Re: Re[4]: [sniffer] Rash of false positives
This morning my server quit sending mail and my tech said the Dr. Watson error on the server was my Sniffer file...I rebooted and thought it was OK but quit again..I had a lot of mail back logged...so I updated a new rule base but it did not seem to help

I reinstalled Imail and things seem OK but slow since there is such a back log of mail

If things don't get back to normal I will be back..

Richard Farris
Ethixs Online
1.270.247. Office
1.800.548.3877 Tech Support
"Crossroads to a Cleaner Internet"

----- Original Message -----
From: Pete McNeil
To: Darin Cox
Sent: Tuesday, November 08, 2005 3:03 PM
Subject: Re[4]: [sniffer] Rash of false positives

On Tuesday, November 8, 2005, 3:25:20 PM, Darin wrote:

Hi Pete,

There was a consistent stream of false positives over the mentioned time period, not just a blast at a particular time. They suddenly started at 5pm (shortly after a 4:30pm rulebase update), and were fairly evenly spread from 5pm - 11pm and 6am - 10am today (not many legitimate emails came in between 11pm and 6am)...spanning 4 other rulebase updates at 8:40pm, 12am, 3am, and 6:20am.

There were a number of different rules involved, and over 45 false positives in that time period.

This is highly unusual -- I didn't remove many rules, and normally only one or two would be responsible.

If you found that a large number of rules were responsible then something else happened and we need to look at that... I'd need to see your SNF logs from that period since the changes (removals anyway) in the rulebase were very small and unrelated - that just doesn't line up with your description.

One thing does-- in the past if snf2check was not used to check a new download then a corrupted rulebase could cause SNF to produce erratic results... since snf2check has been in place we have not seen this.

Is it possible that a bad rulebase file got pressed into service on your system? -- probably a look at the logs would help there too since this kind of failure is accompanied by very specific oddities in the logs.

Hope this helps,
_M

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
[sniffer] Sniffer Resources
When I turn off sniffer my server acts normally on resources..but when I turn it on it goes to 100% and stays there most of the time...I have tried updating the sniffer and rebooting the server but does not help...it has been doing this for about a month...has anyone else seen this..if not what can I do to resolve it..right now I have sniffer turned off so I can just send mail thru the server..

Richard Farris
Ethixs Online
1.270.247. Office
1.800.548.3877 Tech Support
Crossroads to a Cleaner Internet

----- Original Message -----
From: Pete McNeil [EMAIL PROTECTED]
To: Andy Schmidt sniffer@SortMonster.com
Sent: Monday, September 05, 2005 9:43 AM
Subject: Re: [sniffer] Integration with today's new ORF version:

On Monday, September 5, 2005, 9:26:38 AM, Andy wrote:

AS> http://www.vamsoft.com/orf/agentdefs.asp
AS>
AS> It says to contact vendor. Here I am <G>.

Yes indeed. How may I help you?

_M
[sniffer] False Positive?
[EMAIL PROTECTED]

Is there any reason this would be in the sniffer file...I tried to do some troubleshooting and finally just whitelisted their address...and they got it but I don't think Declude was holding it...I have SNIFFER on Delete...

Richard Farris
Ethixs Online
1.270.247. Office
1.800.548.3877 Tech Support
Crossroads to a Cleaner Internet

----- Original Message -----
From: Pete McNeil [EMAIL PROTECTED]
To: sniffer@sortmonster.com
Sent: Monday, July 11, 2005 8:54 AM
Subject: [sniffer] Update on outages etc...

Hello Sniffer Folks,

All of the critical equipment is now restored. We also have some additional equipment we will be bringing online over the coming weeks that will help us improve our update rates.

We are currently short staffed due to the effects of Hurricane Dennis, but we expect that to change within the next 48 hours.

The outward results from the outage and the short staffing will be that updates are slightly behind and that support may take a bit longer than usual.

Sorry for any inconvenience. I will keep you posted :-)

Thanks,
_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)
[sniffer] Not Getting Updates
I just noticed that I am no longer getting updated emails for the sniffer to trigger the automatic update.. The last one was on Nov 11...Customers had told me they were getting more spam but I just thought we were getting hammered with more..

Richard Farris
Ethixs Online
1.270.247. Office
1.800.548.3877 Tech Support
Crossroads to a Cleaner Internet

----- Original Message -----
From: Pete McNeil [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, November 16, 2004 1:58 PM
Subject: [sniffer] Important interim release announcement

Hello Sniffer folks,

NEW VERSION AVAILABLE:

We have released a new interim version of Message Sniffer (V2-3.1i1). This version includes a new filter chain module called Defunker. This module re-scans the body of each message with all HTML, XML, and many other obfuscation mechanisms removed. This allows the current rulebase to capture more versions of each spam without additional rules.

While this is an interim release, it has been very stable and is considered to be production ready at this time. We highly recommend that you adopt this new version.

You can download this interim version from our Try-It page (at the bottom).

MDAEMON PLUGIN UNDER DEVELOPMENT:

For our MDaemon customers who do not follow the md-beta list, the current beta of MDaemon includes a Plug-In interface which allows third party developers to build modules that process messages as they pass through the system.

We have implemented and are currently testing a Message Sniffer plugin for MDaemon. The plugin is at version 0.51a at the time of this writing.

Since the plugin is loaded by the MDaemon server at start-up, the Message Sniffer engine and rulebase remain resident in memory. This allows us to run Message Sniffer on MDaemon very efficiently.

If you are able to participate in the MDaemon beta program then we encourage you to try the new plugin and tell us what you think.

You can download the latest distribution of the plugin on our Try-It page (At the bottom).

Thanks,
_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)
Re: [sniffer] Help
Last night sniffer began deleting all my messages...I did a fresh download and everything started working again...I guess I need to whitelist the sniffer download email address in case this happens again...I suppose my filter was even deleting my sniffer email to activate the downloads..

I don't know how long it was doing it...I know it was working around 3PM and noticed it not working at 4 AM this morning..

Any ideas on what went wrong..

Richard Farris
Ethixs Online
1.270.247. Office
1.800.548.3877 Tech Support

----- Original Message -----
From: Pete McNeil
To: [EMAIL PROTECTED]
Sent: Friday, March 26, 2004 2:41 PM
Subject: Re: [sniffer] Help

This seems like a rulebase thing.
We spoke on the phone.
If the problem isn't solved by getting a fresh rulebase then we should go hunting for a rule. Send a note to yourself with sniffer on, then grab the sniffer log entries for the captured message and send them to us at [EMAIL PROTECTED] I'll look them up to see what they are and see if we've coded something that's matching your outgoing messages.

Thanks,
_M

At 12:34 PM 3/26/2004, you wrote:

Here is what I have figured out..

With sniffer on I CAN'T send mail to myself although my wife can send mail to me...

With sniffer off I CAN send mail to myself

There has to be something in the rule base that is doing this...or maybe my Windows NT update broke something???

Richard Farris
Ethixs Online
1.270.247. Office
1.800.548.3877 Tech Support

----- Original Message -----
From: Pete McNeil
To: [EMAIL PROTECTED]
Sent: Thursday, March 25, 2004 7:02 PM
Subject: Re: [sniffer] Help

MicroNeil Voice Line: 703-779-4909

_M

At 01:30 PM 3/25/2004, you wrote:

I got it.

I am on to something so I might figure it out...if I don't is there a number I can call..

Richard Farris
Ethixs Online
1.270.247. Office
1.800.548.3877 Tech Support

----- Original Message -----
From: Matt
To: [EMAIL PROTECTED]
Sent: Thursday, March 25, 2004 11:27 AM
Subject: Re: [sniffer] Help

Have you tried a reboot? Checked your error logs? Made sure that DNS and all of your E-mail services are running? Is there even a chance that you will be able to receive this message?

Matt

Richard Farris wrote:

I just did a Windows NT update and now I can't get any email...when I turn sniffer off I at least can send mail to myself but still can't get from outside..any ideas.,

Richard Farris
Ethixs Online
1.270.247. Office
1.800.548.3877 Tech Support

----- Original Message -----
From: "Pete McNeil" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, March 24, 2004 2:01 PM
Subject: Re: [sniffer] Possible Bad Rule?

We had a badly coded rule that matched yahoo. The rule has been removed. About 30 rulebases went out before it was caught. These are being recompiled with the correction right now. I will see if I can push yours to the top.

_M

At 02:02 PM 3/24/2004, you wrote:

I am getting a lot of complaints today from Yahoo users...

Sheldon

----- Original Message -----
From: "Darrell LaRock" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: "'SnifferSupport'" [EMAIL PROTECTED]
Sent: Wednesday, March 24, 2004 10:33 AM
Subject: [sniffer] Possible Bad Rule?

Pete,

I am seeing a ton of false positives for RULE 100543. I sent a few in to you to check out ([EMAIL PROTECTED]). I wanted to post this here as well since it seems to take approx. 24 hours to process false positives.

Darrell

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
Re: [sniffer] test
This may have been answered before but what do we do with the emails coming in and getting by the filter with .zip files that look like a virus...I have Declude 1.79 installed...do I have to go as far as to exclude all .zip files?

Richard Farris
Ethixs Online
1.270.247. Office
1.800.548.3877 Tech Support
Crossroads to a Cleaner Internet

----- Original Message -----
From: Pete McNeil [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, May 04, 2004 3:49 PM
Subject: Re: [sniffer] test

At 04:17 PM 5/4/2004, you wrote:

At 02:49 PM 5/4/2004, Vivek Khera wrote:

On May 4, 2004, at 3:42 PM, Pete McNeil wrote:

Every rulebase is potentially a different size composition, plus sizes typically change with each update.

I'm glad to hear all the positive reports on this. :-)

Forgive me... What is the URL for the zipped version of the file... :(

Actually - the URL is the same. The file will be compressed with gzip if your browser (or wget, etc...) notifies the server that it can accept that type of compression.

This requires a little bit of extra scripting and that you download gzip. This hasn't made it to the archive yet but I think the following message snippet will help you get started:

This can be done with wget, for example, but setting this up appears to be technically complex - so I'm going to leave it at that for now. (Requires the --header switch and piping the output through gzip)

It is not so complex:

In the wget command change
-O sniffer.new
to
-O sniffer.new.gz
and add the switch
--header=Accept-Encoding:gzip

And in the next line put the command
gzip -d -f sniffer.new.gz

That looks about right. Of course you will also need to download gzip to make this work if you don't already have it.

http://www.gzip.org/

_M
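
Added example (not part of the list posts and not MicroNeil's own script): the wget/gzip download quoted above, with an integrity check so that a truncated or corrupted download is never pressed into service. The URL and the live file name sniffer.snf are placeholders assumed for illustration.

```shell
#!/bin/sh
# Added example: fetch a gzip-compressed rulebase and swap it into service
# only after it passes an integrity check. RULEBASE_URL and the live file
# name are placeholders (assumptions), not values from the list.
RULEBASE_URL="${RULEBASE_URL:-https://rulebase.example.invalid/sniffer.snf}"

# fetch_rulebase DEST_GZ
# Uses the header switch quoted in the thread. If the server ignores the
# header and sends an uncompressed file, install_rulebase rejects it.
fetch_rulebase() {
    wget -q --header=Accept-Encoding:gzip -O "$1" "$RULEBASE_URL"
}

# install_rulebase NEW_GZ LIVE
# Returns 0 and replaces LIVE only if NEW_GZ is a complete gzip stream that
# decompresses to a non-empty file. On any failure LIVE is left untouched.
install_rulebase() {
    new_gz=$1
    live=$2
    staged="${new_gz%.gz}"

    # gzip -t checks the CRC and length trailer, so a cut-off or mangled
    # download fails here instead of reaching the filter.
    if ! gzip -t "$new_gz" 2>/dev/null; then
        rm -f "$new_gz"
        return 1
    fi
    gzip -d -f "$new_gz" || return 1
    if [ ! -s "$staged" ]; then
        rm -f "$staged"
        return 1
    fi
    # A vendor check such as snf2check (mentioned elsewhere on this page)
    # would run on "$staged" here; its invocation is not shown on the page,
    # so it is left out.

    # Keep the previous rulebase for rollback, then rename into place
    # (a rename is atomic when both paths are on the same filesystem).
    if [ -f "$live" ]; then
        cp -p "$live" "$live.old"
    fi
    mv -f "$staged" "$live"
}

# Typical use from a scheduled job:
#   fetch_rulebase sniffer.new.gz && install_rulebase sniffer.new.gz sniffer.snf
```
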
Re: [sniffer] Help
Everything looks good here now...not only was my rulebase corrupted but my upline provider which does some initial spam filtering for me was having trouble with their filter (nothing to do with sniffer)...so I was broken in two places...thanks for all the help..

Richard Farris
Ethixs Online
1.270.247. Office
1.800.548.3877 Tech Support

----- Original Message -----
From: Pete McNeil
To: [EMAIL PROTECTED]
Sent: Friday, March 26, 2004 1:41 PM
Subject: Re: [sniffer] Help

This seems like a rulebase thing.
We spoke on the phone.
If the problem isn't solved by getting a fresh rulebase then we should go hunting for a rule. Send a note to yourself with sniffer on, then grab the sniffer log entries for the captured message and send them to us at [EMAIL PROTECTED] I'll look them up to see what they are and see if we've coded something that's matching your outgoing messages.

Thanks,
_M

At 12:34 PM 3/26/2004, you wrote:

Here is what I have figured out..

With sniffer on I CAN'T send mail to myself although my wife can send mail to me...

With sniffer off I CAN send mail to myself

There has to be something in the rule base that is doing this...or maybe my Windows NT update broke something???

Richard Farris
Ethixs Online
1.270.247. Office
1.800.548.3877 Tech Support

----- Original Message -----
From: Pete McNeil
To: [EMAIL PROTECTED]
Sent: Thursday, March 25, 2004 7:02 PM
Subject: Re: [sniffer] Help

MicroNeil Voice Line: 703-779-4909

_M

At 01:30 PM 3/25/2004, you wrote:

I got it.

I am on to something so I might figure it out...if I don't is there a number I can call..

Richard Farris
Ethixs Online
1.270.247. Office
1.800.548.3877 Tech Support

----- Original Message -----
From: Matt
To: [EMAIL PROTECTED]
Sent: Thursday, March 25, 2004 11:27 AM
Subject: Re: [sniffer] Help

Have you tried a reboot? Checked your error logs? Made sure that DNS and all of your E-mail services are running? Is there even a chance that you will be able to receive this message?

Matt

Richard Farris wrote:

I just did a Windows NT update and now I can't get any email...when I turn sniffer off I at least can send mail to myself but still can't get from outside..any ideas.,

Richard Farris
Ethixs Online
1.270.247. Office
1.800.548.3877 Tech Support

----- Original Message -----
From: "Pete McNeil" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, March 24, 2004 2:01 PM
Subject: Re: [sniffer] Possible Bad Rule?

We had a badly coded rule that matched yahoo. The rule has been removed. About 30 rulebases went out before it was caught. These are being recompiled with the correction right now. I will see if I can push yours to the top.

_M

At 02:02 PM 3/24/2004, you wrote:

I am getting a lot of complaints today from Yahoo users...

Sheldon

----- Original Message -----
From: "Darrell LaRock" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: "'SnifferSupport'" [EMAIL PROTECTED]
Sent: Wednesday, March 24, 2004 10:33 AM
Subject: [sniffer] Possible Bad Rule?

Pete,

I am seeing a ton of false positives for RULE 100543. I sent a few in to you to check out ([EMAIL PROTECTED]). I wanted to post this here as well since it seems to take approx. 24 hours to process false positives.

Darrell

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=