Hi Pete,
Can you clarify what this .xhdr option is and how
we can enable it? I don't remember anything in the
documentation that describes it. I think there were references to the
config file previously, but there was never anything about it in mine. If
you could give an example of how to enable and use the info it would be greatly
appreciated.
Darin.

----- Original Message -----
From: Pete McNeil
Sent: Monday, October 16, 2006 11:13 PM
Subject: [sniffer] Re: Significant increase in false positives

Hello Matt,

Monday, October 16, 2006, 10:03:04 PM, you wrote:
The rule was coded for a binary segment in an image file. Here is the rule information:
I removed the rule as soon as we began receiving reports - about mid-day today.
I have discussed this with Declude and I am hopeful that we will have better integration w/ Declude some time in the future. In the meantime, our next version will include a feature to inject headers into message files.

Understand, however, that this is an expensive feature that will substantially increase the I/O requirements on any mail server. Injecting headers requires that the entire message file must be written to disk an additional time. This is not a small consideration -- where once most spam were tiny text/html files (often less than 5K), today's image spam variants are frequently 5 to 10 times the size of the old spam we used to know.

Also, note that this kind of thing can be very buggy on Winx systems -- sometimes changes to files are not reflected immediately between processes. For example, rename operations are not atomic, so when the old message file is deleted and the new version is renamed from its temp file to the original message file name, other Winx processes that depend on that file may not respond reliably.

For all of these reasons and more I've probably not thought of, this feature will be a "use at your own risk / YMMV" option.

All that said, there is an existing option in the current version of SNF to produce a .xhdr file for each message. This option is frequently used in *nix systems that use SNF. It would be possible to write a short utility (perhaps even a script) that would modify quarantined messages out-of-band to include the contents of the .xhdr file as X- headers. Such a utility is not currently on our development list, however, and I hallucinate that such a device would tend to evolve into something somewhat system specific.

The best option would be for Declude to add a feature that picks up x-headers created by external programs (perhaps in files named <message-file-name>.xhdr) so that they can be added in a single message rewrite along with the headers that Declude already adds. This would solve the I/O problems and standardize the mechanism for any other external programs that might wish to add headers.

Hope this helps,

_M

--
Pete McNeil
Chief Scientist, Arm Research Labs, LLC.

#############################################################
This message is sent to you because you are subscribed to the mailing list <sniffer@sortmonster.com>.
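As an added example (not SNF, Declude or Pete's code), here is the out-of-band utility the message above describes: a Python script that reads <message-file-name>.xhdr and splices its lines into the message's header block, then replaces the message file. The page does not show the .xhdr layout, so the script assumes one complete header line per line; the fixture message, the header names in it and the function names are all made up for the example. Two checks a practitioner would want are built in: only well-formed X- header lines are accepted, so a malformed or tampered .xhdr file can neither insert a blank line that truncates the header block nor override a standard header such as Received: or Subject:, and the rewrite goes to a temp file that is renamed over the original, which is atomic on POSIX but, as Pete notes, not reliably so on Windows.

```python
#!/usr/bin/env python3
"""Out-of-band merge of <message>.xhdr contents into a quarantined message.

Added example; not SNF or Declude code. Assumptions not stated in the thread:
  * a .xhdr file holds complete header lines, one per line, e.g.
    "X-Example-Result: ..." (the real SNF .xhdr layout is not shown here);
  * messages are header block, blank line, body, with LF or CRLF endings.
"""
import os
import re
import shutil
import tempfile

# Accept only "X-<token>: <printable value>". Requiring the X- prefix means a
# stray or tampered .xhdr line can never add or override Subject:, Received:,
# Return-Path: and the like; forbidding control characters in the value means
# no line can fold into a neighbour or terminate the header block early.
_XHDR_LINE = re.compile(rb"^X-[!-9;-~]+:[ \t][^\x00-\x08\x0a-\x1f\x7f]*$")


def load_xhdr(data: bytes) -> list[bytes]:
    """Return validated header lines from .xhdr content; raise on anything else."""
    headers = []
    for line in data.splitlines():          # bytes.splitlines: \n, \r, \r\n only
        if not line:
            continue                        # tolerate a trailing newline
        if not _XHDR_LINE.match(line):
            raise ValueError("refusing .xhdr line: %r" % line[:60])
        headers.append(line)
    return headers


def inject_headers(message: bytes, headers: list[bytes]) -> bytes:
    """Append headers to the end of the existing header block.

    Works on bytes so the body (possibly a large image) is copied through
    byte-for-byte; the line ending of the header/body separator is reused.
    """
    if not headers:
        return message
    sep = re.search(rb"\r?\n\r?\n", message)
    if sep is None:                          # header-only message, no body
        eol = b"\r\n" if b"\r\n" in message else b"\n"
        return message.rstrip(b"\r\n") + eol + eol.join(headers) + eol + eol
    eol = b"\r\n" if sep.group(0).startswith(b"\r\n") else b"\n"
    cut = sep.start()
    if cut == 0:                             # message had no headers at all
        return eol.join(headers) + message
    return message[:cut] + eol + eol.join(headers) + message[cut:]


def apply_xhdr(msg_path: str) -> bool:
    """Rewrite msg_path in place from msg_path + '.xhdr'; False if there is none.

    The new copy goes to a temp file in the same directory, is fsynced, then
    moved over the original. On POSIX that rename is atomic; on Windows it is
    not (the point raised in the thread), so only run this on quarantined
    messages that no other process has open.
    """
    try:
        with open(msg_path + ".xhdr", "rb") as f:
            headers = load_xhdr(f.read())
    except FileNotFoundError:
        return False
    if not headers:
        return False
    with open(msg_path, "rb") as f:
        updated = inject_headers(f.read(), headers)
    directory = os.path.dirname(os.path.abspath(msg_path))
    fd, tmp = tempfile.mkstemp(prefix=".inject-", dir=directory)
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(updated)
            f.flush()
            os.fsync(f.fileno())
        shutil.copymode(msg_path, tmp)       # keep the original's permissions
        os.replace(tmp, msg_path)
    finally:
        if os.path.exists(tmp):              # still there only if a step failed
            os.unlink(tmp)
    return True


# Constructed fixture: a tiny quarantined message and a matching .xhdr file.
SAMPLE_MESSAGE = (b"Received: from mx.example.invalid\r\n"
                  b"Subject: special offer\r\n"
                  b"Content-Type: image/gif\r\n"
                  b"\r\n"
                  b"GIF89a...binary body stands in here...\r\n")
SAMPLE_XHDR = (b"X-Example-Result: 60\r\n"
               b"X-Example-Rule: 12345\r\n")


def demo(directory: str = "") -> bytes:
    """Write the fixture into a scratch directory, run apply_xhdr, return the result."""
    directory = directory or tempfile.mkdtemp(prefix="xhdr-demo-")
    msg_path = os.path.join(directory, "message.eml")
    with open(msg_path, "wb") as f:
        f.write(SAMPLE_MESSAGE)
    with open(msg_path + ".xhdr", "wb") as f:
        f.write(SAMPLE_XHDR)
    if not apply_xhdr(msg_path):
        raise RuntimeError("no .xhdr file was applied")
    with open(msg_path, "rb") as f:
        return f.read()


if __name__ == "__main__":
    print(demo().decode("ascii", "replace"))
```

Run it against a real quarantine directory by calling apply_xhdr on each message that has a sibling .xhdr file; a message without one is left untouched. The X- prefix requirement is deliberately strict: if the .xhdr format turns out to carry anything else, widen the validation knowingly rather than dropping it, because the validation is what keeps this utility from becoming a header-injection path into the quarantine.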