Crew,

If I might suggest something that has nothing to do with sniffer directly...

I successfully reduced the number of spams delivered to our server by 25%
by automatically blacklisting the IP addresses which deliver spam. If the
weight of an e-mail goes over the "hold" weight, I add the IP address to the
list of blocked IP addresses for the next 60 minutes. During that time,
connections from these IPs are denied or dropped (don't really know). After
that, it's automatically removed.

This is something you can do with the MDaemon content filter using the "Add
Line To A Text File" action (combined with a script that creates tarpit.sem
every minute), don't know if this can be done with Declude or other systems.

Drawback is that false positives would generate a temporary blacklisting,
but I have not had any problems so far (the rule is in place for two weeks
now).


Michiel
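A worked version of the temporary blocking described above, combined with the hold-weight arithmetic from the quoted messages below (SNF weighted at 70-80% of "hold", so that one SNF hit plus one other test fails a message). This is an added example and not Michiel's MDaemon rule, nor code from SNF, Declude or MDaemon; the test names, weights, IP addresses and the never-block networks are constructed for illustration.

```python
import ipaddress
import time

HOLD_WEIGHT = 100          # message weight at which mail is held as spam
BLOCK_SECONDS = 60 * 60    # how long a spamming IP is refused (60 minutes, as in the post)

# Hypothetical per-test weights (not Declude's or SNF's real numbers).
# SNF is set to 75, i.e. 75% of HOLD per the "70-80% of your hold weight"
# advice: one SNF hit plus any single other test crosses HOLD, SNF alone does not.
TEST_WEIGHTS = {
    "SNF": 75,
    "DNSBL": 30,
    "PHRASE": 30,
    "BAD-HELO": 25,
}

# Networks that must never be auto-blocked whatever they send: your own MX and
# relays, upstream smarthosts, large shared providers. Constructed values.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "203.0.113.10/32")]


def message_weight(hits):
    """Sum of the weights of the tests a message tripped."""
    return sum(TEST_WEIGHTS[h] for h in hits)


class TempBlocklist:
    """IP -> expiry time. Entries fall out after ttl seconds, so a false
    positive costs at most one block window, which is the drawback the post names."""

    def __init__(self, ttl=BLOCK_SECONDS, clock=time.monotonic):
        self.ttl = ttl
        self.clock = clock        # injectable so the window can be tested without waiting
        self._expiry = {}

    def add(self, ip):
        """Block ip for ttl seconds; returns False if it is on the never-block list."""
        addr = ipaddress.ip_address(ip)        # also rejects garbage instead of storing it
        if any(addr in net for net in NEVER_BLOCK):
            return False
        self._expiry[addr] = self.clock() + self.ttl   # a repeat hit restarts the window
        return True

    def is_blocked(self, ip):
        addr = ipaddress.ip_address(ip)
        exp = self._expiry.get(addr)
        if exp is None:
            return False
        if exp <= self.clock():
            del self._expiry[addr]             # lazy expiry on lookup
            return False
        return True

    def purge(self):
        """Drop expired entries; what a once-a-minute job would do before
        rewriting the block file the MTA reads. Returns how many were dropped."""
        now = self.clock()
        dead = [a for a, e in self._expiry.items() if e <= now]
        for a in dead:
            del self._expiry[a]
        return len(dead)

    def active(self):
        """Currently blocked addresses, as strings, after purging."""
        self.purge()
        return sorted(str(a) for a in self._expiry)


def gate(ip, hits, blocklist):
    """Decision for one delivery attempt from ip whose content tripped `hits`:
    'refuse'  - ip is currently blocked, the message is never scored,
    'hold'    - weight reached HOLD, message held and ip blocked for the window,
    'accept'  - below HOLD."""
    if blocklist.is_blocked(ip):
        return "refuse"
    if message_weight(hits) >= HOLD_WEIGHT:
        blocklist.add(ip)
        return "hold"
    return "accept"


if __name__ == "__main__":
    t = [0.0]                                   # fake clock, seconds
    bl = TempBlocklist(clock=lambda: t[0])
    # constructed burst from a fresh IP, then the same IP an hour later
    print(gate("198.51.100.7", ["SNF"], bl))            # accept: 75 < 100
    print(gate("198.51.100.7", ["SNF", "PHRASE"], bl))  # hold: 105 >= 100, IP blocked
    print(gate("198.51.100.7", [], bl))                 # refuse: still inside the window
    t[0] = 3601.0
    print(gate("198.51.100.7", [], bl))                 # accept: window expired
    print(gate("192.0.2.5", ["SNF", "DNSBL"], bl))      # hold, but never-block net is not added
    print(bl.active())                                  # []
```

Two things the example adds to the rule as posted: the never-block list, because blocking a shared outbound IP (a large provider, a NAT gateway, your own relay) for an hour blocks every legitimate sender behind it, not just the one false positive; and an injectable clock, so the expiry behaviour can be checked without waiting 60 minutes.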

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
Of Pete McNeil
Sent: woensdag 20 september 2006 16:43
To: Message Sniffer Community
Subject: [sniffer] Re: Sniffer does not catch as much as it used to.

Hello Fox, Thomas,

I might add that for a long while it has been a common recommendation for SNF
to be weighted at 70-80% of your "hold" weight. Quite often, some result
categories are weighted to hold on their own.

These days blackhats are using a burst-mode delivery tactic that makes it
virtually certain the IPs they are using are previously unknown and
unlisted. As a result, if several IP blacklist hits are required in addition
to SNF then you are much more likely to see leakage than in previous months.

In testing our new GBUdb engine on our spamtrap servers I can see a constant
stream of new IPs sourcing spam and I also see the rate of new IPs spike
significantly when new variants of messages arrive.
These spikes are much higher than previously measured and continue to grow.

Hope this helps,

_M

PS: GBUdb is a real-time collaborative behavior analysis engine that tracks
statistics on good, bad, unknown (ugly), and ignored IPs. The engine will be
part of the next release of SNF due shortly.

Wednesday, September 20, 2006, 10:02:36 AM, you wrote:

> Hi Rick,

> I've found that tuning for spam is a constant process. I am always 
> tweaking settings, changing weights, etc., in response to spam 
> leakage.

> Just yesterday I spent about 2 hours on it. 

> I (very reluctantly) implemented some phrase filtering, using the 
> filter function in Declude. I've been reluctant to do phrase filtering 
> in the past, just because I'm so scared of false positives, but I was 
> able to work with a phrase list I was pretty sure would be safe.

> I also increased the weighting of some of the other Sniffer tests we 
> use, specifically the tests that scan for porn, get rich quick and 
> stuff like that. The weighting isn't so high that any one test will 
> cause the message to fail, but I did set it high enough on a few of 
> the Sniffer result codes so that if it fails that specific Sniffer test 
> and just one other test, it will fail as spam.

> It comes down to, IMHO, how much time you want to spend on it, and how 
> vigilant you want to be. I'd much rather spend a few hours a month 
> tweaking settings, than dealing with lusers calling daily because they 
> got an ad for Viagra. :-)

> I'd be happy to share my config files privately if you think it would 
> help.

> Good luck!
> Tom



>> I just signed my annual renewal for Sniffer but it seems that it used 
>> to catch lots of the email and now is only catching about 50% of the 
>> email. Why, when we are sending in our information, does this continue 
>> to happen? We are getting lots of "you won", "Pharmacy" spelled wrong and 
>> nonsense emails that sail through both Declude and Sniffer. Between 
>> the 2 of them that is over $1000 per year for spam/virus/hijack 
>> protection that seems not to be happening like it used to. Any answers 
>> as to when we will get relief on these?
>> 
>> Rick Hogue

> ---
> [This E-mail scanned for viruses by Declude Virus]



> #############################################################
> This message is sent to you because you are subscribed to
>   the mailing list <sniffer@sortmonster.com>.
> To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
> To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
> To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
> Send administrative queries to  <[EMAIL PROTECTED]>



-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.

