Hi Pete,
 
Can you clarify what this .xhdr option is and how we can enable it?  I don't remember anything in the documentation that describes it.  I think there were references to the config file previously, but there was never anything about it in mine.  If you could give an example of how to enable and use the info it would be greatly appreciated.

Darin.
 
 
----- Original Message -----
Sent: Monday, October 16, 2006 11:13 PM
Subject: [sniffer] Re: Significant increase in false positives

Hello Matt,


Monday, October 16, 2006, 10:03:04 PM, you wrote:


> Pete,
>
> Would you please clarify this a bit. Declude of course doesn't record the rule in the headers, so this is difficult to figure out. Knowing the pattern may help identify the problematic messages. Also knowing the start time and end time of the rule would also help.


The rule was coded for a binary segment in an image file. Here is the rule information:


Rule - 1174356
Name: image spam binary segment as text !1AQaq"2
Created: 2006-10-14
Source: !1AQaq"2
Hidden: false
Blocked: false
Origin: Spam Trap
Type: Simple Text
Created By: [EMAIL PROTECTED]
Owner: [EMAIL PROTECTED]
Strength: 3.20638481603822
False Reports: 11
From Users: 7

Rule belongs to following groups: [252] Problematic


I removed the rule as soon as we began receiving reports - about mid-day today.


> It would be nice too if you talked with Declude about allowing for the insertion of headers, or even if you did this on your own. I believe the D* file may be editable when the external app is launched. That would make recovery of this so much easier for me (minutes instead of hours of work).


I have discussed this with Declude and I am hopeful that we will have better integration w/ Declude some time in the future.


In the meantime, our next version will include a feature to inject headers into message files. Understand, however, that this is an expensive feature that will substantially increase the I/O requirements on any mail server. Injecting headers requires that the entire message file must be written to disk an additional time. This is not a small consideration -- where once most spam was tiny text/html files (often less than 5K), today's image spam variants are frequently 5 to 10 times the size of the old spam we used to know.


Also, note that this kind of thing can be very buggy on Winx systems -- sometimes changes to files are not reflected immediately between processes. For example, rename operations are not atomic, so when the old message file is deleted and the new version is renamed from its temp file to the original message file name, other Winx processes that depend on that file may not respond reliably.


For all of these reasons and more I've probably not thought of - this feature will be a "use at your own risk / YMMV" option.


All that said, there is an existing option in the current version of SNF to produce a .xhdr file for each message. This option is frequently used in *nix systems that use SNF. It would be possible to write a short utility (perhaps even a script) that would modify quarantined messages out-of-band to include the contents of the .xhdr file as X- headers. Such a utility is not currently on our development list, however, and I hallucinate that such a device would tend to evolve into something somewhat system specific.


The best option would be for Declude to add a feature that picks up x-headers created by external programs (perhaps in files named <message-file-name>.xhdr) so that they can be added in a single message rewrite along with the headers that Declude already adds. This would solve the I/O problems and standardize the mechanism for any other external programs that might wish to add headers.


Hope this helps,


_M


-- 

Pete McNeil

Chief Scientist,

Arm Research Labs, LLC.
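The out-of-band utility Pete describes above, as an added example that is not SNF's or Declude's own code: it takes a message file and its <message-file-name>.xhdr, adds the .xhdr lines as X- headers at the end of the existing header block, and swaps the file in with a single os.replace() rather than the delete-then-rename sequence the thread warns about. The .xhdr layout (one ready-made `X-...: value` line per line) is an assumption, since SNF's actual format is not shown in the thread; lines that are not well-formed X- headers are rejected so a malformed .xhdr cannot inject other headers into the message.

```python
import os
import re
import tempfile

# Assumed .xhdr layout: one complete header line per line, e.g.
# "X-SNF-Result: ...". The thread does not show SNF's real format,
# so this is a constructed assumption.
HEADER_LINE = re.compile(r"^[!-9;-~]+:[ \t]")  # RFC 5322 field-name, ':', WSP


def load_xhdr_headers(xhdr_text):
    """Return the header lines from an .xhdr body, refusing anything that is
    not a single well-formed X- header (blocks stray CR/LF, non-header junk,
    or a .xhdr that tries to add e.g. a second Subject: line)."""
    headers = []
    for raw in xhdr_text.splitlines():   # splits on \r and \n alike
        line = raw.rstrip("\r")
        if not line.strip():
            continue
        if not HEADER_LINE.match(line) or not line.lower().startswith("x-"):
            raise ValueError("refusing non X- header line: %r" % line)
        headers.append(line)
    return headers


def inject_headers(message_text, headers):
    """Insert headers just before the blank line that ends the header block,
    preserving whatever line ending the message already uses."""
    eol = "\r\n" if "\r\n" in message_text else "\n"
    lines = message_text.split(eol)
    try:
        end = lines.index("")            # first blank line: header/body split
    except ValueError:
        end = len(lines)                 # headers only, no body
    return eol.join(lines[:end] + headers + lines[end:])


def inject_file(message_path):
    """Rewrite <message> using <message>.xhdr. The new content goes to a temp
    file in the same directory and is then moved over the original in one
    os.replace() call (atomic on POSIX; on Windows it still avoids the
    separate delete-then-rename window, but raises PermissionError if another
    process holds the file open, so callers should expect to retry or skip)."""
    with open(message_path, "r", newline="") as f:
        message = f.read()
    with open(message_path + ".xhdr", "r") as f:
        headers = load_xhdr_headers(f.read())
    new_message = inject_headers(message, headers)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(message_path) or ".")
    with os.fdopen(fd, "w", newline="") as f:
        f.write(new_message)
    os.replace(tmp, message_path)
    return new_message
```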

This message is sent to you because you are subscribed to the mailing list <sniffer@sortmonster.com>.
