[sniffer] Stock spam
Hi, Another topic on stock spam? Lots of them are coming through. What do you guys do to limit the number of false negatives? Michiel
[sniffer] Re: New MDaemon 9.51 any issues with Sniffer?
Jim, We have upgraded to 9.51. The plugin works the same.

Kind regards, ing. Michiel Prins Small Office Solutions tt. Vasumweg 24a 1033 SC Amsterdam the Netherlands tel. 020-4082627 fax. 020-4082628 [EMAIL PROTECTED]

From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Jim Matuska Jr.
Sent: Tuesday, 31 October 2006 18:59
To: Message Sniffer Community
Subject: [sniffer] New MDaemon 9.51 any issues with Sniffer?

Pete, Are there any issues with using the current sniffer MDaemon plug-in with the new 9.51 version of MDaemon? I usually don't have to do anything with Sniffer when upgrading, but considering the email I got from MDaemon pushing enhanced spam filtering capacity I wanted to make sure nothing changed with the way sniffer integrates? Has anyone else upgraded to 9.51 with sniffer yet?

Jim Matuska Jr. Computer Tech2, CCNA Nez Perce Tribe Information Systems [EMAIL PROTECTED]
[sniffer] catch more spam (in response to the current discussion)
Crew, If I might suggest something that has nothing to do with sniffer directly... I successfully reduced the number of spams delivered to our server by 25% by automatically blacklisting the IP addresses which deliver spam. If the weight of an e-mail goes over the hold weight, I add the IP address to the list of blocked IP addresses for the next 60 minutes. During that time, connections from these IPs are denied or dropped (don't really know). After that, it's automatically removed. This is something you can do with the MDaemon content filter using the Add Line To A Text File action (combined with a script that creates tarpit.sem every minute), don't know if this can be done with Declude or other systems. Drawback is that false positives would generate a temporary blacklisting, but I have not had any problems so far (the rule is in place for two weeks now). Michiel

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Wednesday, 20 September 2006 16:43
To: Message Sniffer Community
Subject: [sniffer] Re: Sniffer does not catch as much as it used to.

Hello Fox, Thomas, I might add that for a long while it has been a common recommendation for SNF to be weighted at 70-80% of your hold weight. Quite often, some result categories are weighted to hold on their own. These days blackhats are using a burst-mode delivery tactic that makes it virtually certain the IPs they are using are previously unknown and unlisted. As a result, if several IP blacklist hits are required in addition to SNF then you are much more likely to see leakage than in previous months. In testing our new GBUdb engine on our spamtrap servers I can see a constant stream of new IPs sourcing spam and I also see the rate of new IPs spike significantly when new variants of messages arrive. These spikes are much higher than previously measured and continue to grow.

Hope this helps, _M

PS: GBUdb is a real-time collaborative behavior analysis engine that tracks statistics on good, bad, unknown (ugly), and ignored IPs. The engine will be part of the next release of SNF due shortly.

Wednesday, September 20, 2006, 10:02:36 AM, you wrote:

Hi Rick, I've found that tuning for spam is a constant process. I am always tweaking settings, changing weights, etc., in response to spam leakage. Just yesterday I spent about 2 hours on it. I (very reluctantly) implemented some phrase filtering, using the filter function in Declude. I've been reluctant to do phrase filtering in the past, just because I'm so scared of false positives, but I was able to work with a phrase list I was pretty sure would be safe. I also increased the weighting of some of the other Sniffer tests we use, specifically the tests that scan for porn, get rich quick and stuff like that. The weighting isn't so high that any one test will cause the message to fail, but I did set it high enough on a few of the Sniffer result codes so that if it fails that specific Sniffer test and just one other test, it will fail as spam. It comes down to, IMHO, how much time you want to spend on it, and how vigilant you want to be. I'd much rather spend a few hours a month tweaking settings, than dealing with lusers calling daily because they got an ad for Viagra. :-) I'd be happy to share my config files privately if you think it would help. Good luck! Tom

I just signed my annual renewal for Sniffer but it seems that it used to catch lots of the email and now is only catching about 50% of the email. Why when we are sending in our information does this continue to happen? We are getting lots of you won, Pharmacy spelled wrong and nonsense emails that sail through both Declude and Sniffer. Between the 2 of them that is over $1000 per year for spam/virus/hijack protection that seems not to be happening like it used to. Any answers as to when we will get relief on these?

Rick Hogue

--- [This E-mail scanned for viruses by Declude Virus]

# This message is sent to you because you are subscribed to the mailing list sniffer@sortmonster.com. To unsubscribe, E-mail to: [EMAIL PROTECTED] To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED] To switch to the INDEX mode, E-mail to [EMAIL PROTECTED] Send administrative queries to [EMAIL PROTECTED]

-- Pete McNeil Chief Scientist, Arm Research Labs, LLC.
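The temporary blacklisting described in the first message of this thread, written out as an added example (it is not code from the list, from MDaemon or from Message Sniffer). The class and function names, the hold weight of 100 and the exempt network are assumptions, and the scored messages are constructed sample data using documentation address ranges. The exempt list addresses the drawback mentioned in the post, that a false positive causes a temporary listing.

```python
import ipaddress
import time


class TempBlocklist:
    """Lists a sending IP for a fixed period after it delivers mail over the hold weight."""

    def __init__(self, hold_weight, ttl_seconds=3600, never_block=(), clock=time.time):
        self.hold_weight = hold_weight      # assumed to match the filter's hold weight
        self.ttl = ttl_seconds              # 60 minutes, as in the post
        # Networks that must never be listed (own relays, known partners);
        # this bounds the damage of a false positive.
        self.never_block = [ipaddress.ip_network(n) for n in never_block]
        self.clock = clock                  # injectable so expiry can be tested
        self._expiry = {}                   # address -> unix time the listing ends

    def _exempt(self, addr):
        return any(addr in net for net in self.never_block)

    def record_message(self, ip, weight):
        """Call once per scored message. Returns True if the IP is now listed."""
        addr = ipaddress.ip_address(ip)     # raises ValueError on malformed input
        if weight <= self.hold_weight or self._exempt(addr):
            return False
        # A repeat offender gets a fresh 60 minutes from the latest message.
        self._expiry[addr] = self.clock() + self.ttl
        return True

    def is_blocked(self, ip):
        until = self._expiry.get(ipaddress.ip_address(ip))
        return until is not None and until > self.clock()

    def purge(self):
        """Drop expired entries and return them as strings."""
        now = self.clock()
        expired = [a for a, until in self._expiry.items() if until <= now]
        for a in expired:
            del self._expiry[a]
        return [str(a) for a in expired]

    def lines(self):
        """Current entries, one per line, for a block file the mail server reloads."""
        self.purge()
        return sorted(str(a) for a in self._expiry)


def demo():
    now = [0.0]                             # fake clock, advanced by hand
    bl = TempBlocklist(hold_weight=100, never_block=["192.0.2.0/24"],
                       clock=lambda: now[0])
    # Constructed sample: (connecting IP, total message weight)
    scored = [("198.51.100.7", 140),        # over the hold weight: listed
              ("203.0.113.9", 60),          # under the hold weight: ignored
              ("192.0.2.25", 180)]          # over, but in the exempt network
    listed = [ip for ip, weight in scored if bl.record_message(ip, weight)]
    during = bl.is_blocked("198.51.100.7")
    now[0] += 3600                          # 60 minutes later
    after = bl.is_blocked("198.51.100.7")
    return listed, during, after, bl.lines()


if __name__ == "__main__":
    print(demo())
```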
[sniffer]Concerned about amount of spam going through
Crew, I'm a bit concerned about the amount of spam that Sniffer's not getting. It used to be a near 99% catch rate, but now it looks like it's down to 70%...? I opened my own mailbox this morning and saw 5 false negatives, while 11 others were caught by Sniffer. Haven't checked with my clients yet, but I think it will be the same. Is there an explanation, besides another spam storm? Regards, Michiel
RE: [sniffer] Stock SPAM now HTML
Isn't it time to call for an exorcist?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Thursday, 2 February 2006 5:31
To: sniffer@SortMonster.com
Subject: [sniffer] Stock SPAM now HTML

Well the plain text stock spam has just taken a turn to more interesting and SNF is not capturing it yet as of 10:55 EST. I have submitted a couple to spam@ Now they are including part of a picture to make up the text. Here is what the source looks like

CHINA WORLimg src="" CORP. br Syimg src="" br Price $img src="" br Shares out: img src="" Million br Market Capitimg src="" Million br Significant Revenue Growth iimg src="" br Averagimg src="" br Rating: Stroimg src="" Buy br 7 days trading img src="" $2.50 br 30 day trading target: $3.img src="" br

Goran Jovanovic Omega Network Solutions
RE: [sniffer] The SPAM bots?
G'day, I'm just wondering... what CAN be done about this? If I send an embedded picture to someone, how's sniffer gonna see the difference between my holiday picture and the stock spam? I reckon it's gonna be tough to block these? Cheers, Mike

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Monday, 30 January 2006 16:16
To: sniffer@SortMonster.com
Subject: [sniffer] The SPAM bots?

Hi, Are the bots working again? I am seeing a number of the STOCK pitches coming through (the ones that use the picture attachment eg. tdimg border=0 alt= src=cid:a8c0936faa69131141800cf3347d17a4/td) Sniffer did not catch the message and I have forwarded it to SPAM@ Thanx Goran Jovanovic Omega Network Solutions

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
RE: Re[2]: [sniffer] Last chance to renew at the old price!
Can I also use this product on my snailmail? :p

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jonathan Hickman
Sent: Friday, 30 December 2005 16:58
To: sniffer@SortMonster.com
Subject: Re: Re[2]: [sniffer] Last chance to renew at the old price!

I believe a new topic is in order. Quick, someone ask a newbie question!

----- Original Message -----
From: John W. Enyart
To: sniffer@SortMonster.com
Sent: Thursday, December 29, 2005 11:27 AM
Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

Amen. Keep this professional, or take me off the list. My mailbox is filling up with this garbage.

- John W. Enyart EAI, Inc. 3259 Blackberry Lane Malvern, PA 19355-9670 610/935/3085 FAX 610.935.3086 [EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wolf Tombe
Sent: Thursday, December 29, 2005 11:23 AM
To: sniffer@SortMonster.com
Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

What the heck is going on with people posting to this list lately? People seem to be jumping all over each other, jumping to a lot of conclusions and getting all riled up. It's the Holiday Season for goodness sake! It's supposed to be a time of good will to others. We can agree or disagree about the amount of the price hike; but is all the other escalating banter really necessary? Wolf

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Wednesday, December 28, 2005 9:33 PM
To: sniffer@SortMonster.com
Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

Joe, you are correct. I searched for and got out my agreement and it states Minimum Advertised Price. Memory does not always work so well. It is no ECC you know. John T eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Wolf
Sent: Wednesday, December 28, 2005 5:43 PM
To: sniffer@SortMonster.com
Subject: Re: Re[2]: [sniffer] Last chance to renew at the old price!

FYI, a reseller agreement may include a MAP (Minimum Advertised Price) but it is illegal in the United States for the agreement to determine a minimum selling price. Any such stipulation in an agreement would put both of you in violation of federal price-fixing laws. -Joe

----- Original Message -----
From: John T (Lists)
To: sniffer@SortMonster.com
Sent: Wednesday, December 28, 2005 7:29 PM
Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

According to the Reseller agreement I signed when I became a reseller of Message Sniffer, I can not charge that low of a price. As such, Pete or some one at Sniffer would need to notify me that I had permission to sell at such a low price. What I mean is, be careful. John T eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin
Sent: Wednesday, December 28, 2005 5:00 PM
To: sniffer@SortMonster.com
Subject: Re: Re[2]: [sniffer] Last chance to renew at the old price!

After posting this, another reseller pm me their renewal rate of $269. I didn't know Sniffer had another reseller besides Declude. Anyways, for those who are interested and want to save money, it's https://www.computerhouse.com/ccsecure.html

At 01:21 PM 12/28/2005, you wrote:

Can we renew at declude.com since their pricing is $292.50? I assume their prices will increase on Jan 1, 2006 too.
RE: [sniffer] Spam keeps getting through...
Pete, I have an additional question. What do you do with spam in foreign languages, like Dutch? Do you create rules for those as well? Lots of Dutch messages are not blocked by sniffer. Regards, Michiel

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Rogers
Sent: Tuesday, 11 October 2005 10:47
To: sniffer@SortMonster.com
Subject: Re: [sniffer] Spam keeps getting through...

Can we just forward them regularly or do we need to change anything about how the headers display when we forward them?

Pete McNeil wrote:

On Monday, October 10, 2005, 7:55:51 PM, Serge wrote:

S just to make sure, can we now send several spams as attachments in one
S email
S and what address to use
S i have 3 that got thru my own mailbox in less than 3 hours
S they did not even get tagged, only failed sorbs and sorbs_dul

oops. missed a step. Please send (redirect/forward) spam that gets through one at a time to [EMAIL PROTECTED] Thanks, _M

--- [This E-mail was scanned for viruses.]
RE: [sniffer] Headers showing up in message body after switching to Mdaemon
Same here, MD 8.11 and Sniffer (running from Content Filter) and NOT seeing the reported behaviour. Michiel

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge Asch
Sent: Sunday, 21 August 2005 22:28
To: sniffer@SortMonster.com
Subject: Re: [sniffer] Headers showing up in message body after switching to Mdaemon

I am using the latest version of MDaemon and the Sniffer plugin and I can say I haven't noticed any strange behavior.

-- Jorge Asch Revilla CONEXION DCR www.conexion.co.cr 800-CONEXION
RE: [sniffer] Message Sniffer says Sniffer List is Spam
That one was not blocked by my rulebase...? Regards, Michiel

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Bayerdorffer
Sent: Friday, 13 May 2005 16:32
To: sniffer@SortMonster.com
Subject: [sniffer] Message Sniffer says Sniffer List is Spam

Hello, A lot of the email from the Message Sniffer list, gets marked as spam by Message Sniffer! See attached. Daniel
RE: [sniffer] Message Sniffer Plugin for MDaemon Wide Beta Promo
Yes, you read it correctly... MDaemon is capable of blocking spam by sending 'User Unknown' replies during SMTP, which might actively do something against spammers who clean up their lists when these responses are received. Dunno if they're bright enough to do that tho... Michiel

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy Schmidt
Sent: Tuesday, 19 April 2005 5:22
To: sniffer@SortMonster.com
Subject: RE: [sniffer] Message Sniffer Plugin for MDaemon Wide Beta Promo

Wow - inline Virus scanning - and if I read the flow chart correctly, their heuristic engine actually sounds like a scoring system for DNSBL and various other indicators and reject a message during connection. Now that's the kind of SMTP engine I've been wanting all along.

Best Regards Andy Schmidt Phone: +1 201 934-3414 x20 (Business) Fax: +1 201 934-9206

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Monday, April 18, 2005 06:57 PM
To: sniffer@sortmonster.com
Subject: [sniffer] Message Sniffer Plugin for MDaemon Wide Beta Promo

Hello Sniffer folks, For those of you who are MDaemon users and may not know, we have developed a plugin version of Message Sniffer that works on the latest version of MDaemon (v8). The folks on the MDaemon beta list have had access to it for a while now and it has been working well. There are no known bugs at this time :-).

You can find the plugin on the MDaemon installation page of our site: http://www.sortmonster.com/MessageSniffer/Installation/MDaemon.html

The plugin is VERY, VERY fast and much easier to use than the command line utility. If you are still using the command line utility I highly recommend that you switch to the plugin version right away :-)

Now that version 8 of MDaemon is out, it is time to finish testing this new version and to get the word out. To help with testing, we have been providing a fully updated rulebase to our beta testers. To help with this next phase of testing we are making this fully updated license public for MDaemon users who want to try the new plugin!! :-) This will only last until the end of April though ;-)

Please help us to get the word out about this -- tell all your MDaemon friends what they have been missing. Most of our customers come from your recommendations and we really appreciate that. Remember to tell your friends to let us know about your help when they purchase Message Sniffer so that we can give you your free month! Every new user makes Message Sniffer more powerful! Thanks for all your help!

Best, _M Pete McNeil (Madscientist) President, MicroNeil Research Corporation Chief SortMonster (www.sortmonster.com)
RE: Re[2]: [sniffer] Sniffer Updates
I made this one, which is probably also somewhere on the sniffer site. Change directories and keys for your use:

d:

cd\Batch Files\Sniffer

rem Fetch the gzip-compressed rulebase and unpack it

wget http://sniffer:[EMAIL PROTECTED]/Sniffer/Updates/key.snf -O key.snf.gz --timestamping --header=Accept-Encoding:gzip

gzip -d -f key.snf.gz

:Check

rem Compare the installed rulebase with the download; continue only if they differ

fcom32 "c:\mdaemon\sniffer\key.snf" "d:\batch files\sniffer\key.snf"

if errorlevel 1 goto Test

goto :Done

:Test

rem Install the new rulebase only if snf2check accepts it

snf2check.exe key.snf password

if errorlevel 1 goto Done

copy /y key.snf c:\mdaemon\sniffer

copy /y key.snf key.old

:Done

Check for wrapping by your e-mail client! I've put an empty line between every line, to make sure you see what belongs together. Next to the --timestamping feature of wget, I also use fcom32.exe to see if the file is really different than the one before. This example also uses gzip! Greets, Michiel

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jim Matuska
Sent: Monday, 27 December 2004 19:51
To: sniffer@SortMonster.com
Subject: Re: Re[2]: [sniffer] Sniffer Updates

Does anyone have any good instructions on how to modify your update scripts to use gzip?

Jim Matuska Jr. Computer Tech2, CCNA Nez Perce Tribe Information Systems [EMAIL PROTECTED]

----- Original Message -----
From: Tom Baker | Netsmith Inc
To: sniffer@SortMonster.com
Sent: Monday, December 27, 2004 10:43 AM
Subject: Re: Re[2]: [sniffer] Sniffer Updates

Automate harassment reminders to those of us not using it. :) I think I'll go enable gzip tonight

-----Original Message-----
From: [EMAIL PROTECTED] [EMAIL PROTECTED]
To: Landry William sniffer@SortMonster.com
Sent: Mon Dec 27 12:36:06 2004
Subject: Re[2]: [sniffer] Sniffer Updates

On Monday, December 27, 2004, 12:46:19 PM, Landry wrote:

LW Are folks taking advantage of the "wget" compression option before
LW downloading their rulebase updates? If the slow download speeds are a
LW bandwidth saturation issue on the Sniffer end, this would certainly cut down
LW on the bandwidth requirements on their end and increase the download times
LW for everyone.

LW Also, I've got to ask, if the downloads are happening "behind the scenes",
LW by an automated or triggered download, why the concern about speeds, as long
LW as your downloads are successful?

From what I've seen in the logs, only about 5% of folks are taking advantage of gzip right now.

Also, I did some incantations on the log (grep, awk, uniq etc) and came up with just under half of our customers downloading their rulebase between 1200 and 1300 today. That's between 2 and 3 times as many as should have done it ;-) -- so the backlog is explainable.

This kind of thing happens for lots of reasons and there are a lot of ways to mitigate the problem.

A big one on the list - certainly - is using the gzip capability. With only 5% of folks using this and average compression ratios well above 50% there is plenty of room to "make a big dent" in this.

_M
RE: [sniffer] Sniffer updates...
There's a Sniffer plugin for MDaemon v8.0 (MD 8.0 is still in beta)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Wolf
Sent: Wednesday, 22 December 2004 15:42
To: [EMAIL PROTECTED]
Subject: [sniffer] Sniffer updates...

I'm currently using Sniffer via Imail and Declude. We all know that Ipswitch has lost their mind and is abandoning the small ISP, and now it seems that Declude has lost their way. The new version of Declude is tied to a single MAC address. That counts me out since I run multiple NIC's in the same machine and am multi-homed. Their spyware "phone home" system is a violation of our security policies as well. That leads me to Sniffer. I love the product. Does anyone have a complete list of mail servers that have direct support for Sniffer? The Imail / Declude thing is too much to deal with and I'm going to make a change. Thanks, Joe
RE: [sniffer] Mdeamon Problems
Rob, If you followed the walkthrough on the site, you should have result code headers in your e-mail messages. Could you check if that's the case? Regards, Michiel

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ~ ROB @ ZELLEM ~
Sent: Wednesday, 8 December 2004 20:54
To: [EMAIL PROTECTED]
Subject: [sniffer] Mdeamon Problems

Hey guys... I have just set up MDaemon v. 6.8.5 on Windows 2000. I have installed the Message Sniffer according to the web site. However it's not doing anything. It's going through the program (an MS-DOS window comes up running the program, only b/c I did not check the box hide the window) So I know it's running. The log says something like

snfrv2r3md5000766.msg17163White8498308225830130

The numbers vary from line to line. So what have I done wrong that it's not working correctly. What does Match, Final, Clean, white mean? Thanks.

Robbie Garrett It Manager, Network Administrator Zellem Printing www.zellemprinting.com 526 N. Charlotte St. Lancaster PA, 17543 717-299-0403 Fax me @ 717-299-5861
RE: Re[4]: [sniffer] Version 2-3.0i8 published.
What we did was write a wrapper around sniffer, and fire that wrapper from the Content Filter. That wrapper measures how long each sniffer instance takes. In the previous version, it took way longer when using the persistent version than when not using the persistent version. You would expect it to be the other way around. I could try the new version tomorrow to see if this one is actually faster, but if I don't get around to doing it tomorrow, I can't check it anymore, coz I'm going down under for a month. Regards, Michiel

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Wednesday, 20 October 2004 19:50
To: Frank Osako
Subject: Re[4]: [sniffer] Version 2-3.0i8 published.

On Wednesday, October 20, 2004, 12:54:04 PM, Frank wrote:

FO Hello _M
_ Systems with heavier loads _should_ see a reduction in their backlog
FO See a reduction of what in their backlog? Can you give an example
FO of how to see this type of measurement?

Another good question - I will try to get a solid, detailed answer. I'm not an MDaemon expert so I'm not sure what the best strategies are for measuring throughput performance and backlog (inbound/outbound queue length). Perhaps there are some MDaemon experts on list that can share their strategies for making these measurements? In particular, how best to measure these things when the system in question is not overloaded? Thanks, _M
RE: [sniffer] Version 2-3.0i8 published.
But did you run the persistent version also?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge Asch
Sent: Wednesday, 20 October 2004 22:03
To: [EMAIL PROTECTED]
Subject: Re: [sniffer] Version 2-3.0i8 published.

If you fire up Task Manager on a windows machine (or your favourite ps tool elsewhere), and set the View, Update Speed to High, then sort by the name in reverse, you will see multiple sniffer.exe and one with a PID that doesn't change. That's your persistent instance.

I fired up Task Manager. Couldn't see Sniffer.EXE nor [mylicense].exe as a persistent instance. Could even see the 'clients'. Funny, since I know it is running (since the logs it's being created, and messages are being sniffed)

-- Jorge Asch Revilla CONEXION DCR www.conexion.co.cr 800-CONEXION
RE: [sniffer] New test version 2-3.0i7
Does this version have speed improvements over the previous official release, when NOT using the persistent option (with MDaemon)?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Sunday, 17 October 2004 21:39
To: [EMAIL PROTECTED]
Subject: [sniffer] New test version 2-3.0i7

Hello Sniffer Folks, Here is the latest interim/beta version. Everyone who is using an interim version is encouraged strongly to move to this one (2-3.0i7).

This version fixes a client recovery bug. The client recovery bug prevented client instances from recovering if something went wrong with the client-server process. Under normal circumstances the client will load the rulebase and process the message itself if it detects a problem with the result it should receive from a server instance. The bug would cause this to fail resulting in a Fail Safe return value - thus causing additional spam to get through.

Though the problem with the recovery logic is fixed now, the main source of recovery cases is not yet resolved. At random intervals and to varying degrees on different systems, the client instance in a persistent server configuration will be unable to open the job file with its result. The server instance does not report an error. Retrying the open operation after a delay does not result in success. I'm still working on that one. In any case, this version handles those cases.

http://www.sortmonster.com/MessageSniffer/Betas/MessageSniffer2-3.0i7-Distribution.zip

This version also includes new Diagnostics code which will produce a diagnostics file containing all of the major peer-server coordination events. The diagnostics can be turned on/off in the configuration file. Note that the configuration file has changed in this distribution. The changes are only additions, so your old .cfg file will work if you do not wish to use any of the new features. This version is backward compatible as a drop-in replacement.

Thanks, _M Pete McNeil (Madscientist) President, MicroNeil Research Corporation Chief SortMonster (www.sortmonster.com)
RE: [sniffer] rules file?
Nope, all is working as expected here. Regards, Michiel Prins Reject.nl

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, 16 September 2004 16:13
To: [EMAIL PROTECTED]
Subject: [sniffer] rules file?

Has anyone else out there all of the sudden on 9/16 having problems with the rules file flagging all emails as spam?
RE: Re[2]: [sniffer] Charset
Pete, even your message had a charset header:

Content-Type: text/plain; charset=us-ascii

I think you'll generate more FP's if you do something like that than FN's you might have now. Aren't there spamassassin config files that detect this spam?

Kind regards, ing. Michiel Prins SOS Small Office Solutions / REJECT Wannepad 27 1066 HW Amsterdam tel. 020-4082627 fax. 020-4082628 [EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Friday, 20 August 2004 4:58
To: Jorge Asch
Subject: Re[2]: [sniffer] Charset

On Thursday, August 19, 2004, 10:45:37 PM, Jorge wrote:

JA Could a filter be created that will tag as spam any messages that
JA containing NON-ascii characters? I mean allow only CHRS 1 through 255.
JA I believe this will filter out all these foreign character sets, and
JA let through regular old and plain messages through...
JA Of course such a rule will only apply for most of us on the western
JA hemisphere...

In theory this could be done, but it would be a tricky gadget - probably best done as something programmatic... There are a lot of opportunities for false positives. I will think about this...

Then again - why not simply block on anything that says charset= ? If it's plain old ascii, then there's no need for charset. (Lots of FPs with this, but then I would never use a filter like that... It might be very close to what you are looking for.

The other way to do it would be to build patterns that match all of the known character sets -- or at least the majority. That would be a chunk of work but doable - especially with a few well placed wildcards and a good comprehensive list. _M
RE: [sniffer] Charset
Can't you use the content filter of your mail server to detect if the charset is used?

Kind regards, ing. Michiel Prins SOS Small Office Solutions / REJECT Wannepad 27 1066 HW Amsterdam tel. 020-4082627 fax. 020-4082628 [EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge Asch
Sent: Thursday, 19 August 2004 15:16
To: [EMAIL PROTECTED]
Subject: [sniffer] Charset

I asked about this about a year ago, with no luck... Is there any way Message Sniffer, could be used to block certain messages, depending on their Charset-Type (in content-type). For example, I would like to block all Windows-1251 (Cyrillic) messages from my server. I know SpamAssassin has such a feature, but I would rather do it with Message Sniffer. Is such a thing possible now? How about in the future? I am getting bombarded with messages in foreign languages, and Message Sniffer does *not* detect them (and it seems forwarding them to [EMAIL PROTECTED] is pointless, since they are still coming in... seems that there's no easy way to create a rulebase for them)

-- Jorge Asch Revilla CONEXION DCR www.conexion.co.cr 800-CONEXION
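The two charset rules discussed in this thread and in the Re[2] thread above, side by side, as an added example (not part of the original posts and not how Message Sniffer or SpamAssassin implement it). It compares the "block anything that says charset=" idea with a check of the declared charset against a block list, and shows why the first one flags an ordinary us-ascii message. The function names and the choice of Windows-1251 as the only blocked charset are assumptions; the three messages are constructed samples.

```python
import codecs
from email import message_from_bytes
from email.header import decode_header

# Assumption: block only Windows-1251 (Cyrillic), the charset named in the thread.
# "cp1251" is the canonical Python codec name for it.
BLOCKED = {"cp1251"}


def canonical(name):
    """Fold aliases (Windows-1251, cp1251, ...) to one name; keep unknown ones visible."""
    try:
        return codecs.lookup(name).name
    except LookupError:
        return "unknown:" + name.lower()


def declared_charsets(raw):
    """Charsets declared by any MIME part or by encoded words in Subject/From."""
    msg = message_from_bytes(raw)
    found = set()
    for part in msg.walk():                      # every part, not just the top level
        charset = part.get_content_charset()
        if charset:
            found.add(canonical(charset))
    for header in ("Subject", "From"):
        for value in msg.get_all(header, []):
            for _text, charset in decode_header(value):
                if charset:
                    found.add(canonical(charset))
    return found


def naive_rule(raw):
    """The 'block on anything that says charset=' rule."""
    return b"charset=" in raw.lower()


def blocklist_rule(raw, blocked=BLOCKED):
    """Flag only messages that declare a blocked charset."""
    return bool(declared_charsets(raw) & blocked)


# Constructed sample messages.
PLAIN = (b"From: a@example.org\r\nSubject: meeting notes\r\n"
         b"Content-Type: text/plain; charset=us-ascii\r\n\r\nSee you at ten.\r\n")
CYRILLIC = (b"From: b@example.net\r\nSubject: =?windows-1251?B?z/Do4uXy?=\r\n"
            b"Content-Type: text/plain; charset=\"Windows-1251\"\r\n"
            b"Content-Transfer-Encoding: 8bit\r\n\r\n\xcf\xf0\xe8\xe2\xe5\xf2\r\n")
MULTIPART = (b"From: c@example.com\r\nSubject: hello\r\nMIME-Version: 1.0\r\n"
             b"Content-Type: multipart/alternative; boundary=\"b1\"\r\n\r\n"
             b"--b1\r\nContent-Type: text/plain; charset=us-ascii\r\n\r\nhi\r\n"
             b"--b1\r\nContent-Type: text/html; charset=cp1251\r\n\r\n<p>hi</p>\r\n"
             b"--b1--\r\n")


def evaluate():
    """Return {sample name: (naive verdict, block-list verdict)}."""
    samples = {"plain": PLAIN, "cyrillic": CYRILLIC, "multipart": MULTIPART}
    return {name: (naive_rule(raw), blocklist_rule(raw))
            for name, raw in samples.items()}


if __name__ == "__main__":
    for name, verdicts in evaluate().items():
        print(name, verdicts)
```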
RE: [sniffer] German Spam?
It is indeed German. Germany is also a large spam market, I'm getting some of those messages too. They mainly spam at .de addresses, but sometimes they send it to domains from other countries.

You can also use German SA rules to filter out most of them: http://www.exit0.us/index.php/GermanRules

Regards,
ing. Michiel Prins
SOS Small Office Solutions / REJECT
Wannepad 27
1066 HW Amsterdam
tel. 020-4082627
fax. 020-4082628
[EMAIL PROTECTED]
Spam-free business e-mail? reject.nl!
Consultancy - Installation - Maintenance
Network Security - Project Management
Software Development - Internet - E-mail

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steinar Rasch
Sent: Thursday 10 June 2004 12:40
To: [EMAIL PROTECTED]
Subject: RE: [sniffer] German Spam?

I am also receiving what seems to be German spam.

Regards,
Steinar

This e-mail has been scanned and found free of viruses by Epost.no with Declude and FRISK F-Prot Software.
RE: [sniffer] Possible blip?
Crew,

I reported this speed issue before, but despite very intensive debugging and testing, we have not found an external cause (meaning: not sniffer) for the following:

When I use sniffer without the persistent flag, I get this log:

h0t861s420040520214718md5845369.msg12516Clean000284440
h0t861s420040520214718md5845370.msg11015Clean000274736
h0t861s420040520214804md5845371.msg10916Match10940662439343
h0t861s420040520214804md5845371.msg10916Match115560582286230743
h0t861s420040520214804md5845371.msg10916Final115560580358043
h0t861s420040520214825md5845372.msg11015Match29048522757278846
h0t861s420040520214825md5845372.msg11015Match122523522930294246
h0t861s420040520214825md5845372.msg11015Match122017522968297746
h0t861s420040520214825md5845372.msg11015Match122016523346335546
h0t861s420040520214825md5845372.msg11015Final29048520550446

which looks good (total execution time about 125ms)

When I have a persistent version running (max 50 ms polling time), I get:

h0t861s420040520214841md5845373.msg016Clean000359753
h0t861s420040520214852md5845374.msg1631Match1193776268474138
h0t861s420040520214852md5845374.msg1631Final119377620381038
h0t861s420040520215115md5845375.msg031Match29081632413243244
h0t861s420040520215115md5845375.msg031Final29081630945844
h0t861s420040520215134md5845376.msg094Clean0002437042
h0t861s420040520215320md5845377.msg4715Clean000194535

Which are very good exec times (average 45 ms).

We have created our own program that does lots of spam checking for messages. At some point, it fires Sniffer. We log the time it takes for Sniffer to run, for statistical purposes.

When sniffer is NOT persistent, I get the following log snippet (same messages as 1st sniffer log above, the second number after the .msg is the time it takes for sniffer to run):

0,"2004-05-20 23:47:18",md5845369.msg,172,157,0,15,15,0,43406,2
0,"2004-05-20 23:47:18",md5845370.msg,172,156,16,0,0,0,43309,2
0,"2004-05-20 23:48:04",md5845371.msg,188,172,0,15,0,15,3578,1
0,"2004-05-20 23:48:25",md5845372.msg,186,156,14,0,0,0,5572,1

Average time to run sniffer is 160 ms (sniffer said 125 ms). That means, sniffer can't report about 35 ms which is normal for application startup and shutdown (also the log is written _after_ the exec time calculation has been made, file operations also take time).

But, now comes the big mystery: when persistent mode is ON, it takes a lot more time to execute (while max polling is only 50ms!)

0,"2004-05-20 23:48:41",md5845373.msg,827,812,15,0,0,0,3607,1
0,"2004-05-20 23:48:52",md5845374.msg,842,812,0,0,0,0,3833,1
0,"2004-05-20 23:51:15",md5845375.msg,936,874,0,0,0,0,9560,1
0,"2004-05-20 23:51:35",md5845376.msg,889,859,15,0,0,0,26387,0
0,"2004-05-20 23:53:21",md5845377.msg,937,922,0,15,0,15,1922,0

Which averages at 850 ms! While I expected 45 + 25 ms (to compensate for average waiting time) = 70 ms!

Pete, could you please check why this is happening (particularly in code OUTSIDE what's measured and logged)? If you can't find anything, I'll ask my colleague to come up with a timing program, which I would like to release on this list so other ppl can check how long it really takes to execute sniffer (measured from 'the outside').

Regards,
ing. Michiel Prins
SOS Small Office Solutions / REJECT
Wannepad 27
1066 HW Amsterdam
tel. 020-4082627
fax. 020-4082628
[EMAIL PROTECTED]
Spam-free business e-mail? reject.nl!
Consultancy - Installation - Maintenance
Network Security - Project Management
Software Development - Internet - E-mail
RE: [sniffer] Final beta (b2) for snfrv2r3
Pete,

The speed problem has been found. McAfee Netshield 4.51 was making our server RIDICULOUSLY slow, despite the fact that we tried excluding the Sniffer folder and even disabling the service from the tray-icon. Upgrading to Virusscan Enterprise 7.x fixed our problem and our performance levels are in the regions that you mentioned.

Thanks for thinking along!

Groet, (regards)
--
ing. Michiel Prins bsc
[EMAIL PROTECTED]
SOS Small Office Solutions / Reject /
Wannepad 27 - 1066 HW - Amsterdam
t.+31(0)20-4082627 - f.+31-(0)20-4082628
--
Consultancy - Installation - Maintenance
Network Security - Internet - E-mail
Software Development - Project Management
--

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michiel Prins
Sent: Thursday 8 April 2004 21:11
To: [EMAIL PROTECTED]
Subject: RE: [sniffer] Final beta (b2) for snfrv2r3

Preliminary tests show there's no I/O problem but I'll do some additional benchmarking here and get back to you on this.

Groet, (regards)
--
ing. Michiel Prins bsc
[EMAIL PROTECTED]
SOS Small Office Solutions / Reject /
Wannepad 27 - 1066 HW - Amsterdam
t.+31(0)20-4082627 - f.+31-(0)20-4082628
--
Consultancy - Installation - Maintenance
Network Security - Internet - E-mail
Software Development - Project Management
--

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Wednesday 7 April 2004 17:38
To: [EMAIL PROTECTED]
Subject: RE: [sniffer] Final beta (b2) for snfrv2r3

Extraordinary...

Compare with a snippet from our IMail/NT4 test platform (severely underpowered)...

snf2beta 20040407140913 D0b86122.SMD 30 90 Final 75148 63 0 6891 68
snf2beta 20040407140913 D0b8614e.SMD 90 140 Final 103691 57 0 8878 72
snf2beta 20040407140914 D0b88122.SMD 40 141 Final 103689 57 0 9003 71
snf2beta 20040407140915 D0b880b6.SMD 90 20 Final 106244 52 0 817 65
snf2beta 20040407140916 D0b8a0de.SMD 40 210 Final 104044 52 0 8779 76
snf2beta 20040407140917 D0b8b122.SMD 30 60 Final 70077 53 0 3727 73
snf2beta 20040407140920 D0b8e0b6.SMD 20 40 Clean 0 0 0 2958 54
snf2beta 20040407140927 D0b960b6.SMD 30 80 Final 30439 54 0 3885 73
snf2beta 20040407140934 D0b930b6.SMD 20 40 Clean 0 0 0 2647 67
snf2beta 20040407140935 D0b9e0a8.SMD 20 130 Final 73558 52 0 6242 80
snf2beta 20040407140942 D0ba414e.SMD 20 160 Final 105444 52 0 8252 87
snf2beta 20040407140942 D0ba40de.SMD 201 60 Final 105825 52 0 3351 68
snf2beta 20040407140947 D0baa0b6.SMD 30 121 Final 30439 54 0 3898 72
snf2beta 20040407140947 D0baa14e.SMD 40 80 Final 66835 52 0 5358 64
snf2beta 20040407140952 D0bad122.SMD 20 110 Final 97422 57 0 6104 79
snf2beta 20040407140952 D0bae0d2.SMD 30 81 Final 83761 57 0 4790 72
snf2beta 20040407140952 D0bac0b6.SMD 40 90 Final 1686 48 0 5415 80
snf2beta 20040407141003 D0bb90b6.SMD 20 40 Final 49992 54 0 2186 69

The first thing I notice is that the setup times (first number) on your system are consistently large. According to your log entries it is taking a quarter of a second to scan the working directory for a job... That's a LOT of time for a directory scan to take.

The message scan itself doesn't seem to be out of range.

The next thing I notice is that your messages arrive several seconds apart consistently. I see 10 sec, 16, 12, 4, 10, etc... In our log we frequently scan several messages in the same second.

I see two things going on based on this data:

I suspect your system is I/O bound. There is no reason that a directory scan should take more than a few tens of milliseconds except occasionally... That puts your numbers out by nearly an order of magnitude (compare 20s 30s w/ 109, 187, 280+!). Be sure that Sniffer's working directory does not have any extra files in it. Sniffer instances measure their apparent work load by counting the number of files in their working directory... The theory is that aside from a handful of necessary files the rest are jobs waiting to be processed... so if the number of files is large then the load must be high and so a Sniffer instance should be prepared to wait a bit longer for service.

Sniffer should be running in its own directory with no other files present that don't need to be there. Be sure to clean out any dead job files that might have built up with a prior error etc...

My thinking on I/O is that if it takes 100-280 msec to scan the directory for job files then it's likely to take quite a while to load any program - including the shell. This can explain the additional time you are seeing in your measurements. Under normal circumstances I would expect that operation to happen almost instantaneously since the Sniffer executable, command shell, and other files that must load should remain consistently in memory due to their being called so
[sniffer] Log file in GMT?
Pete,

My Sniffer log file logs times which are two hours early. I suspect that it's because Amsterdam is in GMT+2. Why does sniffer not log local time?

Groet, (regards)
--
ing. Michiel Prins bsc
[EMAIL PROTECTED]
SOS Small Office Solutions / Reject /
Wannepad 27 - 1066 HW - Amsterdam
t.+31(0)20-4082627 - f.+31-(0)20-4082628
--
Consultancy - Installation - Maintenance
Network Security - Internet - E-mail
Software Development - Project Management
--

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kirk Mitchell
Sent: Thursday 8 April 2004 23:35
To: [EMAIL PROTECTED]
Subject: RE: [sniffer] Final beta (b2) for snfrv2r3

At 05:42 AM 4/8/04 -0400, Pete McNeil wrote:

http://www.keyconn.net/misc/sniffer.htm

I'll bet you are using b1 - this first 2-3beta does not implement the command interface.

Yes, I had b1 in use, trying b2 now.

--
Kirk Mitchell - General Manager
[EMAIL PROTECTED]
Keystone Connect
Unlock Your World
Altoona, PA 814-941-5000
http://www.keyconn.net
RE: [sniffer] Final beta (b2) for snfrv2r3
Preliminary tests show there's no I/O problem but I'll do some additional benchmarking here and get back to you on this.

Groet, (regards)
--
ing. Michiel Prins bsc
[EMAIL PROTECTED]
SOS Small Office Solutions / Reject /
Wannepad 27 - 1066 HW - Amsterdam
t.+31(0)20-4082627 - f.+31-(0)20-4082628
--
Consultancy - Installation - Maintenance
Network Security - Internet - E-mail
Software Development - Project Management
--

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Wednesday 7 April 2004 17:38
To: [EMAIL PROTECTED]
Subject: RE: [sniffer] Final beta (b2) for snfrv2r3

Extraordinary...

Compare with a snippet from our IMail/NT4 test platform (severely underpowered)...

snf2beta 20040407140913 D0b86122.SMD 30 90 Final 75148 63 0 6891 68
snf2beta 20040407140913 D0b8614e.SMD 90 140 Final 103691 57 0 8878 72
snf2beta 20040407140914 D0b88122.SMD 40 141 Final 103689 57 0 9003 71
snf2beta 20040407140915 D0b880b6.SMD 90 20 Final 106244 52 0 817 65
snf2beta 20040407140916 D0b8a0de.SMD 40 210 Final 104044 52 0 8779 76
snf2beta 20040407140917 D0b8b122.SMD 30 60 Final 70077 53 0 3727 73
snf2beta 20040407140920 D0b8e0b6.SMD 20 40 Clean 0 0 0 2958 54
snf2beta 20040407140927 D0b960b6.SMD 30 80 Final 30439 54 0 3885 73
snf2beta 20040407140934 D0b930b6.SMD 20 40 Clean 0 0 0 2647 67
snf2beta 20040407140935 D0b9e0a8.SMD 20 130 Final 73558 52 0 6242 80
snf2beta 20040407140942 D0ba414e.SMD 20 160 Final 105444 52 0 8252 87
snf2beta 20040407140942 D0ba40de.SMD 201 60 Final 105825 52 0 3351 68
snf2beta 20040407140947 D0baa0b6.SMD 30 121 Final 30439 54 0 3898 72
snf2beta 20040407140947 D0baa14e.SMD 40 80 Final 66835 52 0 5358 64
snf2beta 20040407140952 D0bad122.SMD 20 110 Final 97422 57 0 6104 79
snf2beta 20040407140952 D0bae0d2.SMD 30 81 Final 83761 57 0 4790 72
snf2beta 20040407140952 D0bac0b6.SMD 40 90 Final 1686 48 0 5415 80
snf2beta 20040407141003 D0bb90b6.SMD 20 40 Final 49992 54 0 2186 69

The first thing I notice is that the setup times (first number) on your system are consistently large. According to your log entries it is taking a quarter of a second to scan the working directory for a job... That's a LOT of time for a directory scan to take.

The message scan itself doesn't seem to be out of range.

The next thing I notice is that your messages arrive several seconds apart consistently. I see 10 sec, 16, 12, 4, 10, etc... In our log we frequently scan several messages in the same second.

I see two things going on based on this data:

I suspect your system is I/O bound. There is no reason that a directory scan should take more than a few tens of milliseconds except occasionally... That puts your numbers out by nearly an order of magnitude (compare 20s 30s w/ 109, 187, 280+!). Be sure that Sniffer's working directory does not have any extra files in it. Sniffer instances measure their apparent work load by counting the number of files in their working directory... The theory is that aside from a handful of necessary files the rest are jobs waiting to be processed... so if the number of files is large then the load must be high and so a Sniffer instance should be prepared to wait a bit longer for service.

Sniffer should be running in its own directory with no other files present that don't need to be there. Be sure to clean out any dead job files that might have built up with a prior error etc...

My thinking on I/O is that if it takes 100-280 msec to scan the directory for job files then it's likely to take quite a while to load any program - including the shell. This can explain the additional time you are seeing in your measurements. Under normal circumstances I would expect that operation to happen almost instantaneously since the Sniffer executable, command shell, and other files that must load should remain consistently in memory due to their being called so frequently. It's a good bet that much of your delay time is bound in this part of the equation.

The next place I think you're finding delays is in sleeping. There are several seconds between messages on your system consistently so Sniffer is going to sleep much of the time. If Sniffer can't find work for several seconds the poll delay times will expand accordingly. It's a good bet that the rest of the time in your 1.5 seconds is due to the fact that the next message you're going to process is 5-10 seconds away from the last.

After waiting 1 second the poll delay will be ~ 630ms
After about 2.5 seconds the poll delay will be ~ 1650ms...
By the time you get beyond 5 seconds the poll delay will be 4000ms, so your average sleep time will be 2 secs.

Based on this I think 1.5 seconds is not unlikely... on the other hand since the next message is likely to be 5 or more seconds away this should have no apparent effect on throughput, and since Sniffer is sleeping most of the time your
RE: [sniffer] Final beta (b2) for snfrv2r3
Hmmm, log file from sniffer shows significant increase in performance (up to 50% faster, see below). However, according to my own logs, the total time that sniffer takes is way longer. During non-persistent operation about 300 ms on top of what sniffer logs, which could be because of loading times of sniffer itself. When sniffer is persistent, 'loading' time is about 1.5 seconds.

My conclusion from this, is that when sniffer is running persistent, cpu usage and rulebase loading times are decreased but total execution time seems to have tripled from about 550 ms to about 1650 ms.

To calculate the total execution time, I store system time in ms just before and after ShellExecuteEx() and calculate the difference. That seems like an honest and reliable way to determine execution time for sniffer.

sniffer log:

h0t861s420040407080330md5581512.msg26532Clean000221432
h0t861s420040407080340md5581513.msg26516Clean000150335
h0t861s420040407080356md5581514.msg28278Clean0001366440
h0t861s420040407080408md5581515.msg265110Clean0002692944
h0t861s420040407080412md5581516.msg28132Clean000219935
h0t861s420040407080422md5581517.msg28116Final33612540252040
h0t861s420040407080426md5581518.msg25031Clean000263635
h0t861s420040407080431md5581519.msg26631Clean000591341
h0t861s420040407080436md5581520.msg18846Final105667520352241
h0t861s420040407080446md5581521.msg10932Clean000215236
h0t861s420040407080454md5581522.msg12547Clean000408335
h0t861s420040407080506md5581523.msg18747Clean000520532
h0t861s420040407080514md5581524.msg18847Clean000563234
h0t861s420040407080524md5581525.msg188109Clean0002476343
h0t861s420040407080531md5581526.msg18847Final105667520274239
h0t861s420040407080538md5581527.msg18816Clean000196735
h0t861s420040407080550md5581528.msg187125Clean0002471850
h0t861s420040407080557md5581529.msg18732Clean000323634
h0t861s420040407080607md5581530.msg12531Clean000291832
h0t861s420040407080620md5581531.msg18732Final105073500237444
h0t861s420040407080632md5581532.msg18815Clean000361133
h0t861s420040407080638md5581533.msg125125Clean0002756845
h0t861s420040407080650md5581534.msg18778Clean0001615533

I'm really puzzled about the cause for the extra delays.

Groet, (regards)
--
ing. Michiel Prins bsc
[EMAIL PROTECTED]
SOS Small Office Solutions / Reject /
Wannepad 27 - 1066 HW - Amsterdam
t.+31(0)20-4082627 - f.+31-(0)20-4082628
--
Consultancy - Installation - Maintenance
Network Security - Internet - E-mail
Software Development - Project Management
--

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Wednesday 7 April 2004 11:21
To: [EMAIL PROTECTED]
Subject: RE: [sniffer] Final beta (b2) for snfrv2r3

What does the sniffer log show during this time?

_M

At 04:48 AM 4/7/2004, you wrote:

Pete,

Despite my suggestions with less polling time, I can't seem to get the persistent version to speed up my message processing. I've copied part of my custom log file below. Bold numbers are the amount of ms it takes to execute sniffer (timed by an external program that executes it). Persistent sniffer was turned ON on the blue lines. I've set max polling time to 50ms for this test. However, scanning takes more than a second longer...

0,"2004-04-07 10:03:31",md5581512.msg,672,546,78,0,2223,0,0,3,1
0,"2004-04-07 10:03:40",md5581513.msg,657,531,93,0,1490,0,0,3,1
0,"2004-04-07 10:03:57",md5581514.msg,734,594,93,0,14601,0,0,3,1
0,"2004-04-07 10:04:09",md5581515.msg,797,624,93,0,29398,0,0,3,1
0,"2004-04-07 10:04:13",md5581516.msg,686,562,93,0,42408,2,0,3,1
0,"2004-04-07 10:04:22",md5581517.msg,749,547,93,0,2611,1,0,3,1
0,"2004-04-07 10:04:26",md5581518.msg,656,532,93,0,43402,2,0,3,1
0,"2004-04-07 10:04:32",md5581519.msg,671,547,93,0,6022,0,0,3,1
0,"2004-04-07 10:04:37",md5581520.msg,1905,1672,92,0,3564,1,0,3,1
0,"2004-04-07 10:04:47",md5581521.msg,1811,1688,93,0,2152,0,0,3,1
0,"2004-04-07 10:04:55",md5581522.msg,1811,1688,78,0,4122,0,0,3,1
0,"2004-04-07 10:05:05",md5581523.msg,1843,1671,93,0,5250,0,0,3,1
0,"2004-04-07 10:05:13",md5581524.msg,1811,1688,78,0,5677,0,0,3,1
0,"2004-04-07 10:05:21",md5581525.msg,1797,1671,93,0,273387,0,0,3,1
0,"2004-04-07 10:05:30",md5581526.msg,1891,1671,93,0,2760,1,0,3,1
0,"2004-04-07 10:05:37",md5581527.msg,1811,1672,93,0,36384,2,0,3,1
0,"2004-04-07 10:05:49",md5581528.msg,1796,1656,93,0,27065,0,0,3,1
0,"2004-04-07 10:05:56",md5581529.msg,1812,1686,79,0,3554,2,0,3,1
0,"2004-04-07 10:06:06",md5581530.msg,1843,1671,78,0,44939,2,0,3,1
0,"2004-04-07 10:06:
RE: [sniffer] Call for beta testers... snfrv2r3b1
Paul,

Did you have the persistent sniffer.exe running when this log was generated?

Groet, (regards)
--
ing. Michiel Prins bsc
[EMAIL PROTECTED]
SOS Small Office Solutions / Reject /
Wannepad 27 - 1066 HW - Amsterdam
t.+31(0)20-4082627 - f.+31-(0)20-4082628
--
Consultancy - Installation - Maintenance
Network Security - Internet - E-mail
Software Development - Project Management
--

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peer-to-Peer, LLC
Sent: Thursday 18 March 2004 15:15
To: [EMAIL PROTECTED]
Subject: RE: [sniffer] Call for beta testers... snfrv2r3b1

Groet,

RE: MDaemon: I guess I'm confused on how to determine the Content Filter poll time. Here's a (.txt snippet of my CF log file which does not show a delay (or at least to my level of skill abilities; which is minimal by-the-way). I'll be happy to test some things on our server if you have any specific instructions for me. We share the same objectives.

Regards,
Paul Roulier

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Michiel Prins
Sent: Thursday, March 18, 2004 2:59 AM
To: [EMAIL PROTECTED]
Subject: RE: [sniffer] Call for beta testers... snfrv2r3b1

Paul,

Aren't you having problems that the polling times just make the waiting times in the CF longer? While normally my bottleneck was the loading of the rulebase, now it's the polling time which is way longer.

Pete,

With Mdaemon, where there's only one message being processed at a time, and there's no multithreading content filter yet, I would like to be able to set polling time to a fixed 25 or 30 ms. Normally, loading the rulebase would take 200, with polling I understand this could be reduced to 30 ms - if the time can be set to a fixed ms. Could you also consider the other options I asked?

Groet, (regards)
--
ing. Michiel Prins bsc
[EMAIL PROTECTED]
SOS Small Office Solutions / Reject /
Wannepad 27 - 1066 HW - Amsterdam
t.+31(0)20-4082627 - f.+31-(0)20-4082628
--
Consultancy - Installation - Maintenance
Network Security - Internet - E-mail
Software Development - Project Management
--

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peer-to-Peer, LLC
Sent: Thursday 18 March 2004 4:21
To: [EMAIL PROTECTED]
Subject: RE: [sniffer] Call for beta testers... snfrv2r3b1

_M,

FYI: Have been running the beta ver 2.3b1 on MDaemon 7.0.0 for several hours now and all is stable. Everything is performing as advertised...

paul roulier

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Pete McNeil
Sent: Wednesday, March 17, 2004 2:05 PM
To: [EMAIL PROTECTED]
Subject: [sniffer] Call for beta testers... snfrv2r3b1

Hello folks,

I know folks are anxious to get their hands on this version so I'm going to play this beta round a little looser than usual.

Version 2-3b1 implements a persistent mode feature for our cellular peer-server technology. Launching a persistent instance of Message Sniffer has the effect of creating a daemon so that all other instances will elect to be clients.

We observed a DRAMATIC improvement in system performance on our NT4/Imail/Declude test bed. In static tests on my Toshiba 6100 we saw no memory leaks and consistent performance over the past 18+ hours of testing. This included several tests with more than 100+ concurrent client instances - all without failure and without making the system unresponsive (though the WinXP file system did start to show signs of strain).

This beta is for the windows platform only... once we're happy with this version we will make the source and *nix versions available as always.

Windows platform users who are interested in testing the new beta should download the following file:

http://www.sortmonster.com/MessageSniffer/Betas/snfrv2r3b1.zip

The file contains an executable and a short readme file.

We are going to be extremely busy for the next few hours so we won't be able to provide support on this until later this evening. We have many updates and rulebase mods to attend to at the moment since we shifted resources heavily toward development last evening and through the night... The current spam storm continues to rage with more than 500 core rule-base changes yesterday alone!

Be careful. Backup your current production version. Watch carefully. Enjoy :-)

_M
RE: [sniffer] F-Prot and netsky
Mike,

No ideas on f-prot, but just something we do: We use a combination of 2 virus scanners, McAfee (updated automatically with daily dat every day, automatic install of extra.dat emergency dats possible from version 7 and up) and Kaspersky, which I update every hour. Using this combo, we blocked all non-zip netsky viruses because of the restricted attachments list we use, and about 50 netsky zipped viruses slipped through because of the time between discovery and fix. This resulted in 3 actual infected networks which we had to clean.

Groet, (regards)
--
ing. Michiel Prins bsc
[EMAIL PROTECTED]
SOS Small Office Solutions / Reject /
Wannepad 27 - 1066 HW - Amsterdam
t.+31(0)20-4082627 - f.+31-(0)20-4082628
--
Consultancy - Installation - Maintenance
Network Security - Internet - E-mail
Software Development - Project Management
--

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike VandeBerg
Sent: Tuesday 24 February 2004 15:33
To: [EMAIL PROTECTED]
Subject: [sniffer] F-Prot and netsky

I was wondering if anyone else is using F-prot for their virus engine in declude, and what they now think about it. Netsky was discovered on the 18th, and F-Prot actually had it posted on their website as being discovered by them on the 19th. But they didn't update their definition files to actually catch it until early this morning. This meant that netsky ran rampant under F-Prot's nose for 6 days.

I feel this is completely unacceptable, and I am going to change my virus engine this week unless someone can tell me that there is a good reason why I shouldn't. Any ideas or feedback from someone using F-Prot?

Thanks

Mike VandeBerg
Network Administrator
NTS Services Corp
309-353-5632 ext. 227
Mobile 309-241-8973
[EMAIL PROTECTED]

---
This message has been scanned for spam and viruses by Reject
RE: [sniffer] Autoupdating rule file
I use WGET, which is available for free on the internet. This is my script:

rem Work in the Sniffer directory
c:
cd \MDaemon\Sniffer
rem Download the new rulebase to a temporary .tst file, not over the live .snf
wget http://sniffer:[EMAIL PROTECTED]/Sniffer/Updates/12345678.snf -O 12345678.tst
if exist 12345678.tst goto Test
goto Done
:Test
rem Validate the download; a non-zero exit code leaves the live rulebase untouched
snf2check.exe 12345678.tst abcdefghijklmnop
if errorlevel 1 goto Done
rem Keep the previous rulebase as .old, then put the new one in place
if exist 12345678.old del 12345678.old
ren 12345678.snf 12345678.old
ren 12345678.tst 12345678.snf
:Done
rem Remove a leftover .tst file (failed or rejected download)
if exist 12345678.tst del 12345678.tst

- Replace '12345678' with your licenseID and 'abcdefghijklmnop' with your rulebase password.

This script also keeps a .old file which is your previous rulebase in case you need to rollback. You can execute this script automatically every few hours or have it triggered when the update notice is mailed to you.

Regards,
Michiel

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Timothy C. Bohen
Sent: Thursday 12 February 2004 14:58
To: [EMAIL PROTECTED]
Subject: [sniffer] Autoupdating rule file

I bought Pyrobatch FTP, nice little program, figured I could use it for other things. But I'm having some problems getting the script going to update my file. Anyone willing to send me a script that I can use?

Thanks!!

Timothy C. Bohen
CMSInter.Net LLC / Crystal MicroSystems LLC
===
web : www.cmsinter.net
email: [EMAIL PROTECTED]
phone: 989.235.5100 x222
fax : 989.235.5151

---
This message has been scanned for spam and viruses by Reject http://www.reject.nl