[sniffer] Now OT: Re: [sniffer] Re: Opening truncate.gbudb.net

2010-05-10 Thread Sanford Whiteman
 One  impacted  customer wanted me to put back their original pw back
 in. Boss can't learn a new one! Sheesh..

That makes me... cry.

Not  mail-related: a user of our web app forgot his password today and
was  having  a  ridiculously  hard  time using our password reset form
(basic  enter-your-e-mail-and-submit,  but  he kept missing the submit
part).  He declared it broken and demanded a completely new account. I
noted we can't do that without giving him a new username (old accounts
stick  around,  the  usual  primary  key/audit  trail restriction) and
suggested  it would be harder to remember jimpatient2 than jimpatient.
He  got  all kinds of crazy on me. Fine, I said, I'll break policy.
You have a brand-new account with the same name.

And did nothing at all.

Then, he said, the reset form started working.

Cheers,

S.


#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
This list is for discussing Message Sniffer,
Anti-spam, Anti-Malware, and related email topics.
For More information see http://www.armresearch.com
To unsubscribe, E-mail to: sniffer-...@sortmonster.com
To switch to the DIGEST mode, E-mail to sniffer-dig...@sortmonster.com
To switch to the INDEX mode, E-mail to sniffer-in...@sortmonster.com
Send administrative queries to  sniffer-requ...@sortmonster.com



[sniffer] Re: Sniffer Updates every 6 or 7 minutes

2009-11-02 Thread Pete McNeil

Rory Nimmo wrote:


Hi folks.

 

My Sniffer rule base is updating every 6 or 7 minutes today. I have 
not made any changes at my end. Can you shed any light on this please?



It should be fixed now.

A bug in smb (used internally to populate the delivery servers) causes 
datestamp problems when daylight savings time switches. The problem 
should be solved now.


Thanks,

_M





[sniffer] Re: Sniffer 3.0 Installed

2008-10-04 Thread Pete McNeil




Hello Andy,

First, let me say thanks for sharing all of this. We don't often get detailed feedback on these things. Your valuable insights will be used to make later releases better.

With that said I will add a few comments here and there to explain why things are the way they are and help others achieve their goals (which might be different).

Saturday, October 4, 2008, 2:12:47 AM, you wrote:







Hi,

Didn't realize I had been uninstalled for a few months.

I saw that V3 was released, so I gave it a shot. I unzipped the installation files to a new /SNF folder. All files were expanded into the same folder (your zip file had no subfolders!).





The vast majority of SNF installations on Windows systems keep all SNF components in the same folder. So, for the majority of folks SNF is simply decompressed into "its own folder", configured, and launched. This makes things simple and there is no question where to find things.

Along the way we have been asked for the ability to put logs in a different location, get rulebase files from a different location, configuration files, and so forth. We've added those features so that the folks who have reason to move things around can do so.

We decided not to create a presumed directory structure for SNF because the folks who've asked us to provide these features all had their own unique way to divide things and move them. Any structure we created would have been wrong for most folks, so we keep the single folder option as our default since it is what everyone was used to and what most of our customers have been using.

SNF is used on a lot of platforms -- each with their own conventions. Not only that but within each platform administrators and user communities develop their own preferences.

The <paths/> section described next allows folks to manipulate some file locations according to user preferences.








Following the instructions I customized the XML files.

I noticed THESE parameters:

  <node identity='D:/IMail/declude/SNF/identity.xml'>

  <paths>
    <log path='D:/IMail/declude/SNF/Log/'/>
    <rulebase path='D:/IMail/declude/SNF/Rulebase/'/>
    <workspace path='D:/IMail/declude/SNF/Workspace/'/>
  </paths>

I'm a believer in keeping different data in their distinct subfolders, so I set up the /Log, /Rulebase and /Workspace subfolders by hand and updated the XML file.

Then I took a wild guess that SOME files would have to be moved into those subfolders - but there are NO instructions WHAT files go WHERE for things to actually work!





The current documentation is located here:

http://www.armresearch.com/support/articles/software/snfServer/config/node/paths/index.jsp

The general design is such that log files will be written into the log path, the rulebase file will be read from the rulebase path, and the remaining files should reside in the workspace path.

I will add a task to clarify this in our documentation and provide more detail.








I found it annoying that further down in the same XML File was yet another path that was NOT included in the paths node in the top of the XML file:

  <update-script on-off='on' call='D:/IMail/declude/SNF/getRulebase.cmd' guard-time='180'/>





The configuration file is organized by function. The top of the configuration file and in particular the <paths/> section is concerned with describing the architecture of the SNFServer installation.

The <update-script/> feature is a component of the networking section because it is triggered by SNF network operations, so we put its configuration information in that section.

This feature is still evolving -- in its original design it was presumed that the update script would reside in the single SNF directory, or perhaps in the workspace directory -- so only the name of the script would be required in this location. We actually have had quite a few successful installations this way.

However, along the way we've determined that the update script might be located anywhere on the system and that we could not always assume the current workspace for SNFServer indicated the location (or even a relative location) for the update script.

To prevent errors we've taken to coding the full path to the script in this section of the configuration.

Another part of the thinking on this is that the update-script feature is completely optional. In fact many of the larger systems that we service use entirely separate update mechanisms and turn this feature off. It seemed to make more sense to put the script path closer to the network features that trigger it.








Next I had to customize the getRuleBase.cmd - because it too does NOT support the use of the rulebase/workspace paths. Here was yet ANOTHER place where I had to manually configure the same path information again, as well as the license key. Needless to say, I'm not a friend of having redundant path information in several locations as this is an unnecessary source of error.





This is an unfortunate, but necessary 

[sniffer] Re: Sniffer 3.0 Froze Mail Server

2008-10-04 Thread Andy Schmidt
Ouch - 3.0 didn't even last 12 hours. Imail was frozen up because it
apparently couldn't launch any more Sniffer client instances.

Event Log was full with:

Event Type:    Information
Event Source:  Application Popup
Event ID:      26
Description:   Application popup: SNFClient.exe - Application Error : The
application failed to initialize properly (0xc142). Click on OK to
terminate the application.

Had to manually kill a HUGE multiple list of imailsrv.exe's (taskkill /im
imailsrv.exe /f ) and a similar long list of SNFClient.exe's. Normally,
this Imail Server runs unattended for weeks until a Windows security update
requires reboot!

Best Regards,

Andy


From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
Of Andy Schmidt
Sent: Saturday, October 04, 2008 2:13 AM
To: Message Sniffer Community
Subject: [sniffer] Sniffer 3.0 Installed

Hi,

Didn't realize I had been uninstalled for a few months.

I saw that V3 was released, so I gave it a shot. I unzipped the installation
files to a new /SNF folder. All files were expanded into the same folder
(your zip file had no subfolders!).

Following the instructions I customized the XML files.

I noticed THESE parameters:

  <node identity='D:/IMail/declude/SNF/identity.xml'>

  <paths>
    <log path='D:/IMail/declude/SNF/Log/'/>
    <rulebase path='D:/IMail/declude/SNF/Rulebase/'/>
    <workspace path='D:/IMail/declude/SNF/Workspace/'/>
  </paths>

I'm a believer in keeping different data in their distinct subfolders, so I
set up the /Log, /Rulebase and /Workspace subfolders by hand and updated the
XML file.

Then I took a wild guess that SOME files would have to be moved into those
subfolders - but there are NO instructions WHAT files go WHERE for things to
actually work!

I found it annoying that further down in the same XML File was yet another
path that was NOT included in the paths node in the top of the XML file:

  <update-script on-off='on'
  call='D:/IMail/declude/SNF/getRulebase.cmd' guard-time='180'/>

Next I had to customize the getRuleBase.cmd - because it too does NOT
support the use of the rulebase/workspace paths. Here was yet ANOTHER place
where I had to manually configure the same path information again, as well
as the license key. Needless to say, I'm not a friend of having redundant
path information in several locations as this is an unnecessary source of
error.

Through testing I determined that some more files had to be moved to certain
sub folders for things to work:

  UpdateReady.txt - /Workspace
  GBUdbIgnoreList.text - /Workspace
  Your .SNF - /Rulebase

Then I had to further adapt the getRuleBase.cmd because throughout this
procedure, you need to prefix references to the rulebase and the
UpdateReady.* files with the appropriate paths for things to actually work.

At this point, I'm still not clear where the mingwm10.dll, exchndl.dll and
AuthenticationProtocol.swf need to reside! I didn't move them, but I'm not
sure if that creates a problem down the road.

Here are my suggestions:

a)  Snf_engine.xml should have one ApplPath parameter where I can just
define 'D:/IMail/declude/SNF'. Unless I OVERRIDE any of the other paths, it
should know that by default the other paths are all assumed to be
below the ApplPath and no extra parameters are necessary:

  identity.xml
  getRulebase.cmd
  Log/
  Rulebase/
  Workspace/

b)  There should be a simple command line utility (e.g., SNFClient.exe
-Paths) to automatically create Environment Variables for the paths. This
way, this command can just be included at the beginning of the getRuleBase
script and one doesn't have to manually hardcode those same paths into yet
another location.

PS: Here is my corrected version of the getRuleBase CMD file that looks for
the files in the correct subfolders:

@ECHO OFF
SETLOCAL

REM - Edit This Section

SET SNIFFER_PATH=D:\IMail\declude\SNF
SET RULEBASE_PATH=%SNIFFER_PATH%\Rulebase
SET WORKSPACE_PATH=%SNIFFER_PATH%\Workspace
SET AUTHENTICATION=authenticationxx
SET LICENSE_ID=licenseid

REM

CD /d %SNIFFER_PATH%

if not exist %WORKSPACE_PATH%\UpdateReady.txt GOTO DONE

REM The next line may cause trouble if your system stops while this
REM script is running. It is not needed when this script is run
REM from SNF's <update-script/> feature since only one copy will run
REM at a time. However, if you are going to run a version of this
REM script as a scheduled task you will want to uncomment the next
REM line to make sure only one copy runs at a time-- just be sure to
REM clean out any stale .lck files after a restart.

REM if exist %WORKSPACE_PATH%\UpdateReady.lck GOTO DONE

:DOWNLOAD

COPY %WORKSPACE_PATH%\UpdateReady.txt %WORKSPACE_PATH%\UpdateReady.lck
wget

[sniffer] Re: Sniffer 3.0 Installed

2008-10-04 Thread Pete McNeil




Hello Andy,

Saturday, October 4, 2008, 12:28:44 PM, you wrote:







HI Pete,
Thanks for your feedback.
I had to create the UpdateReady.txt file before I was able to test my update script from the command line - but I didn't realize that it would be created in the Workspace folder. Without that information, one cannot adapt the update script to one's needs.
Since the server always creates the UpdateReady file in the Workspace folder and always expects the .SNF file in the Rulebase folder, it's pretty safe to say that anyone using the getRuleBase.cmd would absolutely have to add the Workspace and Rulebase paths - otherwise they can't possibly find the UpdateReady file and the script will just exit OR it will not place the SNF File where the server will find it. Anyone who has their own update mechanism clearly doesn't fall under this discussion at all. My conclusion is that the current getRuleBase.cmd only handles the case when there are no separate directories - but with the changes I made, the getRuleBase.cmd would allow a user to define separate directories at the top of the script (if that's how they configured things) and thus correctly handle a SINGLE as well as separate directories. In my opinion, that is the more correct behavior.





I'm still trying to think of a way to describe this modification so that it makes sense without causing lots of confusion.

Since we're trying to reach a larger audience these days we've created a generalized approach and built an installer that configures SNF, Declude, mxGuard, and MINIMI on IMail, SmarterMail, and even a "generic" (roll your own) configuration.

The installer performs upgrades from the previous version as well.

The idea is that more folks won't have to do any tweaking at all.

Your proposed getRulebase works great for your structure-- and I agree it's a nice idea to have a WORKSPACE_PATH and RULEBASE_PATH variable.. BUT I'm having a hard time figuring out a way to include those and their various options without adding a lot of confusion and complexity...

The existing getRulebase script works perfectly when used with the installer and nobody has to touch it.

My best thinking at the moment is to perhaps do something like this:




REM - Edit This Section -

SET LICENSE_ID=licenseid
SET AUTHENTICATION=authenticationxx
SET SNIFFER_PATH=D:\IMail\declude\SNF

REM Modify the next two lines if you modify SNF's directory structure.

SET RULEBASE_PATH=%SNIFFER_PATH%
SET WORKSPACE_PATH=%SNIFFER_PATH%

REM -





Of course doing that would mean rewriting our installer too (since it needs to modify/generate the getRulebase script).

For the immediate future this discussion is archived and searchable and I will add a task to the web site project to describe some of these getRulebase.cmd scenarios.

How does that sound?

_M

--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.
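Pete's proposed layout variables, worked through as an added example that is not SNF's own getRulebase.cmd: a Python model of the script's control flow in which RULEBASE_PATH and WORKSPACE_PATH default to SNIFFER_PATH, so a single-folder install works untouched and Andy's split layout works once the two variables are set, while a stale .lck guard blocks the run as the script's comments warn. Assumptions not on the page: the wget step is replaced by a constructed placeholder writer (no network), the rulebase file is named <license id>.snf, and the UpdateReady.txt trigger is removed after a successful run.

```python
"""Rulebase-update flow with the SNIFFER/RULEBASE/WORKSPACE path variables.

Added example, not SNF's own getRulebase.cmd: it models the batch script's
control flow (UpdateReady.txt trigger, .lck guard, rulebase written to the
rulebase path) so both directory layouts can be exercised offline.
"""
import shutil
import tempfile
from pathlib import Path


def fetch_rulebase(license_id: str, destination: Path) -> None:
    """Stand-in for the script's wget step (assumption: no network, no real
    URL). Writes a constructed placeholder so the flow can be tested offline."""
    destination.write_bytes(b"CONSTRUCTED-RULEBASE-PLACEHOLDER " + license_id.encode())


def run_update(sniffer_path, rulebase_path=None, workspace_path=None,
               license_id="licenseid"):
    """Mirror of the batch logic. As in the proposed script, RULEBASE_PATH and
    WORKSPACE_PATH default to SNIFFER_PATH, so a single-folder install needs
    no extra settings; a split layout passes its subfolders explicitly.

    Returns one of 'no-update', 'locked', 'downloaded'.
    """
    sniffer = Path(sniffer_path)
    rulebase = Path(rulebase_path) if rulebase_path else sniffer
    workspace = Path(workspace_path) if workspace_path else sniffer

    # SNFServer drops UpdateReady.txt in its workspace; nothing to do without it.
    ready = workspace / "UpdateReady.txt"
    if not ready.exists():
        return "no-update"

    # Guard against a second copy running (the REM'd-out line in the original).
    # A .lck left behind by a crash blocks every later run until cleaned out.
    lock = workspace / "UpdateReady.lck"
    if lock.exists():
        return "locked"

    shutil.copyfile(ready, lock)
    try:
        # Assumption: the live rulebase is named <license id>.snf in RULEBASE_PATH.
        fetch_rulebase(license_id, rulebase / f"{license_id}.snf")
        ready.unlink()   # assumption: consume the trigger once it has been served
    finally:
        lock.unlink()    # assumption: release the guard on success or failure
    return "downloaded"


def demo():
    """Exercise both layouts on a constructed directory tree and report results."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        snf = Path(tmp) / "SNF"
        for sub in ("Log", "Rulebase", "Workspace"):
            (snf / sub).mkdir(parents=True)
        (snf / "Workspace" / "UpdateReady.txt").write_text("ready\n")

        # Andy's failure: with the defaults pointing at the single folder, the
        # trigger sitting in Workspace is never seen and the script just exits.
        results["single_dir_misses_split_layout"] = run_update(snf)

        # Pete's proposal: set the two extra variables and the same flow works.
        results["split_layout"] = run_update(
            snf, rulebase_path=snf / "Rulebase", workspace_path=snf / "Workspace")
        results["rulebase_written"] = (snf / "Rulebase" / "licenseid.snf").exists()
        results["trigger_consumed"] = not (snf / "Workspace" / "UpdateReady.txt").exists()

        # Stale lock after an unclean shutdown: the guard refuses to run.
        (snf / "Workspace" / "UpdateReady.txt").write_text("ready\n")
        (snf / "Workspace" / "UpdateReady.lck").write_text("stale\n")
        results["stale_lock"] = run_update(
            snf, rulebase_path=snf / "Rulebase", workspace_path=snf / "Workspace")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```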






[sniffer] Re: Sniffer 3.0 Installed

2008-10-04 Thread Andy Schmidt
Hi Pete,

 My best thinking at the moment is to perhaps do something like this 

Right, exactly. As long as the parameters are already there to be modified
and the script uses those parameters, then the script is ready to go for any
user (with or without distinct directories).

 Of course doing that would mean rewriting our installer too (Since it
needs to modify/generate the getRulebase script. 

Yes, if you want the installer to handle the subdirectory layout, then it
would have to adapt the additional two lines in the getRulebase script -
which would make it more flexible to deal with different customer scenarios.

Best Regards,
Andy




[sniffer] Re: FW: [sniffer] Re: Sniffer 3.0 Froze Mail Server

2008-10-04 Thread Andy Schmidt
Hi Pete,

Well, I eliminated WeightGate for the time being, just to do my due
diligence.

Also, since there is a fixed-size buffer, I assume actually LOWERING the 3rd
number (the allocation for each non-interactive process) would allow for
MORE parallel processes to run (as long as the value is still large enough
to support each of the applications that rely on it.)

Of course, I assume the heap issue in reality is actually a SECONDARY
problem ( a symptom of too many non-interactive tasks being launched and not
completing). Since the 'heap' space is finite, there is a hard limit as to
how many processes can be in a wait state at the same time. The problem to
focus on is not the known, limited heap, but rather the reason why these
processes  were unable to complete and thus eventually too many processes
being active.

Best Regards,
Andy

From: Pete McNeil [mailto:[EMAIL PROTECTED]
Sent: Saturday, October 04, 2008 10:07 PM
To: Andy Schmidt
Cc: [EMAIL PROTECTED]
Subject: Re: FW: [sniffer] Re: Sniffer 3.0 Froze Mail Server

Hello Andy,

Saturday, October 4, 2008, 9:22:39 PM, you wrote:

Hi Pete,

Here are the log files.

I can't tell you WHEN the problem was triggered. I was off site and was
alerted around noon that the SMTP service had become unresponsive. I assumed
it had crashed, but found it running. Thus I tried restarting the SMTP
service, but after shutting down, it wouldn't allow me to restart. That's
when I started looking a bit more closely.

Once I realized that I had all these SNFclient processes running (I checked
the event log to see if it would give me any clue - but since the errors had
been occurring for a while, my system event log had wrapped around, so I
couldn't tell when it actually started and how long it may have taken
between the actual problem and until the SMTP service became unresponsive.

This Imail server is a PowerEdge 2950, Quad CPU, 3GHz.

2 GB of RAM and normally using about 1.5 GB of virtual RAM and on weekends,
CPU load is usually below 10%.

When this was going on, I didn't pay close attention because I wasn't quite
sure yet what was going on and was trying to figure out how to get out of
it. But, based on the memory use graph, I would guess it had maxed out 4 GB
of virtual RAM, which eventually starved the SMTP service and prevented it
from accepting more connections. As soon as I flushed the command line
programs, the memory curve dropped very sharply by easily half.

Sorry - don't have anything more specific.

I've been watching your telemetry and I don't think the problem was
triggered by an ordinary overload. Your message rate is not high enough to
cause that -- SNFClients will only wait about 30 seconds or so at most if
they are unable to make contact -- even on the busiest systems.

The other thing that strikes me is that you had to kill a lot of
imailsrv.exe instances as well -- this is new and very different.

Once the mystery heap was exhausted I would expect SNFClient instances to
build up in a broken state (0x142) but there is no good reason for
imailsrv instances to build up that I can think of -- except maybe some kind
of list processing event? (IIRC, imailsrv is called to handle list
processing requests through an alias -- it's been a while).

I will check the SNF log to see if I can identify anything useful.

Thanks,

_M

--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.



[sniffer] Re: FW: [sniffer] Re: Sniffer 3.0 Froze Mail Server

2008-10-04 Thread Pete McNeil




Hello Andy,

Saturday, October 4, 2008, 10:21:31 PM, you wrote:







Hi Pete,
Well, I eliminated WeightGate for the time being, just to do my due diligence.
Also, since there is a fixed-size buffer, I assume actually LOWERING the 3rd number (the allocation for each non-interactive process) would allow for MORE parallel processes to run (as long as the value is still large enough to support each of the applications that rely on it.)
Of course, I assume the heap issue in reality is actually a SECONDARY problem (a symptom of too many non-interactive tasks being launched and not completing). Since the heap space is finite, there is a hard limit as to how many processes can be in a wait state at the same time. The problem to focus on is not the known, limited heap, but rather the reason why these processes were unable to complete and thus eventually too many processes being active.





Indeed. Eliminating WeightGate might impact this because it will represent one less process per message.

I just did a search of errors in the SNF logs and didn't find anything unusual.

I was unable to pinpoint the time of the problem -- that will require a harder analysis of the data. Indications are that SNFServer didn't see any significant issues during the period covered by the two logs you sent. When client's talked to it they were served (according to the logs).

You're showing about 40 msg/minute on average.

According to a spot check of log entries SNFServer is finished processing these in an unmeasurable amount of time (0 indicates < 15 ms for both setup, read, scan, and response). Most of the log's performance metrics <p/> indicate s='0' and t='0' -- setup time in ms, and scan time in ms.

On occasion I see some nonzero t values - but nothing unusual (16, 47, 63, etc).

You probably don't need a lot of threads active on your system. If you have provided for a high number then you might consider reducing that number... Processing 1 message per second would exceed your average handily and doesn't take a lot of threads.

If for some reason you were hit with a large number of messages and put them in work in parallel then that might have exhausted the heap.

The new SNF is much more efficient than the old one and so it would have more easily allowed this... Sometimes introducing a more efficient component into a system exposes problems that were hidden by the previous less efficient component -- the less efficient component may have masked the problem by artificially reducing or shaping throughput. When we see this kind of thing we call it a "lens effect" -- the newer component reshapes the dynamics of the system and brings previously unknown problems "into focus".

It's possible the heap problem you experienced was caused by a "lens effect" since the new SNF engine is more efficient and would naturally allow for more messages to be handled concurrently in a burst than the previous version would have allowed.

A theory -- the previous version would naturally be constrained by I/O contention since it would need to create, scan, modify, and remove job control files. This would naturally couple performance to other I/O intensive operations such as writing new messages to the spool etc. The new version does not have any of this overhead and so would allow for an unconstrained ramp-up of new instances -- that might lead to a higher number of concurrent tasks and cause heap exhaustion--- after heap exhaustion is achieved additional tasks build up in a failed and partially initialized state. This typically continues until the failed tasks are manually removed -- since none of them is ever properly initialized none of the tasks can time out, fail, or shut down on their own.

Hope this helps,

_M



--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.






[sniffer] Re: Sniffer Version 3 Install for FreeBSD?

2008-09-29 Thread Pete McNeil




Hello Harry,

Sunday, September 28, 2008, 10:39:42 PM, you wrote:







I have been using Sniffer for several years with Declude and SmarterMail on Windows. I would like to move Sniffer to my IMGate Mail Gateway (Postfix / FreeBSD). Has anyone installed Version 3 of Sniffer on FreeBSD? The *nix download of Sniffer v 3 doesnt contain a FreeBSD pkg and port like most FreeBSD software.





We have just completed work on a new set of control scripts for SNF that cover several packages including FreeBSD.

We have to rework the distribution and documentation a bit before posting. The *nix distributions we have covered now are: RedHat, SUSE, Ubuntu, FreeBSD, and OpenBSD.

I will be happy to send you what we have ready now off list along with some instructions to make sense of it.

If all goes according to plan the new *nix distribution will be posted to our site some time this week.

_M


--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.






[sniffer] Re: Sniffer Version 3 Install for FreeBSD?

2008-09-29 Thread Harry Palmer
Hi Pete,

 

Please do send the new FreeBSD control script and doc at your convenience.

 

Thank you,

Harry




[sniffer] Re: Sniffer Version 3 Install for FreeBSD?

2008-09-29 Thread Pete McNeil




Hello Harry,

Monday, September 29, 2008, 8:11:09 AM, you wrote:







Hi Pete,

Please do send the new FreeBSD control script and doc at your convenience.





Our emails are crossing in the ether.

Before posting the new distribution prototype I created a README-SETUP file to help pull the process together.

If I understand correctly, IMGate uses postfix and postfix allows for more than one filter. The provided filter scripts should get you started.

Best,

_M

--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.






[sniffer] Re: Sniffer Helper App? UPDATE

2008-07-04 Thread Steve Guluk

Hello,
As an update, the developer (Alexander N. Telegin) spent a number of  
hours on my server and seems to have sorted the bugs out in eWall. At  
this time the program is running well and as advertised. It's a nice  
little light gateway client that has some easy to use scripting  
features and can really block a mass of unwanted mail before it even  
gets to the mail server. It ties to the newest Sniffer App quite  
easily also.


Thanks for the alternate suggestions guys and gals.

Regards,


Steve Guluk
SGDesign
(949) 661-9333
ICQ: 7230769











[sniffer] Re: Sniffer Helper App?

2008-07-01 Thread Rob McEwen

Steve Guluk wrote:

snip

Any suggestions on what I should consider to help with spam and also 
use Sniffer.



Steve,

Do you have the ability to add into your current filtering additional 
RBLs and/or URI blacklists? I have some good suggestions there!


Rob McEwen






[sniffer] Re: Sniffer Helper App?

2008-07-01 Thread Steve Guluk

Rob,

If I move away from eWall I will be left with just iMail till I find  
something else (purpose of my email). iMail has URL blacklists. eWall  
has URI Blacklists but I'm still looking for that perfect client to  
put in-front of my mail server (software based). So you probably have  
some good suggestions but I still need to get that program that can  
appreciate them.


Regards,


Steve Guluk
SGDesign
(949) 661-9333
ICQ: 7230769











[sniffer] Re: Sniffer Helper App?

2008-07-01 Thread Rob McEwen

Steve,

What I'm getting is this... the ultimate in low resource spam protection 
is blocking based on the sending IP using a prolific DNSBL like 
zen.spamhaus.org that, like zen, has extreme low FPs. Because the 
message is blocked at the perimeter using just a single lookup on the 
sender's ip. The incoming spams are swatted down very quickly. To extend 
this further, if that DNSBL is locally served via rbldnsd, that is even 
better since the dns lookup times can then go from about 30-60ms to 1ms.


(but Zen doesn't catch everything and spamhaus data feeds are expensive! 
But I have some related suggestions along these lines that may interest 
you and accomplish all of this and more!)


By implementing such a strategy, you might find that your iMail server 
is suddenly able to handle the load. (really... please don't doubt me on 
this... hear me out...)


I'll contact you off-list with more specifics since this is getting very 
off-topic to sniffer... and some of my suggestions are free, and 
<disclaimer>others involve a product I sell</disclaimer>. So I should 
probably stop here and quit before I get further behind!


Rob McEwen






[sniffer] Re: Sniffer Helper App?

2008-07-01 Thread Herb Guenther

Steve;

Declude works well, but any comprehensive set of filters will take some 
horsepower to run.  Declude will do the country filtering I think you 
wanted.


Herb

Steve Guluk wrote:


On Jul 1, 2008, at 12:25 PM, Rob McEwen wrote:


Steve,

Do you have the ability to add into your current filtering additional 
RBLs and/or URI blacklists? I have some good suggestions there!


Rob McEwen


Rob, 



If I move away from eWall I will be left with just iMail till I find 
something else (purpose of my email). iMail has URL blacklists. eWall 
has URI Blacklists but I'm still looking for that perfect client to 
put in-front of my mail server (software based). So you probably have 
some good suggestions but I still need to get that program that 
can appreciate them.



Regards, 




*Steve Guluk*

SGDesign

(949) 661-9333

ICQ: 7230769



--
Herb Guenther
Lanex, LLC
www.lanex.com
(262)789-0966x102 Office
(262)780-0424 Cell (off hours or if out of office)





[sniffer] Re: Sniffer Helper App?

2008-07-01 Thread Rob McEwen




If I move away from eWall I will be left with just iMail till I find 
something else (purpose of my email). iMail has URL blacklists. eWall 
has URI Blacklists but I'm still looking for that perfect client to 
put in-front of my mail server (software based). So you probably have 
some good suggestions but I still need to get that program that 
can appreciate them.


(aside from my other thoughts) here are two free software packages to 
look at:


http://assp.sourceforge.net/

http://www.untangle.com/

Rob McEwen






[sniffer] Re: Sniffer Helper App?

2008-07-01 Thread Rob McEwen

Steve,

If at all possible, I recommend blocking based on unknown user BEFORE 
doing ANY content filtering of the message. But, if you must, it is also 
a good strategy to block based on the sender's IP first. (I'm figuring 
that you might need to do that since you are trying to reduce mail to 
your iMail server and only your iMail server knows which recipient 
addresses are legit and which are dictionary attack spams)


here are the dnsbls I recommend for outright blocking based on the 
sender's IP:


zen.spamhaus.org
bl.spamcop.net
psbl.surriel.com

After RBL checking of the sender's IP, try to NOT do ANY content 
filtering until AFTER spams sent to non-existent users are blocked. This 
probably means that you should probably abandon using EWALL to call 
sniffer and only use EWALL to block based on these RBLs... then send all 
that is left to your iMail server.


You should then see if you can get iMail to call sniffer (even if 
through another app... or another instance of eWall)... so that this 
could be done AFTER the unknown users are eliminated by iMail.


The idea is that the first run EWall.. ONLY checking against RBLs.. but 
not running sniffer or URI lookups or any other content filtering until 
AFTER iMail has eliminated spams sent to unknown users. ...THEN see if 
you can get iMail to call a second instance of eWall (or something 
else) to THEN use sniffer and URI lookups.


Rob McEwen




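The ordering Rob lays out above (reject on the connecting IP with a single DNSBL lookup, then reject recipients the real mail server does not know, and only then spend CPU on content filtering) as an added Python example; it is not code from the thread or from any product named in it. The DNSBL zones are the three Rob lists; the resolver and the content scanner are injected stand-ins so the module runs offline, and every DNS answer and SMTP session in it is constructed. One caveat the code enforces: a DNSBL answer outside the listing range, such as the 127.255.255.x codes Spamhaus returns for query errors, must not be treated as a hit, or a broken resolver becomes a mail outage.

```python
"""Perimeter ordering: cheapest rejections first, content scanning last.

Stage 1 rejects on the connecting IP with one DNS lookup per DNSBL zone,
stage 2 rejects recipients the real mail server does not know, and only
survivors reach stage 3, the content scanner.  Resolver and scanner are
injected so this runs offline; all addresses and answers are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional, Set

# The three zones named in the thread; serve them from a local rbldnsd mirror where you can.
DNSBL_ZONES = ("zen.spamhaus.org", "bl.spamcop.net", "psbl.surriel.com")

# name -> A record as text, or None for NXDOMAIN
Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """192.0.2.10 + zone -> '10.2.0.192.zone' (octets reversed; IPv4 only here)."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv4 only in this example")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def ip_listed(ip: str, resolve: Resolver,
              zones: Iterable[str] = DNSBL_ZONES) -> Optional[str]:
    """Return the first zone that lists the IP, or None.

    A listing is an A record in 127.0.0.0/8.  Spamhaus answers
    127.255.255.252-255 to report query problems (typo, open resolver,
    query volume exceeded); treating those as listings would turn a
    resolver problem into a mail outage, so they are excluded.
    """
    listed = ipaddress.ip_network("127.0.0.0/8")
    errors = ipaddress.ip_network("127.255.255.252/30")
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        if answer is None:
            continue
        a = ipaddress.ip_address(answer)
        if a in listed and a not in errors:
            return zone
    return None


@dataclass(frozen=True)
class Decision:
    stage: str    # "ip", "rcpt" or "content"
    verdict: str  # "reject" or "accept"
    reason: str = ""


def gateway_decision(client_ip: str, rcpt: str, body: str, resolve: Resolver,
                     valid_rcpts: Set[str], scan: Callable[[str], int]) -> Decision:
    """The three stages in the order argued for in the thread."""
    zone = ip_listed(client_ip, resolve)            # stage 1: one lookup per zone, at connect
    if zone:
        return Decision("ip", "reject", f"listed in {zone}")
    if rcpt.lower() not in valid_rcpts:             # stage 2: RCPT TO, before the body arrives
        return Decision("rcpt", "reject", "unknown user")
    code = scan(body)                               # stage 3: content filtering for survivors only
    if code != 0:
        return Decision("content", "reject", f"scanner result {code}")
    return Decision("content", "accept")


def run_sample() -> Dict[str, int]:
    """Constructed sessions; counts how many messages reach the expensive stage."""
    fake_dns = {  # constructed answers, not live DNSBL data
        dnsbl_query_name("192.0.2.10", "zen.spamhaus.org"): "127.0.0.4",        # listed
        dnsbl_query_name("192.0.2.99", "zen.spamhaus.org"): "127.255.255.254",  # error, not a listing
    }
    scans = {"n": 0}

    def scan(body: str) -> int:                     # stand-in for the content scanner
        scans["n"] += 1
        return 1 if "BUY NOW" in body else 0        # any nonzero code means "matched"

    valid = {"alice@example.com", "bob@example.com"}
    sessions = [
        ("192.0.2.10", "alice@example.com", "hello"),    # rejected on IP
        ("192.0.2.20", "nobody@example.com", "hello"),   # unknown user, never scanned
        ("192.0.2.30", "alice@example.com", "BUY NOW"),  # survives to content, rejected there
        ("192.0.2.99", "bob@example.com", "lunch?"),     # DNSBL error answer ignored, accepted
    ]
    tally = {"ip": 0, "rcpt": 0, "content": 0, "accepted": 0}
    for ip, rcpt, body in sessions:
        d = gateway_decision(ip, rcpt, body, fake_dns.get, valid, scan)
        tally["accepted" if d.verdict == "accept" else d.stage] += 1
    tally["scans"] = scans["n"]
    return tally


if __name__ == "__main__":
    print(run_sample())
```

Of the four constructed sessions only two ever reach the scanner, which is the whole saving Rob is describing; the recipient list the gateway needs for stage 2 has to be exported from the server that owns the mailboxes, otherwise the gateway accepts and forwards everything and the unknown-user rejections happen too late to save any work.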



[sniffer] Re: Sniffer Helper App?

2008-07-01 Thread Matt

Steve,

Since this hasn't yet been mentioned, try Alligate (www.alligate.com).  
It does selective greylisting (only greylists things that look spammy), 
and also will validate your users' addresses and do things like country 
blocking/tarpitting/greylisting.  Only one zombie spammer survives 
greylisting, and after you dump all of that plus validate addresses, you 
will reduce your traffic down to a point where it is only 1/3 spam.  If 
you only reject bad addresses and clear abuse (many bad addresses in one 
connection for instance), you can do this with 99.% accuracy.  I'm 
not lying about that either.  The only things that fail selective 
greylisting will be black boxes that don't spool E-mail, and if you give 
a wide retry time, you will likely allow future attempts from a black 
box that happens to get greylisted.


Selective greylisting is far superior to regular greylisting since it is 
rarely triggered against legitimate E-mail.  I dump around 93% of all 
connections to my servers and I don't need to falsely trust a single 
source of data such as SpamCop to achieve those results.  I then leave 
the heavy lifting to a secondary filtering system where the heavy 
lifting is performed.  Alligate requires almost no resources, though you 
should dedicate a box to it so that other things don't step on its feet.


Matt



Steve Guluk wrote:


Hello, 

I run iMail 9.0 and would like a program that can do GeoIP to 
screen foreign countries before they even get to iMail. I used to use 
MXGuard (still have an active license) but my server could not handle 
the CPU draw. I moved to eWall which really has some great potential 
as it is a nice light gateway client that works with Sniffer but it 
also crashes and has a few other problems (this program also 
introduced me to GeoIP).



Any other suggestions as I am beat after trying to get some decent 
spam relief as well as relief from an aging server. My server is an 
AMD 2.0 with RAID and 2 gigs of RAM. It's fared well over the 
last couple years but the spam levels ramping up are starting to take 
their toll and I don't want to move to a new server just yet.



eWall's got me spoiled on the GeoIP feature where it polls a DB for 
country info based on the incoming IP and can delete emails before 
they reach iMail.  



Any suggestions on what I should consider to help with spam and also 
use Sniffer. Is Declude worth while? Some other light gateway like eWall ?



Thanks in advance for any suggestions, 




*Steve Guluk*

SGDesign

(949) 661-9333

ICQ: 7230769


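A generic selective greylister in the spirit of what Matt describes, added here as a Python example; it is not Alligate's code and makes no claim about how Alligate decides what looks spammy. The `looks_spammy` predicate, the IP addresses and the timings are all constructed. Only sessions the predicate flags are greylisted, a retry that lands inside a deliberately wide window is accepted and remembered, and a sender that never retries (the "black box" Matt mentions) is the one that stays out.

```python
"""Selective greylisting with a wide retry window.

Only sessions a 'looks spammy' predicate flags are greylisted; everything
else is accepted at once, so legitimate mail is rarely delayed.  A flagged
triplet gets a temporary failure on first sight, is accepted on a retry that
lands inside the window, and is then remembered.  Senders that never retry
are the ones that stay out; a wide window keeps slow but real retry
schedules from falling with them.  Time is a parameter so this runs
deterministically offline; all addresses and timings are constructed.
"""
import ipaddress
from typing import Callable, Dict, List, Tuple

Triplet = Tuple[str, str, str]
TEMPFAIL = "451 4.7.1 Greylisted, please retry later"
ACCEPT = "250 OK"


class SelectiveGreylist:
    def __init__(self, suspicious: Callable[[str, str, str], bool],
                 min_delay: int = 5 * 60,          # retries faster than this are spamware hammering
                 retry_window: int = 36 * 3600,    # wide: slow legitimate retry schedules still pass
                 remember: int = 36 * 24 * 3600) -> None:
        self.suspicious = suspicious
        self.min_delay, self.retry_window, self.remember = min_delay, retry_window, remember
        self.pending: Dict[Triplet, int] = {}     # triplet -> first-seen time
        self.known: Dict[Triplet, int] = {}       # triplet -> expiry time

    @staticmethod
    def triplet(ip: str, sender: str, rcpt: str) -> Triplet:
        """Key on the /24 so a retry from a sibling address in the same farm still matches."""
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        return (str(net), sender.lower(), rcpt.lower())

    def decide(self, ip: str, sender: str, rcpt: str, now: int) -> str:
        key = self.triplet(ip, sender, rcpt)
        expiry = self.known.get(key)
        if expiry is not None and now < expiry:
            self.known[key] = now + self.remember  # keep active triplets alive
            return ACCEPT
        if not self.suspicious(ip, sender, rcpt):
            return ACCEPT                          # selective: ham-looking sessions skip the delay
        first = self.pending.get(key)
        if first is None or now - first > self.retry_window:
            self.pending[key] = now                # first sight, or window expired: start over
            return TEMPFAIL
        if now - first < self.min_delay:
            return TEMPFAIL                        # too eager; a real MTA waits before retrying
        del self.pending[key]
        self.known[key] = now + self.remember
        return ACCEPT


HAS_RDNS = {"192.0.2.10"}  # constructed: the only client with reverse DNS in the sample


def looks_spammy(ip: str, sender: str, rcpt: str) -> bool:
    """Toy predicate: no reverse DNS, or a null sender.  Real deployments use richer signals."""
    return ip not in HAS_RDNS or sender == ""


def run_sample() -> List[str]:
    g = SelectiveGreylist(looks_spammy)
    t0 = 1_000_000
    return [
        g.decide("192.0.2.10", "ann@example.com", "bob@example.net", t0),          # has rDNS: accept
        g.decide("198.51.100.7", "ann@example.com", "bob@example.net", t0),        # flagged: 451
        g.decide("198.51.100.7", "ann@example.com", "bob@example.net", t0 + 30),   # retry too fast: 451
        g.decide("198.51.100.9", "ann@example.com", "bob@example.net", t0 + 900),  # sibling /24 retry: 250
        g.decide("198.51.100.7", "ann@example.com", "bob@example.net", t0 + 7200), # now remembered: 250
        g.decide("203.0.113.5", "x@example.org", "bob@example.net", t0),           # never retries: stays out
    ]


if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict)
```

The two knobs that matter are `min_delay` (a retry a few seconds later is spamware, not an MTA honouring a 451) and `retry_window` (set it wide, because a legitimate sender with a slow backoff that misses the window starts over and is delayed again).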

[sniffer] Re: Sniffer Helper App?

2008-07-01 Thread Mxuptime.com
I will have to second this. I've moved off Imail to other Windows based
Email servers (MailEnable and Smartermail) and no regrets in the past.

 

If you are looking to block based on countries you can still use the Reverse
DNSBLs that are country specific. However, this will only work well if you
selectively block a few countries because if you have a long list of
countries to block it would add to your overall processing time

 

Cheers

-Matt

 

From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
Of David Moore
Sent: Wednesday, July 02, 2008 7:03 AM
To: Message Sniffer Community
Subject: [sniffer] Re: Sniffer Helper App?

 

I MOVED FROM Imail 8 to SmarterMail 4.3 and then 5.1, best thing I ever did
( the cost of an Imail maintenance contract for Enterprise unlimited users
/ domains). SmarterMail has grey listing built in so 90-95% spam gets killed
at source the other spam is handled out of the box by SpamAssassin. I do
have mXGuard and Sniffer full licences but as yet I haven't had to enable
them. (mainly because I have only just installed SmarterMail v5.1)

 

Regards David Moore

[EMAIL PROTECTED]

 

J.P. MCP, MCSE, MCSE + INTERNET, CNE.

www.adsldirect.com.au for ADSL and Internet www.romtech.com.au for PC sales

 

Office Phone: (+612) 9453 1990

Fax Phone: (+612) 9453 1880

Mobile Phone: +614 18 282 648

Skype Phone: ADSLDIRECT

 

POSTAL ADDRESS:

PO BOX 190

BELROSE NSW 2085

AUSTRALIA.

 


 

From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
Of Steve Guluk
Sent: Wednesday, 2 July 2008 5:18 AM
To: Message Sniffer Community
Subject: [sniffer] Sniffer Helper App?

 

Hello, 

I run iMail 9.0 and would like a program that can do GeoIP to screen foreign
countries before they even get to iMail. I used to use MXGuard (still have
an active license) but my server could not handle the CPU draw. I moved to
eWall which really has some great potential as it is a nice light gateway
client that works with Sniffer but it also crashes and has a few other
problems (this program also introduced me to GeoIP).

 

Any other suggestions as I am beat after trying to get some decent spam
relief as well as relief from an aging server. My server is an AMD 2.0 with
RAID and 2 gigs of RAM. It's fared well over the last couple years
but the spam levels ramping up are starting to take their toll and I don't
want to move to a new server just yet.

 

eWall's got me spoiled on the GeoIP feature where it polls a DB for country
info based on the incoming IP and can delete emails before they reach iMail.


 

Any suggestions on what I should consider to help with spam and also use
Sniffer. Is Declude worth while? Some other light gateway like eWall ?

 

Thanks in advance for any suggestions, 

 

 

Steve Guluk

SGDesign

(949) 661-9333

ICQ: 7230769




[sniffer] Re: Sniffer Win32 command line output

2008-01-10 Thread Pi-Web - Frank Jensen


Make a bat file like this:

--
@echo off
REM Usage: batfilename.bat messagefile-to-test
echo syntax: batfilename.bat messagefile-to-test
SNFClient.exe "%~1"
REM SNFClient returns the Message Sniffer result code as its exit code
echo %errorlevel%
pause
--

If it displays zero, the message is clean.




Hello,

I am evaluating Message Sniffer beta version but I am totally confused.  :-)


If I am in a MSDOS Window and I type:

SNFClient.exe junkmsg.txt

there is a very fast pause and I am returned to the command prompt.

I can go into the log and see this:

<s u='20080110191039' m='junkmsg.txt' s='54' r='9649'>
<m s='54' r='9649' i='383' e='391' f='m'/>
<p s='0' t='0' l='1577' d='39'/>
</s>


So I know everything is working like it should be.


But how do I get the result code for the spam message to output back to 
the command prompt?  If I try to call SNFClient.exe from my C# code, I 
still cannot get a result code returned to me.


I can get a result code if I do this:

SNFClient.exe -test xx.xx.xx.xx


but SNFClient.exe does not return the result code when I am passing a 
filename to be tested.



Can someone point me in the right direction on how to see this result 
code via my C# software code or command prompt box?


Thanks,
Shawn




--
Best regards, Frank Jensen
[EMAIL PROTECTED]
www.pi.dk



Impressive, fascinating and huge
posters, e.g. 149 x 149 = 629 kr
We can also make a poster from your digital photo

www.plakatkunst.dk






[sniffer] Re: Sniffer Win32 command line output

2008-01-10 Thread Pete McNeil




Hello Shawn,

Thursday, January 10, 2008, 2:16:24 PM, you wrote:
Hello,

I am evaluating Message Sniffer beta version but I am totally confused. :-)

<snip/>

But how do I get the result code for the spam message to output back to the command prompt? If I try to call SNFClient.exe from my C# code, I still cannot get a result code returned to me.

I can get a result code if I do this:

SNFClient.exe -test xx.xx.xx.xx


but SNFClient.exe does not return the result code when I am passing a filename to be tested.


Can someone point me in the right direction on how to see this result code via my C# software code or command prompt box?





I'm not sure how C# behaves when it calls an external program and how it handles that program's result code -- I'll do some looking.

However, most programs that call SNFClient do so explicitly to get the result code so I know it works ;-)

One thing that you might try that will improve your performance since you're rolling your own C# code:

Check out the XCI interface. The SNFClient uses it to talk to the SNFServer instance. You should be able to write a quick bit of code to use XCI to talk to SNFServer also.

The basics are (per scan request):

1. Connect to 9001 on localhost via TCP
2. Transmit your request string (XML using the XCI examples as a guide)
3. Read the response string (XML again)
4. Close the connection

Making your own XCI request saves the step of launching yet another program to do it for you.

Hope this helps,

_M




--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.



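Pete's four XCI steps above as an added Python example; this is not code from Arm Research or from SNFClient. The element names in the request and reply (`<snf><xci><scanner><scan .../>` and `<result code='..'/>`) are my reading of the XCI format and are an assumption to check against the XCI examples before relying on them; the stand-in server is constructed so the exchange runs offline. Because XCI carries no authentication, the listener belongs on loopback only, and the client bounds how much it will read from it.

```python
"""Talking XCI to SNFServer directly, one TCP connection per scan.

Steps per request: connect to 9001 on localhost, send the XML request, read
the XML reply, close.  The element names are an assumption about the XCI
format and should be checked against the XCI examples.  A constructed
stand-in server lets the exchange run offline.
"""
import socket
import threading
import xml.etree.ElementTree as ET
from typing import Dict, Optional

XCI_HOST, XCI_PORT = "127.0.0.1", 9001  # the localhost port named in the thread
END_MARK = b"</snf>"                    # assumed: both sides close their document with this


def build_scan_request(path: str, xhdr: bool = True) -> bytes:
    """Assumed request shape: <snf><xci><scanner><scan file='..' xhdr='yes'/></scanner></xci></snf>.
    Built with ElementTree so a path containing quotes cannot break out of the attribute."""
    snf = ET.Element("snf")
    scanner = ET.SubElement(ET.SubElement(snf, "xci"), "scanner")
    ET.SubElement(scanner, "scan", {"file": path, "xhdr": "yes" if xhdr else "no"})
    return ET.tostring(snf)


def parse_scan_response(data: bytes) -> int:
    """Assumed reply shape: ...<result code='NN'>...; the code matches SNFClient's exit code."""
    result = ET.fromstring(data).find(".//result")
    if result is None or result.get("code") is None:
        raise ValueError("XCI reply carried no <result code=...>")
    return int(result.get("code"))


def _read_until(sock: socket.socket, marker: bytes, limit: int = 1 << 20) -> bytes:
    """Read until the closing tag or EOF, bounded so a bad peer cannot exhaust memory."""
    buf = b""
    while marker not in buf and len(buf) < limit:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def xci_scan(path: str, host: str = XCI_HOST, port: int = XCI_PORT, timeout: float = 10.0) -> int:
    with socket.create_connection((host, port), timeout=timeout) as s:  # 1. connect
        s.sendall(build_scan_request(path))                              # 2. send request
        reply = _read_until(s, END_MARK)                                 # 3. read reply
    return parse_scan_response(reply)                                    # 4. closed by 'with'


class FakeXciServer:
    """Constructed stand-in for the SNFServer listener: canned code per file name."""

    def __init__(self, verdicts: Dict[str, int]) -> None:
        self.verdicts = verdicts
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.bind(("127.0.0.1", 0))  # loopback only; XCI has no authentication
        self._sock.listen(5)
        self._sock.settimeout(0.2)
        self._running = False
        self._thread: Optional[threading.Thread] = None

    @property
    def port(self) -> int:
        return self._sock.getsockname()[1]

    def start(self) -> int:
        self._running = True
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()
        return self.port

    def stop(self) -> None:
        self._running = False
        if self._thread is not None:
            self._thread.join()
        self._sock.close()

    def _serve(self) -> None:
        while self._running:
            try:
                conn, _ = self._sock.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(5.0)
                req = _read_until(conn, END_MARK)
                if not req:
                    continue
                scan = ET.fromstring(req).find(".//scan")
                code = self.verdicts.get(scan.get("file", ""), 0) if scan is not None else 0
                conn.sendall(f"<snf><xci><scanner><result code='{code}'/></scanner></xci></snf>".encode())


if __name__ == "__main__":
    server = FakeXciServer({"junkmsg.txt": 54})  # 54 is the code the log excerpt in this thread shows
    p = server.start()
    print("junkmsg.txt ->", xci_scan("junkmsg.txt", port=p))
    server.stop()
```

Replacing `FakeXciServer` with a real SNFServer on 9001 changes nothing in `xci_scan`; what to verify first is the request shape and whether the server closes the connection after replying (this client stops at `</snf>` either way). Note that the request names a file path the server reads, so whatever can reach the port can make the server open any file its account can read; that is the reason to keep it on loopback.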



[sniffer] Re: Sniffer Win32 command line output

2008-01-10 Thread Pete McNeil




Hello Shawn,

Following up a bit...

Most likely you're using a Process object to call the SNFClient.

If I've read the MS docs correctly you will want to get the "exit code" once SNFClient finishes.

http://msdn2.microsoft.com/en-us/library/system.diagnostics.process.exitcode(VS.71).aspx

Hope this helps,

_M








[sniffer] Re: Sniffer Win32 command line output

2008-01-10 Thread Shawn Park
Pete,
That is exactly what I needed.  You rock.


Thanks so much.

Shawn


On Jan 10, 2008 11:56 AM, Pete McNeil [EMAIL PROTECTED] wrote:

  Hello Shawn,


 Following up a bit...


 Most likely you're using a Process object to call the SNFClient.


 If I've read the MS docs correctly you will want to get the exit code
 once SNFClient finishes.



 http://msdn2.microsoft.com/en-us/library/system.diagnostics.process.exitcode(VS.71).aspx


 Hope this helps,


 _M








[sniffer] Re: Sniffer codes

2007-11-09 Thread Colbeck, Andrew
The Ugly value returned by the beta Message Sniffer you're using with
the Good, Bad and Ugly database has a result code of 40, and this code
is missing from your list.
 
(The White value overlaps with result code 0, which internally to
Message Sniffer will mask any other spam result code on your system.
The White return value also indicates did not find a reason to call
this spam, so do not use a return value of zero to reward an email with
negative points in your weighting system... because zero means it wasn't
hammy, it does not mean that it was hammy).
 
(The Bad value replaces the existing return value 63, which is
experimental IP).
 
I suggest you re-read the descriptions for the return values and adjust
your test names for values 60 to 63.
 
The documentation for the return values in the production version of
Message Sniffer is here:
 
http://kb.armresearch.com/index.php?title=Message_Sniffer.TechnicalDetails.ResultCodes
 
And the supplementary documentation for the return values in the beta
version of Message Sniffer is here:
 
http://kb.armresearch.com/index.php?title=Message_Sniffer.TechnicalDetails.GBUdb
 
 
You should find that your total for the test SNIFFER which triggers on
all non-zero values equals the total of all the other non-zero tests
(e.g. the count of return value 40 plus the counts for each of the
return values for values 47 through 63). If not, then there are errors
for the command line or with writing to the Message Sniffer logfile
(return values 65 and 66).
 
Andrew.
 
 




From: Message Sniffer Community [mailto:[EMAIL PROTECTED]
On Behalf Of Serge
Sent: Friday, November 09, 2007 4:49 PM
To: Message Sniffer Community
Subject: [sniffer] Sniffer codes


 
Hi
I have many messages failing Sniffer (0) but not any of the
others,
meaning I'm missing some codes.
Suggestions?
TIA
 
 
SNIFFER  external nonzero E:\snfsrv\snfClient.exe 0 0
SNIFWHTLST external 000 E:\snfsrv\snfClient.exe 0 0
SNIFFER-TRAVEL  external 047 E:\snfsrv\snfClient.exe 12 0
SNIFFER-INSUR  external 048 E:\snfsrv\snfClient.exe 15 0
SNIFFER-AVPUSH  external 049 E:\snfsrv\snfClient.exe 12 0
SNIFFER-WAREZ  external 050 E:\snfsrv\snfClient.exe 15 0
SNIFFER-SPMWRE  external 051 E:\snfsrv\snfClient.exe 15 0
SNIFFER-SNAKEO  external 052 E:\snfsrv\snfClient.exe 15 0
SNIFFER-SCAMS   external 053 E:\snfsrv\snfClient.exe 15 0
SNIFFER-PORN   external 054 E:\snfsrv\snfClient.exe 17 0
SNIFFER-MALWARE external 055 E:\snfsrv\snfClient.exe 17 0
SNIFFER-Toner  external 056 E:\snfsrv\snfClient.exe 15 0
SNIFFER-SCHEMES external 057 E:\snfsrv\snfClient.exe 15 0
SNIFFER-CREDIT  external 058 E:\snfsrv\snfClient.exe 15 0
SNIFFER-GAMBL external 059 E:\snfsrv\snfClient.exe 15 0
SNIFFER-GREYM external 060 E:\snfsrv\snfClient.exe 14 0
SNIFFER-OBFUS external 061 E:\snfsrv\snfClient.exe 17 0
SNIFFER-SPAM   external 062 E:\snfsrv\snfClient.exe 12 0
SNIFFER-GENERAL external 063 E:\snfsrv\snfClient.exe 17 0

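Andrew's reconciliation check as an added Python example, not code from the thread or from Declude: parse Serge's external-test lines, then compare how often the catch-all non-zero SNIFFER test would fire with the sum of the per-code tests over a set of exit-code counts. The test lines are the ones Serge posted; the counts are constructed. Any code that appears in the results but has no test bound to it (here 40, plus error code 65) shows up as the gap, and a code-0 test carrying weight is flagged because 0 also means "no result".

```python
"""Reconcile Declude external tests against the exit codes Sniffer returns.

The catch-all SNIFFER test (any non-zero exit code) should fire exactly as
often as all the per-code tests combined.  A gap means a code is coming back
that no test is bound to, or that the error codes are being counted as hits.
The test lines are the ones posted in the thread; the exit-code counts are
constructed for this example.
"""
from collections import Counter
from typing import Dict, NamedTuple, Optional

ERROR_CODES = {65, 66}  # command-line / log-file errors, not spam categories

DECLUDE_TESTS = r"""
SNIFFER  external nonzero E:\snfsrv\snfClient.exe 0 0
SNIFWHTLST external 000 E:\snfsrv\snfClient.exe 0 0
SNIFFER-TRAVEL  external 047 E:\snfsrv\snfClient.exe 12 0
SNIFFER-INSUR  external 048 E:\snfsrv\snfClient.exe 15 0
SNIFFER-AVPUSH  external 049 E:\snfsrv\snfClient.exe 12 0
SNIFFER-WAREZ  external 050 E:\snfsrv\snfClient.exe 15 0
SNIFFER-SPMWRE  external 051 E:\snfsrv\snfClient.exe 15 0
SNIFFER-SNAKEO  external 052 E:\snfsrv\snfClient.exe 15 0
SNIFFER-SCAMS   external 053 E:\snfsrv\snfClient.exe 15 0
SNIFFER-PORN   external 054 E:\snfsrv\snfClient.exe 17 0
SNIFFER-MALWARE external 055 E:\snfsrv\snfClient.exe 17 0
SNIFFER-Toner  external 056 E:\snfsrv\snfClient.exe 15 0
SNIFFER-SCHEMES external 057 E:\snfsrv\snfClient.exe 15 0
SNIFFER-CREDIT  external 058 E:\snfsrv\snfClient.exe 15 0
SNIFFER-GAMBL external 059 E:\snfsrv\snfClient.exe 15 0
SNIFFER-GREYM external 060 E:\snfsrv\snfClient.exe 14 0
SNIFFER-OBFUS external 061 E:\snfsrv\snfClient.exe 17 0
SNIFFER-SPAM   external 062 E:\snfsrv\snfClient.exe 12 0
SNIFFER-GENERAL external 063 E:\snfsrv\snfClient.exe 17 0
"""

# Constructed exit-code counts for one day; 0 is "no result" (WHITE shares that code).
SAMPLE_COUNTS = Counter({0: 800, 40: 35, 54: 12, 62: 20, 63: 5, 65: 1})


class ExternalTest(NamedTuple):
    name: str
    code: Optional[int]  # None stands for the 'nonzero' keyword
    weight: int


def parse_tests(text: str) -> Dict[str, ExternalTest]:
    """NAME external CODE|nonzero PROGRAM WEIGHT 0 -> ExternalTest."""
    tests: Dict[str, ExternalTest] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[1].lower() != "external":
            continue
        spec = parts[2].lower()
        code = None if spec == "nonzero" else int(spec)  # int('047') == 47
        tests[parts[0]] = ExternalTest(parts[0], code, int(parts[4]))
    return tests


def reconcile(tests: Dict[str, ExternalTest], observed: Counter) -> dict:
    """Compare the catch-all total with the per-code total and name the gap."""
    bound = {t.code for t in tests.values() if t.code not in (None, 0)}
    nonzero_total = sum(n for c, n in observed.items() if c != 0)
    per_code_total = sum(n for c, n in observed.items() if c in bound)
    unbound = sorted(c for c in observed if c != 0 and c not in bound)
    # A code-0 test carrying weight rewards "no result" as if it were a whitelist hit.
    weighted_zero = [t.name for t in tests.values() if t.code == 0 and t.weight != 0]
    return {
        "nonzero_total": nonzero_total,
        "per_code_total": per_code_total,
        "gap": nonzero_total - per_code_total,
        "unbound_codes": unbound,
        "error_hits": sum(observed[c] for c in ERROR_CODES),
        "weighted_zero_tests": weighted_zero,
    }


def run_sample() -> dict:
    return reconcile(parse_tests(DECLUDE_TESTS), SAMPLE_COUNTS)


if __name__ == "__main__":
    for k, v in run_sample().items():
        print(f"{k}: {v}")
```

The exit-code counts would normally come from the Message Sniffer log rather than be typed in; the check itself is what matters: when `gap` is non-zero, `unbound_codes` names the codes to add tests for, and `error_hits` separates real scanner failures from spam categories so they are not weighted as spam.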



[sniffer] Re: Sniffer as passthrough filter

2007-03-15 Thread Jay Sudowski - Handy Networks LLC
Just to add: whatever you do in regards to this, make sure that you do
recipient address validation at your gateway.  If you do not, your mail
server will relay all messages for the gateway'd domain to the
destination server, which has the effective impact of enabling a
catch-all account on a domain and then forwarding all the mail to a
remote system.

-Jay 

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On
Behalf Of John T (lists)
Sent: Thursday, March 08, 2007 11:44 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Sniffer as passthrough filter


Yes, it is called email gateway service and many of us do that and it is
fairly straightforward to setup but there are a number of steps.

John T

 -Original Message-
 From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On
Behalf
 Of K Mitchell
 Sent: Thursday, March 08, 2007 6:16 PM
 To: Message Sniffer Community
 Subject: [sniffer] Sniffer as passthrough filter
 
   I've been running Message Sniffer here with IMail and mxGuard for a
 number of the domains we service. I have another customer that runs
their
 own Exchange server, and wishes to continue doing so, but inquired as
to
 the possibility of us doing pass-through filtering for them. Is this
 possible with the setup I have?
 
 Thanks,
 
 --
 Kirk Mitchell-General Manager[EMAIL PROTECTED]
 Keystone Connect Unlock Your World
 Altoona, PA  814-941-5000   http://www.keyconn.net
 
 






[sniffer] Re: Sniffer as passthrough filter

2007-03-08 Thread John T (lists)
Yes, it is called email gateway service and many of us do that and it is
fairly straightforward to setup but there are a number of steps.

John T

 -Original Message-
 From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
 Of K Mitchell
 Sent: Thursday, March 08, 2007 6:16 PM
 To: Message Sniffer Community
 Subject: [sniffer] Sniffer as passthrough filter
 
   I've been running Message Sniffer here with IMail and mxGuard for a
 number of the domains we service. I have another customer that runs their
 own Exchange server, and wishes to continue doing so, but inquired as to
 the possibility of us doing pass-through filtering for them. Is this
 possible with the setup I have?
 
 Thanks,
 
 --
 Kirk Mitchell-General Manager[EMAIL PROTECTED]
 Keystone Connect Unlock Your World
 Altoona, PA  814-941-5000   http://www.keyconn.net
 
 






[sniffer] Re: Sniffer White List

2006-12-12 Thread Colbeck, Andrew
Serge, what return value are you using for this snifferwhitelist?

The official and current list of return codes is here:

http://kb.armresearch.com/index.php?title=Message_Sniffer.TechnicalDetails.ResultCodes

If you're using 0, then don't do that, because zero is also used for
no result.  According to this page, it would only be useful if you
were checking the log file and also see WHITE in the row.

Andrew 8)
 

 -Original Message-
 From: Message Sniffer Community 
 [mailto:[EMAIL PROTECTED] On Behalf Of Serge
 Sent: Tuesday, December 12, 2006 11:22 AM
 To: Message Sniffer Community
 Subject: [sniffer] Sniffer White List
 
 We started using tests for the different sniffer categories 
 recently and are finding that snifferwhitelist is very 
 inaccurate; it is subtracting weight from more real spam 
 than it does from non-spam messages. Should we just drop it? 
 What are you guys doing about this?
 TIA 
 
 
 
 
 
 





[sniffer] Re: Sniffer White List

2006-12-12 Thread Serge
I'm using 000, isn't that right?
Not sure how we can check logs when we call sniffer from Declude.
Pete, why keep the confusion? Why not have a different code than 0 or 000?
Something like -1, or 100.

- Original Message - 
From: Colbeck, Andrew [EMAIL PROTECTED]
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Tuesday, December 12, 2006 7:49 PM
Subject: [sniffer] Re: Sniffer White List


Serge, what return value are you using for this snifferwhitelist?

The official and current list of return codes is here:

http://kb.armresearch.com/index.php?title=Message_Sniffer.TechnicalDetails.ResultCodes

If you're using 0, then don't do that, because zero is also used for
no result.  According to this page, it would only be useful if you
were checking the log file and also see WHITE in the row.

Andrew 8)


 -Original Message-
 From: Message Sniffer Community
 [mailto:[EMAIL PROTECTED] On Behalf Of Serge
 Sent: Tuesday, December 12, 2006 11:22 AM
 To: Message Sniffer Community
 Subject: [sniffer] Sniffer White List

 We started using tests for the different sniffer categories
 recently and are finding that snifferwhitelist is very
 inaccurate; it is subtracting weight from more real spam
 than it does from non-spam messages. Should we just drop it?
 What are you guys doing about this?
 TIA















[sniffer] Re: Sniffer White List

2006-12-12 Thread Serge
posted this before getting   pete's post
please disregard

- Original Message - 
From: Serge [EMAIL PROTECTED]
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Tuesday, December 12, 2006 8:11 PM
Subject: [sniffer] Re: Sniffer White List


 I'm using 000, isn't that right?
 Not sure how we can check logs when we call sniffer from Declude.
 Pete, why keep the confusion? Why not have a different code than 0 or 000?
 Something like -1, or 100.

 - Original Message - 
 From: Colbeck, Andrew [EMAIL PROTECTED]
 To: Message Sniffer Community sniffer@sortmonster.com
 Sent: Tuesday, December 12, 2006 7:49 PM
 Subject: [sniffer] Re: Sniffer White List


 Serge, what return value are you using for this snifferwhitelist?

 The official and current list of return codes is here:

 http://kb.armresearch.com/index.php?title=Message_Sniffer.TechnicalDetails.ResultCodes

 If you're using 0, then don't do that, because zero is also used for
 no result.  According to this page, it would only be useful if you
 were checking the log file and also see WHITE in the row.

 Andrew 8)


  -Original Message-
  From: Message Sniffer Community
  [mailto:[EMAIL PROTECTED] On Behalf Of Serge
  Sent: Tuesday, December 12, 2006 11:22 AM
  To: Message Sniffer Community
  Subject: [sniffer] Sniffer White List
 
  We started using tests for the different sniffer categories
  recently and are finding that snifferwhitelist is very
  inaccurate; it is subtracting weight from more real spam
  than it does from non-spam messages. Should we just drop it?
  What are you guys doing about this?
  TIA
 
 
 
 
 
 














[sniffer] Re: [sniffer]Re[2]: [sniffer]WeightGate source, just in case...

2006-06-08 Thread Pete McNeil
Hello Pete,

Thursday, June 8, 2006, 9:41:55 AM, you wrote:


 It does look a little weird. Sometimes it's normal though. I'll see if
 I can identify anything odd in the settings.

 _M

 I've changed the settings. I hope this response works ok.

 _M

Testing. Sorry for the extra traffic - only way to debug it.

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer] Re: [sniffer]Re[2]: [sniffer]WeightGate source, just in case...

2006-06-08 Thread Pete McNeil
Hello Pete,

Thursday, June 8, 2006, 9:42:42 AM, you wrote:

 Hello Pete,

 Thursday, June 8, 2006, 9:41:55 AM, you wrote:


 It does look a little weird. Sometimes it's normal though. I'll see if
 I can identify anything odd in the settings.

 _M

 I've changed the settings. I hope this response works ok.

 _M

 Testing. Sorry for the extra traffic - only way to debug it.

 _M

This seems to be working ok, Thanks for your patience.

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer] Re: [sniffer][Fwd: Re: [sniffer]FP suggestions]

2006-06-08 Thread Darin Cox
Thunderbird and Netscape just takes the full original source and
attaches it as a message/rfc822 attachment.  I forwarded this message
back to the list by just pressing Forward.

Interesting that they include the headers with a simple forward, without
specifying forward as attachment.  I haven't ever seen that behaviour before
in a mail client.  Seems like a few forwards would create a very bloated
message with all of the old headers.

I'm pretty sure that
Outlook Express works simply by just pressing Forward As Attachment, or
at least it gives me enough of the original, including the full headers,
to determine how to block the spam.

Yes it does.  However you've missed the point.  The issue is not how to get
the headers.  It is how to keep an email client from encoding the message
and headers differently, so that Sniffer can properly identify the rule that
caught the message.

Please excuse me for wanting more detail about the Outlook attachment
trick, but would you mind attaching this message to a response so that I
could look at the headers and such?

Sorry, I don't use Outlook.  But I can tell you the steps to take in Outlook
2003 (other versions are almost exactly the same).  I have my Outlook users
follow these with no problem.

1. Create a new email message
2. Click the arrow beside the paperclip icon, select item instead of file
from the dropdown
3. Browse mailboxes from the popup dialog to select the message to attach.
4. Voila, original message and headers attached.

There was a discussion about Outlook's behavior with Scott some time
ago.  Apparently Microsoft was pressured by customers to remove headers
when forwarding because they felt that they were a security/privacy
risk.  No one told them that Outlook was a security/privacy risk on its
own :)  ...but that's another story.  I would probably feel different if
I had the need for groupware though, but digs at Microsoft are
irresistible sometimes.

I don't remember that discussion, and am not sure we're talking about the
same thing.  If you attach the original message via the steps above, you get
the full original message, headers and body.  We have a number of customers
who send spam reports this way, mostly on Outlook 2002 and 2003.

Darin






[sniffer] Re: [sniffer][Fwd: Re: [sniffer]FP suggestions]

2006-06-08 Thread Matt




Darin,

Thunderbird allows you to choose the default forwarding method as
either inline or as attachment. It might actually default to inline, I
can't remember, but whenever it does message/rfc822 attachments, it is
as a whole unlike some other clients that edit it down to the bare
minimum of what they consider to be useful like addressing, subject, date
and MIME stuff if appropriate. I'm definitely guilty of being a
Netscape diehard, and I'm very happy that the Mozilla project brought
things back to life again.

I fully understand the attachment trick with Outlook thanks to the
confirmations. This will be easier than having people cut and paste
the headers in. This doesn't happen much, but there is nothing worse
than getting a spam report without header info.

I also understand the encoding issues with forwarding in Outlook/OE.
It's a shame that this happens. Maybe having a copy of Thunderbird
around for this purpose might fit in where this is an issue. Sounds
like adding Sniffer headers would be the best solution for this issue
on a wider basis since you definitely can't convince every admin not to
submit using Outlook/OE.

Soon I'm going to code up my Sniffer FP reports to be automatically
triggered when a message is reprocessed from my spam review system, so
I won't have to even bother with the source any more. That should only
take a couple of hours, and it would be time well spent. I always fix
issues and whitelist locally where appropriate, but I also report to
Sniffer for the benefit of all in addition to making sure that a FP
rule will not tag something outside of the scope of what I whitelisted,
and I have to report in order to be able to see what the content of the
rule was. Customers do most of the reprocessing now, I just do the
back end stuff.

Matt



[sniffer] Re: [sniffer][Fwd: Re: [sniffer]FP suggestions]

2006-06-08 Thread Pete McNeil
Hello Andrew,

Thursday, June 8, 2006, 11:32:47 AM, you wrote:

 Ditto.

 I advise people to use Insert, Item.  Far easier than explaining how to
 drag and drop (or tie shoelaces).

It might be nice to have a SnagIt of that process to share w/ users.

 I've noticed that whether the headers survive when they are sent to
 another Exchange+Outlook company are a crap shoot.

 Generally speaking, if the message is handled by Outlook, it's not the
 same message anymore. For example, a BASE64 encoded message becomes
 plain text, and attached graphics don't show up at all in the View
 Source version.

I just had an interesting FP case like this. By the time the match
record got to me along with what was supposed to be the original
message, there were at least 9K bytes missing - including the bytes
that presumably contained the rule match.

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer] Re: [sniffer]Re[2]: [sniffer]WeightGate source, just in case...

2006-06-08 Thread Matt




Pete,

My understanding was that Declude treats different arguments to an
executable as just being other forms of that executable so it only
processes it once. I'm not positive one way or another. It's worth
testing though.

Matt



Pete McNeil wrote:

Hello Matt,

Wednesday, June 7, 2006, 11:52:56 PM, you wrote:

 Pete,

 Just two more cents for the masses...

 If people use this for two different external tests in Declude, they
 need to create two differently named executables because Declude will
 assume the calling executable to be part of the same test and only run
 it once (or possibly create an error depending on one's configuration).
 This may not be necessary if you have different test types defined, i.e.
 nonzero, weight, external, and bitmask, but better safe than sorry.

I think this might not be correct. IIRC, the design spec for that
feature was that if the command line was different in the test then it
would be executed again and if the command line was identical it would
not.

This was to allow for calling the same program with different
parameters.

I'm pretty sure that's how it works --- it might be worth a few tests
if you're sure it's not that way, but I strongly suspect that if one
of the parameters are different in the test line (inside the quotes)
then it will be executed again as a different test.

 Also, I noted that the Subjects on this list are being repeated.  I saw
 that you changed to a new server, but I also noted that there is no
 space after "[sniffer]" in the Subject and thought that maybe this is
 what is throwing things off.  Maybe adding that space will correct the
 issue???

It does look a little weird. Sometimes it's normal though. I'll see if
I can identify anything odd in the settings.

_M





Re: [sniffer]FP suggestions

2006-06-07 Thread Darin Cox



The one issue with this I have is

1) Forward full original source to Sniffer with license code.

If we could do it without the license code, it would be much easier to
automate on our end. I already have a process in place to copy and
reroute false positives by rewriting the Q file. I'm hesitant to alter
the message itself to add the license code. If we could authenticate the
FP report via some other means it would help greatly. How about
connecting IP instead?

Darin.


- Original Message - 
From: Matt
To: Message Sniffer Community
Sent: Wednesday, June 07, 2006 12:59 AM
Subject: Re: [sniffer]FP suggestions

Pete,

Regarding suggestions for easing the reporting process, I would recommend
the following possible modifications:

1) An E-mail submission tool similar to the one now, but replies would be
   automated
2) Send back links or rather an HTML form with checkboxes in an E-mail
   auto-response allowing one to block rules.
3) Make blocked rules automatic for the submitter, but throw them into a
   queue for manual review by Sniffer folk in order to determine whether
   the blocks should become applied to all rulebases.
4) Have automatic triggers that lower rule strengths based on users
   blocking rules regardless of direct Sniffer action.

The gist of this is to make it more point and click. The fact that you
need full source is cumbersome, so the above recommendations seek ways to
make the process easier for both the customer and for Sniffer while
dealing with the need to send the full source. No direct customer
interaction would be necessary in most cases, and you would have a queue
full of items to review and make a determination about that customers
have preened for you. To the customer, the process would look like the
following:

1) Forward full original source to Sniffer with license code.
2) Seconds later there would be an automated reply received in HTML
   format with a check box for every rule failed (or note that no active
   rules were found), a text box for optional comments, and submit button.
3) Customer checks the boxes for the rules he wants to block, adds notes
   in a text field if they feel like it, and they press submit.

End of story. You could also add a Web interface for this if you wanted
to, but E-mail seems the most appropriate for most.

I don't think it would be beneficial to rehash a lot of things involving
how FP's occur, at least on this list. I know from my system where my
customers have single-click reprocessing capability, that they miss about
97% of all FP's either because they don't bother to do review, or they
don't bother to reprocess anything but personal E-mail that may get
blocked. I would imagine that Sniffer sees a similar rate of customer
reported FP's due in part to the difficulty, and in part for the same
reasons that relate to my own users.

The three biggest sources of false positives are obscure foreign
domains/IP's, rules generated from bulk mailings that are too broadly
targeted, and things reported to Sniffer that are advertising, but not
spam. All three of these things are difficult and time consuming to deal
with, particularly the last two.

Here's some stats for Sniffer FP's on my system going back about 15
months:

SNIFFER-GENERAL        283
SNIFFER-EXPERIMENTAL   167 * Excluded 79 FP's from bad rule event on
                             1/17 - 1/18/2006
SNIFFER-IP              61
SNIFFER-PHISHING        52
SNIFFER-GETRICH         29 * Excluded 115 FP's from bad rule event on
                             4/18 - 4/19/2006
SNIFFER-PHARMACY        25
SNIFFER-PORN            24
SNIFFER-TRAVEL          13
SNIFFER-INSURANCE        7
SNIFFER-OBFUSCATION      6
SNIFFER-DEBT             6
SNIFFER-MALWARE          4
SNIFFER-AVSOFT           3
SNIFFER-CASINO           2
SNIFFER-INK              1
SNIFFER-MEDIA            1
SNIFFER-SPAMWARE         0

It is quite notable how high the FP's are with SNIFFER-GENERAL which is
where most bulk-mailers and customer reported spam rules are tagged. This
is also what my numbers show even though my customers are much less
likely to reprocess bulk mail, and of course they only reprocess a small
fraction of my overall FP's. This is almost all customer reported stuff.
I score SNIFFER-GENERAL at 53% of my Hold weight.

SNIFFER-IP is another standout. I only score SNIFFER-IP at 38% of my Hold
weight and it hits less than 2% of all Sniffer hits, yet it scored
comparably high so that is worth noting. The FP rate on SNIFFER-IP hasn't
really changed since you made adjustments.

SNIFFER-EXPERIMENTAL is a top category that caught a lot of zombie spam
which is important to many systems, but it did seem to have a high FP
rate.

SNIFFER-PHISHING was worse for me until around January or February. It
seemed to have a lot of FP's on security related newsletters and chain
letters. I have mixed feelings about those things. Maybe more efforts on
white rules would help with that stuff, and I'm not totally sure if it is
appropriate to block chain letters even though I detest this stuff
myself.

Most FP's do

Re: [sniffer]Re[2]: [sniffer]FP suggestions

2006-06-07 Thread Darin Cox
Hi Pete,

Can I interpret this as email address and matching source IP are sufficient
if the correct email address is used to submit?

If not, do you have any suggestions on how you would like to see us
inserting the license ID in the D file?

Darin.


- Original Message - 
From: Pete McNeil [EMAIL PROTECTED]
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Wednesday, June 07, 2006 8:25 AM
Subject: [sniffer]Re[2]: [sniffer]FP suggestions


Hello Darin,

Wednesday, June 7, 2006, 7:31:29 AM, you wrote:



 The one issue with this I have is



 1) Forward full  original source to Sniffer with license code.

 If we could do it without the license code, it  would be much
 easier to automate on our end. I already have a process in  place
 to copy and reroute false positives by rewriting the Q file. I'm
 hesitant to alter the message itself to add the license code. If we
 could  authenticate the FP report via some other means it would help
 greatly. How  about connecting IP instead?

At the moment that is how it's done: a combination of email address
and source IP are matched with the license ID.

The reason we ask for the license ID is because folks submitting false
positives occasionally forget that we authenticate on their registered
email address and use some other address.

-- The rule is that if the system can't match the email address it
should/may drop the message rather than evaluating it. We get a lot of
spam and attempts to game the system at our false@ address... so when
it's heavy we do drop messages that can't be properly identified.

However, in an effort to provide the best service possible, if the
license ID is present and we have the time we will look to see if it
could be a legit FP submission by researching the source and domain -
and if we think it is likely to be legitimate we will process the FP
and respond with an additional code reminding the submitter that they
must use their registered email address or an authorized alias.

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





Re: [sniffer]Re[2]: [sniffer]FP suggestions

2006-06-07 Thread Matt




Pete,

An X-Header would be very, very nice to have. I understand the issues
related to waiting to see if something comes through, and because of
that, I would maybe suggest moving on your own.

Sniffer doesn't need to be run on every single message in a Declude
system. Through weight based skipping, many administrators (especially
the ones that could make the most use of this) could skip processing
Sniffer once a certain weight is reached, and in turn that would save
enough load that it should easily make up for needing to re-write the
message to the disk with the modified headers. On external tests that
allow for weight skipping on my system, I was skipping around 50% of
messages before lightening the load with pre-scanning.

Sniffer could do weight skipping with Declude by accepting the %WEIGHT%
variable in the command line.

SNIFFER-IP  external 063 "C:\IMail\Declude\Sniffer\customer-code.exe license-code WH=26 WL=-5 CW=%WEIGHT%" 5 0
...etc.

The WH setting says don't run if equal to or greater than, the WL says
don't run if equal to or less than, and the CW passes in the weight
from Declude at the time of calling Sniffer. It still launches
Sniffer, but it could be stopped immediately before any heavy lifting
is done.

The best solution of course would be for Declude to allow for
weight-based skipping in the config without calling the executable, but
I started asking about that back in the Scott days and I am not holding
out hope for that happening soon considering. The most realistic
option would seem to then have Sniffer do the heavy lifting of
rewriting itself, and save some CPU and disk I/O by improving
efficiencies with something as simple as weight-based skipping. I'm
pretty sure the net result would be less CPU and disk I/O overall if
both were done.

Another alternative may be to create a separate executable (with
weight-based skipping) that would only deal with adding headers from
the text file that Sniffer drops in the directory. There would be less
benefit overall to keeping this all in one app, but it would target the
primary need. This could easily be written by one of us in _vbscript_ as
a proof of concept. I have considered doing this before, but it isn't
at the top of my priorities.

BTW, you could maybe even encode links in the headers for FP reporting
through a Web interface, completely removing the forwarding mechanism
from the mix, though you wouldn't have the opportunity to see the
messages which may not be good as a whole.

Matt





Pete McNeil wrote:

Hello Scott,

Wednesday, June 7, 2006, 10:08:58 AM, you wrote:

 For me the pain of false positives submissions is the research
 that happens when I get a "no rule found" return.

 I then need to find the queue-id of the original message and then
 find the appropriate Sniffer log and pull out the log lines from
 there and then submit it. Almost always in these cases, a rule is removed.

 If this process could be improved that would really be a time saver.

This depends on the email system you are using. On some systems
(MDaemon, and postfix, for example) X- headers from SNF can be emitted
into the message. When we see these we can identify the rules directly
without asking for the extra research.

It would be nice if Declude would offer a mechanism to pick up the
optional .xhdr file SNF can generate and include it in the X headers
that it already adds to the message.

I know this begs the question, why not have SNF add the headers for
SmarterMail and IMail platforms, and the reason is that it would
require writing an additional copy of the message to disk. Since these
systems tend to be io bound already (Declude/IMail anyhow) the
performance penalty would be prohibitive. If Declude picks up .xhdr
from SNF directly then it can be included in the ONE rewrite Declude
makes anyway.

I've asked them about this and other improved integration
opportunities for a while now (many months), and I get favorable
responses, but no action so far. I guess we will see :-)

_M





Re: [sniffer]FP suggestions

2006-06-07 Thread Darin Cox



Oh, I assumed the rule had been removed. Are you saying there was a rule
in place, but the FP processing somehow failed to find it? If so, I'd say
that is a major failing on the part of the FP processing.

There's no way that we can find time to go through the Sniffer logs after
this bounces back with "no rule found". This would have to be automated to
have any chance of occurring, but again I would say the FP processing
needs to be corrected to identify the rule the message failed since the
complete message, headers and body, are included in the report.

Darin.


- Original Message - 
From: Scott Fisher
To: Message Sniffer Community
Sent: Wednesday, June 07, 2006 10:08 AM
Subject: Re: [sniffer]FP suggestions

For me the pain of false positives submissions is the research that
happens when I get a "no rule found" return.

I then need to find the queue-id of the original message and then find
the appropriate Sniffer log and pull out the log lines from there and
then submit it. Almost always in these cases, a rule is removed.

If this process could be improved that would really be a time saver.


Re: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]FP suggestions

2006-06-07 Thread Colbeck, Andrew



(sniff) Aw, cut it out, Matt.

You're making me all weepy.

p.s. Pete, that's pretty darned amazing!


From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Wednesday, June 07, 2006 3:58 PM
To: Message Sniffer Community
Subject: Re: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]FP suggestions

Pete,

I think that you just broke Scott's record with his two hour feature
request with your own two hour program :)

Anyone remember those days???

Thanks,

Matt

Pete McNeil wrote:

Hello Matt,

Wednesday, June 7, 2006, 4:22:05 PM, you wrote:

 Pete,

 Since the %WEIGHT% variable is added by Declude, it might make
 sense to have a qualifier instead of making the values space
 delimited.

I don't want to mix delimiters... everything so far is using spaces,
so it makes sense to continue that way IMO.

  
 Errors in Declude could cause values to not be inserted,
and not everyone will want to skip at a low weight. I haven't seen
any bugs with %WEIGHT% since shortly after it was introduced, but
you never know. I have seen some issues with other Declude inserted variables though.

Well, errors are always a possibility, but in this case it _should_ be
reasonably safe. For example, if this is used to gate SNF, then a
missing %WEIGHT% would result in trying to launch a program with the
same name as the authentication string, and it is highly unlikely that
would be found, so the result would be the "program not found" error
code. That's not perfect because it's a nonzero result, but it is safe
in that it is not likely to launch another program.

  
 One other thing that I came across with the way that Declude calls
external apps...you can't delimit the data with things like quotes.
There is no mechanism for escaping a functional quote from a quote
that should appear in the data that you pass to it...so don't use
quotes as delimiters :)

Not a problem...

I just whipped together a utility called WeightGate.exe that can be
downloaded here (for now):

http://www.messagesniffer.com/Tools/WeightGate.exe

Suppose you wanted to use it in Declude to skip running SNF if your
weight was already ridiculously low (perhaps white listed) or already
so high that you want to save the extra cycles. Then you might do
something like this:

SNF external nonzero "c:\tool\WeightGate.exe -50 %WEIGHT% 30 c:\SNF\sniffer.exe authenticationxx" 10 0

(hopefully that didn't wrap, and if it did you will know what I meant ;-)

To test this concept out you might first create a copy of
WeightGate.exe called ShowMe.exe (case matters!) and then do
something like this:

SNF external nonzero "c:\tool\ShowMe.exe -50 %WEIGHT% 30 c:\SNF\sniffer.exe authenticationxx" 10 0

The result of that would be the creation of a file c:\ShowMe.log that
contained all of the parameters ShowMe.exe was called with -- that way
you wouldn't have to guess if it was correct. ShowMe.exe ALWAYS
returns zero, so this _should_ be safe ;-)

If you run WeightGate on the command line without parameters it will
tell you all about itself and its alter ego ShowMe.exe.

That description goes like this (I may fix the typo(s) later):

WeightGate.exe
(C) 2006 ARM Research Labs, LLC.

This program is distributed AS-IS, with no warranty of any kind.
You are welcome to use this program on your own systems or those
that you directly support. Please do not redistribute this program
except as noted above, however feel free to recommend this program
to others if you wish and direct them to our web site where they
can download it for themselves. Thanks! www.armresearch.com.

This program is most commonly used to control the activation of
external test programs from within Declude (www.declude.com) based
on the weigth that has been calculated thus far for a given message.

As an added feature, if you rename this program to ShowMe.exe then
it will emit all of the command line arguments as it sees
them to a file called c:\ShowMe.log so that you can use it
as a debugging aid.

If you are seeing this message, you have used this program
incorrectly. The correct invocation for this program is:

WeightGate low weight hight program arg 1, arg 2,... arg n

Where:
  low = a number representing the lowest weight to run progra.
  weight = a number representing the actual weight to evaluate.
  high = a number representing the highest weight to run program.
  program = the program to be activated if weight is in range.
  arg 1, arg 2, ... arg n = arguments for program.

If weight is in the range [low,high] then WeightGate will run
program and pass all of arg 1, arg 2,... arg n to it. Then
WeightGate will collect the exit code of program and return it as
WeightGate's exit code.

If WeightGate gets the wrong number of parameters it will display
this message and return FAIL_SAFE (zero) as it's exit code.

If weight is not in range (less than low or greater than high)
then WeightGate will NOT 

Re: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]FP suggestions

2006-06-07 Thread Darin Cox
Awesome.  Great job, Pete.

Darin.


- Original Message - 
From: Pete McNeil [EMAIL PROTECTED]
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Wednesday, June 07, 2006 6:49 PM
Subject: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]FP
suggestions


Hello Matt,

Wednesday, June 7, 2006, 4:22:05 PM, you wrote:


  Pete,

  Since the %WEIGHT% variable is added by Declude, it might make
 sense to have a qualifier instead of making the values space
 delimited.

I don't want to mix delimiters... everything so far is using spaces,
so it makes sense to continue that way IMO.

 Errors in Declude could cause values to not be inserted,
 and not everyone will want to skip at a low weight. I haven't seen
 any bugs with %WEIGHT% since shortly after it was introduced, but
 you never know. I have seen some issues with other Declude inserted
variables though.

Well, errors are always a possibility, but in this case it _should_ be
reasonably safe. For example, if this is used to gate SNF, then a
missing %WEIGHT% would result in trying to launch a program with the
same name as the authentication string, and it is highly unlikely that
would be found, so the result would be the program not found error
code. That's not perfect because it's a nonzero result, but it is safe
in that it is not likely to launch another program.

  One other thing that I came across with the way that Declude calls
 external apps...you can't delimit the data with things like quotes.
 There is no mechanism for escaping a functional quote from a quote
 that should appear in the data that you pass to it...so don't use
 quotes as delimiters :)

Not a problem...

I just whipped together a utility called WeightGate.exe that can be
downloaded here (for now):

http://www.messagesniffer.com/Tools/WeightGate.exe

Suppose you wanted to use it in Declude to skip running SNF if your
weight was already ridiculously low (perhaps white listed) or already
so high that you want to save the extra cycles. Then you might do
something like this:

SNF external nonzero "c:\tool\WeightGate.exe -50 %WEIGHT% 30 c:\SNF\sniffer.exe authenticationxx" 10 0

(hopefully that didn't wrap, and if it did you will know what I meant ;-)

To test this concept out you might first create a copy of
WeightGate.exe called ShowMe.exe (case matters!) and then do
something like this:

SNF external nonzero "c:\tool\ShowMe.exe -50 %WEIGHT% 30 c:\SNF\sniffer.exe authenticationxx" 10 0

The result of that would be the creation of a file c:\ShowMe.log that
contained all of the parameters ShowMe.exe was called with -- that way
you wouldn't have to guess if it was correct. ShowMe.exe ALWAYS
returns zero, so this _should_ be safe ;-)

If you run WeightGate on the command line without parameters it will
tell you all about itself and its alter ego ShowMe.exe.

That description goes like this (I may fix the typo(s) later):

WeightGate.exe
(C) 2006 ARM Research Labs, LLC.

This program is distributed AS-IS, with no warranty of any kind.
You are welcome to use this program on your own systems or those
that you directly support. Please do not redistribute this program
except as noted above, however feel free to recommend this program
to others if you wish and direct them to our web site where they
can download it for themselves. Thanks! www.armresearch.com.

This program is most commonly used to control the activation of
external test programs from within Declude (www.declude.com) based
on the weigth that has been calculated thus far for a given message.

As an added feature, if you rename this program to ShowMe.exe then
it will emit all of the command line arguments as it sees
them to a file called c:\ShowMe.log so that you can use it
as a debugging aid.

If you are seeing this message, you have used this program
incorrectly. The correct invocation for this program is:

WeightGate low weight hight program arg 1, arg 2,... arg n

Where:
  low = a number representing the lowest weight to run progra.
  weight = a number representing the actual weight to evaluate.
  high = a number representing the highest weight to run program.
  program = the program to be activated if weight is in range.
  arg 1, arg 2, ... arg n = arguments for program.

If weight is in the range [low,high] then WeightGate will run
program and pass all of arg 1, arg 2,... arg n to it. Then
WeightGate will collect the exit code of program and return it as
WeightGate's exit code.

If WeightGate gets the wrong number of parameters it will display
this message and return FAIL_SAFE (zero) as it's exit code.

If weight is not in range (less than low or greater than high)
then WeightGate will NOT launch program and will return FAIL_SAFE
(zero) as it's exit code.

As a deubgging aid, I was called with the following arguments:

arg[0] me = WeightGate

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.


#
This message is sent to you because you are subscribed 
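A small re-implementation of the gating logic Pete describes above, added here as an example and not ARM Research's WeightGate code: it launches the wrapped program only when the weight falls in [low, high], hands that program's exit code back unchanged, and otherwise returns FAIL_SAFE (zero). Treating a program that cannot be launched as FAIL_SAFE is my own choice rather than something the description states, and `python_exit_argv` is a helper I added so the gate can be exercised without a real scanner.

```python
import subprocess
import sys

FAIL_SAFE = 0  # the exit code the description reserves for "do not act"


def weight_gate(low, weight, high, program_argv):
    """Gate an external test on the weight accumulated so far.

    Mirrors the posted description: run program_argv only if
    low <= weight <= high and return its exit code unchanged; on an
    out-of-range weight or malformed parameters return FAIL_SAFE.
    """
    try:
        low, weight, high = int(low), int(weight), int(high)
    except (TypeError, ValueError):
        return FAIL_SAFE          # wrong parameters: fail safe, never fail open
    if not program_argv:
        return FAIL_SAFE
    if weight < low or weight > high:
        return FAIL_SAFE          # weight outside [low, high]: do not launch
    try:
        completed = subprocess.run(program_argv, check=False)
    except OSError:
        # Assumption (not in the original description): a program that cannot
        # be launched is treated like an out-of-range weight.
        return FAIL_SAFE
    return completed.returncode


def python_exit_argv(code):
    """Test helper: an argv that simply exits with the given code."""
    return [sys.executable, "-c", "import sys; sys.exit(%d)" % int(code)]


def main(argv):
    """Command-line shape of the posted tool: low weight high program [args...]."""
    if len(argv) < 4:
        print("usage: weight_gate low weight high program [args...]", file=sys.stderr)
        return FAIL_SAFE
    return weight_gate(argv[0], argv[1], argv[2], argv[3:])


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Because the wrapped program only runs inside the window, a scanner that would add weight to an already-condemned message is skipped, and a bad invocation can never produce a non-zero (spam) verdict by accident.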

Re: [sniffer]Re[2]: [sniffer]FP suggestions

2006-06-07 Thread Darin Cox
Unfortunately, by the time the message gets to us it is sometimes just
different enough that the original pattern cannot be found. There are
some folks who consistently have success, and some who occasionally
have problems, and a few who always have a problem.

Different in what way?  Is the mail client encoding differently in the
forwarding process?  If so, do you know what clients are altering the
messages and how?  If there's one that's better for this, we could always
use it for forwarding since we currently send it to ourselves first, then
forward.

If we rewrite the Q file and queue directly from IMail, encoding shouldn't
change, correct?  If that avoids this issue, we could do that instead.

The best solution is to include the headers during the scan since they
will travel with the message.

What do you mean?  The XHDR?  We would love that for several reasons,
but Declude is not the same company anymore.

The next best is to automate matching
the log entries with the message so they can be included with the
submission (some do this to prevent the second trip).

Yeah, we'd have to automate it.  I can't imagine taking the time to manually
match for each occurrence of no rule found.  Another item for the
automation list.






Re: [sniffer]FP suggestions

2006-06-07 Thread Darin Cox



Of course I'm sending the full message as an 
attachment. You can do that with Outlook by attaching an item, then 
browsing your mail folders for the message to attach. And yes, that's how 
you do it with Outlook Express as well. I don't use Thunderbird or 
Netscape mail, but I would assume you still need to attach the original message 
to avoid the headers being lost.

What I was referring to was a little more involved 
than that... namely the possibility of it not matching a rule because the 
attachment was encoded differently. For example, I've seen mail go 
through that base64 encoded an attached email that was not originally 
base64 encoded.

From Pete's responses, it sounded like "no rule 
found" really did mean no rule was matched. Especially since he has a 
separate code for "rule already removed". FPs we send are always from same 
day, or, at the very least, within 24 hours.
Darin.


- Original Message - 
From: Matt 
To: Message Sniffer Community 
Sent: Wednesday, June 07, 2006 11:46 PM
Subject: Re: [sniffer]FP suggestions
Darin,Outlook will strip many of the headers when 
forwarding. Outlook Express needs to forward the messages using "Forward 
As Attachment" in order to insert the full original headers. 
Thunderbird/Netscape Mail will work just by forwarding. If you paste the 
full source in a message, you should send as plain text.I have many FP's 
that come back as having no rules found, but these are more likely to be from 
rules that were already removed. So I wouldn't jump to a conclusion that 
the rule was not found because of formatting unless you are not sending the full 
unadulterated original message source. I would imagine that it would 
mostly be IP rules that aren't found when not forwarding the full original 
source.MattDarin Cox wrote: 

  It is unclear - we receive FPs that have traveled through all sorts of
clients, quarantine systems, changed hands various numbers of times,
or not (to all of those)... Right now I don't want to make that
research project a high priority.

Understood.

  
  That's true it wouldn't change, but submitting the message directly
would not be correct - the dialogue is with you, and in any case,
additional trips through the mail server also modify parts of the
header and sometimes parts of the message (tag lines, disclaimers,
etc)...

Hmmm... with attaching the original message, I guess it still makes more
sense to deliver to us first for now.  Just looking for an alternative that
gets you the message as close to the original form as possible.
Maybe we'll write a script to copy and forward the D*.SMD file as an
attachment to you for FPs at some point in the future.






[sniffer][Fwd: Re: [sniffer]FP suggestions]

2006-06-07 Thread Matt

Darin,

Thunderbird and Netscape just take the full original source and 
attach it as a message/rfc822 attachment.  I forwarded this message 
back to the list by just pressing Forward.  I'm pretty sure that 
Outlook Express works simply by just pressing Forward As Attachment, or 
at least it gives me enough of the original, including the full headers, 
to determine how to block the spam.  I have been telling Outlook users 
to copy and paste the headers into a forwarded message.


Please excuse me for wanting more detail about the Outlook attachment 
trick, but would you mind attaching this message to a response so that I 
could look at the headers and such?


There was a discussion about Outlook's behavior with Scott some time 
ago.  Apparently Microsoft was pressured by customers to remove headers 
when forwarding because they felt that they were a security/privacy 
risk.  No one told them that Outlook was a security/privacy risk on its 
own :)  ...but that's another story.  I would probably feel differently if 
I had the need for groupware though, but digs at Microsoft are 
irresistible sometimes.


Matt
---BeginMessage---
---End Message---
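The forwarding behaviour Matt describes, and the script Darin mentions for sending the spool file as an attachment, both come down to the same thing: the original must travel as a message/rfc822 part so its Received headers are carried verbatim rather than rewritten by the forwarding client. The Python below is an added example of doing that with the standard library, not code from the list or from Message Sniffer; the sample message, addresses and header values are constructed.

```python
import email
from email import policy
from email.message import EmailMessage

# Constructed sample of a message as it sat in the spool: two Received
# headers, a Message-ID and a short body (all values are made up).
RAW_ORIGINAL = b"""Received: from mx.example.test (mx.example.test [192.0.2.10])
\tby relay.example.test with ESMTP id abc123; Wed, 07 Jun 2006 11:46:00 -0400
Received: from [198.51.100.7] by mx.example.test; Wed, 07 Jun 2006 11:45:58 -0400
Message-ID: <constructed-0001@example.test>
From: sender@example.test
To: user@example.test
Subject: sample for FP submission
Content-Type: text/plain; charset=us-ascii

This is the body of the message that was flagged.
"""


def forward_as_attachment(raw_original, sender, recipient, note):
    """Wrap the original bytes in a new message as a message/rfc822 part."""
    original = email.message_from_bytes(raw_original, policy=policy.default)
    fwd = EmailMessage()
    fwd["From"] = sender
    fwd["To"] = recipient
    fwd["Subject"] = "FP: " + str(original["Subject"] or "(no subject)")
    fwd.set_content(note)
    # add_attachment() with a Message object yields a message/rfc822 part;
    # the embedded message keeps its own header block untouched.
    fwd.add_attachment(original)
    return fwd.as_bytes()


def extract_original(raw_forward):
    """Pull the embedded original back out: (Received headers, Message-ID)."""
    outer = email.message_from_bytes(raw_forward, policy=policy.default)
    for part in outer.iter_attachments():
        if part.get_content_type() == "message/rfc822":
            inner = part.get_content()
            received = [str(h) for h in inner.get_all("Received", [])]
            return received, str(inner["Message-ID"])
    return [], ""


def received_headers_survive(raw_original):
    """Round-trip check: how many Received headers the recipient can still see."""
    fwd = forward_as_attachment(raw_original, "admin@example.test",
                                "fp@example.test", "See attached.")
    received, msgid = extract_original(fwd)
    return len(received), msgid
```

The round trip is the useful check: if a client or gateway in the path re-encodes or flattens the attachment, the count of Received headers recovered on the far side drops, which is exactly the "no rule found" symptom the thread is chasing.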



Re: [sniffer]Concerned about amount of spam going through

2006-06-06 Thread David Waller
I only see Sniffer catching about 30% of SPAM and that's the highest it's
ever been.

David 

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
Of Michiel Prins
Sent: 06 June 2006 08:11
To: Message Sniffer Community
Subject: [sniffer]Concerned about amount of spam going through

Crew,
 
I'm a bit concerned about the amount of spam that Sniffer's not getting. It
used to be a near 99% catch rate, but now it looks like it's down to 70%...?
 
I opened my own mailbox this morning and saw 5 false negatives, while 11
others were caught by Sniffer. Haven't checked with my clients yet, but I
think it will be the same.
 
Is there an explanation, besides another spam storm?
 
Groet,
Michiel






Re: [sniffer]AW: [sniffer]AW: [sniffer]Concerned about amount of spam going through

2006-06-06 Thread David Waller
We just use a single test, we don't categorise. If SNIFFER returns a result
we weight it. However, SNIFFER often returns a zero result when the email
is obviously junk i.e. SNIFFER returns a positive result (spam) in about 30%
of all identified junk mail.

SNIFFER external nonzero \declude\sniffer\sniffer.exe 23  0


-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
Of Markus Gufler
Sent: 06 June 2006 11:17
To: Message Sniffer Community
Subject: [sniffer]AW: [sniffer]AW: [sniffer]Concerned about amount of spam
going through

Hi

There must be something wrong with your configuration of the sniffer test(s)

Here are my numbers from yesterday based on 24462 processed messages

Date  Test             SS    SH  HH  HS  IMP
0605  SNIFFER-TRAVEL   12    0   0   23  2
0605  SNIFFER-INSUR    4     0   0   0   0
0605  SNIFFER-AV       0     0   0   0   0
0605  SNIFFER-MEDIA    1345  0   0   0   8
0605  SNIFFER-SWARE    73    0   0   0   0
0605  SNIFFER-SNAKE    8386  0   0   0   9
0605  SNIFFER-SCAMS    138   0   0   2   3
0605  SNIFFER-PORN     908   0   0   1   3
0605  SNIFFER-MALWARE  12    0   0   2   3
0605  SNIFFER-INK      2     0   0   0   0
0605  SNIFFER-RICH     2865  0   0   2   219
0605  SNIFFER-CREDIT   363   0   0   0   1
0605  SNIFFER-CASINO   300   0   0   0   0
0605  SNIFFER-GENERAL  2881  0   0   41  41
0605  SNIFFER-EXP-A    450   0   0   36  7
0605  SNIFFER-OBFUSC   4     0   0   5   0
0605  SNIFFER-EXP-IP   28    0   0   8   5


SS  Sniffer says spam, final result too
SH  Sniffer says spam, final result not
HH  Sniffer says ham, final result too
HS  Sniffer says ham, final result not

IMP Sniffer says spam and final result is slightly above the hold weight.
    (This column is a part of the SS column: 100-150% of hold.)
    So
    a.) it's an important test because it's able to bring the spam above the hold
        weight, and without this test it wouldn't have been held as spam,
    or
    b.) it's a risky test because it brings legit messages above the hold weight.

What result codes are you using in your test configuration? (please do not
publish your sniffer-id!)

Markus




 -Ursprüngliche Nachricht-
 Von: Message Sniffer Community
 [mailto:[EMAIL PROTECTED] Im Auftrag von David Waller
 Gesendet: Dienstag, 6. Juni 2006 11:51
 An: Message Sniffer Community
 Betreff: Re: [sniffer]AW: [sniffer]Concerned about amount of spam 
 going through
 
 Of all SPAM identified SNIFFER is finding about 30%. We see an awful 
 lot of junk email not being caught by SNIFFER, it's being processed by 
 Declude and failing some technical tests but not by SNIFFER.
 
 -Original Message-
 From: Message Sniffer Community
 [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
 Sent: 06 June 2006 09:41
 To: Message Sniffer Community
 Subject: [sniffer]AW: [sniffer]Concerned about amount of spam going 
 through
 
  I only see Sniffer catching about 30% of SPAM and that's
 the highest
  it's ever been.
 
 30% of spam or 30% of all processed messages?
 Sniffer is still one of the best tests in my arsenal.
 
 Markus
 
 
 
 
 







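The five columns Markus defines (SS, SH, HH, HS and the IMP slice of SS) can be recomputed from your own logs, which is the quickest way to answer the "30% of spam or 30% of all messages?" question. The Python below does that over a handful of constructed message records; it is an added example, not Markus's reporting script or anything shipped with Message Sniffer. It assumes one record per message holding the set of Sniffer result tests that fired and the final Declude weight; the hold weight of 10 and the test names are sample values.

```python
# Constructed sample: (sniffer tests that fired, final Declude weight)
HOLD = 10
TESTS = ["SNIFFER-GENERAL", "SNIFFER-PORN", "SNIFFER-EXP-IP"]
SAMPLE = [
    ({"SNIFFER-GENERAL"}, 14),                  # sniffer tipped it just over hold
    ({"SNIFFER-GENERAL", "SNIFFER-PORN"}, 32),  # held comfortably
    ({"SNIFFER-GENERAL"}, 6),                   # sniffer said spam, delivered anyway
    (set(), 12),                                # held by other tests only
    (set(), 2),                                 # plain ham
    ({"SNIFFER-EXP-IP"}, 11),                   # sniffer tipped it just over hold
]


def tally(records, hold, tests):
    """Count SS/SH/HH/HS/IMP per test, following the column definitions in the thread."""
    stats = {t: {"SS": 0, "SH": 0, "HH": 0, "HS": 0, "IMP": 0} for t in tests}
    for fired, final in records:
        final_spam = final >= hold
        for t in tests:
            said_spam = t in fired
            if said_spam and final_spam:
                stats[t]["SS"] += 1
                # IMP: the part of SS where the final weight is only 100-150% of
                # hold, i.e. this test is what pushed the message over the line.
                if hold <= final <= 1.5 * hold:
                    stats[t]["IMP"] += 1
            elif said_spam:
                stats[t]["SH"] += 1   # test fired, message still delivered
            elif final_spam:
                stats[t]["HS"] += 1   # test missed, other tests caught it
            else:
                stats[t]["HH"] += 1
    return stats


def disagreement(s):
    """Share of this test's spam verdicts the final result did not agree with (SH / (SS+SH))."""
    fired = s["SS"] + s["SH"]
    return s["SH"] / fired if fired else 0.0


def render(stats, date):
    """Same table shape as the post: Date Test SS SH HH HS IMP."""
    lines = ["%-5s %-16s %5s %4s %4s %4s %4s" % ("Date", "Test", "SS", "SH", "HH", "HS", "IMP")]
    for t, s in stats.items():
        lines.append("%-5s %-16s %5d %4d %4d %4d %4d"
                     % (date, t, s["SS"], s["SH"], s["HH"], s["HS"], s["IMP"]))
    return "\n".join(lines)


def sample_stats():
    return tally(SAMPLE, HOLD, TESTS)


if __name__ == "__main__":
    print(render(sample_stats(), "0605"))
```

A high IMP with SH near zero is the "important test" case from the post; IMP rising together with SH is the "risky test" case, and `disagreement` gives the ratio to watch when deciding whether to lower a test's weight.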

Re: [sniffer]Numeric spam

2006-06-06 Thread Pete McNeil
Hello Markus,

Tuesday, June 6, 2006, 3:27:32 AM, you wrote:

 Maybe people at Sniffer are already aware of this new type of spam. Not the
 malformed mailfrom one but this with the short number and nothing else in
 subject and body)

Thanks for those samples... I've coded an additional abstract for the
ones you sent.

 There is also another type of spam (stock spam now with attached png image)
 this morning passing our filters. Here too some tests have had positive
 results (see mail headers of attached samples) but sniffer has also
 completely missed.

It took a bit of work to generalize the pattern for the png stock spam
but I've got a new family of rules in place for it now... I'm waiting
on results to tally but I believe the rules will be effective.

If not we will continue to work on them.

Thanks,

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





Re: [sniffer]A design question - how many DNS based tests?

2006-06-06 Thread Peer-to-Peer (Support)
Hi _M,

Do you mean like reverse PTR records, or HELO lookups, etc..?

--Paul R.


-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED]
Behalf Of Pete McNeil
Sent: Tuesday, June 06, 2006 9:26 AM
To: Message Sniffer Community
Subject: [sniffer]A design question - how many DNS based tests?


Hello Sniffer Folks,

I have a design question for you...

How many DNS based tests do you use in your filter system?

How many of them really matter?

Thanks!

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.












Re: [sniffer]A design question - how many DNS based tests?

2006-06-06 Thread Nick Hayer

Hi Pete,

Pete McNeil wrote:


How many DNS based tests do you use in your filter system?
 


approx 100


How many of them really matter?
 


depends  :)
I generally weight them all very low; it's the combination of several 
that makes each 'matter'.  As I review held mail I remove ones that are 
blatant fp's; double up on some by considering the last hop as a 
preference over any hop, etc.


-Nick


Thanks!

_M

 







Re: [sniffer]Concerned about amount of spam going through

2006-06-06 Thread Pete McNeil
Hello Michiel,

Tuesday, June 6, 2006, 3:10:52 AM, you wrote:

  
 Crew,
  
  
   
 I'm a bit concerned about the amount of spam that Sniffer's not 
 getting. It used to be a near 99% catch rate, but now it looks like it's  
 down to 70%...?
  
  
  
 I opened my own mailbox  this morning and saw 5 false negatives,
 while 11 others were caught by  Sniffer. Haven't checked with my
 clients yet, but I think it will be the  same.
  
  
  
 Is there an explanation, besides another  spam storm?

IMO, the spam storm explanation is certainly applicable today - we've
seen a few spikes, this time bunched together in an unusual - nearly
continuous chain... still working on a theory for that.

In general, the image based spam trend has given everyone more
challenges.. I'm working on engine upgrades that will be out soon to
help with those and future threats.

Another thing that may have affected the last few days is that our
primary spam-trap processor ate itself causing large backlogs and
heavy fragmentation. There were a few hours (off-and-on) where the box
was not processing traffic so we were delayed responding with new
rules.

I've changed the software on that box and cleaned up the damage and it
is now happily sustaining ~900 msgs/minute so I don't expect further
problems from it in the short term.

Hope this helps,

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





Re: [sniffer]Numeric spam topic change to png stock spam

2006-06-06 Thread Nick Hayer

Hi Markus -

Markus Gufler wrote:


There is also another type of spam (stock spam now with attached png image)
this morning passing our filters.


I am catching these fairly easily -
a combo filter -
#combo-stockspammer-png.txt
SKIPIFWEIGHT 26
TESTSFAILED END NOTCONTAINS EXTERNAL.REGEX.STOCKSPAMMER.BODY
BODY 5 CONTAINS Content-Type: image/png;
#
The body regex is this:
src=cid:[a-z0-9]{12}\$[a-z0-9]{8}\$[a-z0-9]{8}@

-Nick
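Reading Nick's three Declude lines as: skip when the weight is already 26 or more, stop unless the body regex test is among the tests the message failed, and otherwise add 5 when the body carries a `Content-Type: image/png;` part. The Python below is an added illustration of that logic and of why the combination matters, not Nick's filter or Declude code. The regex is Nick's as posted, scoring it at 3 on its own follows his later remark in the thread, the sample bodies are constructed, and the order in which the regex weight is counted before SKIPIFWEIGHT is my assumption.

```python
import re

# Nick's body regex, as posted.
STOCK_CID_RE = re.compile(r"src=cid:[a-z0-9]{12}\$[a-z0-9]{8}\$[a-z0-9]{8}@")

REGEX_TEST = "EXTERNAL.REGEX.STOCKSPAMMER.BODY"
REGEX_WEIGHT = 3         # weight Nick gives the regex on its own
COMBO_WEIGHT = 5         # BODY 5 CONTAINS ...
SKIP_IF_WEIGHT = 26      # SKIPIFWEIGHT 26
PNG_MARKER = "Content-Type: image/png;"

# Constructed samples: a png stock spam, an Outlook-style newsletter with an
# inline png, and a legitimate message whose cid happens to fit the regex.
STOCK_SPAM = (
    "Content-Type: text/html\n\n<p>Hot pick!</p>"
    "<img src=cid:a1b2c3d4e5f6$1a2b3c4d$5e6f7a8b@host>\n"
    "Content-Type: image/png;\n name=\"chart.png\"\n"
)
NEWSLETTER_PNG = (
    "Content-Type: text/html\n\n<img src=cid:image001.png@01C68A1B.2C3D4E50>\n"
    "Content-Type: image/png;\n name=\"image001.png\"\n"
)
LEGIT_CID_JPEG = (
    "Content-Type: text/html\n\n<img src=cid:0a1b2c3d4e5f$00112233$44556677@mail>\n"
    "Content-Type: image/jpeg;\n name=\"photo.jpg\"\n"
)


def run_regex_test(body):
    """The stand-alone regex test: fires on the stock spammer's cid: pattern."""
    return bool(STOCK_CID_RE.search(body))


def combo_stock_png(body, weight_so_far, failed_tests):
    """My reading of the combo filter: add 0 unless the regex test already
    failed the message AND a png part is present AND we are below SKIPIFWEIGHT."""
    if weight_so_far >= SKIP_IF_WEIGHT:
        return 0
    if REGEX_TEST not in failed_tests:
        return 0
    if PNG_MARKER not in body:
        return 0
    return COMBO_WEIGHT


def evaluate(body, weight_so_far=0):
    """Apply the regex test, then the combo; return
    (regex_hit, combo_weight_added, resulting_weight)."""
    failed = set()
    weight = weight_so_far
    regex_hit = run_regex_test(body)
    if regex_hit:
        failed.add(REGEX_TEST)
        weight += REGEX_WEIGHT
    added = combo_stock_png(body, weight, failed)
    return regex_hit, added, weight + added
```

The third sample is the case Pete raises later in the thread: the cid: format on its own is not rare, so the regex alone costs 3 points on a legitimate message while the combo, which also demands the png part, adds nothing.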

 







Re: [sniffer]Re[2]: [sniffer]Numeric spam topic change to png stock spam

2006-06-06 Thread Nick Hayer




Pete McNeil wrote:

Hello Nick,

What is your false positive rate with that pattern?


Hmm, let's go to the MDLP for yesterday :)

                  SS   HH  HS  SH  SA        SQ
REGEX.STOCK.BODY  331  0   0   66  0.667506  0.445565
COMBO.STOCK_PNG   16   0   0   1   0.882353  0.778547

The regex alone will fp; I score it with a 3 [hold on 10; delete on 24].
The png combo I just did last night when I first saw the spam. So
far I have not seen any fp. [I combo it (the regex) with other tests as
well - which makes it much more reliable.]

-Nick
_M

Tuesday, June 6, 2006, 10:05:18 AM, you wrote:

Hi Markus -

Markus Gufler wrote:

There is also another type of spam (stock spam now with attached png image)
this morning passing our filters.

I am catching these fairly easily -
a combo filter -
#combo-stockspammer-png.txt
SKIPIFWEIGHT 26
TESTSFAILED END NOTCONTAINS EXTERNAL.REGEX.STOCKSPAMMER.BODY
BODY 5 CONTAINS Content-Type: image/png;
#
The body regex is this:
src=cid:[a-z0-9]{12}\$[a-z0-9]{8}\$[a-z0-9]{8}@

-Nick


Re: [sniffer]A design question - how many DNS based tests?

2006-06-06 Thread Scott Fisher

I use about 100 dnsbl/rbl/rhsbl lists of varying weights and reliabilities.

How many matter...
I'd have to say the shining star is CBL. Hits 45% of the spam with a very 
low false positive rate.

The relay RBLs' days are way behind them.
The proxy RBLs' most useful days are behind them.
The DUL RBLs I don't think have ever been comprehensive/correct enough to be 
as useful as they should be in the day of the spam zombie.
The spam source RBLs (other than CBL) are a little over-zealous to me, 
causing me some false positive problems, thus the lower weight. They seem 
to be on the downtrend too. Oddly Fiveten Spam (127.0.0.2) has had a big 
jump in the last two months, catching 60% of the spam although with a 1% 
false positive rate.


I have 2 1/4 years of my spam test results posted at
All tests: http://it.farmprogress.com/declude/Testsbymonth.html
Spam tests: http://it.farmprogress.com/declude/spamtestbymonth.html
ham tests:  http://it.farmprogress.com/declude/hamtestsbymonth.html

- Original Message - 
From: Pete McNeil [EMAIL PROTECTED]

To: Message Sniffer Community sniffer@sortmonster.com
Sent: Tuesday, June 06, 2006 8:26 AM
Subject: [sniffer]A design question - how many DNS based tests?



Hello Sniffer Folks,

I have a design question for you...

How many DNS based tests do you use in your filter system?

How many of them really matter?

Thanks!

_M

--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.











Re: [sniffer]Numeric spam

2006-06-06 Thread Steve Guluk
We're getting the same and today it started hitting a different account (Domain).

What are these things? I thought exploratory, maybe looking for replies to build a DB for a later spam wave? They're not malicious in content and look like someone's virus working incorrectly. But, I doubt they are really so benign. Any understand their purpose?

On Jun 6, 2006, at 6:32 AM, Goran Jovanovic wrote:

I started seeing these messages Monday (yesterday) morning EDT. The from and to are the same (ie you sent it to yourself). I am tagging it but there is not enough stuff to push it into DELETE territory.

Regards,

Steve Guluk
SGDesign
(949) 661-9333
ICQ: 7230769

Re: [sniffer]AW: [sniffer]AW: [sniffer]Concerned about amount of spam going through

2006-06-06 Thread Colbeck, Andrew
David,

Are you using the free version of sniffer? Or did you deliberately change your 
.exe name in your posting to sniffer.exe to hide your licence number?

I certainly expect that the rulebase lag with the free version will result in 
lower Message Sniffer hit rates.

I've seen the free version with hit rates as low as 10% on the remaining 
messages that have been already filtered by a gateway, which I thought was 
still decent because these were the messages that had already evaded the 
blacklist tests.  And free is good.

On the same system, I noted that this made Sniffer about half as effective as 
fresh SURBL/URIBL testing, but I had no way to compare their overlap.

Andrew 8)
 

 -Original Message-
 From: Message Sniffer Community 
 [mailto:[EMAIL PROTECTED] On Behalf Of David Waller
 Sent: Tuesday, June 06, 2006 5:46 AM
 To: Message Sniffer Community
 Subject: Re: [sniffer]AW: [sniffer]AW: [sniffer]Concerned 
 about amount of spam going through
 
 We just use a single test, we don't categorise. If SNIFFER 
 returns a result we weight it. However, SNIFFER oftens 
 returns a zero result when the email is obviously junk i.e. 
 SNIFFER returns a positive result (spam) in about 30% of all 
 identified junk mail.
 
 SNIFFER external nonzero \declude\sniffer\sniffer.exe 23  0
 
 
 -Original Message-
 From: Message Sniffer Community 
 [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
 Sent: 06 June 2006 11:17
 To: Message Sniffer Community
 Subject: [sniffer]AW: [sniffer]AW: [sniffer]Concerned about 
 amount of spam going through
 
 Hi
 
 There must be something wrong with your configuration of the 
 sniffer test(s)
 
 Here are my numbers from yesterday based on 24462 processed messages
 
 Date  Test             SS    SH  HH  HS  IMP
 0605  SNIFFER-TRAVEL   12    0   0   23  2
 0605  SNIFFER-INSUR    4     0   0   0   0
 0605  SNIFFER-AV       0     0   0   0   0
 0605  SNIFFER-MEDIA    1345  0   0   0   8
 0605  SNIFFER-SWARE    73    0   0   0   0
 0605  SNIFFER-SNAKE    8386  0   0   0   9
 0605  SNIFFER-SCAMS    138   0   0   2   3
 0605  SNIFFER-PORN     908   0   0   1   3
 0605  SNIFFER-MALWARE  12    0   0   2   3
 0605  SNIFFER-INK      2     0   0   0   0
 0605  SNIFFER-RICH     2865  0   0   2   219
 0605  SNIFFER-CREDIT   363   0   0   0   1
 0605  SNIFFER-CASINO   300   0   0   0   0
 0605  SNIFFER-GENERAL  2881  0   0   41  41
 0605  SNIFFER-EXP-A    450   0   0   36  7
 0605  SNIFFER-OBFUSC   4     0   0   5   0
 0605  SNIFFER-EXP-IP   28    0   0   8   5
 
 
 SS  Sniffer says spam, final result too
 SH  Sniffer says spam, final result not
 HH  Sniffer says ham, final result too
 HS  Sniffer says ham, final result not
 
 IMP Sniffer says spam and final result is slightly above the hold weight.
     (This column is a part of the SS column: 100-150% of hold.)
     So
     a.) it's an important test because it's able to bring the spam above the hold
         weight, and without this test it wouldn't have been held as spam,
     or
     b.) it's a risky test because it brings legit messages above the hold weight.
 
 What result codes are you using in your test configuration? 
 (please do not publish your sniffer-id!)
 
 Markus
 
 
 
 
  -Ursprüngliche Nachricht-
  Von: Message Sniffer Community
  [mailto:[EMAIL PROTECTED] Im Auftrag von David Waller
  Gesendet: Dienstag, 6. Juni 2006 11:51
  An: Message Sniffer Community
  Betreff: Re: [sniffer]AW: [sniffer]Concerned about amount of spam 
  going through
  
  Of all SPAM identified SNIFFER is finding about 30%. We see 
 an awful 
  lot of junk email not being caught by SNIFFER, it's being 
 processed by 
  Declude and failing some technical tests but not by SNIFFER.
  
  -Original Message-
  From: Message Sniffer Community
  [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
  Sent: 06 June 2006 09:41
  To: Message Sniffer Community
  Subject: [sniffer]AW: [sniffer]Concerned about amount of spam going 
  through
  
   I only see Sniffer catching about 30% of SPAM and that's
  the highest
   it's ever been.
  
  30% of spam or 30% of all processed messages?
  Sniffer is still one of the best tests in my arsenal.
  
  Markus
  
  
  

Re: [sniffer]A design question - how many DNS based tests?

2006-06-06 Thread Colbeck, Andrew
I use just shy of 60 DNS based tests against the sender, both IP4R and
RHSBL.

Perhaps 10-12 matter.

Due to false positives, I rate most of them relatively low and have
built up their weights as a balancing act.  That act is greatly assisted
by using a weighting system and not reject on first hit, and furthered
by being able to do combo tests such as the example Nick offered on a
different thread this morning.

SPAMHAUS XBL (CBL and the Blitzed OPM), SPAMCOP, FIVETEN, MXRATE-BL are
consistent good performers for me.

Tests that I try out tend to stay in my configuration after they've
become inutile as long as they do no harm.  I groom the lists perhaps
four times per year.

Andrew 8)



 -Original Message-
 From: Message Sniffer Community 
 [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
 Sent: Tuesday, June 06, 2006 6:26 AM
 To: Message Sniffer Community
 Subject: [sniffer]A design question - how many DNS based tests?
 
 Hello Sniffer Folks,
 
 I have a design question for you...
 
 How many DNS based tests do you use in your filter system?
 
 How many of them really matter?
 
 Thanks!
 
 _M
 
 --
 Pete McNeil
 Chief Scientist,
 Arm Research Labs, LLC.
 
 
 
 





Re: [sniffer]Re[2]: [sniffer]Numeric spam topic change to png stock spam

2006-06-06 Thread Jonathan Hickman
Because a small amount of weight is added, it is still sufficient for
tilting the scales on more occurrences than other image types.

- Original Message - 
From: Pete McNeil [EMAIL PROTECTED]
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Tuesday, June 06, 2006 10:44 AM
Subject: [sniffer]Re[2]: [sniffer]Numeric spam topic change to png stock
spam


 Hello Jonathan,

 I urge caution from experience... png images are not entirely rare,
 and the cid: tag format in the regex is also common.

 I'd love to be wrong - but I recall false positives with similar
 attempts in the past.

 Is there more to this than the two elements I just described -
 something I'm not seeing?

 _M

 Tuesday, June 6, 2006, 10:19:36 AM, you wrote:

  Nick, very good method.  I have added that to my configuration as well
now.

  - Original Message - 
  From: Nick Hayer [EMAIL PROTECTED]
  To: Message Sniffer Community sniffer@sortmonster.com
  Sent: Tuesday, June 06, 2006 10:05 AM
  Subject: Re: [sniffer]Numeric spam topic change to png stock spam


  Hi Markus -
 
  Markus Gufler wrote:
 
  There is also another type of spam (stock spam now with attached png
  image)
  this morning passing our filters.
  
  I am catching these fairly easily -
  a combo filter -
  #combo-stockspammer-png.txt
  SKIPIFWEIGHT 26
  TESTSFAILED END NOTCONTAINS EXTERNAL.REGEX.STOCKSPAMMER.BODY
  BODY 5 CONTAINS Content-Type: image/png;
  #
  The body regex is this:
  src=cid:[a-z0-9]{12}\$[a-z0-9]{8}\$[a-z0-9]{8}@
 
  -Nick
 
  
  
 
 
 







 -- 
 Pete McNeil
 Chief Scientist,
 Arm Research Labs, LLC.







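Andrew's weighted, no-reject-on-first-hit approach from the DNS tests thread above and Nick's combo filter quoted in this message, worked through together as an added Python example (not Declude's code or anyone's real configuration). The test weights, hold threshold, test labels and sample bodies are constructed; the regex and the three filter lines are Nick's as posted.

```python
import re

# Added example, not Declude's code or anyone's real configuration.
# Constructed weights in the spirit of Andrew's approach: most DNS tests
# rated low, a few consistent performers rated higher, never reject on
# first hit. The names are hypothetical test labels.
DNS_TEST_WEIGHTS = {
    "SPAMHAUS-XBL": 10,
    "SPAMCOP": 8,
    "FIVETEN": 3,
    "MXRATE-BL": 3,
    "NOISY-RHSBL-1": 1,
    "NOISY-RHSBL-2": 1,
}
HOLD_WEIGHT = 20          # hypothetical hold threshold
REGEX_TEST = "EXTERNAL.REGEX.STOCKSPAMMER.BODY"

# Nick's body regex, exactly as posted (case-sensitive).
STOCKSPAMMER_BODY = re.compile(
    r"src=cid:[a-z0-9]{12}\$[a-z0-9]{8}\$[a-z0-9]{8}@")


def dns_test_weight(dns_hits):
    """Additive score over the DNS tests that fired; unknown names count 0."""
    return sum(DNS_TEST_WEIGHTS.get(name, 0) for name in dns_hits)


def external_regex_tests(body):
    """Run the external regex test so it can appear in TESTSFAILED."""
    return {REGEX_TEST} if STOCKSPAMMER_BODY.search(body) else set()


def combo_stockspammer_png(body, tests_failed, weight, skip_if_weight=26):
    """Nick's combo filter, line by line:
         SKIPIFWEIGHT 26
         TESTSFAILED END NOTCONTAINS EXTERNAL.REGEX.STOCKSPAMMER.BODY
         BODY 5 CONTAINS Content-Type: image/png;
    Returns the weight the filter adds (0 or 5)."""
    if weight >= skip_if_weight:
        return 0            # SKIPIFWEIGHT: already heavy enough, skip the filter
    if REGEX_TEST not in tests_failed:
        return 0            # END: the cid: regex did not fire, stop here
    if "Content-Type: image/png;" in body:
        return 5            # both of Pete's "two elements" present: add 5
    return 0


def score_message(body, dns_hits):
    """Whole pipeline: DNS weights, external regex test, then the combo filter.
    Returns (final_weight, held)."""
    tests_failed = set(dns_hits) | external_regex_tests(body)
    weight = dns_test_weight(dns_hits)
    weight += combo_stockspammer_png(body, tests_failed, weight)
    return weight, weight >= HOLD_WEIGHT


# Constructed sample bodies (not real messages).
STOCK_SPAM = (
    "Content-Type: image/png;\n"
    "<img src=cid:ab12cd34ef56$1a2b3c4d$5e6f7a8b@example.test>\n"
)
NEWSLETTER_WITH_PNG = (
    "Content-Type: image/png;\n"
    '<img src="cid:logo@example.test">\n'   # quoted cid: does not match the regex
)

if __name__ == "__main__":
    hits = ["SPAMCOP", "FIVETEN", "MXRATE-BL", "NOISY-RHSBL-1"]
    for label, body in (("stock spam", STOCK_SPAM), ("newsletter", NEWSLETTER_WITH_PNG)):
        print(label, score_message(body, hits))
```

With the constructed weights the four low DNS hits alone sit at 15, below the hold line; the combo filter's 5 points are what tip the png stock spam over, while the newsletter carrying a png but no matching cid: reference stays below it.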



Re: [sniffer]Numeric spam

2006-06-06 Thread Steve Guluk
 On Jun 6, 2006, at 7:51 AM, Steve Guluk wrote:

 We're getting the same and today it started hitting a different account (Domain).

 What are these things? I thought exploratory, maybe looking for replies to build a DB for a later spam wave? They're not malicious in content and look like someone's virus working incorrectly. But, I doubt they are really so benign.

 Any understand their purpose?

  On Jun 6, 2006, at 6:32 AM, Goran Jovanovic wrote:

  I started seeing these messages Monday (yesterday) morning EDT. The from and to are the same (ie you sent it to yourself). I am tagging it but there is not enough stuff to push it into DELETE territory.

So no one has any idea what the purpose of these emails are?

Random numbers for no apparent reason...?

Regards,

Steve Guluk
SGDesign
(949) 661-9333
ICQ: 7230769

Re: [sniffer]Numeric spam

2006-06-06 Thread Colbeck, Andrew



 So no one has any idea what the purpose of these emails are?

The bad guys aren't telling. The good guys have lots of theories, such as:

http://isc.sans.org/diary.php?storyid=1384

and also:

http://www.f-secure.com/weblog/archives/archive-062006.html#0894

which in turn points to this UseNet thread:

http://groups.google.com/group/Gmail-Problem-solving/browse_thread/thread/3c6e2fec311e89c7/f752311f6db05dfb?lnk=stq=1545453rnum=2fwc=2

which has a rather low signal to noise ratio. Suffice it to say that in that thread, they eventually come up with "spammers fake the from address on a regular basis, yes, even yours" and "hey, we don't know what this is".

The bad guys have certainly spewed out broken junk before, which doesn't seem to suit their purpose; all I can see it accomplishing is exposing previously clean IP addresses as zombies with no commercial gain.

(Hmm... ok, to follow that previous sentence you need to share my understanding that the bad guys regularly burn many previously clean IP addresses at one go by using the zombies on those machines to pump out a new spam run, thus evading the IP based blacklists until those blacklists catch up. Since their commercial messages get through to mailboxes in the meantime, that is a good tradeoff from their point of view. No payload in the numeric spam means no commercial gain.)

The only theories that I can get behind revolve around information-gathering. Since the MAILFROM is not an address under their control, the bad guys could glean a little information to clean their address lists by collecting 500-level SMTP error messages from each of their zombies.

That would only give them partial information and would require that they co-ordinate the data back from their many zombies. And it supposes that the bad guys care about list scrubbing. The greatest supposition is that they would do this without commercial gain; after all, they could have done this without a special spam run.

I think they just screwed up again.

Andrew 8)





  
  
 From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Steve Guluk
 Sent: Tuesday, June 06, 2006 3:46 PM
 To: Message Sniffer Community
 Subject: Re: [sniffer]Numeric spam

  On Jun 6, 2006, at 7:51 AM, Steve Guluk wrote:

  We're getting the same and today it started hitting a different account (Domain).

  What are these things? I thought exploratory, maybe looking for replies to build a DB for a later spam wave? They're not malicious in content and look like someone's virus working incorrectly. But, I doubt they are really so benign.

  Any understand their purpose?

   On Jun 6, 2006, at 6:32 AM, Goran Jovanovic wrote:

   I started seeing these messages Monday (yesterday) morning EDT. The from and to are the same (ie you sent it to yourself). I am tagging it but there is not enough stuff to push it into DELETE territory.

 So no one has any idea what the purpose of these emails are?

 Random numbers for no apparent reason...?

 Regards,

 Steve Guluk
 SGDesign
 (949) 661-9333
 ICQ: 7230769


Re: [sniffer]Numeric spam

2006-06-06 Thread John Carter
You know we are dealing with some pretty sick puppies when it comes to these 
spammers.  It would be ironic if one is just doing this to play with our heads.

John C

-- Original Message --
From: Colbeck, Andrew [EMAIL PROTECTED]
Reply-To: Message Sniffer Community sniffer@sortmonster.com
Date:  Tue, 6 Jun 2006 16:07:25 -0700

 So no one has any idea what the purpose of these emails are?
 
The bad guys aren't telling.  The good guys have lots of theories, such
as:
 
http://isc.sans.org/diary.php?storyid=1384
 
and also:
 
http://www.f-secure.com/weblog/archives/archive-062006.html#0894
 
which in turn points to this UseNet thread:
 
http://groups.google.com/group/Gmail-Problem-solving/browse_thread/threa
d/3c6e2fec311e89c7/f752311f6db05dfb?lnk=stq=1545453rnum=2fwc=2
 
which has a rather low signal to noise ratio.  Suffice it to say that in
that thread, they eventually come up with spammers fake the from
address on a regular basis, yes, even yours and hey, we don't know
what this is.
 
The bad guys have certainly spewed out broken junk before, which doesn't
seem to suit their purpose; all I can see it accomplishing is exposing
previously clean IP addresses as zombies with no commercial gain.
 
(Hmm... ok, to follow that previous sentence you need to share my
understanding that the bad guys regularly burn many previously clean IP
addresses at one go by using the zombies on those machines to pump out a
new spam run, thus evading the IP based blacklists until those
blacklists catch up.  Since their commercial messages gets through to
mailboxes in the meantime, that is a good tradeoff from their point of
view.  No payload in the numeric spam means no commercial gain.)
 
The only theories that I can get behind revolve around
information-gathering.  Since the MAILFROM is not an address under their
control, the bad guys could glean a little information to clean their
address lists by collecting 500-level SMTP error messages from each of
their zombies.
 
That would only give them partial information and would require that
they co-ordinate the data back from their many zombies.  And it supposes
that the bad guys care about list scrubbing.  The greatest supposition
is that they would do this without commercial gain; after all, they
could have done this without a special spam run.
 
I think they just screwed up again.
 
Andrew 8)
 
 
 





Re: [sniffer]Numeric spam

2006-06-06 Thread Computer House Support



I thought that having an SPF record would prevent a spammer from forging your domain name, but our SPF record did not seem to help with these odd numeric E-mails which appear to be coming from our own domain.

Does anyone have any info about SPF records and if they really work to combat this type of junkmail?

Michael Stein
Computer House



 - Original Message -
 From: Colbeck, Andrew
 To: Message Sniffer Community
 Sent: Tuesday, June 06, 2006 7:37 PM
 Subject: Re: [sniffer]Numeric spam

 Both of which are reasonable, particularly given the recent Blue Security debacle that showed that it was possible for the spammers as well as the spammees to coordinate their information. It might be in a spammer's best interest to pursue either of your suggestions.

 However, I still think it is more credible to assume that this is a case of the spammer being simple-stupid instead of uber-clever.

 Andrew 8)

  From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
  Sent: Tuesday, June 06, 2006 4:26 PM
  To: Message Sniffer Community
  Subject: Re: [sniffer]Numeric spam

  My thought is they are either building a db of valid names or testing delivery techniques.

  John T
  eServices For You

  "Seek, and ye shall find!"




Re: [sniffer]Numeric spam

2006-06-06 Thread Darin Cox



They do, but you have to both specify that email for your domains only comes from your mail servers AND use a test in your spam filtering that checks SPF and pushes fails over your hold limit.

Darin.


 - Original Message -
 From: Computer House Support
 To: Message Sniffer Community
 Sent: Tuesday, June 06, 2006 8:07 PM
 Subject: Re: [sniffer]Numeric spam

 I thought that having an SPF record would prevent a spammer from forging your domain name, but our SPF record did not seem to help with these odd numeric E-mails which appear to be coming from our own domain.

 Does anyone have any info about SPF records and if they really work to combat this type of junkmail?

 Michael Stein
 Computer House




Re: [sniffer]Numeric spam

2006-06-06 Thread Computer House Support



Hi Darin,

Thanks for your reply. Sure wish I understood what you're saying.

Michael Stein
Computer House


 - Original Message -
 From: Darin Cox
 To: Message Sniffer Community
 Sent: Tuesday, June 06, 2006 8:10 PM
 Subject: Re: [sniffer]Numeric spam

 They do, but you have to both specify that email for your domains only comes from your mail servers AND use a test in your spam filtering that checks SPF and pushes fails over your hold limit.

 Darin.
  
  


Re: [sniffer]SPF

2006-06-06 Thread Darin Cox



What's your hold weight? If spam is only failing SPF and nothing else, then the message doesn't get held, so you don't see it.

Also, I do not recommend negative weighting SPFPASS. Spammers have SPF records, too, so you're giving them an opportunity to exploit it.

Lastly, I think you may be confused on your SPF records. They should not have the "name" portion. There is only one SPF record per domain.

So, for computerhouse.com, your SPF record should simply be

v=spf1 mx -all

which tells it your MX is allowed to send mail for your domain (the "mx" part), but all others should fail (the "-all" part).

Please keep related communication on the list for others' benefit as well.

Darin.


- Original Message -
From: Computer House Support
To: [EMAIL PROTECTED]
Sent: Tuesday, June 06, 2006 9:40 PM
Subject: SPF

Hi Darin,

Thanks for your offer to help. I am E-mailing you off-list.

We do use Declude. The entry in our $default$.junkmail file looks like this:

SPFFAIL WARN
SPFPASS WARN
SPFUNKNOWN WARN

However, I have never seen an "SPF Failure" in the header of a spam mail.

Global.cfg:

SPFFAIL spffail x 30
SPFPASS spfpass x -10

Our SPF Record looks like this:

computerhouse.com. IN TXT "v=spf1 mx mx:mail.computerhouse.com"
mail.computerhouse.com. IN TXT "v=spf1 a -all"

Your insight is appreciated.

Michael Stein
Computer House






  - Original Message -
  From: Darin Cox
  To: Message Sniffer Community
  Sent: Tuesday, June 06, 2006 9:30 PM
  Subject: Re: [sniffer]Numeric spam

  What do you use for spam filtering? Declude has the ability to test SPF, for example.

  Also, what is your SPF record for the domain in question?

  Darin.
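Darin's point about the missing "-all", worked through as an added Python example (not Declude's code or any SPF library's): a toy SPF evaluator covering only the a, mx, ip4 and all terms, run against constructed zone data for the two records in Michael's post and for Darin's corrected record. The addresses are documentation-range placeholders, not the real computerhouse.com records.

```python
import ipaddress

# Added example: a toy SPF check_host() covering only the terms used in this
# thread (a, mx, ip4, all). Everything else is reported as permerror.
# The zone data is constructed; the addresses are documentation-range
# placeholders, not the real computerhouse.com records.
ZONE_AS_POSTED = {
    # Michael's records as posted: no "all" term on the domain itself.
    "computerhouse.com": {
        "MX": ["mail.computerhouse.com"],
        "TXT": ["v=spf1 mx mx:mail.computerhouse.com"],
    },
    "mail.computerhouse.com": {"A": ["192.0.2.25"], "TXT": ["v=spf1 a -all"]},
}
ZONE_FIXED = {
    # Darin's version: one record, on the domain, ending in -all.
    "computerhouse.com": {
        "MX": ["mail.computerhouse.com"],
        "TXT": ["v=spf1 mx -all"],
    },
    "mail.computerhouse.com": {"A": ["192.0.2.25"]},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(zone, name, rtype):
    return zone.get(name.lower().rstrip("."), {}).get(rtype, [])


def addresses_for(zone, mech, domain, arg):
    """Addresses matched by an 'a' or 'mx' term; arg overrides the domain.
    Note that mx:X means the MX hosts OF X, so mx:mail.computerhouse.com
    looks for MX records of the mail host itself (none in this zone)."""
    target = arg or domain
    if mech == "a":
        return set(lookup(zone, target, "A"))
    found = set()
    for mx_host in lookup(zone, target, "MX"):
        found.update(lookup(zone, mx_host, "A"))
    return found


def evaluate_spf(zone, record, domain, sender_ip):
    """First matching term wins. With no 'all' term the result is 'neutral',
    which is why the record as posted never rejects anything."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qual]
        if mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech in ("a", "mx"):
            matched = str(ip) in addresses_for(zone, mech, domain, arg)
        else:
            return "permerror"      # include/exists/ptr/redirect not modelled here
        if matched:
            return QUALIFIERS[qual]
    return "neutral"


def check_host(zone, mail_from_domain, sender_ip):
    """SPF consults only the MAIL FROM domain's record; a record published
    on a host name (mail.computerhouse.com) is never reached for
    @computerhouse.com senders, which is Darin's "name portion" point."""
    for txt in lookup(zone, mail_from_domain, "TXT"):
        if txt.lower().startswith("v=spf1"):
            return evaluate_spf(zone, txt, mail_from_domain, sender_ip)
    return "none"


if __name__ == "__main__":
    zombie, own_mx = "203.0.113.7", "192.0.2.25"   # constructed addresses
    for label, zone in (("as posted", ZONE_AS_POSTED), ("fixed", ZONE_FIXED)):
        print(label, "zombie:", check_host(zone, "computerhouse.com", zombie),
              "own MX:", check_host(zone, "computerhouse.com", own_mx))
```

A forged @computerhouse.com sender from a zombie address evaluates to neutral under the record as posted and only becomes a fail once the domain's own record ends in -all; whether a fail then holds the message is the separate hold-weight question Darin raises first.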
  


Re: [sniffer]Sniffer updates down?

2006-06-02 Thread Chuck Schick
John:

We are able to download updates fine.  Could be some routing issues.

Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
Of John T (Lists)
Sent: Friday, June 02, 2006 3:23 PM
To: Message Sniffer Community
Subject: [sniffer]Sniffer updates down?


I am getting errors since late last night that host can not be found.

John T
eServices For You

Seek, and ye shall find!











Re: [sniffer]Sniffer updates down?

2006-06-02 Thread Shaun Sturby, MCSE Optrics Engineering
Connecting to www.sortmonster.net[207.97.229.114]:80... connected.

As of 1 minute ago.

 Shaun Sturby, MCSE
 Manager - Technical Services

 Optrics Engineering - Solution Partners & Network Specialists
 Email: [EMAIL PROTECTED]   Website: www.Optrics.com
 United States:  1740 S 300 West #10 Clearfield, UT, 84015
 Phone: 1-877-430-6240  Fax: (801) 705-3150
 Canada: 6810 104 St. Edmonton, AB Canada T6H 2L6
 Phone: 1-877-463-7638  Fax: (780) 432-5630
 Optrics Engineering and FundSoft are divisions of Optrics Inc. 

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED]
Behalf Of John T (Lists)
Sent: Friday, June 02, 2006 3:23 PM
To: Message Sniffer Community
Subject: [sniffer]Sniffer updates down?


I am getting errors since late last night that host can not be found.

John T
eServices For You

Seek, and ye shall find!











Re: [sniffer]Sniffer updates down?

2006-06-02 Thread Goran Jovanovic
Hi John,

I got my Sniffer update at 5:03 pm no problem from Toronto

Goran Jovanovic
Omega Network Solutions

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On
Behalf Of John T (Lists)
Sent: Friday, June 02, 2006 5:23 PM
To: Message Sniffer Community
Subject: [sniffer]Sniffer updates down?

I am getting errors since late last night that host can not be found.

John T
eServices For You

Seek, and ye shall find!










Re: [sniffer]Sniffer updates down?

2006-06-02 Thread John T (Lists)
Well, I figured out what the problem is, sort of.

This last Monday I finally reconfigured the network at my Data Center for
using 2 Internet connections. 

For some reason, DNS queries going out the secondary connection are timing
out.

Fun Fun Fun.

John T
eServices For You

Seek, and ye shall find!


 -Original Message-
 From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
Of
 Goran Jovanovic
 Sent: Friday, June 02, 2006 3:57 PM
 To: Message Sniffer Community
 Subject: Re: [sniffer]Sniffer updates down?
 
 Hi John,
 
 I got my Sniffer update at 5:03 pm no problem from Toronto
 
 Goran Jovanovic
 Omega Network Solutions
 
 -Original Message-
 From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On
 Behalf Of John T (Lists)
 Sent: Friday, June 02, 2006 5:23 PM
 To: Message Sniffer Community
 Subject: [sniffer]Sniffer updates down?
 
 I am getting errors since late last night that host can not be found.
 
 John T
 eServices For You
 
 Seek, and ye shall find!
 
 
 
 
 
 
 







Re: [sniffer]Sniffer updates down?

2006-06-02 Thread Pete McNeil
Hello John,

Friday, June 2, 2006, 5:22:45 PM, you wrote:

 I am getting errors since late last night that host can not be found.

I checked your license record and, finding no problems, successfully
downloaded your rulebase file from the expected URL.

Not sure what could be going on but it seems it must be local based on
what I've seen so far.

_M


-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





Re: [sniffer]Viagra Spam

2006-05-31 Thread Pete McNeil
Hello Ali,

Wednesday, May 31, 2006, 2:44:28 AM, you wrote:

 How is everyone managing to deal with the upsurge of viagra spam mail.
 Sniffer does not seem to pick it up?

Just so you know we are on this... There are a set of abstracts coded
and we are collecting domain on this one as well. It is a new variant
of the one that started yesterday. It has quite a bit of bandwidth
behind it as well.

Rate Graph Image attached.

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.




Re: [sniffer]Spam Storm - It's a big one.

2006-05-26 Thread Bonno Bloksma

Hi Pete,


Watch out for today's spam storm -- it's a lot bigger than we've seen
in a long while. 48 hour image attached.


This has low priority, but I've tried to find a live version of that 
graph you've sent and I cannot find it at 
http://kb.armresearch.com/index.php?title=Message_Sniffer.LiveReports which 
would seem to be the logical place.


Is it nowhere live to be found or am I looking at the wrong place?


Groetjes,


Bonno Bloksma

---
[E-mail scanned at tio.nl for viruses by Declude Virus]






Re: [sniffer]Possible Paypal Phishing

2006-05-24 Thread John T (Lists)
Disregard my last post.

John T
eServices For You

Seek, and ye shall find!


 -Original Message-
 From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
Of
 Colbeck, Andrew
 Sent: Wednesday, May 24, 2006 9:38 AM
 To: Message Sniffer Community
 Subject: Re: [sniffer]Possible Paypal Phishing
 
 It's really from PostDirect.com aka YesMail.com ...
 
 You can tell that it's authorized because the reverse DNS which ends in
 PayPal.com (ok, that does set off alarm bells when it's someone else's
 netblock) matches the forward lookup of the resulting address at PayPal.
 
 Therefore, PayPal is deliberately allowing that reverse IP in someone
 else's netblock.
 
 That, or both the netblock and PayPal's DNS have been p0wned.
 
 Andrew 8)
 
 
 
  -Original Message-
  From: Message Sniffer Community
  [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
  Sent: Wednesday, May 24, 2006 9:31 AM
  To: Message Sniffer Community
  Subject: [sniffer]Possible Paypal Phishing
 
  Attached are the headers to an e-mail I am suspecting as a
  clever phising that has me worried.
 
  It looks like a legit message sent on behalf of Paypal,
  however, it is sent from an IP address not owned by Paypal
  BUT which has a REVDNS that ends in paypal.com.
 
  The message is full of links to images.postdirect.com but
  does have legit links to paypal.com.
 
  John T
  eServices For You
 
  Seek, and ye shall find!
 
 
 
 







Re: [sniffer]Possible Paypal Phishing

2006-05-24 Thread Jay Sudowski - Handy Networks LLC
The owner of a domain need not authorize a reverse DNS PTR record in any
way, shape or form.  If the netblock was owned, or the netblock owner
had delegated rDNS to a malicious customer, they could easily set rDNS
to whatever they wanted.  Aol.com, paypal.com, ebay.com, chase.com ...

-Jay
-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On
Behalf Of Colbeck, Andrew
Sent: Wednesday, May 24, 2006 12:38 PM
To: Message Sniffer Community
Subject: Re: [sniffer]Possible Paypal Phishing

It's really from PostDirect.com aka YesMail.com ...

You can tell that it's authorized because the reverse DNS which ends in
PayPal.com (ok, that does set off alarm bells when it's someone else's
netblock) matches the forward lookup of the resulting address at PayPal.

Therefore, PayPal is deliberately allowing that reverse IP in someone
else's netblock.

That, or both the netblock and PayPal's DNS have been p0wned.

Andrew 8)



 -Original Message-
 From: Message Sniffer Community 
 [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
 Sent: Wednesday, May 24, 2006 9:31 AM
 To: Message Sniffer Community
 Subject: [sniffer]Possible Paypal Phishing
 
 Attached are the headers to an e-mail I am suspecting as a 
 clever phishing that has me worried.
 
 It looks like a legit message sent on behalf of Paypal, 
 however, it is sent from an IP address not owned by Paypal 
 BUT which has a REVDNS that ends in paypal.com.
 
 The message is full of links to images.postdirect.com but 
 does have legit links to paypal.com.
 
 John T
 eServices For You
 
 Seek, and ye shall find!
 
 





Re: [sniffer]Possible Paypal Phishing

2006-05-24 Thread John T (Lists)
That is what has me worried.

John T
eServices For You

Seek, and ye shall find!


 -Original Message-
 From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
Of Jay
 Sudowski - Handy Networks LLC
 Sent: Wednesday, May 24, 2006 9:51 AM
 To: Message Sniffer Community
 Subject: Re: [sniffer]Possible Paypal Phishing
 
 The owner of a domain need not authorize a reverse DNS PTR record in any
 way, shape or form.  If the netblock was owned, or the netblock owner
 had delegated rDNS to a malicious customer, they could easily set rDNS
 to whatever they wanted.  Aol.com, paypal.com, ebay.com, chase.com ...
 
 -Jay
 -Original Message-
 From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On
 Behalf Of Colbeck, Andrew
 Sent: Wednesday, May 24, 2006 12:38 PM
 To: Message Sniffer Community
 Subject: Re: [sniffer]Possible Paypal Phishing
 
 It's really from PostDirect.com aka YesMail.com ...
 
 You can tell that it's authorized because the reverse DNS which ends in
 PayPal.com (ok, that does set off alarm bells when it's someone else's
 netblock) matches the forward lookup of the resulting address at PayPal.
 
 Therefore, PayPal is deliberately allowing that reverse IP in someone
 else's netblock.
 
 That, or both the netblock and PayPal's DNS have been p0wned.
 
 Andrew 8)
 
 
 
  -Original Message-
  From: Message Sniffer Community
  [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
  Sent: Wednesday, May 24, 2006 9:31 AM
  To: Message Sniffer Community
  Subject: [sniffer]Possible Paypal Phishing
 
  Attached are the headers to an e-mail I am suspecting as a
  clever phishing that has me worried.
 
  It looks like a legit message sent on behalf of Paypal,
  however, it is sent from an IP address not owned by Paypal
  BUT which has a REVDNS that ends in paypal.com.
 
  The message is full of links to images.postdirect.com but
  does have legit links to paypal.com.
 
  John T
  eServices For You
 
  Seek, and ye shall find!
 
 
 
 



Re: [sniffer]Possible Paypal Phishing

2006-05-24 Thread John T (Lists)
But how is PayPal's DNS involved in this as at what point are the Paypal DNS
servers queried?

John T
eServices For You

Seek, and ye shall find!


 -Original Message-
 From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
Of
 Colbeck, Andrew
 Sent: Wednesday, May 24, 2006 9:38 AM
 To: Message Sniffer Community
 Subject: Re: [sniffer]Possible Paypal Phishing
 
 It's really from PostDirect.com aka YesMail.com ...
 
 You can tell that it's authorized because the reverse DNS which ends in
 PayPal.com (ok, that does set off alarm bells when it's someone else's
 netblock) matches the forward lookup of the resulting address at PayPal.
 
 Therefore, PayPal is deliberately allowing that reverse IP in someone
 else's netblock.
 
 That, or both the netblock and PayPal's DNS have been p0wned.
 
 Andrew 8)
 
 
 
  -Original Message-
  From: Message Sniffer Community
  [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
  Sent: Wednesday, May 24, 2006 9:31 AM
  To: Message Sniffer Community
  Subject: [sniffer]Possible Paypal Phishing
 
  Attached are the headers to an e-mail I am suspecting as a
  clever phishing that has me worried.
 
  It looks like a legit message sent on behalf of Paypal,
  however, it is sent from an IP address not owned by Paypal
  BUT which has a REVDNS that ends in paypal.com.
 
  The message is full of links to images.postdirect.com but
  does have legit links to paypal.com.
 
  John T
  eServices For You
 
  Seek, and ye shall find!
 
 
 
 



Re: [sniffer]Possible Paypal Phishing

2006-05-24 Thread Colbeck, Andrew
John, I think my last post answered that.

FWIW, also check out the SPF record:

nslookup -type=TXT email.paypal.com

Which allows postdirect.com as a mailer.  In this case, it's not needed,
because they also allow SPF from the PTR records that match.

Andrew 8)


 -Original Message-
 From: Message Sniffer Community 
 [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
 Sent: Wednesday, May 24, 2006 9:45 AM
 To: Message Sniffer Community
 Subject: Re: [sniffer]Possible Paypal Phishing
 
 But how is PayPal's DNS involved in this as at what point are 
 the Paypal DNS servers queried?
 
 John T
 eServices For You
 
 Seek, and ye shall find!
 
 
  -Original Message-
  From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On 
  Behalf
 Of
  Colbeck, Andrew
  Sent: Wednesday, May 24, 2006 9:38 AM
  To: Message Sniffer Community
  Subject: Re: [sniffer]Possible Paypal Phishing
  
  It's really from PostDirect.com aka YesMail.com ...
  
  You can tell that it's authorized because the reverse DNS 
 which ends 
  in PayPal.com (ok, that does set off alarm bells when it's someone 
  else's
  netblock) matches the forward lookup of the resulting 
 address at PayPal.
  
  Therefore, PayPal is deliberately allowing that reverse IP 
 in someone 
  else's netblock.
  
  That, or both the netblock and PayPal's DNS have been p0wned.
  
  Andrew 8)
  
  
  
   -Original Message-
   From: Message Sniffer Community
   [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
   Sent: Wednesday, May 24, 2006 9:31 AM
   To: Message Sniffer Community
   Subject: [sniffer]Possible Paypal Phishing
  
   Attached are the headers to an e-mail I am suspecting as a clever 
   phishing that has me worried.
  
   It looks like a legit message sent on behalf of Paypal, 
 however, it 
   is sent from an IP address not owned by Paypal BUT which has a 
   REVDNS that ends in paypal.com.
  
   The message is full of links to images.postdirect.com but 
 does have 
   legit links to paypal.com.
  
   John T
   eServices For You
  
   Seek, and ye shall find!
  
  
  
  
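Jay's point (a PTR record is whatever the owner of the reverse zone writes into it) and Andrew's two replies (confirm the PTR with a forward lookup, then check the domain's SPF TXT record) together describe a check a mail administrator can script. What follows is an added example written for this archive; it is not code from the thread or from Message Sniffer. It replaces the live `nslookup` with a constructed DNS table (the `.example` names, the RFC 5737 test addresses and the SPF strings are all made up), implements forward-confirmed reverse DNS, and evaluates a teaching subset of SPF (RFC 7208) mechanisms: `ip4`/`ip6`, `a`, `include`, `ptr` and `all`. The `ptr` mechanism is exactly the case Andrew describes: a PTR name counts only if the forward zone resolves it back to the connecting address and it sits under the SPF domain.

```python
"""Forward-confirmed reverse DNS (FCrDNS) and a minimal SPF evaluation.

Added example for this mailing-list thread; not Message Sniffer code.
Every name and record below is constructed for illustration.
"""
import ipaddress

# Constructed zone data standing in for live lookups (nslookup / a resolver).
# Keys are (record type, owner name); values are lists of record data.
DNS = {
    # A PTR that the netblock owner pointed at a brand's domain, but the
    # brand's own zone has no A record for that name (Jay's scenario).
    ("PTR", "192.0.2.10"): ["mail.brand.example"],
    # A third-party mailer whose PTR the brand's zone does confirm (Andrew's
    # scenario): the forward lookup returns the same address.
    ("PTR", "203.0.113.25"): ["out1.brand.example"],
    ("A", "out1.brand.example"): ["203.0.113.25"],
    # A relay of an e-mail service provider reached through include:.
    ("PTR", "198.51.100.7"): ["relay7.esp.example"],
    ("A", "relay7.esp.example"): ["198.51.100.7"],
    ("TXT", "brand.example"): ["v=spf1 ip4:203.0.113.0/28 include:esp.example ptr -all"],
    ("TXT", "esp.example"): ["v=spf1 ip4:198.51.100.0/24 -all"],
}

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(rtype, name):
    """Return the record data for (rtype, name) from the constructed table."""
    return DNS.get((rtype, name.lower()), [])


def fcrdns(ip):
    """Return the PTR names of ip whose forward (A) lookup contains ip.

    A PTR alone proves nothing: whoever controls the reverse zone for the
    netblock can write any name into it. Only a name that the forward zone's
    owner resolves back to the same address is confirmed.
    """
    return [name for name in lookup("PTR", ip) if ip in lookup("A", name)]


def spf_record(domain):
    """Return the domain's v=spf1 TXT record, or None if it has none."""
    for txt in lookup("TXT", domain):
        if txt == "v=spf1" or txt.startswith("v=spf1 "):
            return txt
    return None


def check_spf(ip, domain, depth=0):
    """Evaluate ip against domain's SPF record.

    Returns one of pass, fail, softfail, neutral, none, permerror.
    Teaching subset of RFC 7208: no macros, exp, exists, mx or redirect,
    and only a simple recursion cap instead of the full lookup limits.
    """
    if depth > 10:
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = ip in lookup("A", arg or domain)
        elif mech == "include":
            matched = check_spf(ip, arg, depth + 1) == "pass"
        elif mech == "ptr":
            # Only forward-confirmed names count, and they must be the target
            # domain or a subdomain of it. RFC 7208 discourages ptr for its
            # lookup cost, not because a confirmed name is untrustworthy.
            target = (arg or domain).lower()
            matched = any(n == target or n.endswith("." + target) for n in fcrdns(ip))
        else:
            return "permerror"
        if matched:
            return RESULT[qualifier]
    return "neutral"


if __name__ == "__main__":
    for ip in ("192.0.2.10", "203.0.113.25", "203.0.113.5", "198.51.100.7"):
        print(ip, "fcrdns:", fcrdns(ip), "spf:", check_spf(ip, "brand.example"))
```

Running it shows the two halves of the thread side by side: 192.0.2.10 carries a brand-named PTR yet has no confirmed name and fails SPF, while 203.0.113.25 sits outside the `ip4` range but passes through the `ptr` mechanism because the brand's forward zone vouches for it, which is the "SPF from the PTR records that match" case Andrew mentions.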



Re: [sniffer]spam storm

2006-05-23 Thread Greg Birdsall
Nothing too out of the ordinary here - ~17,000 blocked messages between
10-11 AM EST. Yesterday same time frame was ~16,000.

- greg



-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
Of Computer House Support
Sent: Tuesday, May 23, 2006 10:35 AM
To: Message Sniffer Community
Subject: [sniffer]spam storm

Dear Sniffer Friends,

Our servers are really getting slammed with spam.  Is anyone else seeing a 
huge spam storm right now?


Michael Stein
Computer House 






Re: [sniffer]spam storm

2006-05-23 Thread John Carter
For a couple days I have seen an increase in general spam (lots of male
enhancements), but particularly Nigerian letters.

John C

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
Of Computer House Support
Sent: Tuesday, May 23, 2006 9:35 AM
To: Message Sniffer Community
Subject: [sniffer]spam storm

Dear Sniffer Friends,

Our servers are really getting slammed with spam.  Is anyone else seeing a
huge spam storm right now?


Michael Stein
Computer House 






Re: [sniffer]spam storm

2006-05-23 Thread Pete McNeil
Tuesday, May 23, 2006, 10:35:01 AM, you wrote:

 Dear Sniffer Friends,

 Our servers are really getting slammed with spam.  Is anyone else seeing a
 huge spam storm right now?


Hello Michael & Sniffer Folks,

http://reports.messagesniffer.com/Performance/FlowRates.jsp

Logs since about 0523.0100 have shown a spike and a heavy increase.

I was also called in on a new image spam wave early this morning
(about 6 hours ago), and there is a new snake-oil spam going around -
just text about canadian drugs and a link - but prolific, lots of
bandwidth, and an inexhaustible supply of domains (luckily that's not
all we use).

Today seems a stair step up from the previous spam storm alert a few
days ago.

48 hour image attached.

Note: We've throttled back one of our heaviest spamtraps to keep our
sampling more current (the increased volume was causing some
queueing). As a result, the peaks on the graph are lower than they
might normally be... the shape of the graph is the important part of
the image. The flow rates analysis (link at top) shows the shelf
starting at 0100 and building.

Hope this helps,

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.

[Attachment: getchart.jsp.png, PNG image]



Re: [sniffer]possibly moving to new os

2006-05-20 Thread Pete McNeil
Hello steve,

Saturday, May 20, 2006, 4:51:10 PM, you wrote:

   
  
 Hi,

 We are a current Imail/sniffer/declude customer.

 We are thinking of moving away from our current Imail setup to one using
 postfix.

 I downloaded the 30  trial.  Is it possible to transfer our license
 to the new setup after we finish testing?

Yes.

If you have a valid license and you move to a new platform you can
take that license with you. One license per MTA is all that we
require.

Thanks!

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





Re: [sniffer]Ebay Phishing Emails getting through

2006-05-17 Thread Computer House Support
We have not noticed any today.


Michael Stein
Computer House

- Original Message - 
From: Jim Matuska Jr. [EMAIL PROTECTED]
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Wednesday, May 17, 2006 2:46 PM
Subject: [sniffer]Ebay Phishing Emails getting through


Has anyone else been getting an excess amount of ebay phishing emails making
it through sniffer today?  I have personally received a couple of them and
have multiple users reporting the same.  I have forwarded them to the
sniffer spam@ address if you can take a look Pete it would be much
appreciated.

Thank You,

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]










Re: [sniffer]Ebay Phishing Emails getting through

2006-05-17 Thread Daniel Bayerdorffer
I've gotten one myself.

The pharmacy ones, are still coming through too for that matter.

 

 -Original Message-
 From: Message Sniffer Community 
 [mailto:[EMAIL PROTECTED] On Behalf Of Herb Guenther
 Sent: Wednesday, May 17, 2006 3:03 PM
 To: Message Sniffer Community
 Subject: Re: [sniffer]Ebay Phishing Emails getting through
 
 I have not seen any.
 
 Herb
 
 Jim Matuska Jr. wrote:
  Has anyone else been getting an excess amount of ebay 
 phishing emails making
  it through sniffer today?  I have personally received a 
 couple of them and
  have multiple users reporting the same.  I have forwarded 
 them to the
  sniffer spam@ address if you can take a look Pete it would be much
  appreciated.
 
  Thank You,
 
  Jim Matuska Jr.
  Computer Tech2, CCNA
  Nez Perce Tribe
  Information Systems
  [EMAIL PROTECTED]
 
   
 
 
 
 
 
 

 
 -- 
 Herb Guenther
 Lanex, LLC
 www.lanex.com
 (262)789-0966x102 Office
 (262)780-0424 Direct
 
 
 This e-mail is confidential and is for the use of the 
 intended recipient(s)only. If you are not an intended 
 recipient please advise us of our error by return e-mail then 
 delete this e-mail and any attached files. You may not copy, 
 disclose or use the contents in any way.
 
 
 
 



Re: [sniffer]Ebay Phishing Emails getting through

2006-05-17 Thread Pete McNeil
Hello Jim,

Wednesday, May 17, 2006, 2:46:48 PM, you wrote:

 Has anyone else been getting an excess amount of ebay phishing emails making
 it through sniffer today?  I have personally received a couple of them and
 have multiple users reporting the same.  I have forwarded them to the
 sniffer spam@ address if you can take a look Pete it would be much
 appreciated.

<ot>

Ah... So the list is working :-) I'll have to update the signup
instructions... I can check that off the list.

</ot>

Today, starting at about 0100 E, the blackhats really took it up a
notch. I know because I was on duty making rules at the time.

One of the things I saw a lot of were new phishing attacks - all
varieties and variants.

I know the team has been pushing hard on these, but some are bound to
get through on the first few passes.

Another thing we've noticed in the grand scheme is that localized
phishing attacks are becoming more common. These are less likely to
hit our spamtraps since the target lists used are highly regional --
so if we don't have a spamtrap in that geography our view of the spam
may be delayed. We're working on this problem on a number of fronts..
Ideas, as always, are welcome.

Certainly, submitting samples to spam@ (or preferably your local spam
submission point polled by our bots) will put these messages in front
of us if we have not already created rules for them.

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





Re: [sniffer]Ebay Phishing Emails getting through

2006-05-17 Thread Colbeck, Andrew
 Certainly, submitting samples to spam@ (or preferably your 
 local spam submission point polled by our bots) will put 
 these messages in front of us if we have not already created 
 rules for them.

I've just manually submitted the ~35 messages that my filters triggered
on for phishing that didn't trigger Message Sniffer today but ended up
in my HOLD folder anyway due to their total spamminess.

Most of them are against eBay and came from Germany.

Andrew 8)

 

 -Original Message-
 From: Message Sniffer Community 
 [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
 Sent: Wednesday, May 17, 2006 12:53 PM
 To: Message Sniffer Community
 Subject: Re: [sniffer]Ebay Phishing Emails getting through
 
 Hello Jim,
 
 Wednesday, May 17, 2006, 2:46:48 PM, you wrote:
 
  Has anyone else been getting an excess amount of ebay 
 phishing emails 
  making it through sniffer today?  I have personally 
 received a couple 
  of them and have multiple users reporting the same.  I have 
 forwarded 
  them to the sniffer spam@ address if you can take a look 
 Pete it would 
  be much appreciated.
 
 <ot>
 
 Ah... So the list is working :-) I'll have to update the 
 signup instructions... I can check that off the list.
 
 </ot>
 
 Today, starting at about 0100 E, the blackhats really took it 
 up a notch. I know because I was on duty making rules at the time.
 
 One of the things I saw a lot of were new phishing attacks - 
 all varieties and variants.
 
 I know the team has been pushing hard on these, but some are 
 bound to get through on the first few passes.
 
 Another thing we've noticed in the grand scheme is that 
 localized phishing attacks are becoming more common. These 
 are less likely to hit our spamtraps since the target lists 
 used are highly regional -- so if we don't have a spamtrap in 
 that geography our view of the spam may be delayed. We're 
 working on this problem on a number of fronts..
 Ideas, as always, are welcome.
 
 Certainly, submitting samples to spam@ (or preferably your 
 local spam submission point polled by our bots) will put 
 these messages in front of us if we have not already created 
 rules for them.
 
 _M
 
 --
 Pete McNeil
 Chief Scientist,
 Arm Research Labs, LLC.
 
 



RE: [sniffer] Test

2006-05-16 Thread John T (Lists)
Pong

John T
eServices For You

Seek, and ye shall find!


 -Original Message-
 From: sniffer@sortmonster.com [mailto:[EMAIL PROTECTED] On Behalf
Of Pete
 McNeil
 Sent: Monday, May 15, 2006 10:12 PM
 To: sniffer@sortmonster.com
 Subject: Test
 
 Hello sniffer,
 
   Just testing.
 
 --
 Pete McNeil
 Chief Scientist,
 Arm Research Labs, LLC.
 
 




This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html


Re: [sniffer] Test

2006-05-16 Thread Nick Hayer

pong...

Pete McNeil wrote:


Hello sniffer,

 Just testing.

 






Re: [sniffer] Test

2006-05-16 Thread Sharon . Daniels




Message received...
Sharon
Portage College


From: Pete McNeil [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Date: 05/15/2006 11:12 PM
Please respond to sniffer
To: sniffer@sortmonster.com
Subject: Test




Hello sniffer,

  Just testing.

--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.




Re: [sniffer] zipping log files

2006-05-12 Thread Roger Moser
On February 9, 2006 Pete wrote:

 I expect to be able to accept compressed log files within the next few
 days if all goes as planned.

 I will announce that ability on this list when we are ready.

Is it possible now?

Roger




Re: [sniffer] zipping log files

2006-05-12 Thread Pete McNeil
Hello Pete,

Friday, May 12, 2006, 1:48:00 PM, you wrote:

 Hello Sniffer Folks,

 I expect to be able to accept compressed log files within the next
 few days if all goes as planned.

 I will announce that ability on this list when we are ready.

Is it possible now?

Roger

 Sorry for the odd way of posting this response, I'm in the middle of
 changing mail servers and the old one is a bit confused.

 Roger,

 Go ahead and post logs that are zipped using the following rules:

<snip/>

 It's not set up yet (I've been distracted working on other SNF stuff)
 but I will have scripting in place to handle the above within a few
 minutes.

The code is now in place and has been tested.

Best,

_M


-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





RE: [sniffer] Lot of Drugs Spam getting through sniffer....

2006-05-05 Thread Daniel Bayerdorffer
Here too.

--
Daniel Bayerdorffer  [EMAIL PROTECTED]
Numberall Stamp & Tool Co., Inc.
PO Box 187 Sangerville, ME 04479 USA
TEL 207-876-3541  FAX 207-876-3566
www.numberall.com
 
 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Schick
 Sent: Friday, May 05, 2006 10:34 AM
 To: sniffer@sortmonster.com
 Subject: [sniffer] Lot of Drugs Spam getting through sniffer
 
 The last few days tons of Drugs spam is coming in and sniffer 
 is catching
 none of it.
 
 Chuck Schick
 Warp 8, Inc.
 (303)-421-5140
 www.warp8.com
 
 
 


RE: [sniffer] Lot of Drugs Spam getting through sniffer....

2006-05-05 Thread Kevin Stanford
I have been getting them here also and have forwarded some to
[EMAIL PROTECTED] 

I guess to get past the filters the spammers misspell key words throughout
the email with new web links. It is misspelled so badly that I cannot really
make sense of it. Are there actual people out there that would buy this
stuff from a spam email like that?

 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Daniel Bayerdorffer
Sent: Friday, May 05, 2006 9:38 AM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] Lot of Drugs Spam getting through sniffer

Here too.

--
Daniel Bayerdorffer  [EMAIL PROTECTED] Numberall Stamp & Tool Co., Inc.
PO Box 187 Sangerville, ME 04479 USA
TEL 207-876-3541  FAX 207-876-3566
www.numberall.com
 
 

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Schick
 Sent: Friday, May 05, 2006 10:34 AM
 To: sniffer@sortmonster.com
 Subject: [sniffer] Lot of Drugs Spam getting through sniffer
 
 The last few days tons of Drugs spam is coming in and sniffer is 
 catching none of it.
 
 Chuck Schick
 Warp 8, Inc.
 (303)-421-5140
 www.warp8.com
 
 
 


RE: [sniffer] Lot of Drugs Spam getting through sniffer....

2006-05-05 Thread John A. Back
The more interesting fact is that Outlook's generic spam filter is catching
1 to 7 spam messages per day for me.

John Back
Baldwin School

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Chuck Schick
Sent: Friday, May 05, 2006 10:34 AM
To: sniffer@sortmonster.com
Subject: [sniffer] Lot of Drugs Spam getting through sniffer

The last few days tons of Drugs spam is coming in and sniffer is catching
none of it.

Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com





Re: [sniffer] Bad Rule Alert: 963461 follow up.

2006-04-19 Thread Jeff Alexander

Peter,

I have taken over the network administration for Neptune Chemical Pump Co. 
Could I get a manual for the sniffer software?  That is, how to use it, set it up 
and confirm it is still configured correctly.



Thank you,

Jeff Alexander
Neptune Chemical Pump
Network Administrator

- Original Message - 
From: Pete McNeil [EMAIL PROTECTED]

To: sniffer@sortmonster.com
Sent: Tuesday, April 18, 2006 12:07 PM
Subject: [sniffer] Bad Rule Alert: 963461 follow up.



Hello Sniffer Folks,

 Regarding rule 963461 - the rule was coded for a short sequence of
 &nbsp;&nbsp;&nbsp; (3x). It was misinterpreted and/or miscopied as part of
 obfuscation.

 The rule was coded at 20060417.1929 E and removed at approximately
 20060418.1000 E.

 There was one additional rule pulled (963533) which was coded for a
 binary segment of an image file. No hits have been reported on the
 second rule at this time.

Best,
_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)
Chief Scientist (www.armresearch.com)










Re: [sniffer] Sniffer application

2006-04-19 Thread Pete McNeil
On Wednesday, April 19, 2006, 11:05:15 AM, Jeff wrote:

JA Peter,

JA  I have taken over the network administration for Neptune Chemical Pump Co.
JA  Could I get a manual for the sniffer software? That is, how to use, set up,
JA  and confirm it is still configured correctly.

You can find the root of our documentation here:

http://kb.armresearch.com/index.php?title=Main_Page

And the Message Sniffer specific part begins here:

http://kb.armresearch.com/index.php?title=Message_Sniffer

We have been reorganizing and expanding our documentation. To ensure
that it will be as good as possible, we are allowing people to edit
the documentation online when they feel something could be added or
improved. If you would like to have an account for the wiki please
send a note to support@ and we will set you up.

Thanks,

_M





Re: [sniffer] Message loop

2006-04-19 Thread Pete McNeil
On Wednesday, April 19, 2006, 7:20:01 PM, Matt wrote:

M
M  Pete,
M  
M  I tried replying to some FP reports and I received back some loop reports 
from your gateway:
M  
M  
M  
M  
M Failed to deliver to '[EMAIL PROTECTED]'
M mail loop: too many hops (too many 'Received:' header fields)

I'm aware of the problem. It's actually a problem on our partners'
servers. They are making a transition and the destination server is
unhappy about the number of hops required to get there through our
forwarding chain.

I believe they have adjusted these settings this afternoon to
compensate.

Thanks!

_M



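As an added example, not code from the Sniffer project or from anyone on the list: a small Python simulation of the hop-count loop check behind the "too many hops" bounce quoted above, showing how a long forwarding chain trips a destination with a low limit. Hostnames, the sample message and the hop limit are constructed assumptions.

```python
"""Simulate the Received:-counting loop check an MTA applies on each hop."""
from email import policy
from email.parser import BytesParser

# Assumed limit for this example. Real MTAs make it configurable (for
# instance Postfix's hopcount_limit); a destination with a low limit behind
# a long forwarding chain produces exactly the bounce quoted on the list.
DEFAULT_MAX_HOPS = 25

# Wording taken from the bounce quoted in the thread.
LOOP_REASON = "mail loop: too many hops (too many 'Received:' header fields)"


def count_received(raw: bytes) -> int:
    """Count Received: header fields: one per relay the message passed."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return len(msg.get_all("Received", []))


def stamp(raw: bytes, relay: str, prev: str) -> bytes:
    """Prepend the Received: field a relay adds when it accepts a message."""
    field = (f"Received: from {prev} by {relay} with ESMTP;\r\n"
             f"\tWed, 19 Apr 2006 19:20:01 -0400\r\n")
    return field.encode() + raw


def relay_chain(raw: bytes, relays: list, max_hops: int = DEFAULT_MAX_HOPS):
    """Pass the message through each relay in order.

    Each relay counts the hops already recorded before adding its own and
    bounces when the limit is reached, which is how an MTA breaks forwarding
    loops. Returns (delivered, bouncing_relay, reason)."""
    prev = "sender.example.org"  # constructed origin host
    for relay in relays:
        if count_received(raw) >= max_hops:
            return False, relay, LOOP_REASON
        raw = stamp(raw, relay, prev)
        prev = relay
    return True, None, None


# Constructed sample message with no Received: fields yet.
SAMPLE = (b"From: reporter@example.org\r\nTo: support@example.com\r\n"
          b"Subject: FP report\r\n\r\nconstructed body\r\n")

if __name__ == "__main__":
    chain = [f"relay{i}.example.net" for i in range(1, 8)]
    print(relay_chain(SAMPLE, chain, max_hops=25))  # delivered
    print(relay_chain(SAMPLE, chain, max_hops=5))   # bounced at relay6
```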


Re: [sniffer] False positive processing

2006-03-21 Thread Darin Cox
Nope.  None of them.

I haven't heard back from the replies to a couple of false positives on the
10th, and we haven't heard anything from our submissions on the 16th (6) and
17th (2).  I don't remember if we've heard anything from those on the 15th
(4).

Darin.


- Original Message - 
From: Pete McNeil [EMAIL PROTECTED]
To: Darin Cox sniffer@SortMonster.com
Sent: Tuesday, March 21, 2006 11:21 AM
Subject: Re: [sniffer] False positive processing


On Tuesday, March 21, 2006, 9:38:46 AM, Darin wrote:

DC Hi Pete,
DC
DC Are you getting behind on false positive processing? We have
DC gotten a response in a few days, and are still forwarding false
DC positives for an FP report that we asked for a white rule on the 10th.

I'm not behind.

Did the message get tagged on its way out of your system?

Thanks,

_M





Re: [sniffer] Updates slow

2006-03-20 Thread Pete McNeil
On Monday, March 20, 2006, 3:58:03 PM, John wrote:

JTL It seems today that updates have been slow to retrieve, the last one
JTL averaging 54 Kbps. Updates are triggered on the e-mail update notice.

I just retrieved your rulebase at an average of 267K/sec via my DSL.
My DL rate is 3Mbps - so that's just about full bandwidth.

Occasionally there are high bursts of traffic - perhaps you met one of
those.

Another possibility is that your specific network path may have, or
have had, an issue --- on the previous report of slow downloads it
turned out that RackSpace was working on a network problem that seemed
to affect only some paths into the server(s).

Hope this helps,

_M





RE: [sniffer] New Web Site!

2006-03-17 Thread Tom Baker | BAKERFL
http://www.google.com/search?q=what+is+a+wiki

http://wiki.org/wiki.cgi?WhatIsWiki

Wiki is a piece of server software that allows users to freely create
and edit Web page content using any Web browser. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harry Vanderzand
Sent: Friday, March 17, 2006 9:15 AM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] New Web Site!

What is a wiki?

Harry Vanderzand
inTown Internet & Computer Services
519-741-1222


 

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
 Sent: Friday, March 17, 2006 11:07 AM
 To: sniffer@sortmonster.com
 Subject: [sniffer] New Web Site!
 
 Hello Sniffer Folks,
 
   Today we are making a major transition. The old Message Sniffer web
   site will be torn down and replaced with a new WIKI:
 
   http://kb.armresearch.com/index.php?title=Message_Sniffer
 
   The top Message Sniffer page will retain its index for a while but
   instead of sending you to the original pages the links will take you
   to appropriate pages in the new WIKI.
 
   Also - if you try to go directly to an old page you will be
   redirected automatically to the appropriate new page.
 
   The WIKI requires that you create an account and log-in before
   making any changes. We know there are blackhats out there so we will
   be watching very closely... If we find there is abuse, we will
   disable the ability to create accounts and you will need to contact
   us at support@ if you want the ability to post -- let's hope it
   doesn't come to that.
 
   We will continue to update, improve, and correct the wiki - it will,
   in fact, be under constant development.
 
   Have fun!
 
 Thanks,
 
 _M
   
 Pete McNeil (Madscientist)
 President, MicroNeil Research Corporation
 Chief SortMonster (www.sortmonster.com)
 Chief Scientist (www.armresearch.com)
 
 
 
 





RE: [sniffer] New Web Site!

2006-03-17 Thread John T (Lists)
What is the purpose of using a WIKI site?

John T
eServices For You

Seek, and ye shall find!


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 On Behalf Of Pete McNeil
 Sent: Friday, March 17, 2006 8:07 AM
 To: sniffer@sortmonster.com
 Subject: [sniffer] New Web Site!
 
 Hello Sniffer Folks,
 
   Today we are making a major transition. The old Message Sniffer web
   site will be torn down and replaced with a new WIKI:
 
   http://kb.armresearch.com/index.php?title=Message_Sniffer
 
   The top Message Sniffer page will retain its index for a while but
   instead of sending you to the original pages the links will take you
   to appropriate pages in the new WIKI.
 
   Also - if you try to go directly to an old page you will be
   redirected automatically to the appropriate new page.
 
   The WIKI requires that you create an account and log-in before
   making any changes. We know there are blackhats out there so we will
   be watching very closely... If we find there is abuse, we will
   disable the ability to create accounts and you will need to contact
   us at support@ if you want the ability to post -- let's hope it
   doesn't come to that.
 
   We will continue to update, improve, and correct the wiki - it will,
   in fact, be under constant development.
 
   Have fun!
 
 Thanks,
 
 _M
 
 Pete McNeil (Madscientist)
 President, MicroNeil Research Corporation
 Chief SortMonster (www.sortmonster.com)
 Chief Scientist (www.armresearch.com)
 
 

