ultra-conservative so that it should be safe to reject connections based on the test in most cases. This also means that it won't block everything -- only the worst of the worst. That said, the folks who have been testing it have reported that it did drop a significant amount of traffic from their systems on average.

Please keep us all posted about how it's working for you.

Thanks,

_M
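Pete's announcement of truncate.gbudb.net as an ip4r test, and Andrew's habit of checking every hop in the header, together describe a small piece of code. The Python below is an added example, not ARM Research code: the zone name and the answer formats (an A record in 127.0.0.0/8 when listed, a TXT of the form "GBUdb Cloud Truncate c 0.2, p 0.9") are taken from this thread, and the listed AOL relay 205.188.84.131 is the one from the dig output above. Everything else is this example's choice, including treating any 127/8 answer as a hit, since the thread shows both 127.0.0.1 and 127.0.0.2, and skipping private hops. The resolver is injectable so the sample runs offline against a constructed answer table; with the default it does real lookups.

```python
"""Query truncate.gbudb.net as an ip4r list, for one IP or every hop in a header.

Added example, not ARM Research code. Zone name and answer formats are from the
thread; the rest (any 127/8 answer counts as listed, private hops are skipped,
the offline fake resolver) is this example's design.
"""
import ipaddress
import re
import socket
from typing import Callable, Dict, List, Tuple

ZONE = "truncate.gbudb.net"
LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")
TXT_RE = re.compile(r"GBUdb Cloud Truncate c ([0-9.]+), p ([0-9.]+)")


def ip4r_name(ip: str, zone: str = ZONE) -> str:
    """205.188.84.131 -> 131.84.188.205.truncate.gbudb.net (raises on non-IPv4 input)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def parse_txt(txt: str) -> Dict[str, float]:
    """Confidence and probability from the TXT record the zone returns."""
    m = TXT_RE.search(txt)
    if not m:
        raise ValueError(f"unexpected TXT: {txt!r}")
    return {"confidence": float(m.group(1)), "probability": float(m.group(2))}


def is_listed(ip: str, resolve: Callable[[str], str] = socket.gethostbyname) -> bool:
    """True if the A lookup answers inside 127/8; NXDOMAIN (gaierror) means not listed."""
    try:
        answer = resolve(ip4r_name(ip))
    except socket.gaierror:
        return False
    return ipaddress.IPv4Address(answer) in LISTED_RANGE


def check_hops(hops: List[str], resolve: Callable[[str], str] = socket.gethostbyname) -> List[Tuple[str, str]]:
    """Check every Received hop, as Andrew's P.S. describes, and record which IP tripped.

    Private or reserved hops (AOL's 172.29.x.x internals in the header sample earlier
    in this archive) are skipped: they can never be listed, and querying them leaks
    your correspondents' internal topology to every resolver on the DNS path.
    """
    out: List[Tuple[str, str]] = []
    for ip in hops:
        if not ipaddress.IPv4Address(ip).is_global:
            out.append((ip, "skipped"))
        elif is_listed(ip, resolve):
            out.append((ip, "listed"))
        else:
            out.append((ip, "clean"))
    return out


def make_fake_resolver(table: Dict[str, str]) -> Callable[[str], str]:
    """Offline stand-in for socket.gethostbyname: constructed answers, NXDOMAIN otherwise."""
    def resolve(name: str) -> str:
        if name in table:
            return table[name]
        raise socket.gaierror(-2, "Name or service not known")
    return resolve


# Constructed answer table: only the AOL relay from the dig output above is listed.
FAKE_DNS = make_fake_resolver({"131.84.188.205.truncate.gbudb.net": "127.0.0.2"})


if __name__ == "__main__":
    for ip, verdict in check_hops(["172.29.51.141", "205.188.249.150", "205.188.84.131"], FAKE_DNS):
        print(f"{ip:>16} {verdict}")
    print(parse_txt("GBUdb Cloud Truncate c 0.2, p 0.9"))
```

socket.gethostbyname only fetches the A record; reading the TXT record with its c/p values needs a resolver library such as dnspython, which is why parse_txt() takes the string rather than doing the lookup itself. Andrew's suggestion that the TXT name the IP it describes is worth echoing in your own logging: when check_hops() runs over several hops, store the (ip, verdict) pairs rather than a single boolean, or you are back to not knowing which address to contact someone about.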
[sniffer] Re: RulePanic on 3059196
For what it is worth, there are zero hits on my two servers for this Rule. I looked back through the last 7 days.

Andrew.

-----Original Message-----
From: Message Sniffer Community [mailto:snif...@sortmonster.com] On Behalf Of Darin Cox
Sent: Tuesday, April 06, 2010 9:48 AM
To: Message Sniffer Community
Subject: [sniffer] Re: RulePanic on 3059196

Hi Pete,

We've put a RulePanic in for 3059196, as we're getting a lot of FPs on it. Can you look at this rule, and/or let me know what it is?

Thanks,

Darin.
[sniffer] Re: Bad rule alert: 2784910
All clear here, Pete. Thanks for both of the notices,

Andrew.

-----Original Message-----
From: Message Sniffer Community [mailto:snif...@sortmonster.com] On Behalf Of Pete McNeil
Sent: Thursday, November 26, 2009 8:45 AM
To: Message Sniffer Community
Subject: [sniffer] Bad rule alert: 2784910

This bad rule was created 2009-11-26 07:38:32
The bad rule was detected and removed at 11:40:00

The rule matches a binary sequence in some image file attachments.

Sorry for the inconvenience.

Best,

_M
[sniffer] Re: RulePanic on 2654821
The scores over here for the messages that trigger on rule 2654821 today:

spam that hit the rule: 4
... and were porn: 0
ham that was held by my weight system: 5
ham that was allowed by my weight system: 3
subsequent panic log lines: 139

Thanks for the heads up, Darin. I was able to re-queue those 5 good messages without the users ever having to call the Helpdesk.

Andrew 8)

From: Message Sniffer Community [mailto:snif...@sortmonster.com] On Behalf Of Darin Cox
Sent: Tuesday, September 08, 2009 1:49 PM
To: Message Sniffer Community
Subject: [sniffer] Re: RulePanic on 2654821

Neglected to mention it is a Sniffer-Porn rule.

Darin.

----- Original Message -----
From: Darin Cox mailto:dc...@4cweb.com
To: Message Sniffer Community mailto:sniffer@sortmonster.com
Sent: Tuesday, September 08, 2009 4:47 PM
Subject: [sniffer] RulePanic on 2654821

We had to put a RulePanic on 2654821. We were getting a ton of FPs on it. Pete, let us know what's going on with this rule, please.

Darin.
[sniffer] Re: SNFMilter released and a few other updates...
Niiice, Pete.

Andrew 8)

-----Original Message-----
From: Message Sniffer Community [mailto:snif...@sortmonster.com] On Behalf Of Pete McNeil
Sent: Wednesday, July 29, 2009 2:51 PM
To: Message Sniffer Community
Subject: [sniffer] SNFMilter released and a few other updates...

Hello Sniffer Folks,

Today we've officially released SNFMilter - a version of Message Sniffer that integrates directly with sendmail and postfix servers. Here are some links:

https://www.milter.org/milter/75
http://www.armresearch.com/products/index.jsp

We've also posted a new version of our Client/Server distribution for Linux, BSD, other *nix systems. You can find snf-server-3.0.9.tar.gz on our products page:

http://www.armresearch.com/products/index.jsp

* This update contains a fix for a minor bug in the CodeDweller/Networking code: Under some (rare) circumstances SNFServer would exit with SIGPIPE. The new code includes an appropriate use of MSG_NOSIGNAL or SO_NOSIGPIPE depending on the platform used to build the software. The SIGPIPE bug does not affect Windows systems... However a new update to the windows installer is due relatively soon just to keep all of the versions up to date and to update some documentation for some of the integrated platforms.

* This update includes improved control scripts that provide for a special debug mode. The debug mode runs SNFServer with a number of debugging options enabled to capture detailed information about how SNFServer is running. Most folks will never need this ;-)

Other improvements to the source code have also been included.

That's all for now. Please let us know if there's more we can do.

Thanks!

_M
[sniffer] Re: Bad rule: 2524136
Thanks for the heads-up, Pete.

For what it's worth, I had a hit on only one message on each of my gateways, from different senders. The Sniffer General result code wasn't weighted high enough on my Declude system to hold either message because they came from senders with clean implementations.

I put the rule-panic into each of my snf_engine.xml files and after several rulebase updates, I've taken it out again. While the rule-panic was in place, I had several more hits, which were of course passed.

Andrew.

-----Original Message-----
From: Message Sniffer Community [mailto:snif...@sortmonster.com] On Behalf Of Pete McNeil
Sent: Thursday, June 18, 2009 1:13 PM
To: Message Sniffer Community
Subject: [sniffer] Bad rule: 2524136

Hello Sniffer Folks,

Rule ID 2524136 was coded for an image binary segment and was pulled shortly after it was created when false positives were detected.

If you use a quarantine system and you are able to re-scan quarantined messages then you may be able to avoid further FP reports and even prevent the detection of these false positives.

If you are using the latest version of SNF then your rulebase is most likely already up to date. If you are using a scheduled task and the previous version of SNF then you may need to trigger an update manually first. Please upgrade as soon as possible.

What we have done:

* As with all false positives, this rule is retained to prevent any future events of the same kind.
* We have researched the process that created this rule and adapted the process to prevent similar cases in the future.

We are sorry for any inconvenience.

Thanks,

_M
[sniffer] Re: Message Sniffer question
It works for me. Thanks, Pete!

I used the documentation here: http://www.armresearch.com/support/articles/software/snfServer/config/autoUpdates.jsp

I wanted a simplified system that more closely reflected what the vendor ships, so I've stopped using my home-grown wget based script which was run hourly from the Windows Task Scheduler with a dedicated local user account.

Andrew.

From: Message Sniffer Community [mailto:snif...@sortmonster.com] On Behalf Of Pete McNeil
Sent: Tuesday, April 21, 2009 3:25 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Message Sniffer question

Scott Fisher wrote:

> If I remember correctly... I have an email account with a Imail program alias, that when it gets a mail from Message Sniffer triggers an update. It's still getting mail and triggering updates. I'm thinking this isn't need with Sniffer v3 anymore?

That's correct. Version 3 has an update script launcher that fires when SNF detects a newer rulebase is ready. If you have that configured properly then no other update mechanism is needed.

If you want to disable update notifications then send a note to support@ and we will turn them off for you.

Best,

_M
[sniffer] overriding the GBUdb
I recently used snfclient.exe to whitelist the IP address (actually a whole /24) of a mailing list manager that my users deem to be trustworthy.

snfclient.exe -set 64.62.197.53 good - -

You might argue the merits of this IP address, but that's not why I'm writing...

I deliberately left alone the last two parameters, so as to not disturb the counts, given that I'm whitelisting by forcing the good flag.

I assume that this does not affect the GBU community at all, because it's the good and bad counts that are shared, not the flag. Is this correct?

Does the ARMResearch support notice when an administrator does this, and research whether the findings are good?

The Bad count and Good count I see when I do a:

snfclient.exe -test 64.62.197.53

are results only on my own server, and not the GBU community. Is this correct?

I assume that condensation affects the counts, and not the flag. So I will only lose this good flag if the GBUdb is dumped (or I build a new server). Is this correct?

Andrew 8)
[sniffer] Re: overriding the GBUdb
That will do!

I've created a batch file in which I'll put my snfclient commands and my dated documentation/rationale for those, but I'll keep using the standard GBUdbIgnoreList.txt for documenting my gateways.

I'll also suggest that in the online documentation a link in the GBU section goes back to the SNFClient section so that it's easier for an admin to find the right syntax for using the client to manipulate the GBUdb, e.g.

http://www.armresearch.com/support/articles/technology/GBUdb/index.jsp

perhaps directly here on the Maintenance page that shows how to use the ignore parameter, a link would go back to:

http://www.armresearch.com/support/articles/software/snfClient/commandLine.jsp

which is where the detailed command line documentation is listed.

And although it rarely comes up as a support issue, I'll also suggest that the quick help for SNFClient could be clarified. It currently is this:

To update GBUdb records use:
SNFClient.exe -set IP4Address flag bad good

and my suggested easier-to-read version is this:

To update GBUdb records use:
SNFClient.exe -set IP4Address good|bad|ignore|ugly|- badcount|- goodcount|-

Andrew.

From: Message Sniffer Community [mailto:snif...@sortmonster.com] On Behalf Of Pete McNeil
Sent: Thursday, April 30, 2009 1:14 PM
To: Message Sniffer Community
Subject: [sniffer] Re: overriding the GBUdb

Colbeck, Andrew wrote:

> I recently used snfclient.exe to whitelist the IP address (actually a whole /24) of a mailing list manager that my users deem to be trustworthy.
>
> snfclient.exe -set 64.62.197.53 good - -
>
> You might argue the merits of this IP address, but that's not why I'm writing...
>
> I deliberately left alone the last two parameters, so as to not disturb the counts, given that I'm whitelisting by forcing the good flag.
>
> I assume that this does not affect the GBU community at all, because it's the good and bad counts that are shared, not the flag. Is this correct?

That is correct.
> Does the ARMResearch support notice when an administrator does this, and research whether the findings are good?

No. We wouldn't know how to evaluate that anyway-- each system has its own policies. GBUdb traffic consists only of good/bad counts at specific intervals. If the IP is not ugly it doesn't get evaluated in this way so we stop seeing data about that IP from that system.

> The Bad count and Good count I see when I do a:
>
> snfclient.exe -test 64.62.197.53
>
> are results only on my own server, and not the GBU community. Is this correct?

They were built up using primarily data from your server with some hinting from the cloud. The cloud's influence is diminished significantly as your system gains experience with a particular IP.

> I assume that condensation affects the counts, and not the flag. So I will only lose this good flag if the GBUdb is dumped (or I build a new server). Is this correct?

If you wipe out your GBUdb data then it will be gone. Flags other than ugly are preserved in GBUdb.

If you build a new server and you want to preserve your GBUdb data then you can copy the .gbx file to the new server before you start it. The .gbx file is a binary snap-shot of your GBUdb data. By default it is created about once per hour so that your SNF node does not have to start learning again from scratch if it is abruptly restarted.

Please let us know if you have other questions.

Best,

_M
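The batch file Andrew describes, with a dated rationale kept next to each SNFClient command, as an added example. This is not code from the thread or from Message Sniffer: the -set argument order and the flag and count vocabulary are taken from Andrew's rewritten help text, and the validation around them is this example's own. The thread only ever shows -set with a single address, so expanding a prefix into one -set line per address, and the cap on how wide a prefix may be, are assumptions made here.

```python
"""Added example, not part of the thread or of Message Sniffer's own tooling:
a generator for the kind of batch file Andrew describes, which records the
date and rationale for each GBUdb override next to the SNFClient command
that applies it. The command syntax follows Andrew's rewritten help text:
    SNFClient.exe -set IP4Address good|bad|ignore|ugly|- badcount|- goodcount|-
Expanding a prefix into one -set line per address is an assumption made here;
the thread only shows -set with a single address."""

import ipaddress
from datetime import date

FLAGS = {"good", "bad", "ignore", "ugly", "-"}
MAX_EXPANSION = 256  # assumed safety cap: refuse anything wider than a /24
SNFCLIENT = "SNFClient.exe"


def _count_arg(value):
    """A count argument is '-' (leave the stored count alone) or a non-negative int."""
    if value == "-":
        return "-"
    n = int(value)
    if n < 0:
        raise ValueError(f"count must be non-negative: {value}")
    return str(n)


def set_command(ip, flag, bad="-", good="-"):
    """Build one SNFClient -set line, validating every argument first."""
    addr = ipaddress.IPv4Address(ip)
    if flag not in FLAGS:
        raise ValueError(f"unknown flag {flag!r}; expected one of {sorted(FLAGS)}")
    return f"{SNFCLIENT} -set {addr} {flag} {_count_arg(bad)} {_count_arg(good)}"


def override_block(prefix, flag, when, rationale, bad="-", good="-"):
    """Batch-file lines for one documented override covering a prefix.

    Returns a REM header carrying the ISO date and reason, followed by one
    -set command per address in the prefix (assumed expansion, see above)."""
    date.fromisoformat(when)  # the ledger date must be a real date
    net = ipaddress.IPv4Network(prefix, strict=False)
    if net.num_addresses > MAX_EXPANSION:
        raise ValueError(f"{prefix} expands to {net.num_addresses} commands; too wide")
    lines = [f"REM {when} {prefix} -> {flag}: {rationale}"]
    lines += [set_command(a, flag, bad, good) for a in net]
    return lines


def write_batch(overrides):
    """Render all ledger entries as a single batch file body."""
    out = ["@echo off"]
    for entry in overrides:
        out.extend(override_block(**entry))
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    # Constructed ledger entry; the address is the one Andrew used in the thread.
    ledger = [dict(prefix="64.62.197.53/32", flag="good", when="2009-04-30",
                   rationale="mailing list manager my users rely on")]
    print(write_batch(ledger))
```

Keeping the rationale in the generated file rather than only in someone's head matters on the day the .gbx file is copied to a new server or deleted after a bad-rule event: the batch file is then the record of which overrides to re-apply and why.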
[sniffer] Re: Problem with Sniffer-Porn rule this morning
I also have hit this. A single hit, also from AOL.

Andrew.

From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Friday, July 18, 2008 6:37 AM
To: Message Sniffer Community
Subject: [sniffer] Problem with Sniffer-Porn rule this morning

Pete,

There appears to be a problem with rule 1984485 this morning. I'm getting a number of FP hits on it from AOL users.

Darin.
[sniffer] Re: Problem with Sniffer-Porn rule this morning
I've just used proper channels and submitted the message and the snippet from the MessageSniffer log to the false@ email address.

I've also added this:

<rule id='1984485'/>

to the rule-panics section of the snf_engine.xml file on each of my servers.

Andrew.

From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Friday, July 18, 2008 8:31 AM
To: Message Sniffer Community
Subject: [sniffer] Re: Problem with Sniffer-Porn rule this morning

> I also have hit this. A single hit, also from AOL.
>
> Andrew.

From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Friday, July 18, 2008 6:37 AM
To: Message Sniffer Community
Subject: [sniffer] Problem with Sniffer-Porn rule this morning

Pete,

There appears to be a problem with rule 1984485 this morning. I'm getting a number of FP hits on it from AOL users.

Darin.
[sniffer] Re: It's official. SNF Version 3.0 is Ready!
Congratulations on shipping, Pete!

Andrew 8)

p.s. Hey, I love the new mascot. Much cuter than the old SortMonster...

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Thursday, June 26, 2008 12:24 PM
To: Message Sniffer Community
Subject: [sniffer] It's official. SNF Version 3.0 is Ready!

Hello Sniffer folks,

Back in Q1 we were sure we'd be ready with the new SNF after nearly a year of testing on both large and small systems. What a surprise! After publishing the first release candidate we went from version 1-5 to version 2-27 at a breathtaking pace!

Thank you to everyone who has tested, poked, prodded, and twisted the new SNF -- not to mention keeping up with all of those updates during the final phase of testing. I can't imagine getting to this point without your patience, trust, attention to detail, and persistence! Bravo!

Without further fanfare: Today the latest release candidate becomes the official production release of Message Sniffer (SNF) Version 3.0.

The changes:

-- Minor updates to readme files.
-- Changed the build / version information and recompiled.
-- Removed redundant comments from the configuration file.

We have been bug free for more than 2 months with several hundred systems using the new engine.

You can download the latest distributions from this page:

http://www.armresearch.com/products/index.jsp

You may also notice that we've published our new web site! There are a few bits of documentation still under construction here and there, but we're well on our way to filling those in along with a stream of continuous improvements and additions based on our work with you!

Once again, Thanks to everyone for a fantastic job! Thanks for all of your support, comments, and efforts!

As always we're here to help.

Now, onward to the next upgrade... always work to do ;-)

Cheers!

_M

--
Pete McNeil
Chief Scientist, Arm Research Labs, LLC.
[sniffer] Re: Bad rule alert: 1940812
Pete, if we have a significant number of hits, they'll be from all kinds of IP sources. Should we dump the GBUdb? If so, how?

The documentation is perfectly clear on how to tweak an IP or dump an IP in the GBUdb, but doesn't mention a wholesale clearing of it.

Andrew.

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Tuesday, June 17, 2008 12:46 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Bad rule alert: 1940812

Hello,

--- following up.

Intended to make the original post with a high priority flag.

Also - the rule was removed at approximately 15:10:00 EDT

Hope this helps,

_M

Tuesday, June 17, 2008, 3:35:47 PM, you wrote:

> Hello Message,
>
> Rule 1940812 has already been removed from the core rulebase. You can render the rule inert immediately by adding it to your rule panics list.
>
> Rule was coded at 13:03:17 EDT
>
> The rule was coded for an obfuscated version of the word Tuesday and was coded with a bad abstraction character.
>
> We sincerely apologize for the inconvenience.
>
> Best,
>
> _M

--
Pete McNeil
Chief Scientist, Arm Research Labs, LLC.
[sniffer] Re: Bad rule alert: 1940812
Thanks, Pete. I had very few actual hits; I have lots of lines that indicate the rule panic in place, but the number of actual hits is quite small.

How I found my hits:

cd /d C:\MessageSniffer
gawk "($6 == \"Final\") && ($7 == 1940812)" *.20080617.log

Andrew.

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Tuesday, June 17, 2008 1:31 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Bad rule alert: 1940812

Hello Andrew,

Tuesday, June 17, 2008, 4:21:49 PM, you wrote:

> Pete, if we have a significant number of hits, they'll be from all kinds of IP sources. Should we dump the GBUdb? If so, how?

It is unlikely that good IPs will be moved into the black ranges with a short event like this-- so you should not need to dump GBUdb unless you see GBUdb false positives.

The design of GBUdb is such that there is significant inertia for well known IPs -- if they are known to be good -- or at least solidly not bad, then the IPs will not be easily moved into the black ranges.

> The documentation is perfectly clear on how to tweak an IP or dump an IP in the GBUdb, but doesn't mention a wholesale clearing of it.

If you do decide to dump your GBUdb then follow this procedure:

Stop SNFServer
Delete the .gbx file in the SNF working directory.
Restart SNFServer

That procedure will cause SNF to build a new GBUdb file from scratch based on what it is learning from that point on.

Best,

_M

--
Pete McNeil
Chief Scientist, Arm Research Labs, LLC.
[sniffer] Re: Bad rule alert: 1940812
Thanks, Pete. I had four actual false positives on one server, versus 324 unique hits for the bad rule. So yes, I'd say that the autopanic feature worked quite well.

Andrew.

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Tuesday, June 17, 2008 1:47 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Bad rule alert: 1940812

Hello Andrew,

Tuesday, June 17, 2008, 4:41:41 PM, you wrote:

> Thanks, Pete. I had very few actual hits; I have lots of lines that indicate the rule panic in place, but the number of actual hits is quite small.
>
> How I found my hits:
>
> cd /d C:\MessageSniffer
> gawk "($6 == \"Final\") && ($7 == 1940812)" *.20080617.log

I haven't checked telemetry yet -- still very busy here battling the stock-push spam and other storms.

However, you were likely protected by the Auto-Panic feature in the new SNF. The first time the bad rule hit a message with an IP source in the white range it would have been automatically added to your node's internal panic list rendering it inert.

That probably explains why you have very few hits.

Best,

_M

--
Pete McNeil
Chief Scientist, Arm Research Labs, LLC.
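The check Andrew ran with gawk, and the hit-versus-panic accounting he and Pete discuss in the two messages above, as an added example in Python. This is not code from the thread or from Message Sniffer. The only thing taken from the thread is the field layout Andrew's one-liner relies on: whitespace-separated fields with "Final" in field 6 and the rule ID in field 7. Every other field (timestamp, message file, source IP, result code, a "Panic" marker for lines written once the rule is on the panic list) is an assumed layout for the constructed sample lines, not Message Sniffer's real log format.

```python
"""Added example, not code from the thread: Andrew's gawk check done in
Python over constructed log lines. The only layout detail taken from the
thread is the one his one-liner relies on: whitespace-separated fields with
"Final" in field 6 and the rule ID in field 7. Every other field below is an
assumed layout for this sample, not Message Sniffer's real log format."""

from collections import Counter

RULE = "1940812"

# Constructed sample: three Final hits on the bad rule (one message twice,
# as a re-scan would produce), two panic lines, and a hit on another rule.
SAMPLE_LOG = """\
20080617 130500 msg001.txt 192.0.2.10 63 Final 1940812
20080617 130501 msg002.txt 198.51.100.7 63 Final 1940812
20080617 130502 msg003.txt 203.0.113.9 54 Final 2654821
20080617 130503 msg001.txt 192.0.2.10 63 Final 1940812
20080617 131100 msg004.txt 192.0.2.22 0 Panic 1940812
20080617 131101 msg005.txt 198.51.100.8 0 Panic 1940812
"""


def parse_line(line):
    """Split one log line into the fields the check needs; None if malformed."""
    f = line.split()
    if len(f) < 7:
        return None
    return {"msg": f[2], "ip": f[3], "result": f[4], "state": f[5], "rule": f[6]}


def rule_report(log_text, rule=RULE):
    """Summarise what one rule did, the way Andrew's gawk filter does.

    Returns the number of Final hit lines, the unique messages behind them,
    the panic lines logged once the rule was neutralised, and per-source-IP
    hit counts (useful when deciding whether GBUdb needs attention after a
    bad-rule event, or which users to contact)."""
    final_lines = 0
    messages = set()
    panic_lines = 0
    by_ip = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["rule"] != rule:
            continue
        if rec["state"] == "Final":
            final_lines += 1
            messages.add(rec["msg"])
            by_ip[rec["ip"]] += 1
        elif rec["state"] == "Panic":
            panic_lines += 1
    return {"final_hits": final_lines, "unique_messages": len(messages),
            "panic_lines": panic_lines, "by_ip": dict(by_ip)}


if __name__ == "__main__":
    print(rule_report(SAMPLE_LOG))
```

Counting unique messages separately from Final lines is what keeps a re-scan from inflating the damage estimate; counting panic lines separately is what lets you say, as Andrew did, that most of the lines mentioning the rule were the panic doing its job rather than hits.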
[sniffer] Re: Test
pong ...

From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of John T
Sent: Monday, May 26, 2008 9:08 AM
To: Message Sniffer Community
Subject: [sniffer] Test

Ping

Testing as I have not received any list messages for a while.

John T
eServices For You
[sniffer] Re: Ideal config for scaleable solution?
Paul, since you're working in a Windows world, check out Alligate from alligate.com as a Windows platform based email gateway. I've put Alligate in front of my Declude setup and it drastically reduced the number of emails I had to scan for content and sender in Declude, and gained back a lot of disk time and cpu time. The product can share your existing server, but is recommended for a dedicated gateway. It can scale to many gateways while sharing a central database. It'll do everything you want, actually. That's as much as I'm going to say here, because this list is all about Message Sniffer.

If you were a *nix shop, you would still lean towards having a dedicated gateway server (or many) and your CPU hog would be spamassassin, which you would run in a client/server model to shift the CPU usage to other boxes.

Meanwhile, you might check the Declude support list for scalability tips with your existing setup.

Andrew.

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Paul Rogers
Sent: Thursday, February 21, 2008 4:53 PM
To: Message Sniffer Community
Subject: [sniffer] Ideal config for scaleable solution?

Ie, ideal for processing/serving 10+ million emails per day in an imail/declude/snf configuration. SNF seems to generally be the big processor hog (though the new beta has definitely made huge performance improvements over the prior version).

OK...this is a bit off-topic, but I'm looking for some feedback in how to plan for handling this type of load (current load is between 1.3m and 1.8m/day). Should I just throw more high performance hardware at it? Scale out perhaps by dedicating a server to just the junk mail scanning. Then have a relatively wimpy server taking care of normal Imail stuff (recipient of the declude/snf clean and/or tagged emails).

Along that line of thought, can SNF be configured to work directly with the MS/IIS SMTP server? This combo could work great as a spam-killing gateway.
Has anyone assembled this sort of configuration in a load balanced/redundant environment?

Paul
[sniffer] Re: Rule Database copy question
It appears that both the reload and the rotate options in the sniffer executable are still accepted by SNFClient.exe but are deprecated, as neither parameter appears in the help or in the contextual help when SNFClient.exe is run without parameters.

Andrew.

From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Wednesday, January 16, 2008 11:41 AM
To: Message Sniffer Community
Subject: [sniffer] Re: Rule Database copy question

Hello Shawn,

Wednesday, January 16, 2008, 2:26:14 PM, you wrote:

> Hello,
>
> I am using the latest beta version of Message Sniffer. I am asking this question because I thought I read this somewhere but I can not find where I read it.
>
> If I copy my rule database file to the c:\snf directory while SNFServer.exe is running, does SNFServer automatically load the new updated rule database?

Yes.

> If so, how long does it usually take before SNFServer realizes that there is a new rule database that was copied to that directory?

Within about a second of seeing the new file it will load and check the new rulebase. If there is something wrong with the rulebase file it will keep the current rulebase active until a better one shows up.

> Is there anyway to verify that SNFServer has loaded the latest rule database that was copied? I know I can run a SNF2check.exe on the rule database to check the file before I copy it, but it would be great to know if SNFServer.exe has loaded the latest copy that I have copied to the c:\snf directory.

SNFServer will indicate that the new rulebase was loaded in its log file.

Hope this helps,

_M

--
Pete McNeil
Chief Scientist, Arm Research Labs, LLC.
[sniffer] Re: Rule Database copy question
Thanks for the response, Pete!

I was using both parameters in my scheduled pattern download script, which would tell Sniffer that there was a new pattern, and would rotate the logs before uploading them back to you. With the new (beta) version, both extras have become redundant, so I've removed them from my script.

Andrew.

From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Wednesday, January 16, 2008 12:43 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Rule Database copy question

Hello Andrew,

Wednesday, January 16, 2008, 3:02:16 PM, you wrote:

> It appears that both the reload and the rotate options in the sniffer executable are still accepted by SNFClient.exe but are deprecated, as neither parameter appears in the help or in the contextual help when SNFClient.exe is run without parameters.

True -- if you called the SNFClient with rotate or reload then it would interpret those as the names of files to scan; would most likely not find them; and would produce a harmless error in the log file.

SNFServer automatically reloads configuration files and rulebase files when they are altered or replaced.

SNFServer can rotate log files on a per-day basis by including a date stamp in their name. If you move a log file manually or by a script then a new one will be created as needed.

_M

--
Pete McNeil
Chief Scientist, Arm Research Labs, LLC.
[sniffer] Re: No email updates.
For what it's worth, it is working for my two licences. I received email update notifications at:

90 minutes ago
3 hours 18 minutes ago
4 hours 38 minutes ago
6 hours 13 minutes ago

Andrew 8)

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Frederick Samarelli
Sent: Wednesday, November 21, 2007 5:47 AM
To: Message Sniffer Community
Subject: [sniffer] No email updates.

Fred
[sniffer] Re: Sniffer codes
The Ugly value returned by the beta Message Sniffer you're using with the Good, Bad and Ugly database has a result code of 40, and this code is missing from your list.

(The White value overlaps with result code 0, which internally to Message Sniffer will mask any other spam result code on your system. The White return value also indicates "did not find a reason to call this spam", so do not use a return value of zero to reward an email with negative points in your weighting system... because zero means it wasn't hammy, it does not mean that it was hammy).

(The Bad value replaces the existing return value 63, which is "experimental IP").

I suggest you re-read the descriptions for the return values and adjust your test names for values 60 to 63.

The documentation for the return values in the production version of Message Sniffer is here:

http://kb.armresearch.com/index.php?title=Message_Sniffer.TechnicalDetails.ResultCodes

And the supplementary documentation for the return values in the beta version of Message Sniffer is here:

http://kb.armresearch.com/index.php?title=Message_Sniffer.TechnicalDetails.GBUdb

You should find that your total for the test SNIFFER which triggers on all non-zero values equals the total of all the other non-zero tests (e.g. the count of return value 40 plus the counts for each of the return values for values 47 through 63). If not, then there are errors for the command line or with writing to the Message Sniffer logfile (return values 65 and 66).

Andrew.

From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Serge
Sent: Friday, November 09, 2007 4:49 PM
To: Message Sniffer Community
Subject: [sniffer] Sniffer codes

Hi

I have many messages failing Sniffer (0) but not any of the others meaning i'm missing some codes

Suggestions ?
TIA
SNIFFER external nonzero E:\snfsrv\snfClient.exe 0 0
SNIFWHTLST external 000 E:\snfsrv\snfClient.exe 0 0
SNIFFER-TRAVEL external 047 E:\snfsrv\snfClient.exe 12 0
SNIFFER-INSUR external 048 E:\snfsrv\snfClient.exe 15 0
SNIFFER-AVPUSH external 049 E:\snfsrv\snfClient.exe 12 0
SNIFFER-WAREZ external 050 E:\snfsrv\snfClient.exe 15 0
SNIFFER-SPMWRE external 051 E:\snfsrv\snfClient.exe 15 0
SNIFFER-SNAKEO external 052 E:\snfsrv\snfClient.exe 15 0
SNIFFER-SCAMS external 053 E:\snfsrv\snfClient.exe 15 0
SNIFFER-PORN external 054 E:\snfsrv\snfClient.exe 17 0
SNIFFER-MALWARE external 055 E:\snfsrv\snfClient.exe 17 0
SNIFFER-Toner external 056 E:\snfsrv\snfClient.exe 15 0
SNIFFER-SCHEMES external 057 E:\snfsrv\snfClient.exe 15 0
SNIFFER-CREDIT external 058 E:\snfsrv\snfClient.exe 15 0
SNIFFER-GAMBL external 059 E:\snfsrv\snfClient.exe 15 0
SNIFFER-GREYM external 060 E:\snfsrv\snfClient.exe 14 0
SNIFFER-OBFUS external 061 E:\snfsrv\snfClient.exe 17 0
SNIFFER-SPAM external 062 E:\snfsrv\snfClient.exe 12 0
SNIFFER-GENERAL external 063 E:\snfsrv\snfClient.exe 17 0
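A checker for a test list of this shape, added here as an example; it is not code from Message Sniffer, Declude or anyone on the list. It parses external-test lines in the layout posted above, reports result codes that have no test of their own, warns about tests keyed on return value 0, and performs the reconciliation Andrew describes (the catch-all nonzero count minus the per-code counts). The result-code table, the sample config excerpt and the per-test hit counts are constructed from what this thread states, not taken from the KB pages, so verify the table against those pages before relying on it.

```python
import re

# Result codes as this thread describes them (assumption for the example:
# 40 = Ugly in the GBUdb beta, 47..63 = category codes with 63 now Bad).
# 65/66 are command-line and logfile errors and normally have no test.
RESULT_CODES = {40: "Ugly (GBUdb beta)"}
RESULT_CODES.update({c: f"category result code {c}" for c in range(47, 64)})

# Layout of the posted lines: NAME external CODE COMMAND WEIGHT_IF_HIT WEIGHT_IF_MISS
TEST_LINE = re.compile(
    r"^(?P<name>\S+)\s+external\s+(?P<code>nonzero|\d+)\s+"
    r"(?P<command>.+?)\s+(?P<hit>-?\d+)\s+(?P<miss>-?\d+)\s*$"
)

# Constructed excerpt in the same layout as the config posted above.
SAMPLE_CONFIG = r"""
SNIFFER          external nonzero E:\snfsrv\snfClient.exe 0 0
SNIFWHTLST       external 000     E:\snfsrv\snfClient.exe 0 0
SNIFFER-TRAVEL   external 047     E:\snfsrv\snfClient.exe 12 0
SNIFFER-INSUR    external 048     E:\snfsrv\snfClient.exe 15 0
SNIFFER-SPAM     external 062     E:\snfsrv\snfClient.exe 12 0
SNIFFER-GENERAL  external 063     E:\snfsrv\snfClient.exe 17 0
"""

# Constructed per-test hit counts, as a log summary might report them.
SAMPLE_HITS = {
    "SNIFFER": 1000, "SNIFWHTLST": 120, "SNIFFER-TRAVEL": 200,
    "SNIFFER-INSUR": 150, "SNIFFER-SPAM": 300, "SNIFFER-GENERAL": 330,
}


def parse_tests(config_text):
    """Turn external-test lines into dicts; raise on anything unrecognised."""
    tests = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = TEST_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised external test line: {line!r}")
        code = m["code"]
        tests.append({
            "name": m["name"],
            "code": code if code == "nonzero" else int(code),
            "command": m["command"],
            "weight": int(m["hit"]),
        })
    return tests


def audit_codes(tests):
    """Findings about result-code coverage, as human-readable strings."""
    findings = []
    covered = {t["code"] for t in tests if t["code"] != "nonzero"}
    for code, desc in sorted(RESULT_CODES.items()):
        if code not in covered:
            findings.append(f"missing: no test keyed on result code {code} ({desc})")
    for t in tests:
        if t["code"] == 0:
            findings.append(
                f"{t['name']}: keyed on return value 0, which also means "
                "'no result'; do not use it to subtract weight"
            )
    if not any(t["code"] == "nonzero" for t in tests):
        findings.append("missing: no catch-all 'nonzero' test to reconcile against")
    return findings


def unexplained_hits(tests, hit_counts):
    """Catch-all (nonzero) hits minus the per-code hits, code 0 excluded.
    Whatever is left over came from codes with no test of their own, such
    as 40 or the 65/66 error codes."""
    catch_all = sum(hit_counts.get(t["name"], 0)
                    for t in tests if t["code"] == "nonzero")
    per_code = sum(hit_counts.get(t["name"], 0)
                   for t in tests if t["code"] not in ("nonzero", 0))
    return catch_all - per_code


if __name__ == "__main__":
    tests = parse_tests(SAMPLE_CONFIG)
    for finding in audit_codes(tests):
        print(finding)
    print("hits not explained by any per-code test:",
          unexplained_hits(tests, SAMPLE_HITS))
```

On the constructed excerpt the audit lists code 40 and the untested category codes, flags SNIFWHTLST for keying on 0, and the reconciliation leaves 20 hits unexplained, which is exactly the kind of gap the thread says to look for.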
[sniffer] Re: Beta
Pete, one of the questions I had right away when I looked at the documentation accompanying the software package was about the communication channel. The documentation clearly pointed out that port 25 is the default and that 80 is selectable, but didn't go further. I just answered my own question by sniffing the traffic... The question was: Ok, so I can govern the port, but will my stateful firewall like it? The answer is yes and no; if my firewall is expecting SMTP application layer traffic outbound on port 25/TCP then it won't like Sniffer's GBU/synch traffic. Which means that a firewall:
* That does outbound packet filtering will be fine if it lets out 25/TCP.
* That does stateful inspection will be fine if it lets out 25/TCP.
* That does application layer filtering of SMTP on 25/TCP will not be fine.
I suspect that the same would be true of 80/TCP if Sniffer is so configured. I doubt that this is a problem for most environments, but it is an important point for environments that have application layer filtering. These environments would be able to update their Sniffer database, but not participate in GBU, nor would they be able to use the synch system to report their logs or spam samples. Presumably, the affected environment could implement a new rule or override the application inspection and drop down their security to just allowing outbound 25/TCP without applying SMTP application layer inspection.
Andrew.
-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Wednesday, October 17, 2007 5:35 AM
To: Message Sniffer Community
Subject: [sniffer] Re: Beta
Hello John, Wednesday, October 17, 2007, 1:41:18 AM, you wrote:
Our SYNC server software rejects connections by default. If an SNF node follows the expected connection protocols and authenticates properly and consistently then it will be allowed to communicate with the system.
If it fails to do any of these things or looks suspicious in any way then it will be automatically black listed for increasingly extended periods and potentially null routed by our fire-walls. The security mechanisms are fully automatic and constantly monitored.
If something goes wrong on my server, either by a mistake I make in a configuration file or a bug or whatever, and my server in connecting to the SYNC server should be rejected and subsequently black listed, is there a notification that takes place that some one will review to see if that sniffer license is otherwise valid and otherwise no known problems are seen so that I will then be notified saying hey there is a problem contact us so that the problem can be resolved?
Yes. The system is completely automated and reliable. There is nothing to be concerned about. Quite simply, nothing can go wrong, go wrong, go wrong... go.. Seriously though-- In order to be black-listed by our system you would have to be abusing the SNF software or using some alternative software to attempt to gain access or deny access to the SYNC servers. Otherwise the most you could do would be to lose contact for some time. That said, if any system does something to become black-listed then you can be sure it will have our attention. It is basically impossible for you to cause a properly functioning SNF node to become black-listed by altering the configuration file. It is far more likely that your SNF node would simply fail to connect. Chances are that if you were making an adjustment that could cause this you would also be watching to make sure that things were working correctly when you finished. In case you did cause the system to lose its connection with us, the system is designed so that SNF nodes will remain reliable and effective for extended periods even if they are unable to contact the SYNC server. It is also designed to recover gracefully when the problem is corrected.
The GBUdb system is highly effective even when it does not share its information with the other SNF nodes. Each GBUdb node learns first about its local traffic. As long as your SNF rulebase file is up to date - or even close to being up to date, your system is likely to be very effective at filtering spam. If your SNF/GBUdb node becomes detached from the main system for an extended period, it will degrade in its performance. Once the problem is corrected it should recover in a very short time. In the event we detect any IPs being black listed or acting suspiciously we will be watching closely so that we can analyze any potential threats and take appropriate actions. If we can identify a customer involved in such a case we will contact them to investigate and correct the problem. Locally, your status reports indicate when the last sync event occurred. This is one of the ways you can check the status of your system. Consider this example from recent telemetry: timers
[sniffer] Re: Bad Rule: 1604021
Thanks for reporting this, Pete! My numbers were more extreme than Pi-Web's. That bad rule triggered on 18,023 messages yesterday. Due to the rest of my spam software, two-thirds were either passed (as presumed ham) or deleted (as very spammy). So the one-third that was held, I re-scanned today. MessageSniffer today would catch 6,419, and ignore 218. Of the 218 that MessageSniffer would ignore today, 17 are spam and the rest really are ham.
Andrew.
-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Monday, October 15, 2007 1:00 PM
To: Message Sniffer Community
Subject: [sniffer] Bad Rule: 1604021
Hello Sniffer Folks, This is an alert about a potentially bad rule 1604021. The rule was an abstract pattern for some of today's image spam. Indications are that the final coding was too broad. The rule was in place for approximately 5 hours ending about 30 minutes ago. Some differences in timing are inevitable since all rulebases are compiled individually. If you have the ability to release and rescan from quarantine based on SNF rule IDs then we recommend executing that process against this rule id: 1604021. Hope this helps, Thanks, _M -- Pete McNeil Chief Scientist, Arm Research Labs, LLC.
# This message is sent to you because you are subscribed to the mailing list sniffer@sortmonster.com. To unsubscribe, E-mail to: [EMAIL PROTECTED] To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED] To switch to the INDEX mode, E-mail to [EMAIL PROTECTED] Send administrative queries to [EMAIL PROTECTED]
[sniffer] Spammers turning to PDF attachments?
See this article at the Internet Storm Center: http://isc.sans.org/diary.html?storyid=3012
Pump and dump scams now in PDF. Published: 2007-06-20, Last Updated: 2007-06-20 21:33:39 UTC by Maarten Van Horenbeeck (Version: 1). Apparently the groups behind what we know as pump and dump spam have found a new way to bypass spam filters. As of yesterday, we've been observing e-mails with bogus text, often in German, each with a PDF in attachment...
Andrew.
# This message is sent to you because you are subscribed to the mailing list sniffer@sortmonster.com. To unsubscribe, E-mail to: [EMAIL PROTECTED] To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED] To switch to the INDEX mode, E-mail to [EMAIL PROTECTED] Send administrative queries to [EMAIL PROTECTED]
[sniffer] Re: Downloads are not working....
My last upload averaged a lame 6 KB/s. My last download varied widely in the speed obtained:
0K .. .. .. .. .. 17.85 KB/s
50K .. .. .. .. .. 9.58 KB/s
100K .. .. .. .. .. 11.12 KB/s
150K .. .. .. .. .. 20.96 KB/s
200K .. .. .. .. .. 14.76 KB/s
250K .. .. .. .. .. 5.15 KB/s
300K .. .. .. .. .. 10.10 KB/s
350K .. .. .. .. .. 12.67 KB/s
400K .. .. .. .. .. 221.93 B/s
450K .. .. .. .. .. 3.18 KB/s
500K .. .. .. .. .. 2.30 KB/s
550K .. .. .. .. .. 816.78 B/s
600K .. .. .. .. .. 10.43 KB/s
650K .. .. .. .. .. 5.69 KB/s
700K .. .. .. .. .. 132.17 B/s
750K .. .. .. .. . 8.55 KB/s
PathPing.exe shows me sub 80ms per hop between my firewall and ftp.sortmonster.net So my guess is that the ftp server itself is busy.
Andrew.
-Original Message-
From: Message Sniffer Community [mailto:sniffer@sortmonster.com] On Behalf Of Chuck Schick
Sent: Thursday, May 17, 2007 11:11 AM
To: Message Sniffer Community
Subject: [sniffer] Downloads are not working
Speeds are really slow and the connection is lost before completion. Everything checks out good on our end. Is something going on with the sortmonster end of things? Chuck Schick Warp 8, Inc. (303)-421-5140 www.warp8.com
# This message is sent to you because you are subscribed to the mailing list sniffer@sortmonster.com. To unsubscribe, E-mail to: [EMAIL PROTECTED] To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED] To switch to the INDEX mode, E-mail to [EMAIL PROTECTED] Send administrative queries to [EMAIL PROTECTED]
[sniffer] Re: Downloads are not working....
Thanks for the update, Pete. Over on the Declude JunkMail support mailing list, it's like déjà vu all over again.
Andrew 8)
p.s. For the many of us here that don't subscribe to that list... The small number of recently active messages have been re-queued to the list several times.
-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Thursday, May 17, 2007 12:50 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Downloads are not working
Hello Chris, Thursday, May 17, 2007, 2:30:13 PM, you wrote: Oh god, that would explain why I put in a support request with appriver and it bounced back. One of our clients exchange servers was down today and they queue mail until it is back up, but I'm trying to get someone to release it now. This isn't good
The good news is that the problem has been corrected now. We are still seeing some after-effects from it, but those should be gone before too long. _M -- Pete McNeil Chief Scientist, Arm Research Labs, LLC.
# This message is sent to you because you are subscribed to the mailing list sniffer@sortmonster.com. To unsubscribe, E-mail to: [EMAIL PROTECTED] To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED] To switch to the INDEX mode, E-mail to [EMAIL PROTECTED] Send administrative queries to [EMAIL PROTECTED]
[sniffer] Re: Files in Sniffer Directory
Would it be a good idea in a future version to delete files that are older than a certain date automatically?
I disagree. Having MessageSniffer delete the old files would hide the problem. With the messages left behind, you have a valuable symptom that something is wrong with your infrastructure. If you ignore them, they are cosmetic and do not consume any disk space (relative to your normal disk space consumption of logging and spam holding).
Andrew.
-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Jonathan Hickman
Sent: Thursday, March 08, 2007 11:19 AM
To: Message Sniffer Community
Subject: [sniffer] Re: Files in Sniffer Directory
Would it be a good idea in a future version to delete files that are older than a certain date automatically? For example, if the file date is older than the current date minus [Insert Number of Days Here] days, it could automatically remove it.
- Original Message -
From: Pete McNeil [EMAIL PROTECTED]
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Thursday, March 08, 2007 12:24 PM
Subject: [sniffer] Re: Files in Sniffer Directory
Hello Keith Johnson, Thursday, March 8, 2007, 10:55:27 AM, you wrote: Periodically I will check the Sniffer directory for misc. files that may be there and remove them. These files include .FIN .ERR .WRK, etc. I only remove those that have older time stamps on them. Yesterday when I logged in, I had well over 150 of .AMT files. Does anyone know what these files are and what causes them? By them being present as well as old .FIN, etc., would it have an impact on Sniffer's processing performance? Thanks for the aid on this.
.AMT ?? Could you mean .ABT ? If so - then .ABT indicates a job that was aborted by a client instance of SNF. The extensions to SNF job files change to represent the status of the job.
http://kb.armresearch.com/index.php?title=Message_Sniffer.TechnicalDetails.Peer-Server#What_file_extensions_that_are_used_for_the_various_temporary_files_that_are_created_in_the_Sniffer_folder.3F
Explanation about where these files come from and how cellular peer-server technology works:
When an SNF instance is launched it looks to see if there are any instances currently acting as servers. If there is a server present then it will submit its job to be processed (.QUE) -- it has become a client instance. It takes a look around to see how busy the system is by checking the number of job files present and the information in the .stat file (if present). Based on what it sees it sets an alarm clock and goes to sleep - expecting to find its job has been completed when it wakes up. If it wakes up and the job is not done - it will give it another try, maybe a few,... but if it decides it's waited too long then it gives up-- (ABT). An aborting SNF instance will try to take out the server instance that failed to respond by changing that server's job file from .SVR to .ERR -- this prevents other instances from seeing that server instance and trying to use it; and it lets the server instance know that it's got a problem (if it is still alive). Next, the client instance will load the rulebase itself and scan its own message. After that - it _SHOULD_ remove its job file. HOWEVER -- if something kills off the instance before it has a chance to finish then the .ABT file will be left behind (if it's gotten to this stage). (In some cases, Windows will fail to delete the file at all even though it will tell the client instance it has deleted the file!) When a system gets too busy to handle the load it may start to kill off SNF instances before they are finished - this leaves orphaned job files in the workspace.
Deleting old job files that have been left behind is a good thing. It shouldn't be necessary on most systems.
However, as long as you only delete older files that are not active you will not get into any trouble. If you leave orphaned job files to build up in the SNF workspace then SNF client instances will sleep longer than they should because they will see the extra files as evidence of a heavy traffic load. This can affect performance by increasing the number of active processes on the system. Also, the extra files slow down directory scanning and this can also reduce performance and bring the system closer to having a problem. Hope this helps, _M -- Pete McNeil Chief Scientist, Arm Research Labs, LLC.
# This message is sent to you because you are subscribed to the mailing list sniffer@sortmonster.com. To unsubscribe, E-mail to: [EMAIL PROTECTED] To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED] To switch to the INDEX mode, E-mail to
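A cleanup routine that follows the rule Pete states here (only remove older job files that cannot be active), added as an example; it is not part of SNF and not posted by anyone on the list. It assumes a flat workspace folder, job files named with the status extensions the thread lists, and an age threshold generous enough that a job in flight (seconds old) is never touched. It deliberately leaves .SVR files and the .stat file alone, since those belong to a running server instance and the thread describes SNF itself retiring a dead server by renaming .SVR to .ERR. The demo workspace and its file ages are constructed.

```python
import os
import shutil
import tempfile
import time
from pathlib import Path

# Job-file status extensions named in the thread.  Assumption for this
# example: these are the only files worth cleaning; .SVR (a live server
# instance) and the .stat file are left alone.
ORPHAN_EXTENSIONS = {".que", ".wrk", ".fin", ".err", ".abt"}


def find_stale_jobs(workspace, min_age_seconds=3600, now=None):
    """Job files whose modification time is at least min_age_seconds old.
    Extension matching is case-insensitive because the workspace is on Windows."""
    now = time.time() if now is None else now
    stale = []
    for path in Path(workspace).iterdir():
        if not path.is_file() or path.suffix.lower() not in ORPHAN_EXTENSIONS:
            continue
        if now - path.stat().st_mtime >= min_age_seconds:
            stale.append(path)
    return sorted(stale)


def clean_workspace(workspace, min_age_seconds=3600, dry_run=True, now=None):
    """Remove (or, with dry_run, only list) stale job files and return their
    names.  A FileNotFoundError means an SNF instance removed it first."""
    handled = []
    for path in find_stale_jobs(workspace, min_age_seconds, now):
        if not dry_run:
            try:
                path.unlink()
            except FileNotFoundError:
                continue
        handled.append(path.name)
    return handled


def build_demo_workspace():
    """Constructed workspace: two old orphans, one fresh job, a live server
    marker and the .stat file, with mtimes set to the given ages in seconds."""
    root = Path(tempfile.mkdtemp(prefix="snf-demo-"))
    now = time.time()
    ages = {"job1.ABT": 7200, "job2.FIN": 5400, "job3.QUE": 30,
            "srv1.SVR": 9000, "snf.stat": 9000}
    for name, age in ages.items():
        path = root / name
        path.write_text("")
        os.utime(path, (now - age, now - age))
    return root, now


def demo():
    """Dry run, then a real clean, on the constructed workspace."""
    root, now = build_demo_workspace()
    try:
        planned = clean_workspace(root, 3600, dry_run=True, now=now)
        removed = clean_workspace(root, 3600, dry_run=False, now=now)
        remaining = sorted(p.name for p in root.iterdir())
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return planned, removed, remaining


if __name__ == "__main__":
    planned, removed, remaining = demo()
    print("would remove:", planned)
    print("removed:", removed)
    print("left in place:", remaining)
```

Run it with dry_run=True first and compare the list against what you expect to be orphaned; only the two files older than an hour are touched, while the fresh .QUE, the .SVR marker and .stat survive.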
[sniffer] Re: Pictures worth a few words...
Postini posts some statistics here, but their conclusions can lag by months: http://www.postini.com/stats/index.php global spam traffic is a big concept... Postini did however process over 650 million messages in the last 24 hours.
Andrew.
-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Paul Rogers
Sent: Tuesday, January 16, 2007 8:32 AM
To: Message Sniffer Community
Subject: [sniffer] Re: Pictures worth a few words...
Along these same lines...are there any public sites which do realtime monitoring of global spam traffic? I googled but really didn't find much. I'd be very surprised if there wasn't even a single organization monitoring global spam traffic. Paul
---
-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Tuesday, January 16, 2007 10:43 AM
To: Message Sniffer Community
Subject: [sniffer] Pictures worth a few words...
Hello Sniffer Folks, I'm sure most of you already know about the recent dramatic increases in blackhat activity. These two graphs show what it looks like from our spamtrap submission data-- graphs represent new spam and/or variants in messages per hour, past 48 hours and past 30 days. Note on the 48 hour graph that 20 hours ago the rates doubled (as if somebody flipped a switch) and this does not appear to be a spike (It's not coming down). _M -- Pete McNeil Chief Scientist, Arm Research Labs, LLC.
--- [This E-mail scanned for viruses by Declude EVA]
# This message is sent to you because you are subscribed to the mailing list sniffer@sortmonster.com. To unsubscribe, E-mail to: [EMAIL PROTECTED] To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED] To switch to the INDEX mode, E-mail to [EMAIL PROTECTED] Send administrative queries to [EMAIL PROTECTED]
[sniffer] Re: Sniffer White List
Serge, what return value are you using for this snifferwhitelist? The official and current list of return codes is here: http://kb.armresearch.com/index.php?title=Message_Sniffer.TechnicalDetails.ResultCodes If you're using 0, then don't do that, because zero is also used for no result. According to this page, it would only be useful if you were checking the log file and also see WHITE in the row.
Andrew 8)
-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Serge
Sent: Tuesday, December 12, 2006 11:22 AM
To: Message Sniffer Community
Subject: [sniffer] Sniffer White List
We started using tests for the different sniffer categories recently and are finding that snifferwhitelist is very inaccurate; it is subtracting weight from more real spam than it does of non-spam messages. Should we just drop it? What are you guys doing about this? TIA
# This message is sent to you because you are subscribed to the mailing list sniffer@sortmonster.com. To unsubscribe, E-mail to: [EMAIL PROTECTED] To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED] To switch to the INDEX mode, E-mail to [EMAIL PROTECTED] Send administrative queries to [EMAIL PROTECTED]
[sniffer] Re: Configuring Sniffer in declude....
If you don't mind, does WeightGate add any noticeable CPU cycles to run on top of running Sniffer? Thanks for the aid.
On a 100,000 emails per day on a 2.8 GHz Xeon, no, it doesn't.
Andrew 8)
-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Keith Johnson
Sent: Thursday, November 30, 2006 11:29 AM
To: Message Sniffer Community
Subject: [sniffer] Re: Configuring Sniffer in declude
Pete, If you don't mind, does WeightGate add any noticeable CPU cycles to run on top of running Sniffer? Thanks for the aid. Keith Johnson
-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Wednesday, November 29, 2006 4:57 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Configuring Sniffer in declude
Hello Chuck, If I might jump in here -- you are basically correct but you'll have to rename ShowMe.exe to the original weightgate name. When it is named ShowMe.exe it only records the command line parameters in a log file as a debugging aid. Second, with that done this should work fine as long as each command line is identical in Declude. Third, I noticed that your group IDs are out of date (based on the names you've used) and most likely you will want to revisit your weights also. A reference to the current group IDs (result codes) can be found here: http://kb.armresearch.com/index.php?title=Message_Sniffer.TechnicalDetails.ResultCodes Hope this helps, _M
Wednesday, November 29, 2006, 3:48:21 PM, you wrote: Darrell: If I want to use Weightgate I assume that I put it in for each instance of sniffer. Such as -
SNF external 063 c:\tool\ShowMe.exe -50 %WEIGHT% 30 c:\SNF\sniffer.exe authenticationxx 10 0
Chuck Schick Warp 8, Inc. (303)-421-5140 www.warp8.com
-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Wednesday, November 29, 2006 12:33 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Configuring Sniffer in declude
Chuck, Declude will only call Sniffer one time as long as the path and executable are identical which they are. Darrell -- -- Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
- Original Message -
From: Chuck Schick [EMAIL PROTECTED]
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Wednesday, November 29, 2006 2:16 PM
Subject: [sniffer] Configuring Sniffer in declude
Several years ago when we first started using message sniffer I set it up for in the following manner in my global.cfg file.
SNIFFER-GENERAL external 063 F:\IMail\Declude\sniffer2r32\licensecode.exe activationcode 7
SNIFFER-EXPERIMENTAL external 062 F:\IMail\Declude\sniffer2r32\licensecode.exe activationcode 12 0
SNIFFER-OBFUSCATION external 061 F:\IMail\Declude\sniffer2r32\licensecode.exe activationcode 11
So one and so forth. With the increase in spam and CPU load is there any advantage load wise to just call sniffer once using nonzero instead of the return code. It seems like someone told me that sniffer was only called once and not separately for each return code. Could someone confirm that. Chuck Schick Warp 8, Inc. (303)-421-5140 www.warp8.com
# This message is sent to you because you are subscribed to the mailing list sniffer@sortmonster.com. To unsubscribe, E-mail to: [EMAIL PROTECTED] To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED] To switch to the INDEX mode, E-mail to [EMAIL PROTECTED] Send administrative queries to [EMAIL PROTECTED]
-- Pete McNeil Chief Scientist, Arm Research Labs, LLC.
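Darrell's rule (one Sniffer run per message as long as the command line is identical) and Pete's reminder that each WeightGate command line must match can be checked mechanically. The following is an added example, not code from Declude, Message Sniffer or anyone in this thread. It reads external-test lines the way the lines above are laid out, with the assumption that the trailing one or two integers are the weights and everything between the result code and them is the command line; it then groups tests by command line and points out command lines that differ only in case or spacing, which on Windows start the same program but, on a literal comparison, would each cost a separate scan. The config excerpt is constructed from the lines Chuck posted plus one deliberately mis-cased path.

```python
import re

# Assumed layout of an external test line:
#   NAME external CODE COMMAND... WEIGHT [WEIGHT_IF_MISS]
# Everything between CODE and the trailing integer(s) is the command line.
EXTERNAL_LINE = re.compile(
    r"^(?P<name>\S+)\s+external\s+(?P<code>\S+)\s+"
    r"(?P<command>.*?)\s+(?P<weight>-?\d+)(?:\s+(?P<miss>-?\d+))?\s*$"
)

# Constructed global.cfg excerpt: three tests sharing one command line and
# a fourth whose path differs only in case.
SAMPLE_CFG = r"""
SNIFFER-GENERAL       external 063 F:\IMail\Declude\sniffer2r32\licensecode.exe activationcode 7
SNIFFER-EXPERIMENTAL  external 062 F:\IMail\Declude\sniffer2r32\licensecode.exe activationcode 12 0
SNIFFER-OBFUSCATION   external 061 F:\IMail\Declude\sniffer2r32\licensecode.exe activationcode 11
SNIFFER-PORN          external 054 f:\imail\declude\sniffer2r32\licensecode.exe activationcode 17
"""


def parse_external_tests(cfg_text):
    """Collect name, code and command line from each external test line."""
    tests = []
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = EXTERNAL_LINE.match(line)
        if m:
            tests.append({"name": m["name"], "code": m["code"],
                          "command": m["command"]})
    return tests


def invocation_groups(tests):
    """Map each distinct command line to the tests that share it.  Under the
    rule quoted in the thread, Declude runs one process per distinct command
    line, so the number of keys is the number of Sniffer runs per message."""
    groups = {}
    for t in tests:
        groups.setdefault(t["command"], []).append(t["name"])
    return groups


def lookalike_commands(groups):
    """Command lines that are equal once case and spacing are ignored: the
    same program on Windows, but not identical text, so probably a typo that
    costs an extra scan per message."""
    by_norm = {}
    for cmd in groups:
        by_norm.setdefault(" ".join(cmd.split()).lower(), []).append(cmd)
    return {k: v for k, v in by_norm.items() if len(v) > 1}


if __name__ == "__main__":
    groups = invocation_groups(parse_external_tests(SAMPLE_CFG))
    print(f"{len(groups)} distinct command line(s), i.e. Sniffer run(s) per message")
    for cmd, names in groups.items():
        print(f"  {cmd!r}: {', '.join(names)}")
    for variants in lookalike_commands(groups).values():
        print("probably meant to be identical:", variants)
```

On the constructed excerpt the checker reports two distinct command lines (two scans per message instead of one) and flags the mis-cased path as the cause. When a command line itself ends in a number and only one weight is given, the layout is ambiguous and the regex will take the last integer as the weight; keep that in mind when reading its output.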
[sniffer] Zombie message volume
This diary entry over at the Internet Storm Center points to an increased volume of traffic from probable zombies, and they posit that the increase in this traffic would coincide with the spam increase that people are seeing. http://isc.sans.org/diary.php?storyid=1828 Their graph shows a sharp ramp-up on October 14th, 2006. Andrew. # This message is sent to you because you are subscribed to the mailing list sniffer@sortmonster.com. To unsubscribe, E-mail to: [EMAIL PROTECTED] To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED] To switch to the INDEX mode, E-mail to [EMAIL PROTECTED] Send administrative queries to [EMAIL PROTECTED]
[sniffer] Re: Yahoo! Is Retarded
I like your new sig, John. How's this for an addendum? "Experience is that which you acquire, just after you needed it."
Andrew 8)
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Thursday, October 26, 2006 8:13 AM
To: Message Sniffer Community
Subject: [sniffer] Re: Yahoo! Is Retarded
You're preaching to the choir. John T eServices For You "Life is a succession of lessons which must be lived to be understood." Ralph Waldo Emerson (1802-1882)
-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Jonathan Hickman
Sent: Thursday, October 26, 2006 7:24 AM
To: Message Sniffer Community
Subject: [sniffer] Yahoo! Is Retarded
Now, my word choice of 'Retarded' is merely to illuminate the slowness of Yahoo! in regards to this issue and the severity of their decision and not to indicate that they are mentally handicapped which is an accusation for which I have no basis. However, as evidence of this, please review the following URLs: http://ca.answers.yahoo.com/question/index?qid=20061024160658AAAh0QY http://answers.yahoo.com/question/index?qid=20061024080547AAf54ah Jonathan Hickman
[sniffer] Re: Increase in spam
For another organization's graph of spam trends as received by them, check out the updated graphs at TQM cubed: http://tqmcube.com/tide.php Their graph shows a sharp uptick at the end of June 2006. Andrew 8) -Original Message- From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil Sent: Wednesday, October 18, 2006 6:23 AM To: Message Sniffer Community Subject: [sniffer] Re: Increase in spam Hello K, Wednesday, October 18, 2006, 8:52:17 AM, you wrote: I've been seeing a massive increase in spam over the last 2 days getting through with minimal scores. Could this be due to the drawback of the filter involved with false positives, or something else? It's hard to pin down, but not likely to be the pulled rule. We have seen a relative increase in new spam campaigns over the past 2 days preceded by a lull. That may be what you're noticing. I've attached a graph to illustrate. _M -- Pete McNeil Chief Scientist, Arm Research Labs, LLC. # This message is sent to you because you are subscribed to the mailing list sniffer@sortmonster.com. To unsubscribe, E-mail to: [EMAIL PROTECTED] To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED] To switch to the INDEX mode, E-mail to [EMAIL PROTECTED] Send administrative queries to [EMAIL PROTECTED]
[sniffer] Re: Version 2-3.5 Release -- Faster Engine
That's good news, Pete. And with the WeightGate executable and source thrown in at no extra charge!
Andrew 8)
-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Monday, October 23, 2006 9:26 AM
To: Message Sniffer Community
Subject: [sniffer] Version 2-3.5 Release -- Faster Engine
Hello SNF Folks, The plan was to hold off until the next major release, however in light of recent increases in spam traffic we are pushing out a new version with our faster engine included. All other upgrades are will wait for the major release ;-) The scanning engine upgrade results in a 2x speed increase that hopefully will help with the higher volumes we are seeing now. Version 2-3.5 also rolls up 2-3.2i1 which included the timing and file locking upgrades. You can find version 2-3.5 here: http://kb.armresearch.com/index.php?title=Message_Sniffer.GettingStarted.Distributions Thanks, _M -- Pete McNeil Chief Scientist, Arm Research Labs, LLC.
# This message is sent to you because you are subscribed to the mailing list sniffer@sortmonster.com. To unsubscribe, E-mail to: [EMAIL PROTECTED] To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED] To switch to the INDEX mode, E-mail to [EMAIL PROTECTED] Send administrative queries to [EMAIL PROTECTED]
[sniffer] Re: Significant increase in false positives
I'm attaching an old message to this list which may come in handy. It's from my perspective, which is using Declude and IMail, with the spam messages in d:\imail\spool\spam and needing to be moved to d:\imail\spool to be re-scanned. Now that I use a newer version of Declude, my paths are d:\imail\spool\spam for the source and d:\imail\spool\proc for the destination. Replace "828931" with "1174356" in the gawk line. Replace the date embedded in the sniffer log file name wildcard with today's date. I went through the 15th, 16th and 17th to be safe. If you're archiving your logs, you'll of course have to unpack them first. And if you don't rotate your logs often, you may not need the wildcard on the log filename at all. I think I had 267 hits in my msgids.txt file.
Andrew 8)
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Computer House Support
Sent: Monday, October 16, 2006 8:09 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Significant increase in false positives
Dear Pete, Sniffer blocked 35,000 messages today, and roughly 7200 of them were blocked by the 1174356 rule. Do you think many of these were false positives? Do you know a way of searching through 35,000 Imail messages to find the FPs? What would you suggest in this situation. Thank you, Michael Stein, Computer House
- Original Message -
From: Pete McNeil
To: Message Sniffer Community
Sent: Monday, October 16, 2006 8:46 PM
Subject: [sniffer] Re: Significant increase in false positives
Hello Darin, Monday, October 16, 2006, 5:17:26 PM, you wrote: Anyone else seeing a sudden increase in FPs? We normally report a few each day, but we're seeing a 10x increase in FPs for the past three days.
Not sure if this is it, but there was an image segment rule that went in over the weekend and resulted in an unusual number of false positives today. The rule was removed. IIRC the rule id was: 1174356 Hope this helps, _M -- Pete McNeil Chief Scientist, Arm Research Labs, LLC.
# This message is sent to you because you are subscribed to the mailing list sniffer@sortmonster.com. To unsubscribe, E-mail to: [EMAIL PROTECTED] To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED] To switch to the INDEX mode, E-mail to [EMAIL PROTECTED] Send administrative queries to [EMAIL PROTECTED]
---BeginMessage---
Goran, this is pretty much what I did to get to re-queuing:
gawk "$0 ~ /Final\t828931/ {print substr($3,2,16)}" gxamq2kt.log.20060207* > msgids.txt
The file msgids.txt will now contain just the GUID part of the D[guid].SMD from column 3 in the tab delimited Message Sniffer log files. I then used a batch file I had previously created called qm.cmd (for queue and move). Note that the folders I specify are for Declude 1.x, which has an overflow folder. I use the overflow folder so that Declude will re-analyze the message:
Rem this is the qm.cmd file listing
move d:\imail\spool\spam\d%1.smd u:\imail\spool\ > nul
move d:\imail\spool\spam\q%1.smd u:\imail\spool\overflow\ > nul
I then issued from the command line:
for /F %i in (msgids.txt) do @qm.cmd %i
That takes care of re-queuing all the held messages. I am using a move instead of a copy because I want Declude to be able to move a message it deems spam to the spam folder. If I used a copy, it would fail to do the move because the file is already in the spam folder, and Declude would then pass control back to Imail, which would then deliver the spam inbound. After my queue went back to normal, I then set to work on my dec0207.log file to determine if the entirety of the message was spam or ham based on whether it was held or not (which is the simple scenario I have).
I hope that helps,
Andrew 8)
p.s. Another re-posting in HTML so as to preserve the line breaks. Sorry for the duplication, folks.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Goran Jovanovic
Sent: Tuesday, February 07, 2006 5:39 PM
To: sniffer@SortMonster.com
Subject: RE: Re[4]: [sniffer] Bad Rule - 828931

I just ran the grep command on my log and I got 850 hits. Now is there a way to take the output of the grep command and use it to pull out the total weight of the corresponding message from the declude log file, or maybe the subject?

Goran Jovanovic
Omega Network Solutions

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Sullivan
Sent: Tuesday, February 07, 2006 7:47 PM
To: Landry, William (MED US)
Subject: Re[4]: [sniffer] Bad Rule - 828931

Hello William, Tuesday, February 7, 2006, 7:39:05 PM, you wrote: LWMU grep -c "Final.*828931"
[sniffer] Re: yahoo mail problems
I had a similar problem with Hotmail once upon a time; the details were different, but the remedy was the same. I run a caching DNS server on my outbound DNS host, so I simply added a DNS zone for Yahoo.com on it, and populated only enough MX record information so that I could reliably get to just a few hosts. The same dummy zone technique could be used here to consistently deliver mail to the same Yahoo! mail hosts and therefore their greylisting will work as they expect. If you try it and it works, please let us know.

Andrew 8)

From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Tech Support
Sent: Tuesday, October 17, 2006 9:12 AM
To: Message Sniffer Community
Subject: [sniffer] Re: yahoo mail problems

Here's what we have found so far. Yahoo is greylisting, but instead of running a centralized GL database each of their servers has its own. A lookup for their MX shows:

Mx1.mail.yahoo.com
Mx2.mail.yahoo.com
Mx3.mail.yahoo.com

So your server grabs one of these and does a lookup, which returns a round robin response for mx1.mail.yahoo.com of:

4.79.181.14
4.79.181.15
4.79.181.168
67.28.113.71
67.28.113.73
67.28.113.19

Each of which has a TTL of 1800. So your server tries one of these and gets deferred to try again. It waits and tries again, but depending on your retry frequency the TTL may have expired, and so the process starts over with a new MX1.mail.yahoo.com server. Not sure if this is all correct but it is the best we can figure out as of yet.

From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Computer House Support
Sent: Tuesday, October 17, 2006 12:11 PM
To: Message Sniffer Community
Subject: [sniffer] Re: yahoo mail problems

Now that I've looked into it further, yes! Our E-mails to Yahoo have also been bouncing back as undeliverable with the same error. I have sent out a few test messages and will report back when I have some more info.
Michael Stein
Computer House

- Original Message - From: Tech Support To: Message Sniffer Community Sent: Tuesday, October 17, 2006 11:52 AM Subject: [sniffer] Re: yahoo mail problems

Thanks, but we're not blacklisted and there are no entries other than "message has been deferred".

From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Computer House Support
Sent: Tuesday, October 17, 2006 11:54 AM
To: Message Sniffer Community
Subject: [sniffer] Re: yahoo mail problems

I would recommend checking your mail server logs for a more detailed description of the bounce error. You may find that it is a DNS or spam blacklist issue. www.dnsstuff.com is a good resource.

Michael Stein
Computer House

- Original Message - From: Tech Support To: Message Sniffer Community Sent: Tuesday, October 17, 2006 10:50 AM Subject: [sniffer] yahoo mail problems

I'm sorry to post this here, but we are desperately looking for opinions quickly as this has become a real issue for us and I could not think of any better place to find truly technical mail server folks. We seem to be having multiple mail servers on multiple networks having issues sending to yahoo servers for going on 36 hours now. These are a variety of server types on a variety of networks. Telnet on port 25 is usually getting this: 451 Message temporarily deferred - 4.16.50. Keep in mind that some of our servers are having no issues sending mail. Anyone else having this issue?
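The mechanism Tech Support describes above (every receiving host keeping its own greylist behind a round-robin A record with a 1800 s TTL) and the dummy-zone pinning Andrew suggests can be reproduced offline. The following is an added example, not code from the list or from Yahoo!: a small Python simulation with constructed addresses (RFC 5737 documentation ranges, not Yahoo!'s real MX hosts), a resolver that caches one address per name for the TTL and rotates to the next address when it expires, and a per-host greylist that defers the first sight of a sender/recipient triplet and accepts it afterwards.

```python
"""Simulation of greylisting behind a round-robin MX with independent
per-host state. Added example with constructed data; not Yahoo!'s code.

Assumptions taken from the thread: several A records for one MX name,
TTL 1800 s, every receiving host keeps its own greylist, first contact
is deferred with a 451 and a retry of the same triplet is accepted.
"""

TTL = 1800  # seconds, as reported in the thread

# Constructed addresses from the RFC 5737 documentation range.
MX_HOSTS = ["192.0.2.14", "192.0.2.15", "192.0.2.168",
            "192.0.2.71", "192.0.2.73", "192.0.2.19"]


class CachingResolver:
    """Caches one A record for the MX name until the TTL expires, then
    hands out the next address in round-robin order."""

    def __init__(self, addrs, ttl=TTL):
        self.addrs, self.ttl = addrs, ttl
        self.index, self.cached, self.expires = 0, None, 0

    def resolve(self, now):
        if self.cached is None or now >= self.expires:
            self.cached = self.addrs[self.index % len(self.addrs)]
            self.index += 1
            self.expires = now + self.ttl
        return self.cached


class Greylist:
    """One receiving host's greylist: 451 on first sight of a triplet,
    250 once the triplet has been seen before."""

    def __init__(self):
        self.seen = set()

    def smtp(self, triplet):
        if triplet in self.seen:
            return 250
        self.seen.add(triplet)
        return 451


def deliver(retry_interval, pin_to=None, max_attempts=20):
    """Return the attempt number on which the message is accepted, or None.

    retry_interval: seconds the sending MTA waits between attempts.
    pin_to: an address to use on every attempt (the effect of Andrew's
            dummy zone with a single MX host); None means use the resolver.
    """
    resolver = CachingResolver(MX_HOSTS)
    hosts = {ip: Greylist() for ip in MX_HOSTS}
    # Constructed (client IP, MAIL FROM, RCPT TO) triplet.
    triplet = ("203.0.113.5", "sender@example.net", "user@yahoo.example")
    now = 0
    for attempt in range(1, max_attempts + 1):
        target = pin_to if pin_to else resolver.resolve(now)
        if hosts[target].smtp(triplet) == 250:
            return attempt
        now += retry_interval
    return None
```

deliver(600) is accepted on the second attempt because the retry lands inside the TTL and reaches the same host; deliver(3600) has to visit every host once before any of them recognises the triplet, so with six hosts it takes seven attempts, and a larger pool wastes correspondingly more retries. deliver(3600, pin_to=MX_HOSTS[0]) is back to two attempts, which is what the dummy zone buys. The model ignores greylist entry expiry and the other MX names, so it understates the real delay.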
[sniffer] Re: Paypal failing SNIFFER-GENERAL
Column 7 is the one that contains the rule that was hit. In this case, it was 1100444. Column 8 is the one that contains the group. In this case, it was 60 Ungrouped Black Rules (Sniffer General).

Andrew 8)

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Wednesday, August 23, 2006 12:24 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Paypal failing SNIFFER-GENERAL

Hi Pete, I'm not sure which column is which, but here are the log lines for the message (minus the authorization code):

20060823163449 D83a20d3001502962.SMD 0 32 Match 1100444 60 1502 1551 98
20060823163449 D83a20d3001502962.SMD 0 32 Final 1100444 60 0 3798 98

The FP was submitted at 1:34pm ET.

Darin.

- Original Message - From: Pete McNeil [EMAIL PROTECTED] To: Message Sniffer Community sniffer@sortmonster.com Sent: Wednesday, August 23, 2006 2:22 PM Subject: [sniffer] Re: Paypal failing SNIFFER-GENERAL

Hello Darin, I may be behind... but I don't see an FP report on this. Do you have the rule id? _M

Wednesday, August 23, 2006, 1:36:08 PM, you wrote: FYI... I just reported one of these, so watch out. Darin.

-- Pete McNeil Chief Scientist, Arm Research Labs, LLC.
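Andrew's re-queue procedure in the "Significant increase in false positives" thread above (gawk on the Final record, substr($3,2,16) for the GUID, qm.cmd to move the D and Q files) and his column explanation in this thread describe the same log layout. The following is an added example in Python, not code from the list: it assumes the tab-delimited layout the two threads imply (column 3 is D<guid>.SMD, column 6 is Match or Final, column 7 the rule id, column 8 the group; Darin's pasted lines lack the authorization-code column he removed, which is why his rule appears one column earlier). The sample log lines are constructed, with a placeholder in the licence column, and the move commands use Andrew's newer Declude paths.

```python
"""Select Message Sniffer 'Final' records for a given rule and build the
re-queue move list. Added example; assumes the tab-delimited layout
described in the threads (col 3 = D<guid>.SMD, col 6 = Match/Final,
col 7 = rule id, col 8 = group).
"""
import re

# Constructed sample log. Column 2 stands in for the licence/authorization
# code that Darin stripped from the lines he posted.
SAMPLE_LOG = "\n".join([
    "20060823163449\tLICENSEXX\tD83a20d3001502962.SMD\t0\t32\tMatch\t1100444\t60\t1502\t1551\t98",
    "20060823163449\tLICENSEXX\tD83a20d3001502962.SMD\t0\t32\tFinal\t1100444\t60\t0\t3798\t98",
    "20060823163502\tLICENSEXX\tD83a20d3001502963.SMD\t0\t32\tMatch\t1174356\t60\t10\t40\t99",
    "20060823163502\tLICENSEXX\tD83a20d3001502963.SMD\t0\t32\tMatch\t1100444\t60\t50\t80\t99",
    "20060823163502\tLICENSEXX\tD83a20d3001502963.SMD\t0\t32\tFinal\t1174356\t60\t0\t120\t99",
    "20060823163510\tLICENSEXX\tD83a20d3001502964.SMD\t0\t0\tFinal\t0\t0\t0\t5\t99",
])

# D + 16 hex characters + .SMD, the IMail spool naming the thread shows.
GUID_RE = re.compile(r"^D([0-9a-fA-F]{16})\.SMD$")


def parse_line(line):
    """Split one log line into the fields the procedure needs, or None if
    the line is not a well-formed record."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 8:
        return None
    m = GUID_RE.match(fields[2])
    if not m:
        return None
    return {"guid": m.group(1), "kind": fields[5],
            "rule": fields[6], "group": fields[7]}


def guids_for_rule(log_text, rule_id, kind="Final"):
    """GUIDs whose record of the given kind names rule_id, in log order,
    without duplicates. kind="Final" reproduces the gawk /Final\\t<rule>/
    pattern: only messages whose verdict was decided by that rule."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (rec and rec["kind"] == kind and rec["rule"] == rule_id
                and rec["guid"] not in out):
            out.append(rec["guid"])
    return out


def requeue_commands(guids, spam_dir=r"d:\imail\spool\spam",
                     dest_dir=r"d:\imail\spool\proc"):
    """The move commands qm.cmd would issue: both the D (data) and Q (queue)
    file for each GUID. Returned as strings so they can be reviewed before
    anything is moved."""
    cmds = []
    for g in guids:
        for prefix in ("d", "q"):
            cmds.append(f"move {spam_dir}\\{prefix}{g}.smd {dest_dir}\\ > nul")
    return cmds


if __name__ == "__main__":
    for cmd in requeue_commands(guids_for_rule(SAMPLE_LOG, "1174356")):
        print(cmd)
```

With the sample data the third message matched both 1174356 and 1100444, but its Final record names 1174356, so it is re-queued for the pulled rule and not counted against 1100444; asking for kind="Match" instead shows every message the rule touched, which overstates the FP set the way a plain grep on the rule id would.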
[sniffer] Re: Lots of drug spam getting through
Would that be the "Laugh" in the subject line pharmaceutical spam campaign? That was mentioned by Dave Doherty on the Declude.JunkMail mailing list, and when I checked my logs I found many hundreds with clear variations on the keywords in the text, e.g. there is a joke about lawyers and they are using a list of synonyms for lawyer (and many other words/phrases) so that each mailing is permuted. Message Sniffer was catching at least some of these yesterday but I don't know if the permutations are being caught.

Andrew 8)

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Monday, August 21, 2006 8:38 AM
To: Message Sniffer Community
Subject: [sniffer] Re: Lots of drug spam getting through

Hello Nick, There have been a couple new very aggressive spikes today... most likely these are part of that. I will dig-in with the rule-techs and see what is what. Thanks, _M

Monday, August 21, 2006, 11:27:37 AM, you wrote: We're seeing similar - I keep submitting them to [EMAIL PROTECTED], but the same type of spam keeps getting through... Nick Marshall

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Schick
Sent: 21 August 2006 15:33
To: Message Sniffer Community
Subject: [sniffer] Lots of drug spam getting through

We are seeing tons of spam coming through with the subject "Re: new ..." and advertising drugs. Any luck on stopping this?

Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com

-- Pete McNeil Chief Scientist, Arm Research Labs, LLC.
[sniffer] Re: AW: [sniffer] Re: Update pacing...
FWIW I take the belt and suspenders approach. The rulebase notification by email does trigger a Message Sniffer update script on my system, but I don't rely on it solely. In addition, I also use an "at" schedule every four hours. As in Markus' (and Bill's) sample, I use the -N parameter for wget so as to avoid bandwidth abuse by only downloading the file if it is newer than the one I've already got. The specific time I schedule it for I determined from this page: http://kb.armresearch.com/index.php?title=Message_Sniffer.TechnicalDetails.LogFiles.Submit because after I download a rulebase, I upload my logs. Still on my to-do list is updating my script so as to compress my logs before I upload them.

Andrew 8)

From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Thursday, June 22, 2006 2:15 AM
To: Message Sniffer Community
Subject: [sniffer] Re: AW: [sniffer] Re: Update pacing...

Instead of sending a mail for each update I've disabled the email notification (REM) and changed the wget line as follows:

wget -N -nv http://www.sortmonster.net/Sniffer/Updates/%LicenseID%.snf -O %LicenseID%.new.gz --header=Accept-Encoding:gzip --http-user=sniffer --http-passwd=ki11sp8m -a snfupd.txt

As Alex suggested I've added the -nv switch in order to avoid unnecessary data. I've also changed the last parameter from -o to -a in order to append the results of each update to snfupd.txt. So I have a logfile where I can easily see time and result of each update. Here's an example:

13:32:22 URL:http://www.sortmonster.net/Sniffer/Updates/x.snf [2923892] -> "t918t3eg.new.gz" [1] New RuleBase File Tested Good!
15:43:22 URL:http://www.sortmonster.net/Sniffer/Updates/x.snf [2929252] -> "t918t3eg.new.gz" [1] New RuleBase File Tested Good!
17:54:41 URL:http://www.sortmonster.net/Sniffer/Updates/x.snf [2943056] -> "t918t3eg.new.gz" [1] New RuleBase File Tested Good!
20:08:18 URL:http://www.sortmonster.net/Sniffer/Updates/x.snf [2952731] -> "t918t3eg.new.gz" [1] New RuleBase File Tested Good!

Markus

-Original Message-
From: Message Sniffer Community [mailto:sniffer@sortmonster.com] On Behalf Of Hirthe, Alexander
Sent: Tuesday, June 20, 2006 9:46 AM
To: Message Sniffer Community
Subject: [sniffer] AW: [sniffer] Re: Update pacing...

Hello, I switched from just downloading the file every xx hours to the snfupd.cmd from the Imail Package. The only thing I additionally modified is a '-nv' switch for wget. With this you'll only get the result of the download, not a line for every 50 kB. Alex

-Original Message-
From: Message Sniffer Community [mailto:sniffer@sortmonster.com] On Behalf Of Pete McNeil
Sent: Monday, 19 June 2006 23:46
To: Message Sniffer Community
Subject: [sniffer] Re: Update pacing...

Hello Harry, Monday, June 19, 2006, 4:47:14 PM, you wrote: My script does not check for update first. Is there a sample that does do that that you can point me to?

This page describes automated updates and lists several scripts: http://kb.armresearch.com/index.php?title=Message_Sniffer.TechnicalDetails.AutoUpdates The one I recommend most for Winx based systems is ImailSnifferUpdateTools.zip. Don't let the name fool you - if you are NOT using IMail the scripts are still great --- you will only need to find another way to call them if your system does not provide a "program alias" functionality. Hope this helps, _M

-- Pete McNeil Chief Scientist, Arm Research Labs, LLC.
[sniffer] Re: Weight Gate Success? Failure?
Pete, I plan to use it or something similar in non-production once I set up a new test system. A quick test with a batch file worked fine. Although I'm no programmer, I have reviewed the source and saw no obvious logical problems or coding flaws. Rigorous testing on the command line showed that it works perfectly. Command line testing also showed that it dealt with extremely large numbers correctly. Command line testing also showed that when passed values that are out of bounds or doggerel, no executable is launched and a safe value of 0 is returned as the return value. Command line testing also showed that it handles long file names (even if Declude doesn't like quotes in filenames) which makes it more generally useful. I think you've done a great job, Pete!

Andrew 8)

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Tuesday, June 13, 2006 8:49 AM
To: Message Sniffer Community
Subject: [sniffer] Weight Gate Success? Failure?

Hello Sniffer Folks, Is anyone successfully using the WeightGate utility? Anyone having trouble with it? I've literally heard nothing so far ;-) Thanks, _M

-- Pete McNeil Chief Scientist, Arm Research Labs, LLC.
[sniffer] Numeric spam source has been revealed
It was broken code in the latest Bagel/Beagle: http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.fc.html

Andrew 8)
Re: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]FP suggestions
(sniff) Aw, cut it out, Matt. You're making me all weepy.

p.s. Pete, that's pretty darned amazing!

From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Wednesday, June 07, 2006 3:58 PM
To: Message Sniffer Community
Subject: Re: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]FP suggestions

Pete, I think that you just broke Scott's record with his two hour feature request with your own two hour program :) Anyone remember those days??? Thanks, Matt

Pete McNeil wrote:

Hello Matt, Wednesday, June 7, 2006, 4:22:05 PM, you wrote:

Pete, Since the %WEIGHT% variable is added by Declude, it might make sense to have a qualifier instead of making the values space delimited.

I don't want to mix delimiters... everything so far is using spaces, so it makes sense to continue that way IMO.

Errors in Declude could cause values to not be inserted, and not everyone will want to skip at a low weight. I haven't seen any bugs with %WEIGHT% since shortly after it was introduced, but you never know. I have seen some issues with other Declude inserted variables though.

Well, errors are always a possibility, but in this case it _should_ be reasonably safe. For example, if this is used to gate SNF, then a missing %WEIGHT% would result in trying to launch a program with the same name as the authentication string, and it is highly unlikely that would be found, so the result would be the "program not found" error code. That's not perfect because it's a nonzero result, but it is safe in that it is not likely to launch another program.

One other thing that I came across with the way that Declude calls external apps... you can't delimit the data with things like quotes. There is no mechanism for escaping a functional quote from a quote that should appear in the data that you pass to it... so don't use quotes as delimiters :)

Not a problem...

I just whipped together a utility called WeightGate.exe that can be downloaded here (for now): http://www.messagesniffer.com/Tools/WeightGate.exe

Suppose you wanted to use it in Declude to skip running SNF if your weight was already ridiculously low (perhaps white listed) or already so high that you want to save the extra cycles. Then you might do something like this:

SNF external nonzero "c:\tool\WeightGate.exe -50 %WEIGHT% 30 c:\SNF\sniffer.exe authenticationxx" 10 0

(hopefully that didn't wrap, and if it did you will know what I meant ;-)

To test this concept out you might first create a copy of WeightGate.exe called ShowMe.exe (case matters!) and then do something like this:

SNF external nonzero "c:\tool\ShowMe.exe -50 %WEIGHT% 30 c:\SNF\sniffer.exe authenticationxx" 10 0

The result of that would be the creation of a file c:\ShowMe.log that contained all of the parameters ShowMe.exe was called with -- that way you wouldn't have to guess if it was correct. ShowMe.exe ALWAYS returns zero, so this _should_ be safe ;-)

If you run WeightGate on the command line without parameters it will tell you all about itself and its alter ego ShowMe.exe. That description goes like this (I may fix the typo(s) later):

WeightGate.exe (C) 2006 ARM Research Labs, LLC.
This program is distributed AS-IS, with no warranty of any kind. You are welcome to use this program on your own systems or those that you directly support. Please do not redistribute this program except as noted above, however feel free to recommend this program to others if you wish and direct them to our web site where they can download it for themselves. Thanks! www.armresearch.com.

This program is most commonly used to control the activation of external test programs from within Declude (www.declude.com) based on the weight that has been calculated thus far for a given message.

As an added feature, if you rename this program to ShowMe.exe then it will emit all of the command line arguments as it sees them to a file called c:\ShowMe.log so that you can use it as a debugging aid.

If you are seeing this message, you have used this program incorrectly. The correct invocation for this program is:

WeightGate low weight high program arg 1, arg 2, ... arg n

Where:
low = a number representing the lowest weight to run program.
weight = a number representing the actual weight to evaluate.
high = a number representing the highest weight to run program.
program = the program to be activated if weight is in range.
arg 1, arg 2, ... arg n = arguments for program.

If weight is in the range [low,high] then WeightGate will run program and pass all of arg 1, arg 2, ... arg n to it. Then WeightGate will collect the exit code of program and return it as WeightGate's exit code.

If WeightGate gets the wrong number of parameters it will display this message and return FAIL_SAFE (zero) as its exit code.

If weight is not in range (less than low or greater than high) then WeightGate will NOT launch program and will return
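Pete's description of WeightGate above (run the program only when low <= weight <= high, pass its exit code through, return FAIL_SAFE zero on a wrong argument count) and his reasoning about a missing %WEIGHT% can be checked against a re-implementation. The following is an added example in Python, not WeightGate.exe or any ARM Research code: gate() is the decision, the runner is injectable so the decision can be tested without launching anything, and declude_argv() builds the argument vector from Pete's example test line. Two behaviours are assumptions beyond the text above, which is cut off at the out-of-range case: an out-of-range weight returns 0 without launching (what Andrew reports from his command-line tests in the "Weight Gate Success? Failure?" thread), and a non-numeric value in any of the first three slots is treated as a usage error and also returns 0, which is stricter than the "program not found" path Pete describes for the shifted-argument case.

```python
"""Re-implementation of the WeightGate gating logic. Added example; not
WeightGate.exe itself.

Assumed behaviour: run program only if low <= weight <= high and return
its exit code; otherwise return FAIL_SAFE (0) without launching anything.
"""
import subprocess
import sys

FAIL_SAFE = 0


def gate(args, runner=subprocess.call):
    """args = [low, weight, high, program, *program_args], all strings, as
    Declude would hand them over. Returns (launched, exit_code)."""
    if len(args) < 4:
        # Wrong number of parameters: the utility prints its usage text and
        # returns FAIL_SAFE.
        return False, FAIL_SAFE
    try:
        low, weight, high = (int(x) for x in args[:3])
    except ValueError:
        # A missing %WEIGHT% shifts everything left, so a program path or
        # the authentication string lands in a numeric slot. Assumption in
        # this version: refuse to launch rather than guess.
        return False, FAIL_SAFE
    if not low <= weight <= high:
        # Out of range: nothing is launched and 0 is returned (per Andrew's
        # command-line tests).
        return False, FAIL_SAFE
    # In range: launch and pass the child's exit code straight through so a
    # Declude "nonzero" test sees the gated program's verdict, not ours.
    return True, runner(args[3:])


def declude_argv(weight):
    """Argument vector for Pete's example line
    'WeightGate.exe -50 %WEIGHT% 30 c:\\SNF\\sniffer.exe authenticationxx'.
    weight=None simulates Declude not inserting %WEIGHT% at all."""
    argv = ["-50", weight, "30", r"c:\SNF\sniffer.exe", "authenticationxx"]
    return [a for a in argv if a is not None]


def real_launch(exit_code):
    """Gate a real child process (this interpreter exiting with exit_code)
    to show the exit code propagating through the gate unchanged."""
    child = [sys.executable, "-c", f"import sys; sys.exit({int(exit_code)})"]
    return gate(["0", "5", "10"] + child)


if __name__ == "__main__":
    # Same shape as the utility: WeightGate low weight high program args...
    sys.exit(gate(sys.argv[1:])[1])
```

The shifted-argument case is the one worth testing before deploying any gate of this kind: declude_argv(None) puts "30" in the weight slot and the sniffer path in the high slot, and the only safe outcome is that nothing is launched. Python's int() also handles the very large values Andrew exercised, and negative bounds such as -50 parse as expected.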
Re: [sniffer]AW: [sniffer]AW: [sniffer]Concerned about amount of spam going through
David, Are you using the free version of sniffer? Or did you deliberately change your .exe name in your posting to sniffer.exe to hide your licence number? I certainly expect that the rulebase lag with the free version will result in lower Message Sniffer hit rates. I've seen the free version with hit rates as low as 10% on the remaining messages that have been already filtered by a gateway, which I thought was still decent because these were the messages that had already evaded the blacklist tests. And free is good. On the same system, I noted that this made Sniffer about half as effective as fresh SURBL/URIBL testing, but I had no way to compare their overlap.

Andrew 8)

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of David Waller
Sent: Tuesday, June 06, 2006 5:46 AM
To: Message Sniffer Community
Subject: Re: [sniffer]AW: [sniffer]AW: [sniffer]Concerned about amount of spam going through

We just use a single test, we don't categorise. If SNIFFER returns a result we weight it. However, SNIFFER often returns a zero result when the email is obviously junk, i.e. SNIFFER returns a positive result (spam) in about 30% of all identified junk mail.

SNIFFER external nonzero \declude\sniffer\sniffer.exe 23 0

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: 06 June 2006 11:17
To: Message Sniffer Community
Subject: [sniffer]AW: [sniffer]AW: [sniffer]Concerned about amount of spam going through

Hi, there must be something wrong with your configuration of the sniffer test(s). Here are my numbers from yesterday based on 24462 processed messages:

Date  Test              SS  SH  HH  HS  IMP
0605  SNIFFER-TRAVEL    12   0   0  23    2
0605  SNIFFER-INSUR      4   0   0   0    0
0605  SNIFFER-AV         0   0   0   0    0
0605  SNIFFER-MEDIA   1345   0   0   0    8
0605  SNIFFER-SWARE     73   0   0   0    0
0605  SNIFFER-SNAKE   8386   0   0   0    9
0605  SNIFFER-SCAMS    138   0   0   2    3
0605  SNIFFER-PORN     908   0   0   1    3
0605  SNIFFER-MALWARE   12   0   0   2    3
0605  SNIFFER-INK        2   0   0   0    0
0605  SNIFFER-RICH    2865   0   0   2  219
0605  SNIFFER-CREDIT   363   0   0   0    1
0605  SNIFFER-CASINO   300   0   0   0    0
0605  SNIFFER-GENERAL 2881   0   0  41   41
0605  SNIFFER-EXP-A    450   0   0  36    7
0605  SNIFFER-OBFUSC     4   0   0   5    0
0605  SNIFFER-EXP-IP    28   0   0   8    5

SS  Sniffer says spam, final result too
SH  Sniffer says spam, final result not
HH  Sniffer says ham, final result too
HS  Sniffer says ham, final result not
IMP Sniffer says spam and final result is slightly above the hold weight. (This column is a part of the SS column: 100-150% of hold.) So a.) it's an important test because it's able to bring the spam above the hold weight and without this test it wasn't held as spam, or b.) it's a risky test because it brings legit messages above the hold weight.

What result codes are you using in your test configuration? (please don't publish your sniffer-id!)

Markus

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of David Waller
Sent: Tuesday, 6 June 2006 11:51
To: Message Sniffer Community
Subject: Re: [sniffer]AW: [sniffer]Concerned about amount of spam going through

Of all SPAM identified SNIFFER is finding about 30%. We see an awful lot of junk email not being caught by SNIFFER, it's being processed by Declude and failing some technical tests but not by SNIFFER.

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: 06 June 2006 09:41
To: Message Sniffer Community
Subject: [sniffer]AW: [sniffer]Concerned about amount of spam going through

I only see Sniffer catching about 30% of SPAM and that's the highest it's ever been.

30% of spam or 30% of all processed messages? Sniffer is still one of the best tests in my arsenal. Markus
Re: [sniffer]A design question - how many DNS based tests?
I use just shy of 60 DNS based tests against the sender, both IP4R and RHSBL. Perhaps 10-12 matter. Due to false positives, I rate most of them relatively low and have built up their weights as a balancing act. That act is greatly assisted by using a weighting system and not reject on first hit, and furthered by being able to do combo tests such as the example Nick offered on a different thread this morning. SPAMHAUS XBL (CBL and the Blitzed OPM), SPAMCOP, FIVETEN, MXRATE-BL are consistent good performers for me. Tests that I try out tend to stay in my configuration after they've become inutile as long as they do no harm. I groom the lists perhaps four times per year.

Andrew 8)

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Tuesday, June 06, 2006 6:26 AM
To: Message Sniffer Community
Subject: [sniffer]A design question - how many DNS based tests?

Hello Sniffer Folks, I have a design question for you... How many DNS based tests do you use in your filter system? How many of them really matter? Thanks! _M

-- Pete McNeil Chief Scientist, Arm Research Labs, LLC.
Re: [sniffer]Numeric spam
So no one has any idea what the purpose of these emails is?

The bad guys aren't telling. The good guys have lots of theories, such as: http://isc.sans.org/diary.php?storyid=1384 and also: http://www.f-secure.com/weblog/archives/archive-062006.html#0894 which in turn points to this UseNet thread: http://groups.google.com/group/Gmail-Problem-solving/browse_thread/thread/3c6e2fec311e89c7/f752311f6db05dfb?lnk=st&q=1545453&rnum=2&fwc=2 which has a rather low signal to noise ratio. Suffice it to say that in that thread, they eventually come up with "spammers fake the from address on a regular basis, yes, even yours" and "hey, we don't know what this is".

The bad guys have certainly spewed out broken junk before, which doesn't seem to suit their purpose; all I can see it accomplishing is exposing previously clean IP addresses as zombies with no commercial gain. (Hmm... ok, to follow that previous sentence you need to share my understanding that the bad guys regularly burn many previously clean IP addresses at one go by using the zombies on those machines to pump out a new spam run, thus evading the IP based blacklists until those blacklists catch up. Since their commercial messages get through to mailboxes in the meantime, that is a good tradeoff from their point of view. No payload in the numeric spam means no commercial gain.)

The only theories that I can get behind revolve around information-gathering. Since the MAILFROM is not an address under their control, the bad guys could glean a little information to clean their address lists by collecting 500-level SMTP error messages from each of their zombies. That would only give them partial information and would require that they co-ordinate the data back from their many zombies. And it supposes that the bad guys care about list scrubbing. The greatest supposition is that they would do this without commercial gain; after all, they could have done this without a special spam run. I think they just screwed up again.

Andrew 8)

From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Steve Guluk
Sent: Tuesday, June 06, 2006 3:46 PM
To: Message Sniffer Community
Subject: Re: [sniffer]Numeric spam

On Jun 6, 2006, at 7:51 AM, Steve Guluk wrote: We're getting the same and today it started hitting a different account (Domain). What are these things? I thought exploratory, maybe looking for replies to build a DB for a later spam wave? They're not malicious in content and look like someone's virus working incorrectly. But, I doubt they are really so benign. Anyone understand their purpose?

On Jun 6, 2006, at 6:32 AM, Goran Jovanovic wrote: I started seeing these messages Monday (yesterday) morning EDT. The from and to are the same (ie you sent it to yourself). I am tagging it but there is not enough stuff to push it into DELETE territory.

So no one has any idea what the purpose of these emails is? Random numbers for no apparent reason...?

Regards, Steve Guluk
SGDesign
(949) 661-9333
ICQ: 7230769
Re: [sniffer]Possible Paypal Phishing
John, I think my last post answered that. FWIW, also check out the SPF record: nslookup -type=TXT email.paypal.com Which allows postdirect.com as a mailer. In this case, it's not needed, because they also allow SPF from the PTR records that match. Andrew 8) -Original Message- From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists) Sent: Wednesday, May 24, 2006 9:45 AM To: Message Sniffer Community Subject: Re: [sniffer]Possible Paypal Phishing But how is PayPal's DNS involved in this as at what point are the Paypal DNS servers queried? John T eServices For You Seek, and ye shall find! -Original Message- From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Wednesday, May 24, 2006 9:38 AM To: Message Sniffer Community Subject: Re: [sniffer]Possible Paypal Phishing It's really from PostDirect.com aka YesMail.com ... You can tell that it's authorized because the reverse DNS which ends in PayPal.com (ok, that does set off alarm bells when it's someone else's netblock) matches the forward lookup of the resulting address at PayPal. Therefore, PayPal is deliberately allowing that reverse IP in someone else's netblock. That, or both the netblock and PayPal's DNS have been p0wned. Andrew 8) -Original Message- From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists) Sent: Wednesday, May 24, 2006 9:31 AM To: Message Sniffer Community Subject: [sniffer]Possible Paypal Phishing Attached are the headers to an e-mail I am suspecting as a clever phising that has me worried. It looks like a legit message sent on behalf of Paypal, however, it is sent from an IP address not owned by Paypal BUT which has a REVDNS that ends in paypal.com. The message is full of links to images.postdirect.com but does have legit links to paypal.com. John T eServices For You Seek, and ye shall find! # This message is sent to you because you are subscribed to the mailing list sniffer@sortmonster.com. 
To unsubscribe, E-mail to: [EMAIL PROTECTED] To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED] To switch to the INDEX mode, E-mail to [EMAIL PROTECTED] Send administrative queries to [EMAIL PROTECTED]
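The check Andrew describes above, made mechanical, as an added example (not code from the list or from Message Sniffer): a PTR that ends in a brand's domain is written by whoever runs the netblock's reverse zone, so by itself it proves nothing; what confirms authorization is that the PTR name resolves forward to the same IP, which only the owner of the brand's forward zone can arrange. Every DNS answer in the block is constructed (RFC 5737 addresses, bank.example standing in for paypal.com, an invented SPF record) so it runs offline; the three fake_* lookups are the only thing to replace for live use.

```python
"""Forward-confirmed reverse DNS (FCrDNS) plus a look at the SPF record.

Added example; not code from the thread or from Message Sniffer. All DNS
data below is constructed (RFC 5737 addresses, bank.example standing in
for paypal.com) so the code runs offline; swap the three fake_* functions
for a real resolver to use it live.
"""
import ipaddress
from typing import Callable, Dict, List

Lookup = Callable[[str], List[str]]

# Constructed records, not real DNS.
FAKE_PTR: Dict[str, List[str]] = {
    "192.0.2.25": ["mta25.esp-outbound.bank.example"],  # third-party ESP, PTR in brand domain
    "198.51.100.7": ["smtp.bank.example"],              # PTR claims the brand, forward disagrees
    "203.0.113.9": [],                                  # no reverse record at all
}
FAKE_A: Dict[str, List[str]] = {
    "mta25.esp-outbound.bank.example": ["192.0.2.25"],  # forward confirms the PTR
    "smtp.bank.example": ["192.0.2.200"],               # forward does not point back
}
FAKE_TXT: Dict[str, List[str]] = {
    "email.bank.example": ["v=spf1 ptr include:esp-outbound.bank.example -all"],
}

def fake_ptr(ip: str) -> List[str]:
    return FAKE_PTR.get(ip, [])

def fake_a(name: str) -> List[str]:
    return FAKE_A.get(name.rstrip(".").lower(), [])

def fake_txt(name: str) -> List[str]:
    return FAKE_TXT.get(name.rstrip(".").lower(), [])

def in_domain(name: str, domain: str) -> bool:
    """Label-aware suffix test: 'x.bank.example' matches, 'notbank.example' does not."""
    n, d = name.rstrip(".").lower(), domain.rstrip(".").lower()
    return n == d or n.endswith("." + d)

def fcrdns(ip: str, ptr: Lookup = fake_ptr, a: Lookup = fake_a) -> Dict[str, List[str]]:
    """Reverse-resolve ip, then keep the PTR names whose forward A records
    contain the original address."""
    addr = str(ipaddress.ip_address(ip))  # normalises; ValueError on junk input
    names = ptr(addr)
    return {"ptr_names": names, "confirmed": [n for n in names if addr in a(n)]}

def classify_sender(ip: str, claimed_domain: str,
                    ptr: Lookup = fake_ptr, a: Lookup = fake_a) -> str:
    """How much a PTR ending in claimed_domain should be trusted for this IP."""
    r = fcrdns(ip, ptr, a)
    if not r["ptr_names"]:
        return "no-ptr"
    if not any(in_domain(n, claimed_domain) for n in r["ptr_names"]):
        return "ptr-outside-domain"
    if any(in_domain(n, claimed_domain) for n in r["confirmed"]):
        return "confirmed"      # the forward-zone owner vouches for this IP
    return "unconfirmed"        # anyone controlling the reverse zone could have written this

def spf_mechanisms(domain: str, txt: Lookup = fake_txt) -> List[str]:
    """Mechanism/modifier tokens of the domain's v=spf1 record, [] if none."""
    for rec in txt(domain):
        toks = rec.split()
        if toks and toks[0].lower() == "v=spf1":
            return toks[1:]
    return []

def spf_uses_ptr(domain: str, txt: Lookup = fake_txt) -> bool:
    """True if the record leans on the ptr mechanism. RFC 7208 says it SHOULD
    NOT be used: it is slow, and its outcome depends on the sender's reverse
    zone rather than only on what the publishing domain controls."""
    return any(t.lower().lstrip("+-~?").split(":")[0] == "ptr"
               for t in spf_mechanisms(domain, txt))

if __name__ == "__main__":
    for ip in FAKE_PTR:
        print(ip, classify_sender(ip, "bank.example"), fcrdns(ip))
    print("email.bank.example uses ptr:", spf_uses_ptr("email.bank.example"))
```

The "unconfirmed" verdict is the alarm-bell case from the thread: a reverse name in the brand's domain that the brand's own forward zone does not back up. Andrew's observation that the record "also allows SPF from the PTR records that match" is why spf_uses_ptr is included: a ptr mechanism makes the SPF result depend on exactly the check above.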
Re: [sniffer]Ebay Phishing Emails getting through
Certainly, submitting samples to spam@ (or preferably your local spam submission point polled by our bots) will put these messages in front of us if we have not already created rules for them.

I've just manually submitted the ~35 messages that my filters triggered on for phishing that didn't trigger Message Sniffer today but ended up in my HOLD folder anyway due to their total spamminess. Most of them are against eBay and came from Germany.

Andrew 8)

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Wednesday, May 17, 2006 12:53 PM
To: Message Sniffer Community
Subject: Re: [sniffer]Ebay Phishing Emails getting through

Hello Jim,

Wednesday, May 17, 2006, 2:46:48 PM, you wrote:

Has anyone else been getting an excess amount of ebay phishing emails making it through sniffer today? I have personally received a couple of them and have multiple users reporting the same. I have forwarded them to the sniffer spam@ address if you can take a look Pete it would be much appreciated.

<ot> Ah... So the list is working :-) I'll have to update the signup instructions... I can check that off the list. </ot>

Today, starting at about 0100 E, the blackhats really took it up a notch. I know because I was on duty making rules at the time. One of the things I saw a lot of were new phishing attacks - all varieties and variants. I know the team has been pushing hard on these, but some are bound to get through on the first few passes.

Another thing we've noticed in the grand scheme is that localized phishing attacks are becoming more common. These are less likely to hit our spamtraps since the target lists used are highly regional -- so if we don't have a spamtrap in that geography our view of the spam may be delayed. We're working on this problem on a number of fronts.. Ideas, as always, are welcome.

Certainly, submitting samples to spam@ (or preferably your local spam submission point polled by our bots) will put these messages in front of us if we have not already created rules for them.

_M
--
Pete McNeil
Chief Scientist, Arm Research Labs, LLC.
RE: Re[2]: [sniffer] New Rulebot F001
Pete,

One of these was EarthLink [207.217.120.227], and one of these was Google Mail [64.233.166.182]. SpamBag lists the EarthLink address as a source of bogus bounces, and I posit that this would be the source of the mail to the spamtraps that would trigger the F001 bot.

I would like to state that I don't need Message Sniffer to identify servers that send bogus postmaster notifications. This would be entirely due to false positives such as the three examples above. Given that spammers clearly recycle their email database as a fake-mailfrom database, any spamtrap address will get bogus bounces and therefore, the spamtraps will flag legitimate senders' IP addresses in Rule 63.

I don't expect nor want you to discuss the details of the spamtraps as the point of one class of your spamtraps is that their methods are secret. However, Matt has described a subset of the filters various Decluders have used to filter out postmaster bounces and other reflected noise, and I can certainly chip in on that conversation offline.

Andrew.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Monday, March 06, 2006 3:18 PM
To: Darin Cox
Subject: Re[2]: [sniffer] New Rulebot F001

On Monday, March 6, 2006, 3:42:50 PM, Darin wrote:

DC We just reviewed this morning's logs and had a few false positives.
DC Not sure if these are due to the new rulebot, but it's more than
DC we've had for the entire day for the past month.

DC Rules
DC --
DC 873261
DC 866398
DC 856734
DC 284831
DC 865663

Three of these are from F001 and have been removed.

865663 - http://www.dnsstuff.com/tools/ip4r.ch?ip=64.233.166.182
         http://www.dnsstuff.com/tools/ptr.ch?ip=64.233.166.182

856734 - http://www.dnsstuff.com/tools/ip4r.ch?ip=64.249.82.200
         http://www.dnsstuff.com/tools/ptr.ch?ip=64.249.82.200

873261 - http://www.dnsstuff.com/tools/ip4r.ch?ip=207.217.120.227
         http://www.dnsstuff.com/tools/ptr.ch?ip=207.217.120.227

I haven't yet processed the fps, only looked up the rules.

There are currently 32820 rules authored by the F001 bot.

Hope this helps,

_M

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
RE: [sniffer] Sniffer, MDLP, and invURIBL?
Joe,

Are you using MDLP to autotune your weights in Declude? If so, you can exclude invURIBL and other tests which you don't want to change, whether because you think the weight is perfect, or because their randomness doesn't fit MDLP's idea of a weighting system.

Check out this snippet from The McNeil on this list at some point in the past:

"Use the #MDLP:MANUAL feature to lock these tests at the values you set. In your GLOBAL.CFG file create a line that lists the tests you want to adjust manually.

#MDLP:MANUAL TEST1 TEST2 TEST3

You can also use more than one line if you wish...

#MDLP:MANUAL TEST1 ...
#MDLP:MANUAL TEST2 ...
#MDLP:MANUAL TEST3 ...

The #MDLP:MANUAL directive appears to be a comment to Declude so it will be otherwise ignored. If you have an #MDLP directive you want to comment out then you can add an additional # as in:

##MDLP:...

This will cause MDLP to ignore it as well."

Andrew 8)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Wolf
Sent: Saturday, February 25, 2006 9:05 AM
To: sniffer@SortMonster.com
Subject: [sniffer] Sniffer, MDLP, and invURIBL?

I'm currently running Sniffer via Declude and use MDLP. Great! Since all the talk about invURIBL on the Imail list I thought I'd give it a try. The only problem I have is that it doesn't seem to be compatible with MDLP. invURIBL assigns its own weight to each message. The global.cfg line is as follows:

INV-URIBL external weight "X:\INVURIBL\INVURIBL.exe %WEIGHT% %REMOTEIP%" 0 0

I'm not an expert but the %WEIGHT% must pass the weight determined by invURIBL to Declude. I don't know what the variables of the weighting system are. I'm worried that I may start getting a bunch of false positives since MDLP can't manage the weighting of invURIBL.

Would appreciate any advice from anyone that knows more about this than I do!

Thanks,
Joe
RE: Re[4]: [sniffer] When to go persistent
Goran,

When you issue a reload you can tell that the new rulebase is being used because the *.svr file's date and time will change to the current time.

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Friday, February 24, 2006 7:31 AM
To: sniffer@SortMonster.com
Subject: RE: Re[4]: [sniffer] When to go persistent

Hi,

I just got my service up and running using Matt's post http://www.mail-archive.com/sniffer@sortmonster.com/msg00169.html

It was simple especially since I already had the resource kit installed.

Now I know that this is supposed to work to get the persistent instance to load the new rulebase after a download.

REM Load new rulebase file.
%LicenseID%.exe reload

But is there any way to query the service and ask it to tell you when was the last time the rulebase was loaded? Or what version of the rulebase it is using?

When running in peer mode this question does not arise since the instances read the file off disk so there is no problem. With the persistent instance this is not the case and I would like to know that it really is using the newest rulebase.

Goran Jovanovic
Omega Network Solutions

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Thursday, February 23, 2006 3:11 PM
To: Rick Robeson
Subject: Re[4]: [sniffer] When to go persistent

On Thursday, February 23, 2006, 1:22:53 PM, Rick wrote:

RR I thought you had to run this as a service?

RR Rick Robeson
RR getlocalnews.com
RR [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]

Strictly speaking you do not have to run it as a service, but it is more convenient to do so. If you run it from the command line then you would need to remain logged in.

Running the persistent instance from the command line is convenient for testing, but it is much better to run it as a service in a production environment - that way it starts and stops with the other services as expected, doesn't require any account to be logged in, etc...

_M
RE: [sniffer] When to go persistent
Goran,

I'd be interested in Pete's technical answer, too.

The practical answer is that you should always go with the persistent instance of Message Sniffer. From reading Pete's previous screeds and monitoring the list here in the last year and from having my own troubles, it's pretty clear to me that only marginal cases suffer with the persistent mode (and I was one of them). Pete's answer on volumes won't answer what are the marginal cases, it just doesn't fit your question. For me, it was simple lack of hardware, but I was *right* on the edge.

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Thursday, February 23, 2006 8:30 AM
To: sniffer@SortMonster.com
Subject: [sniffer] When to go persistent

Hi,

Is there any good rule of thumb, in terms of messages processed per minute/hour/day when you should move to a persistent instance of Sniffer?

Thank you

Goran Jovanovic
Omega Network Solutions
RE: [sniffer] Bad Rule - 828931
Thanks for the update, Pete.

I also appreciate that you expanded on how that rule went wild. I can see that the intent was good but the unintended consequences were not so good.

Here's how it played out on my server:

How many messages hit the FP rules: 2,042
How many messages Declude decided were ham anyway: 1,093
How many messages Declude decided were viruses: 0
How many messages Declude decided were spam: 949
Of the spam, when re-queued, how many were ham: 583
Of the spam, when re-queued, how many were still spam: 366

So, in total:

How many messages hit the bad 828931 rule: 2,042
How many were indeed spam: 366
How many were false positives: 1,676

Andrew 8)
[sniffer] Rulebots gone wild
By the way, Pete, thank you very much for publicly posting the URL where we could download FPSigIDs.csv so that we could work on recovering our own false positives.

I was able to use this information to selectively re-test all of the messages detected by those rules. That was 2,449 messages. More than half of those were detected as spam by other Message Sniffer rules, leaving me with 1,038 messages that I re-queued in my Declude JunkMail Pro on Ipswitch Imail.

For what it's worth, that 1,038 messages that did not trigger any rules in the new rulebase included 378 spam messages which were then caught by my Declude JunkMail Pro configuration.

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Thursday, January 19, 2006 9:15 AM
To: Jeff Alexander
Subject: Re: [sniffer] How can I

On Thursday, January 19, 2006, 8:37:01 AM, Jeff wrote:

JA I have been having a lot of problems with the rules since Friday.
JA How can I see what rules are set for spamming.

There are many thousands of rules. For security purposes we don't expose their content freely. If you have false positives, please follow the false positive process and as part of that process, the rules involved with any particular case will be shown to you.

It's not clear from your note but most likely your trouble is part of a problem we had with our rule-bots a few days ago. The rule-bots have been disabled and the bad rules they created have been rolled out of the core rulebase.

Hope this helps,

_M
RE: [sniffer] Rollback of bot rules..
Thank you, Pete.

In my spelunking, I've found too many rules to put in as panic entries in my .cfg file, and this morning I dropped the weight for my experimental class tests to low values, and heavily edited my combo tests that build on Sniffer hits.

I'm attaching a report showing the number of hits for the various rules that I'm pretty sure are false positives, and this was from a modest sample of my traffic.

Now that the source of the bad rules is gone, and I see that the latest .snf update's file size has significantly shrunk, I'm going to find all the rules that triggered tests 61 and 63 and re-queue them in my Declude for scanning to get the false positives through my mail system.

Andrew.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Tuesday, January 17, 2006 2:06 PM
To: sniffer@sortmonster.com
Subject: [sniffer] Rollback of bot rules..

Hello Sniffer Folks,

There is an unknown problem with the bots surrounding SURBL and SORBS testing. Rather than search for all the needles in all the haystacks we are taking the following action:

The bots will be offline until further notice - so all rules will be those that are developed by our human rule-techs for the time being.

All SURBL or SORBS related rules that were generated by bots in the past 18 hours will be rolled into our Problematic rule group. This is where rules go when they have been removed due to an FP - the Problematic rule group does not get published - it simply prevents rules from being duplicated.

Since we have a huge backlog of false positive reports, it may take a while to get through them all. Please be patient.

The database changes will occur in the next half hour. All updates after that time should have these troublesome rules removed.

Once I resolve what happened to the bots I will let everyone know.

Thanks,

_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)
Chief Scientist (www.armresearch.com)

Attached report (hits per rule, 55 rules):

Hits  Rule      Hits  Rule      Hits  Rule      Hits  Rule      Hits  Rule
  10  491587       1  534442       4  618807       1  800976      16  802046
   1  802834       1  802871       1  803025       5  803052       1  803099
   1  803115       1  803163      43  803228       5  803243       1  803403
   1  803530       5  803621       1  803967       6  804085       3  804105
  10  804289       3  804436       1  804561       4  804788       1  805080
   1  805141      32  805157       1  805270       5  805273       2  805306
   1  805367      10  805460       2  805475       1  805517       4  805528
   3  805531       3  805613       1  805807       1  805863       1  806121
   3  806338       2  806396      40  806424      21  806488      11  808137
   2  808421       2  808456       1  808733       2  809667       1  809928
  60  810112       3  810136       1  810761       1  810833       2  811233
RE: [sniffer] POP3 Account Question
(nuts, too fast on the "Send" button).

... plus, future hits on spam that is already detected can accumulate hits on, say, SNIFFEREXPIP that weren't already hitting.

Therefore, trying to save bandwidth and processing power over at sortmonster.com by submitting less spam is not helpful.

Pete, how'd I do?

Andrew 8)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Monday, December 05, 2005 12:34 PM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] POP3 Account Question

I had the same question, but more specifically: Is it helpful for sniffer trap (spam and user trap) submissions to skip, or to include messages on which sniffer already hits.

I imagine that all trap hits are useful, and that duplicate submissions reinforce the rule strength for a given hit when we submit spam that is already detected...

Andrew 8)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Monday, December 05, 2005 12:28 PM
To: sniffer@SortMonster.com
Subject: [sniffer] POP3 Account Question

I'm working on setting up a spamtrap that'll be for Sniffer. One question: Do you want the email to be filtered?

Options:
Bring in all email.
Delete all email that Sniffer finds a match on. So the only mail left will be mail that Sniffer returned a 0 on.
Run normal tests.
[sniffer] OT: MDaemon HELO greeting
Can anybody give me the short and sweet "how-to" change the HELO in MDaemon without changing the hostname of the mail server? I don't use MDaemon, I'm trying to help someone else.

Thanks,

Andrew 8)
RE: [sniffer] New virus...
I suppose it depends on just how deep the sniffer signature goes... Previous viruses including Sober.* have come in waves, with variants that skirt all but the most intrusive antivirus blocking schemes.

I submitted a sample to the Norman Sandbox, which turned up different information than the McAfee, Trend Micro et al writeups. I googled the CLSIDs that turned up and didn't come up with much, but a fascinating thing was that they also hit on a previous Norman Sandbox entry that Google happened to have in its cache from Sep-25-2005. Maybe the bad guys are testing their software there before release? Hmmm...

So anyhow... If sniffer is *so* amazing that it could identify the CLSID within an executable within a zip file within a MIME segment of a message file, well, that would certainly be amazing, now wouldn't it? I figure the CLSID is unlikely to change as quick as the distribution method and packaging.

Andrew 8)

P.s. We'll see how well the shiny new Common Malware Enumeration scheme pans out. So far, the vendors' names for the malware are quite different.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Thursday, October 06, 2005 12:02 AM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] New virus...

No need to block zips, with Declude just add BANZIPEXTS ON to your virus.cfg file since the payload is an exe within the zip and since we are all already banning executable files, correct?

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Wednesday, October 05, 2005 8:41 PM
To: sniffer@sortmonster.com
Subject: [sniffer] New virus...
Importance: High

Hello sniffer,

Hello folks... watch out for a new virus email with an attachment named pword _ change . zip - extra spaces added to skip filters ;-)

We're adding some SNF rules to catch it. No word about it on virus lists or scanner services yet (that I can see).

You may want to temporarily block .zip files - or at least this particular zip file until the new rules can be pushed out and the virus scanners catch up.

Thanks,

_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)
Chief Scientist (www.armresearch.com)
RE: [sniffer] YAhoo mails failing sniffer?
Inversely, I just had a 419 scam come from a legitimate hotmail account, with a Yahoo! Email address as payload, and for the record, neither that email address (nor anything else) triggered a Sniffer detection. I've just submitted it to the spam@ address.

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Wednesday, September 21, 2005 9:29 PM
To: sniffer@SortMonster.com
Subject: Re: [sniffer] YAhoo mails failing sniffer?

Quick follow-up. The bad rule appears to be 497585.

Matt

Marc Catuogno wrote:

I'm seeing a few legit e-mails from Yahoo failing sniffer. Anyone else?

---
[This E-mail scanned for viruses by Declude Virus]
RE: [sniffer] Integration with today's new ORF version:
I just thought I'd revive this thread and say that on a tiny organization for whom I also administer the mail, this was welcome news. They have ORF plus Exchange 2000. I added the free eval version of sniffer to their mix with the new ORF External Agent feature. Despite the delay in patterns, it is picking up some of the small amount of spam that leaks in despite the RBL based tests.

I also used the standard download scripts wrangled by Bill Landry instead of my own, and found this pretty easy to set up.

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy Schmidt
Sent: Monday, September 05, 2005 7:46 AM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] Integration with today's new ORF version:

Congratulations!

(Sorry for having wasted band-width, I just saw the contact vendor link - never clicked on the link that contained the XML definitions <G> Found it now...).

Anyway - thanks for the integration.

Best Regards
Andy Schmidt

Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Monday, September 05, 2005 10:43 AM
To: Andy Schmidt
Subject: Re: [sniffer] Integration with today's new ORF version:

On Monday, September 5, 2005, 9:26:38 AM, Andy wrote:

AS http://www.vamsoft.com/orf/agentdefs.asp
AS
AS It says to contact vendor. Here I am <G>.

Yes indeed. How may I help you?

_M
RE: [sniffer] Sniffer Resources
Richard, are you rotating your sniffer logs daily?

I had the same experience a very long time ago, and found that without rotating the logs, appending to a monster text file was soaking up a lot of cpu and disk on my server.

Bill Landry worked with a lot of people here to make his download script generic enough for everyone's use. Bundled with that is a script for rotating your logs and uploading them back to SortMonster so that your system provides feedback on rule strengths.

You can find more information about the logs here:
http://www.messagesniffer.com/Support/TechDetails/logFiles.jsp

And the user submitted scripts section is here:
http://www.messagesniffer.com/Support/submittedScripts.jsp

In particular, you would want to download:
http://www.messagesniffer.com/Support/UserScripts/ImailSnifferUpdateTools.zip

And then edit the cmd files to provide your executable name and auth key in the variables supplied. And then schedule the rotate/update script, e.g.

At 10:23PM /every:m,t,w,th,f,sa,su c:\messagesniffer\snfupd.cmd

I hope that helps somebody,

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Richard Farris
Sent: Tuesday, September 06, 2005 8:07 AM
To: sniffer@SortMonster.com
Subject: [sniffer] Sniffer Resources

When I turn off sniffer my server acts normally on resources..but when I turn it on it goes to 100% and stays there most of the time...I have tried updating the sniffer and rebooting the server but does not help...it has been doing this for about a month...has anyone else seen this..if not what can I do to resolve it..right now I have sniffer turned off so I can just send mail thru the server..

Richard Farris
Ethixs Online
1.270.247. Office
1.800.548.3877 Tech Support
Crossroads to a Cleaner Internet

- Original Message -
From: Pete McNeil [EMAIL PROTECTED]
To: Andy Schmidt sniffer@SortMonster.com
Sent: Monday, September 05, 2005 9:43 AM
Subject: Re: [sniffer] Integration with today's new ORF version:

On Monday, September 5, 2005, 9:26:38 AM, Andy wrote:

AS http://www.vamsoft.com/orf/agentdefs.asp
AS
AS It says to contact vendor. Here I am <G>.

Yes indeed. How may I help you?

_M
RE: [sniffer] Test
Ping? Pong.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Mathias
Sent: Thursday, August 04, 2005 3:59 PM
To: sniffer@SortMonster.com
Subject: [sniffer] Test

Apologies, but need to test.

Robert
RE: Re[2]: [sniffer] Sniffer taking a long time?
So basically, what you are saying is that my volume is really too low to take advantage of the persistent sniffer (and such may actually decrease my performance), and I should stick with the non-service version. Is that right? That is about what I thought (without the details of how sniffer works, I just wanted to be sure).

Well, Dan, for the inevitable rush of traffic, I'd stick with the persistent sniffer implementation now that you have it working.

If the 2 second wait time galls you, then use your **.cfg file and specify the MaxPollTime: 500 value at 500 ms or whatever you'd like your maximum wait time to be instead of 2 seconds (2000 ms).

Andrew 8)
RE: [sniffer] FireDaemon
FireDaemon is dirt cheap. Yes, you can have one service for free if you find an older version.

If you want free and will settle for no interface, then check out the free SrvAny.exe that is downloadable from Microsoft as part of their Windows Server Resource Kit.

Andrew 8)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Payer
Sent: Sunday, July 31, 2005 5:16 PM
To: sniffer@SortMonster.com
Subject: Re: [sniffer] FireDaemon

The newest version is not a free version. Older versions gave you one service for free. The new one does not. Got a license?

David Payer

- Original Message -
From: Greg Wanner
To: sniffer@sortmonster.com
Sent: Sunday, July 31, 2005 5:43 PM
Subject: [sniffer] FireDaemon

Can anybody help me with a problem getting the persistent mode to work with FireDaemon. I loaded the latest version, 1.7. I believe I have everything setup correctly, the right .exe name, authenticationxx and persistent in parameters. It starts to fire up, then stops. Any hints?

[EMAIL PROTECTED]
[sniffer] New, but broken worm?
My email server has received about 200 of a certain message since 8:30 AM PDT.

The Subject line is merely 1, the forged mailfrom is approximately the first 8 characters of the target address plus a forged domain. There is an attachment called 1.txt and a message text body that begins on a new line ICA= plus three characters, the first one of which may be low-bit ASCII and the second two are high-bit.

The sources include zombie networks, normal mail servers, and bounced messages from normal servers.

I've sent a bunch of samples to the usual spam@ address and thought I'd make a more general posting here. My guess is that it's a new worm, and that it's broken.

Incidentally, I don't think this is related to a current spam campaign in which the Subject: line includes a number inside of square brackets. I just thought I'd head off that distraction.

Andrew 8)
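The indicators in the post above, turned into a local check, as an added example (not Message Sniffer code and not one of its rules): Subject is just "1", an attachment named 1.txt, a text body that opens on a new line with "ICA=" plus three characters, and a sender local part that is the first eight characters of the recipient's. Both messages in the block are constructed samples written for this example, not captured mail; the From: header stands in for the envelope sender, which a real deployment would take from the raw queue file instead.

```python
"""Indicator match for the broken-worm wave described in the post above.

Added example; not Message Sniffer code and not one of its rules. The two
messages are constructed samples, not captured mail. The From: header is
used in place of the envelope sender the post refers to.
"""
import email
from email import policy
from email.utils import parseaddr
from typing import Dict

# Constructed sample with the described shape. The two high-bit bytes after
# "ICA=a" are arbitrary Latin-1 characters; the extra blank line makes the
# marker start "on a new line" as the post says.
SAMPLE_HIT = b"""From: johnsmit@forged.example
To: johnsmith@victim.example
Subject: 1
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit


ICA=a\xe9\xfc
--b1
Content-Type: text/plain; name="1.txt"
Content-Disposition: attachment; filename="1.txt"
Content-Transfer-Encoding: 7bit

nothing to see here
--b1--
"""

# Constructed ordinary message that shares only the one-character subject.
SAMPLE_MISS = b"""From: alice@example.test
To: bob@example.test
Subject: 1
Content-Type: text/plain; charset="us-ascii"

Meeting room 1 at noon?
"""

def _localpart(header_value: str) -> str:
    return parseaddr(header_value)[1].split("@")[0].lower()

def worm_indicators(raw: bytes) -> Dict[str, bool]:
    """Evaluate each indicator separately so the verdict explains itself."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits: Dict[str, bool] = {}

    hits["subject_is_1"] = str(msg["Subject"] or "").strip() == "1"

    # An attachment named 1.txt anywhere in the MIME tree.
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    hits["has_1_txt"] = "1.txt" in names

    # First non-blank body line is "ICA=" followed by exactly three characters.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    first = text.lstrip("\r\n").split("\n", 1)[0].rstrip("\r")
    hits["ica_marker"] = first.startswith("ICA=") and len(first) == len("ICA=") + 3

    # Sender local part equals the first eight characters of the recipient's.
    sender = _localpart(str(msg["From"] or ""))
    rcpt = _localpart(str(msg["To"] or ""))
    hits["sender_mimics_rcpt"] = bool(rcpt) and sender == rcpt[:8]
    return hits

def is_broken_worm(raw: bytes, min_hits: int = 3) -> bool:
    """Require most indicators to agree: a bare Subject of "1" on its own is
    far too common in legitimate mail to act on."""
    return sum(worm_indicators(raw).values()) >= min_hits

if __name__ == "__main__":
    for label, raw in (("hit", SAMPLE_HIT), ("miss", SAMPLE_MISS)):
        print(label, is_broken_worm(raw), worm_indicators(raw))
```

The threshold is the part worth tuning against your own traffic: Pete's reply below notes there is "probably not enough content" for a safe literal rule, which is exactly why the check scores several weak indicators together instead of keying on any one of them.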
RE: [sniffer] New, but broken worm?
I'm on updates this evening. I'll watch for this. It sounds like something that requires an abstract rule --- probably not enough content for the other coders to try it safely... I am surprised I didn't hear about it though...

Please send me another note with a few of these as attachments (even better if they are raw files from your mail queue - that way there will be no re-coding by any mail clients) -- send to our support@ address. If they get through then that means we're not filtering them yet -- I'll use them as examples and will try to code a complex rule that's safe.

Thanks!

_M

Sure thing, Pete. I think the formatting survived ok, and even took the time to review the submission guideline on your support web page. It looks like Tito's submission survived intact, but I'll send a follow up as per your request, it's dead easy (but will include my standard Declude headers).

Andrew 8)
[sniffer] Phishers Jump On MasterCard Breach
FYI http://www.securitypipeline.com/news/164901324
RE: [sniffer] Spam blocks loading me up with spam
Gotta catch 'em all (not Pokemon, spam)... Sniffer caught all of them today:

gawk "$0 ~ /.+From: .+To: .+IP: 200\.49\.[345]/ {print $3}" dec0617.log > temp.txt
fgrep -ftemp.txt dec0617.log | fgrep "Total weight"

If your volume is quite high, that second line, instead of showing all the total weights for the netblocks in question, could instead show which lines sniffer didn't hit on:

fgrep -ftemp.txt dec0617.log | fgrep "Total weight" | fgrep -v "SNIFFER"

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Thursday, June 16, 2005 4:20 PM
To: sniffer@SortMonster.com
Subject: Re: [sniffer] Spam blocks loading me up with spam

I'm also taking out the 200.49.32.xxx to 200.49.47.xxx addresses with my IPFILE. Most of them were taken out in Feb with SBL 17983. The trouble on this spammer for me is they aren't listed anywhere (with the 299.49.50.XXXs) and are probably burning through domain names faster than the SURBLs can really be effective. So unless I get an SURBL hit or a Sniffer hit they are leaking through. Hopefully with Pete's new rules, this will be stopped.
200.49.32.0/24  200.49.32.0/24                     moved 06-15-05  SBL17983
200.49.33.0/24  200.49.33.0/24  starsoftmails.com  added 02-17-05  SBL17983
200.49.34.0/24  200.49.34.0/24                     moved 06-15-05  SBL17983
200.49.35.0/24  200.49.35.0/24                     moved 06-15-05  SBL17983
200.49.36.0/24  200.49.36.0/24                     moved 06-15-05  SBL17983
200.49.37.0/24  200.49.37.0/24  afdtc.com          added 02-17-05  SBL17983
200.49.38.0/24  200.49.38.0/24  afdtc.com          added 02-17-05  SBL17983
200.49.39.0/24  200.49.39.0/24  afdaa.com          added 02-17-05  SBL17983
200.49.40.0/24  200.49.40.0/24                     moved 06-15-05  SBL17983
200.49.41.0/24  200.49.41.0/24                     moved 06-15-05  SBL17983
200.49.42.0/24  200.49.42.0/24                     moved 06-15-05  SBL17983
200.49.43.0/24  200.49.43.0/24  awwsc.com          added 02-17-05  SBL17983
200.49.44.0/24  200.49.44.0/24  arvvv.com          moved 05-29-05  SBL17983
200.49.45.0/24  200.49.45.0/24  starofferzone.com  added 02-17-05  SBL17983
200.49.46.0/24  200.49.46.0/24  fdcmm.com          added 02-17-05  SBL17983
200.49.47.0/24  200.49.47.0/24  bicsc.com          added 02-17-05  SBL17983

- Original Message - From: Darrell ([EMAIL PROTECTED]) To: sniffer@SortMonster.com Sent: Thursday, June 16, 2005 6:44 PM Subject: Re: [sniffer] Spam blocks loading me up with spam

Scott, Not too many incoming for me - about 200 out of about 125K messages. One thing to note is the ones I am getting are around that block but even lower like 200.49.44.x. Darrell

---Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail Queue Monitoring, Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

- Original Message - From: Scott Fisher To: sniffer@SortMonster.com Sent: Thursday, June 16, 2005 6:04 PM Subject: [sniffer] Spam blocks loading me up with spam

Am I the only one getting blasted by these spam from these IP blocks? Sniffer seems a little behind on catching these.
200.49.48.0/24  200.49.48.0/24
200.49.49.0/24  200.49.49.0/24  mowz2.com
200.49.50.0/24  200.49.50.0/24  qckcstmr.com
200.49.51.0/24  200.49.51.0/24  srvdupfrsh.com
200.49.52.0/24  200.49.52.0/24  aahtv.com
200.49.53.0/24  200.49.53.0/24  aakai.com
200.49.54.0/24  200.49.54.0/24  aakib.com
200.49.55.0/24  200.49.55.0/24  aakli.com
200.49.56.0/24  200.49.56.0/24  aafix.com
200.49.57.0/24  200.49.57.0/24  e.com
200.49.58.0/24  200.49.58.0/24
200.49.59.0/24  200.49.59.0/24

Domain names and links seem to be five chars beginning with aa. They also seem to be progressing through the IP blocks. I think they started in on June 15th and have been spamming pretty consistently.
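The gawk/fgrep pipeline at the top of this message, as an added Python example that is not from the list or from Sniffer: it groups Declude-style log lines by message ID, keeps the messages whose connecting IP falls in the suspect blocks, and reports those with no SNIFFER hit. The log line layout (message ID in the third field, "From: ... To: ... IP:" and "Total weight" lines) and the sample lines are constructed assumptions; it goes beyond the original regex by matching the netblocks as CIDR ranges instead of by third-octet prefix.

```python
import ipaddress
import re
from collections import OrderedDict

# Netblocks under discussion in the thread, as CIDR ranges (200.49.32-47 and
# 200.49.48-63 cover the /24s Scott listed) rather than the "200.49.[345]" prefix.
SUSPECT_NETS = [ipaddress.ip_network(n) for n in ("200.49.32.0/20", "200.49.48.0/20")]

# Assumed line layouts; real Declude logs may differ.
FROM_RE = re.compile(r"From: \S+ To: \S+ IP: (\d{1,3}(?:\.\d{1,3}){3})")
WEIGHT_RE = re.compile(r"Total weight of (-?\d+)")

# Constructed sample log, not real traffic. Field 3 is the message ID that the
# gawk "{print $3}" in the post collects.
SAMPLE_LOG = """\
06/17/2005 09:12:01 Q1a2b3c4d From: bounce-jsmith@aakai.com To: jsmith@example.com IP: 200.49.44.12
06/17/2005 09:12:01 Q1a2b3c4d SNIFFER: 350001
06/17/2005 09:12:01 Q1a2b3c4d Total weight of 45 reached
06/17/2005 09:13:07 Q2b3c4d5e From: news@legit.example.org To: jsmith@example.com IP: 192.0.2.10
06/17/2005 09:13:07 Q2b3c4d5e Total weight of 3 reached
06/17/2005 09:14:22 Q3c4d5e6f From: bounce-jdoe@aakib.com To: jdoe@example.com IP: 200.49.51.200
06/17/2005 09:14:22 Q3c4d5e6f Total weight of 12 reached
06/17/2005 09:15:40 Q4d5e6f7a From: x@aafix.com To: jsmith@example.com IP: 200.49.36.7
06/17/2005 09:15:40 Q4d5e6f7a SNIFFER: 350002
06/17/2005 09:15:40 Q4d5e6f7a Total weight of 40 reached
06/17/2005 09:16:03 Q5e6f7a8b From: x@other.example To: jsmith@example.com IP: 200.49.99.1
06/17/2005 09:16:03 Q5e6f7a8b Total weight of 9 reached
"""


def parse_log(text):
    """Group log lines by message ID (third whitespace field) into one record each."""
    msgs = OrderedDict()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        rec = msgs.setdefault(fields[2], {"ip": None, "weight": None, "sniffer": False})
        m = FROM_RE.search(line)
        if m:
            rec["ip"] = m.group(1)
        m = WEIGHT_RE.search(line)
        if m:
            rec["weight"] = int(m.group(1))
        if "SNIFFER" in line:  # the fgrep "SNIFFER" / fgrep -v "SNIFFER" test
            rec["sniffer"] = True
    return msgs


def in_suspect_block(ip, nets=SUSPECT_NETS):
    """True if the dotted-quad string falls in one of the suspect CIDR ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in nets)


def leaks(text, nets=SUSPECT_NETS):
    """Return (messages from the suspect blocks, the subset with no SNIFFER hit)."""
    msgs = parse_log(text)
    in_block = OrderedDict((mid, r) for mid, r in msgs.items()
                           if r["ip"] and in_suspect_block(r["ip"], nets))
    missed = OrderedDict((mid, r) for mid, r in in_block.items() if not r["sniffer"])
    return in_block, missed


if __name__ == "__main__":
    hits, missed = leaks(SAMPLE_LOG)
    for mid, rec in hits.items():
        flag = "caught" if rec["sniffer"] else "NOT caught"
        print(f"{mid} {rec['ip']:>15} weight={rec['weight']} {flag}")
    print(f"{len(missed)} of {len(hits)} suspect-block messages had no Sniffer hit")
```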
RE: [sniffer] Spam blocks loading me up with spam
I haven't noticed this spam leaking through, but at your prompting I did a:

egrep ".+From: .+To: .+IP: 200\.49\." dec0616.log

and saw about 46. A glance through these to:from:ip: lines definitely shows messages that fit your description, along with messages that don't (I'm deliberately looking at the 16 bit subnet) and I see messages today from:

200.49.37.0/24
200.49.44.0/24

in addition to the blocks you listed, and a spot check of two of them did not turn up any hits with sniffer. Total volume was low, at less than 50 messages. One other interesting comment that I can add is that I'm seeing them use VERP-like MAILFROM addresses, e.g.: [EMAIL PROTECTED] Of course, jsmith and example.com are not the actual text, but the recipient at my domain. Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Thursday, June 16, 2005 3:04 PM
To: sniffer@SortMonster.com
Subject: [sniffer] Spam blocks loading me up with spam

Am I the only one getting blasted by these spam from these IP blocks? Sniffer seems a little behind on catching these.

200.49.48.0/24  200.49.48.0/24
200.49.49.0/24  200.49.49.0/24  mowz2.com
200.49.50.0/24  200.49.50.0/24  qckcstmr.com
200.49.51.0/24  200.49.51.0/24  srvdupfrsh.com
200.49.52.0/24  200.49.52.0/24  aahtv.com
200.49.53.0/24  200.49.53.0/24  aakai.com
200.49.54.0/24  200.49.54.0/24  aakib.com
200.49.55.0/24  200.49.55.0/24  aakli.com
200.49.56.0/24  200.49.56.0/24  aafix.com
200.49.57.0/24  200.49.57.0/24  e.com
200.49.58.0/24  200.49.58.0/24
200.49.59.0/24  200.49.59.0/24

Domain names and links seem to be five chars beginning with aa. They also seem to be progressing through the IP blocks. I think they started in on June 15th and have been spamming pretty consistently.
RE: [sniffer] Spam blocks loading me up with spam
Also, the domains in the body text are not hitting on SURBL tests. Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Thursday, June 16, 2005 3:34 PM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] Spam blocks loading me up with spam

I haven't noticed this spam leaking through, but at your prompting I did a:

egrep ".+From: .+To: .+IP: 200\.49\." dec0616.log

and saw about 46. A glance through these to:from:ip: lines definitely shows messages that fit your description, along with messages that don't (I'm deliberately looking at the 16 bit subnet) and I see messages today from:

200.49.37.0/24
200.49.44.0/24

in addition to the blocks you listed, and a spot check of two of them did not turn up any hits with sniffer. Total volume was low, at less than 50 messages. One other interesting comment that I can add is that I'm seeing them use VERP-like MAILFROM addresses, e.g.: [EMAIL PROTECTED] Of course, jsmith and example.com are not the actual text, but the recipient at my domain. Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Thursday, June 16, 2005 3:04 PM
To: sniffer@SortMonster.com
Subject: [sniffer] Spam blocks loading me up with spam

Am I the only one getting blasted by these spam from these IP blocks? Sniffer seems a little behind on catching these.

200.49.48.0/24  200.49.48.0/24
200.49.49.0/24  200.49.49.0/24  mowz2.com
200.49.50.0/24  200.49.50.0/24  qckcstmr.com
200.49.51.0/24  200.49.51.0/24  srvdupfrsh.com
200.49.52.0/24  200.49.52.0/24  aahtv.com
200.49.53.0/24  200.49.53.0/24  aakai.com
200.49.54.0/24  200.49.54.0/24  aakib.com
200.49.55.0/24  200.49.55.0/24  aakli.com
200.49.56.0/24  200.49.56.0/24  aafix.com
200.49.57.0/24  200.49.57.0/24  e.com
200.49.58.0/24  200.49.58.0/24
200.49.59.0/24  200.49.59.0/24

Domain names and links seem to be five chars beginning with aa. They also seem to be progressing through the IP blocks. I think they started in on June 15th and have been spamming pretty consistently.
RE: Re[2]: [sniffer] Spam blocks loading me up with spam
Today I saw hits from this campaign on another IP block as well, and plugging that into SenderBase.org gives me: http://www.senderbase.org/search?searchString=200.49.37.130 Note in the top right that they list: 200.49.36.0/22 belonging to Network Access Point S.R.L., and following that link shows 19 domains, many of which follow Scott's spam campaign sample domains. Weirdly, plugging in that CIDR format back into SenderBase reveals little joy. I've submitted to spam@ multiple samples from today of spam that I caught with and without Sniffer so that Pete can see what is common. Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil Sent: Thursday, June 16, 2005 3:58 PM To: Chuck Schick Subject: Re[2]: [sniffer] Spam blocks loading me up with spam Additional info (justifying the IP block rules just added): http://www.senderbase.org/search?searchString=200.49.48.0%2F20 I wonder why nobody else is listing these IPs yet. Could we just be the first? (This exercise has given me some ideas for new research tasks-- :-) ) Interesting. _M On Thursday, June 16, 2005, 6:46:13 PM, Chuck wrote: CS We have been seeing these. CS Chuck Schick CS Warp 8, Inc. CS (303)-421-5140 CS www.warp8.com CS -Original Message- CS From: [EMAIL PROTECTED] CS [mailto:[EMAIL PROTECTED] CS On Behalf Of Scott Fisher CS Sent: Thursday, June 16, 2005 4:04 PM CS To: sniffer@SortMonster.com CS Subject: [sniffer] Spam blocks loading me up with spam CS Am I the only one getting blasted by these spam from these IP CS blocks? Sniffer seems a little behind on catching these. 
CS 200.49.48.0/24  200.49.48.0/24
CS 200.49.49.0/24  200.49.49.0/24  mowz2.com
CS 200.49.50.0/24  200.49.50.0/24  qckcstmr.com
CS 200.49.51.0/24  200.49.51.0/24  srvdupfrsh.com
CS 200.49.52.0/24  200.49.52.0/24  aahtv.com
CS 200.49.53.0/24  200.49.53.0/24  aakai.com
CS 200.49.54.0/24  200.49.54.0/24  aakib.com
CS 200.49.55.0/24  200.49.55.0/24  aakli.com
CS 200.49.56.0/24  200.49.56.0/24  aafix.com
CS 200.49.57.0/24  200.49.57.0/24  e.com
CS 200.49.58.0/24  200.49.58.0/24
CS 200.49.59.0/24  200.49.59.0/24
CS Domain names and links seem to be five chars beginning with aa. They
CS also seem to be progressing through the IP blocks.
CS I think they started in on June 15th and have been spamming
CS pretty consistently.
RE: [sniffer] New Spam/Virus?
I'm seeing what Scott sees, but the payload is an encrypted zip. VirusTotal.com says:

This is a report processed by VirusTotal on 06/06/2005 at 23:40:17 (CET) after scanning the file "DBB05F6330082B871.SMD" file.

Antivirus    Version         Update      Result
AntiVir      6.30.0.15       06.06.2005  no virus found
AVG          718             06.06.2005  no virus found
Avira        6.30.0.15       06.06.2005  no virus found
BitDefender  7.0             06.06.2005  no virus found
ClamAV       devel-20050501  06.06.2005  Worm.Mytob.CO
DrWeb        4.32b           06.06.2005  Win32.HLLM.MyDoom.44
eTrust-Iris  7.1.194.0       06.05.2005  no virus found
eTrust-Vet   11.9.1.0        06.06.2005  no virus found
Fortinet     2.27.0.0        06.06.2005  W32/MyTob.EN-mm
Ikarus       2.32            06.06.2005  no virus found
Kaspersky    4.0.2.24        06.06.2005  Net-Worm.Win32.Mytob.bg
McAfee       4507            06.06.2005  Generic Malware.a!zip
NOD32v2      1.1131          06.06.2005  Win32/Mytob.DO
Norman       5.70.10         06.06.2005  W32/Mytob.GE
Panda        8.02.00         06.06.2005  no virus found
Sybari       7.5.1314        06.06.2005  W32/Mytob.G
Symantec     8.0             06.06.2005  no virus found
TheHacker    5.8-3.0         06.06.2005  no virus found
VBA32        3.10.3          06.06.2005  Net-Worm.Win32.Mytob.bg

VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Monday, June 06, 2005 2:29 PM
To: sniffer@SortMonster.com
Cc: Declude.Virus@declude.com
Subject: Re: [sniffer] New Spam/Virus?

Yes I have seen them too: email starts with: Dear Valued Member, According to our site policy you will have to confirm your account by the following link or else your account will be suspended within 24 hours for security reasons.
- Original Message - From: Jim Matuska To: sniffer@SortMonster.com Sent: Monday, June 06, 2005 4:13 PM Subject: [sniffer] New Spam/Virus?

Is anyone else seeing a huge rash of spam/virus messages in the last hour or so? I have multiple users that are getting messages that are forging our own addresses and have a link that appears to go to our website but instead goes elsewhere with an IP address link. These do not appear to be infecting as file attachments but from the web link itself. Pete, I have forwarded a few to your spam@ address, let me know what you think.

Jim Matuska Jr., Computer Tech2, CCNA, Nez Perce Tribe, Information Systems, [EMAIL PROTECTED]
RE: [sniffer] New Spam/Virus?
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FMYTOB%2EDV
http://securityresponse.symantec.com/avcenter/venc/data/[EMAIL PROTECTED]

This is the virus that I was seeing. The one that Jim and others are seeing may be this MyTob, whose description was still pending when I was at Trend's site:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FMYTOB%2EDW

and may be the same as:

http://securityresponse.symantec.com/avcenter/venc/data/[EMAIL PROTECTED]

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Monday, June 06, 2005 2:41 PM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] New Spam/Virus?

I'm seeing what Scott sees, but the payload is an encrypted zip. VirusTotal.com says:

This is a report processed by VirusTotal on 06/06/2005 at 23:40:17 (CET) after scanning the file "DBB05F6330082B871.SMD" file.

Antivirus    Version         Update      Result
AntiVir      6.30.0.15       06.06.2005  no virus found
AVG          718             06.06.2005  no virus found
Avira        6.30.0.15       06.06.2005  no virus found
BitDefender  7.0             06.06.2005  no virus found
ClamAV       devel-20050501  06.06.2005  Worm.Mytob.CO
DrWeb        4.32b           06.06.2005  Win32.HLLM.MyDoom.44
eTrust-Iris  7.1.194.0       06.05.2005  no virus found
eTrust-Vet   11.9.1.0        06.06.2005  no virus found
Fortinet     2.27.0.0        06.06.2005  W32/MyTob.EN-mm
Ikarus       2.32            06.06.2005  no virus found
Kaspersky    4.0.2.24        06.06.2005  Net-Worm.Win32.Mytob.bg
McAfee       4507            06.06.2005  Generic Malware.a!zip
NOD32v2      1.1131          06.06.2005  Win32/Mytob.DO
Norman       5.70.10         06.06.2005  W32/Mytob.GE
Panda        8.02.00         06.06.2005  no virus found
Sybari       7.5.1314        06.06.2005  W32/Mytob.G
Symantec     8.0             06.06.2005  no virus found
TheHacker    5.8-3.0         06.06.2005  no virus found
VBA32        3.10.3          06.06.2005  Net-Worm.Win32.Mytob.bg

VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service.
Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Monday, June 06, 2005 2:29 PM
To: sniffer@SortMonster.com
Cc: Declude.Virus@declude.com
Subject: Re: [sniffer] New Spam/Virus?

Yes I have seen them too: email starts with: Dear Valued Member, According to our site policy you will have to confirm your account by the following link or else your account will be suspended within 24 hours for security reasons.

- Original Message - From: Jim Matuska To: sniffer@SortMonster.com Sent: Monday, June 06, 2005 4:13 PM Subject: [sniffer] New Spam/Virus?

Is anyone else seeing a huge rash of spam/virus messages in the last hour or so? I have multiple users that are getting messages that are forging our own addresses and have a link that appears to go to our website but instead goes elsewhere with an IP address link. These do not appear to be infecting as file attachments but from the web link itself. Pete, I have forwarded a few to your spam@ address, let me know what you think.

Jim Matuska Jr., Computer Tech2, CCNA, Nez Perce Tribe, Information Systems, [EMAIL PROTECTED]
RE: [sniffer] Rule 353039 - .comcast.net
Thanks for the quick work, Pete. I put in the Rule-panic entry as soon as you sent the email to this list. For what it's worth, I just finished with all my held mail for the last two days, and I had no false positives from messages with a mailfrom that included c o m c a s t. Lots of mail that came from everywhere including ComCast zombies and possibly servers, and contained ComCast email addresses in the body. From the sheer bulk of it, it's no wonder that one of your robots thought c o m c a s t was a good indicator of spam. The only message that was held, which a subsequent re-scan with Sniffer turned up, was actually a W32/[EMAIL PROTECTED] virus (which I don't expect Sniffer to catch). Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Tuesday, May 10, 2005 7:28 AM
To: sniffer@sortmonster.com
Subject: [sniffer] Rule 353039 - .comcast.net
Importance: High

Hello Sniffer Folks, A rule was created today by one of the robots which targets .comcast.net -- This happened when a number of blacklists including SBL listed comcast IPs causing the robot to be convinced that a message in the spamtrap warranted tagging the domain. The rule has been removed and I am pushing out a new rulebase compilation as quickly as possible. Please do not rush to download your rulebase file in response to this --- wait for the update notification or else your file is not updated. I believe we've caught this quickly enough that most of you will not be affected. However, if you suspect that you do have the bad rule in your rulebase you can temporarily eliminate the rule by adding 353039 to your Rule-panic entries in your configuration file. The rule cannot be recreated once removed. We are very sorry for the confusion. Thanks, _M Pete McNeil (Madscientist) President, MicroNeil Research Corporation Chief SortMonster (www.sortmonster.com)
RE: [sniffer] Latest medication campaign
On the weekend and since, I saw a lot of them get through, but Sniffer was dutifully catching them; unfortunately, they also served to highlight Sniffer hyperaccuracy because those messages just weren't reaching my HOLD weight. Check out the Message Sniffer change rates for the last few days: http://www.sortmonster.com/MessageSniffer/Performance/ChangeRates.jsp Something is definitely going on. On Sunday, the blue line was almost the entire New Rule group. It started me thinking about making Sniffer my hold weight, and then only applying counterweights. Meanwhile, I've added SURBL-ish testing with a tiny Declude weight, but with a combo of the new test and any Sniffer hit, that seems to have made the difference. I've only seen 1 undeliverable end up in the postmaster box, and I've fixed why that happened (I set my skipweight for various Declude filter text tests too low, so they weren't getting run when the weight was close to my HOLD weight). So now it's back to the server room for me. Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
Sent: Wednesday, April 13, 2005 10:16 AM
To: sniffer@SortMonster.com
Subject: [sniffer] Latest medication campaign

I am seeing a lot of these get through John T eServices For You
RE: [sniffer] MDLP Tests
Jay, here's more web information on the mxrate tests: http://www.mxrate.com/lookup/dns.htm Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Saturday, April 02, 2005 1:43 PM
To: Jay Sudowski - Handy Networks LLC
Subject: Re: [sniffer] MDLP Tests

On Saturday, April 2, 2005, 4:09:31 PM, Jay wrote:

JSHNL Hello -
JSHNL I am reviewing your MDLP report at
JSHNL http://www.sortmonster.com/MDLP/MDLP-Example-Long.html, and find
JSHNL some tests that are seemingly quite effective that I'm not
JSHNL familiar with. If anyone has any information about these tests,
JSHNL please let me know:
JSHNL - FABEL (is this the same as FABELSOURCES at
JSHNL http://www.declude.com/Articles.asp?ID=97Redirected=Y?)

FABEL          ip4r  spamsources.fabel.dk    127.0.0.2

JSHNL - MXRATE-*

MXRATE-BLACK   ip4r  pub.mxrate.net          127.0.0.2
MXRATE-WHITE   ip4r  pub.mxrate.net          127.0.0.3
MXRATE-SUSP    ip4r  pub.mxrate.net          127.0.0.4

JSHNL - UCEPROTEC*

UCEPROTECRDO   ip4r  dnsbl-1.uceprotect.net  127.0.0.2
UCEPROTECCMUL  ip4r  dnsbl-2.uceprotect.net  127.0.0.2
UCEPROTECCVIR  ip4r  dnsbl-3.uceprotect.net  127.0.0.2

JSHNL Also, perhaps I am misunderstanding the data, but SNIFFER has a
JSHNL SQ of .802 - isn't that relatively bad ?

Actually, that's the hyper-accuracy penalty at work. I wrote a bunch about that on the MDLP page. What's going on is that SNF frequently catches spam that virtually no other tests are catching yet and as a result the total weight never reaches the threshold. Every one of those events shows up counting against it. We research these periodically (we used to look at them constantly) and with very rare exceptions we find that these are not false positives. In fact, on our systems last year SNF had fewer than 10 FP. (several of those were messages from customers that actually contained examples of spam, malware, or logs with spammy URI). Of course, our numbers are more than a bit skewed because the vast majority of traffic on our system is spam... so we can't use that to calculate a false positive rate that has any real meaning. The closest we can really get to an indication of false positive rates from SNF is to point at our FP rate page: http://www.sortmonster.com/MessageSniffer/Performance/FalseReportsRates.jsp This page shows counts of all false positives reported to us on a daily basis for all of our customers. At least two of these systems are service providers with 10 or more licenses which submit false positives automatically as they are reported from their customers. So anyway, the short answer is that the SA and SQ values on the SNIFFER tests are skewed by the hyper-accuracy penalty inherent in how MDLP develops these scores. The true accuracy values are very much higher and this is regularly confirmed by both hard reviews of the data and anecdotal evidence from our customers. Hope this helps, _M
[sniffer] Money, drugs, and sex
http://www.sophos.com/spaminfo/articles/spamwords.html Interesting, but a pity they didn't publish a list of, say, their 1,000 most popular obfuscations. Andrew 8)
[sniffer] mini-obfuscation
Wow, Pete! Wow. I didn't feel I could measure up to adding on to that thread, so I started over. Although the search space is theoretically huge (you pointed out the marketecture of large numbers), in practice, the spammers mostly use the grains quite close to the marble and use the grains over again for a while. How many times have we all been frustrated that a piece of spam ended up in *OUR* mailbox that was so close in content to spam we whacked yesterday? I thought the top n obfuscations might be interesting to look at, and perhaps a shortcut (temporary, albeit) for spam catching. I thought we might see whether, for example, broken URLs, fake comments, or high-bit ASCII character substitutions were the obfuscation technique du jour. A while back curiosity got the better of me (it was raining, and I had a few days off) and I did a few grep sweeps on a warm spam corpus. I was disappointed in my success rate for: v.?i.?a.?g.?r.?a.? and similar queries with deliberate substitutions (e.g. using a 1 for i). I started writing a grep-generating-permutation engine and decided my time was better spent on scritching my cat under his chin. Of course, I have a lot more time for my cat since I implemented Sniffer. Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Tuesday, March 22, 2005 4:37 PM
To: Colbeck, Andrew
Subject: Re: [sniffer] Money, drugs, and sex

On Tuesday, March 22, 2005, 4:47:30 PM, Andrew wrote:

CA http://www.sophos.com/spaminfo/articles/spamwords.html
CA Interesting, but a pity they didn't publish a list of, say, their
CA 1,000 most popular obfuscations.

If you do the math then 1000 wouldn't even scratch it. One way to attack this ( at least one of the ways we do it in Message Sniffer ) is to apply some obfuscation algorithms to each word in the list using some generic expansion patterns -- this helps to simplify the problem a bit.
For example, one obfuscation algorithm is to insert a single extra character in the word. If you take the word obfuscation and apply this expansion algorithm you get something like: o~bfuscation ob~fuscation obf~uscation ... obfuscatio~n where ~ represents any random character. Then think about adding two characters... ... ob~fusc~ation ... Then think about breaking the word with an empty anchor at any of the places where you would insert a character... ... obfus<a href="http://yo-mama.it"></a>cation ... and so on... Of course, you can't simply apply all of the possible obfuscation algorithms, and you can't completely exercise each one that you do try... you have to pick and choose and learn as you go because otherwise you would simply never finish the job. *** If you iterate through all of the permutations and count them then the numbers become astronomical... as in viagra can be obfuscated (and detected by their fine software) more than 5,600,000,000 different ways ahem. That's market speak for look how powerful our software is -whoooah! This is similar to a lot of other AI problems too and it's probably why I'm involved since I love AI work. In most AI problems if you add up all of the possible solutions to the problem you usually come up with a number you couldn't possibly write down without writing the formula instead. That is, the number would be so large that you would probably die of old age before you actually finished writing all the digits. In the AI world we talk about this huge sea of possibilities as a solution space. If you tried to check every possible solution one by one until you found the best answer it would take you forever. This is called a brute force attack. It's also what makes the big numbers seem impressive, and what makes most encryption schemes work.### Since we don't usually have forever, we do something else in the AI world. We use algorithms to search the solution space for the best answer.
That is, rather than just going through the possible solutions one at a time as we come to them (brute force) we try to figure out which ones to look at and which ones to skip. The way we make that decision is to use an algorithm that leverages special rules of thumb (heuristics) to help us search the solution space more efficiently. This effectively reduces the solution space and makes it possible to come up with an answer that is good enough+++ within the time we have. So, when they talk about recognizing more than 5 billion different obfuscated forms of the word viagra they are really just estimating how many of the permutations their heuristics are able to eliminate from the solution space. (A more accurate way to think about it might be that a single heuristic for a particular obfuscated word covers a large amount of the solution space all at once. Since it's already been covered it doesn't have to be searched -- the extra work is eliminated as compared to a brute-force attack.) For example: Suppose you have a sandbox into which someone has
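The expansion idea in Pete's message (one inserted character per gap, lookalike substitutions, a tag wedged between letters) as an added Python example that is not Sniffer's code: single_insertions() lists the one-character templates Pete describes, and obfuscation_regex() folds the gap and lookalike cases into a single pattern that is then run over constructed sample lines. The lookalike table, the gap definition and the sample lines are assumptions of this example.

```python
import re

# Lookalike characters the pattern tolerates (constructed list, not from the page).
LOOKALIKES = {
    "a": "a@4", "b": "b8", "e": "e3", "g": "g9", "i": "i1l!|",
    "o": "o0", "s": "s$5", "t": "t7",
}

# A "gap" is what may be wedged between two letters of the word: up to four
# fillers, each either a complete HTML tag or comment (Pete's empty-anchor case)
# or one non-alphanumeric character such as '.', ' ', '-' or '*'. Letters are
# deliberately not allowed as fillers, to keep false positives down.
GAP = r"(?:<[^>]*>|[^A-Za-z0-9<>]){0,4}"


def single_insertions(word, marker="~"):
    """Pete's first expansion: one extra character in each interior gap.

    For "obfuscation" this yields o~bfuscation, ob~fuscation, ..., obfuscatio~n.
    """
    return [word[:i] + marker + word[i:] for i in range(1, len(word))]


def obfuscation_regex(word):
    """Compile a pattern matching `word` with lookalikes and gap fillers."""
    classes = []
    for ch in word.lower():
        alts = LOOKALIKES.get(ch, ch)
        classes.append("[" + re.escape(alts) + "]")
    body = GAP.join(classes)
    # Lookarounds keep the match from starting or ending inside another word.
    return re.compile(r"(?<![A-Za-z0-9])" + body + r"(?![A-Za-z0-9])", re.IGNORECASE)


def scan(lines, word):
    """Return (line, matched_text) for every line containing an obfuscated form."""
    pattern = obfuscation_regex(word)
    found = []
    for line in lines:
        m = pattern.search(line)
        if m:
            found.append((line, m.group(0)))
    return found


# Constructed sample lines, not real spam. The first five should match, the
# last three should not.
SAMPLE_LINES = [
    "Buy v.i.a.g.r.a today",
    "Cheap V1AGRA here",
    "vi<!-- x -->agra",
    "V I A G R A",
    "Ask about vi*agra pricing",
    "Niagara Falls tour",
    "A vagrant wandered by",
    "Via grandma's recipe",
]

if __name__ == "__main__":
    print(single_insertions("obfuscation"))
    for line, hit in scan(SAMPLE_LINES, "viagra"):
        print(f"{line!r:40} -> {hit!r}")
```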
RE: [sniffer] New change rates analysis
http://www.sortmonster.com/MessageSniffer/Performance/ChangeRates.jsp Oooh, pretty!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Sunday, February 20, 2005 3:52 PM
To: sniffer@sortmonster.com
Subject: [sniffer] New change rates analysis

Hello Sniffer Folks, I have updated the change rates analysis page to show a bar graph of the recently created rules and their relative strengths (by age). This replaces the old text report we had before, though the data is still the same and then some. Comments welcome. Thanks, _M Pete McNeil (Madscientist) President, MicroNeil Research Corporation Chief SortMonster (www.sortmonster.com)
RE: [sniffer] Determine Version
Yup, just type the executable's filename in a command window, and the version information is on the last couple of lines in the resulting help. Andrew 8) p.s. My version says build - v2-3.2 Nov 23 2004 01:21:33

-Original Message-
From: Keith Johnson [mailto:[EMAIL PROTECTED] On Behalf Of Keith Johnson
Sent: Saturday, February 19, 2005 8:20 AM
To: sniffer@SortMonster.com
Subject: Determine Version

Is there an easy way to determine the Sniffer version you are running (i.e. command line or the like)? Thanks for the aid. Keith
[sniffer] OT - Microsoft Patch Day - Exchange and SMTP updates
Hello, all. Aside from the usual Internet Explorer and Office patches, this patch cycle also includes an update to the October update MS04-035 which affects a DNS query vulnerability in the SMTP handling in Windows 2000/2003 as well as Exchange 2003. http://www.microsoft.com/technet/security/bulletin/ms04-035.mspx
RE: [sniffer] OT - Microsoft Patch Day - Exchange and SMTP updates
Yes, I patched 3 servers last night and tested without issue. Most of the way through a normal workday now, also without issue. Message volumes are high enough that I expect any problems to have turned up by now. Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Thursday, February 10, 2005 10:49 AM
To: sniffer@SortMonster.com
Subject: Re: [sniffer] OT - Microsoft Patch Day - Exchange and SMTP updates

The MS04-35 reissue somehow slipped under the radar yesterday of the other patches.. So far no public exploits for that. However, SANS is indicating POC code has been released for MS05-05/09. So far for the cycle I patched one LOW volume production mail server and one standby server. Both of those are showing no issues. Anyone else apply these yet? Darrell

Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, MRTG Integration, and Log Parsers.

Colbeck, Andrew writes: Hello, all. Aside from the usual Internet Explorer and Office patches, this patch cycle also includes an update to the October update MS04-035 which affects a DNS query vulnerability in the SMTP handling in Windows 2000/2003 as well as Exchange 2003. http://www.microsoft.com/technet/security/bulletin/ms04-035.mspx
RE: [sniffer] Spam Storm Alert Follow Up
For what it's worth, I'm definitely seeing an increase in volume over the weekend (double the spam, actually), and I believe it is tapering off already. In addition to the volume of separate messages, the number of recipients is generally up. The messages look generally like the kind of jobs outsourced to spam gangs, who then create variations of the email. I haven't looked close enough to check whether the payload URLs are the same. YMMV...

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Monday, January 24, 2005 11:15 AM
To: sniffer@sortmonster.com
Subject: [sniffer] Spam Storm Alert Follow Up

Hello sniffer,

One other note before I go join the rule coders... Many of the new spam messages coming through are resurrecting old spam rules... I've seen this kind of thing before (which is why we have a deep-scan robot looking for this kind of activity), however I've not seen it in such numbers before. Something interesting is definitely going on.

Thanks,

_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)
RE: Re[2]: [sniffer] Sniffer and SURBL
Thanks, Pete.

I was thinking that Sniffer's l33t ninja skillz would be well-used for searching a large corpus of URIs, particularly the current bout of spammers you and I mentioned before Xmas (the ones that are specifying the domain name, not a URL, and which Sniffer is catching because of the consistent instructions, regardless of the dynamically changing domain names), as a URI filter might miss them because of obfuscation, or might miss the real payload. Sniffer would catch these URIs, because it only cares about tokenized text, not whether that text was detected in a URL.

There would still be a place for both SURBL lookups and Sniffer in that scenario, because they are refreshed on different schedules and have independent spamtraps feeding them.

I wasn't thinking about Sniffer incorporating a real-time lookup; I agree with your direction for the product. For the reason you cited, I'll go a little further and say that Sniffer would have to really break out in a new direction to be worth implementing a real-time lookup of some sort.

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Monday, January 10, 2005 4:58 PM
To: Colbeck, Andrew
Subject: Re[2]: [sniffer] Sniffer and SURBL

On Monday, January 10, 2005, 7:17:29 PM, Andrew wrote:

CA Pete, I thought that you had said at one point that SortMonster
CA fetches one or more SURBL zones and incorporates those as spam data
CA for Message Sniffer?

CA It seems like a great idea to me. But then, from my distance, a lot
CA of things look like a good idea for someone else to implement!

That's not exactly how it works - What we do is that our robots will look at some of the messages that hit our spamtraps and if they find a URI that looks like a good choice they will cross check it with SURBL. More often than not we've already got the URI coded from our manual work, but this robotic mechanism allows the rulebase to keep up minute by minute - and since the email triggering this work has come in through one of our spamtraps, it acts like an extra check - so those listings that we do have tend to be very solid.

At some point we may bolt on some additional real-time lookups like SURBL etc... but we don't have plans for that just yet, and most installations already have these tools employed in other mechanisms they are running, so it would be redundant for us to add it - at least at this point.

Hope this helps,

_M
RE: [sniffer] Change in coding policies
It sounds good to me, Pete. May I humbly suggest that this be a new result code, e.g. 046? Until now, Message Sniffer has been very parsimonious with the new categories, but this looks like one that will be here for a long time.

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Tuesday, December 21, 2004 6:38 AM
To: [EMAIL PROTECTED]
Subject: [sniffer] Change in coding policies

Hello Sniffer Folks,

Backscatter from rejected virii and joe-jobs has become a very significant problem. Up to now we have tried as much as possible to avoid coding for NDRs and other such backscatter - though some pattern matches have been unavoidable.

Generally it is a very bad idea these days for a server to send a response of any kind when a virus is captured since most virii forge the sender information. Similarly, bounces from joe-jobs and dictionary attacks are also a problem. These kinds of messages tend to be more of a problem than a solution and the volume has now reached extreme levels (IMO).

From now on, we are going to start coding rules to capture these kinds of messages. The rules that we do code for these messages will go into the malware group.

For example, we will be introducing rules that watch for bounces that contain large numbers of failed addresses - indicating a probable dictionary attack / joe-job; and we will be coding rules for most virus bounces when they reach our spamtraps or are submitted to us as spam - since clearly the return address on the bounce indicates that the sender information must have been forged (bounce going to a spamtrap).

If there is some need on your system to receive these messages then the best strategy will be to create local white rules to let these through.

Thanks,

_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)
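An added example, mine rather than SNF rule code, of the two backscatter rule shapes Pete describes above: a bounce that lists many failed recipients (dictionary attack / joe-job), and any bounce that lands on a spamtrap, which can only exist if the original sender was forged. The sample NDR, the spamtrap address and the threshold of five are constructed assumptions.

```python
import re
from email import message_from_string
# Constructed sample NDR (not from the list): one bounce reporting many failed
# recipients, the shape a dictionary attack or joe-job leaves behind.
SAMPLE_NDR = """From: MAILER-DAEMON@example.net
To: alice@example.org
Subject: Undeliverable: Your account
Content-Type: text/plain

Delivery to the following recipients failed permanently:
  aaron@example.net
  abby@example.net
  abe@example.net
  adam@example.net
  admin@example.net
"""
# Constructed spamtrap address; in practice this comes from your own trap infrastructure.
SPAMTRAPS = {"spamtrap@example.org"}
FAILED_ADDR_RE = re.compile(r"^\s*<?([\w.+-]+@[\w.-]+\.\w+)>?\s*$", re.MULTILINE)
BOUNCE_SUBJECT_RE = re.compile(
    r"undeliver|delivery (status|failure)|returned mail|mail delivery failed", re.I)

def looks_like_bounce(msg) -> bool:
    # Cheap envelope heuristics: MAILER-DAEMON/postmaster sender or a bounce-style subject.
    sender = (msg.get("From") or "").lower()
    subject = msg.get("Subject") or ""
    return ("mailer-daemon" in sender or "postmaster" in sender
            or BOUNCE_SUBJECT_RE.search(subject) is not None)

def failed_addresses(msg) -> set:
    # Distinct addresses standing alone on a line of any text/plain part.
    found = set()
    for part in msg.walk():  # a non-multipart message yields just itself
        if part.get_content_type() != "text/plain":
            continue
        text = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        found.update(a.lower() for a in FAILED_ADDR_RE.findall(text))
    return found

def classify_bounce(raw: str, threshold: int = 5) -> str:
    msg = message_from_string(raw)
    if not looks_like_bounce(msg):
        return "not-a-bounce"
    # A bounce addressed to a spamtrap can only exist if the original sender was
    # forged: the trap never sends mail, so it is never legitimately owed an NDR.
    if any(trap in (msg.get("To") or "").lower() for trap in SPAMTRAPS):
        return "backscatter-to-spamtrap"
    if len(failed_addresses(msg)) >= threshold:
        return "probable-dictionary-backscatter"
    return "ordinary-bounce"
```

Such a hit belongs in a malware-style group, and as Pete notes, a site that genuinely needs these bounces would whitelist them locally rather than disable the rule.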
RE: [sniffer] test sender
Well, an indirect way to do this is to use the (undocumented?) Declude directive:

rsp set off TESTNAME

as the first bit of text in your test message. That won't actually trigger sniffer, but it will for the purpose of making your JunkMail think that the test has been triggered.

Andrew 8)

-Original Message-
From: Bonno Bloksma [mailto:[EMAIL PROTECTED]
Sent: Friday, December 10, 2004 1:26 PM
To: [EMAIL PROTECTED]
Subject: [sniffer] test sender

Hi,

Is there a test sender where I can have the program send us a test mail that should fail a specific sniffer test? I know I can test sniffer itself against a single good and bad file, but I want to test the chain. The Declude site has something like that where it is sending the EICAR test string in the various ways a virus might reach the mailserver. That way the full setup of the mailserver with the scanner can be tested. I would like something where I can send myself a msg which should fail with an exitcode for TRAVEL or for PORN etc. That way I can test for sure whether my "improvements" haven't broken something instead of waiting till my users complain (certain) spam has increased. It's the small typos that can get to ya in a big way. ;-)

Greetings,

Bonno Bloksma

Back up my hard drive? How do I put it in reverse?