Of course I'm sending the full message as an attachment.  You can do that with Outlook by attaching an item, then browsing your mail folders for the message to attach.  And yes, that's how you do it with Outlook Express as well.  I don't use Thunderbird or Netscape mail, but I would assume you still need to attach the original message to avoid the headers being lost.
 
What I was referring to was a little more involved than that... namely the possibility of it not matching a rule because the attachment was encoded differently.  For example, I've seen mail go through that base64 encoded an attached email that was not originally base64 encoded.
 
From Pete's responses, it sounded like "no rule found" really did mean no rule was matched.  Especially since he has a separate code for "rule already removed".  FPs we send are always from same day, or, at the very least, within 24 hours.

Darin.
 
 
----- Original Message -----
From: Matt
Sent: Wednesday, June 07, 2006 11:46 PM
Subject: Re: [sniffer]FP suggestions

Darin,

Outlook will strip many of the headers when forwarding.  Outlook Express needs to forward the messages using "Forward As Attachment" in order to insert the full original headers.  Thunderbird/Netscape Mail will work just by forwarding.  If you paste the full source in a message, you should send as plain text.

I have many FP's that come back as having no rules found, but these are more likely to be from rules that were already removed.  So I wouldn't jump to a conclusion that the rule was not found because of formatting unless you are not sending the full unadulterated original message source.  I would imagine that it would mostly be IP rules that aren't found when not forwarding the full original source.

Matt




Darin Cox wrote:
It is unclear - we receive FPs that have traveled through all sorts of
clients, quarantine systems, changed hands various numbers of times,
or not (to all of those)... Right now I don't want to make that
research project a high priority.
    

Understood.

  
That's true it wouldn't change, but submitting the message directly
would not be correct - the dialogue is with you, and in any case,
additional trips through the mail server also modify parts of the
header and sometimes parts of the message (tag lines, disclaimers,
etc)...
    

Hmmm... with attaching the original message, I guess it still makes more
sense to deliver to us first for now.  Just looking for an alternative that
gets you the message as close as possible to the original form as possible.
Maybe we'll write a script to copy and forward the D*.SMD file as an
attachment to you for FPs at some point in the future.



