Hey Pete,

Is there a hook to use Sniffer in SmarterMail 6? I just had to move to SmarterMail rather than pay over $3k to upgrade iMail to run on a 64-bit Windows box. I'm using eWall at this point for Message Sniffer but may retire that with iMail.

On Feb 4, 2010, at 1:57 PM, Pete McNeil wrote:

> Hello Sniffer Folks,
>
> I thought I would drop you a note to let you know some things we're doing
> behind the scenes to improve filtering accuracy and prevent false positives.
>
> Unqualified false positive candidates:
>
> In partnership with our larger customers we have created a new system to
> proactively review captured messages that _might_ be unreported false
> positives (usually they are spam, but some aren't). Through this review
> process we are able to remove and modify pattern rules that cause occasional
> low-level false positives that would otherwise not be reported. This system
> is already allowing us to recode or remove dozens of rules per day to make
> them more accurate; and to update our rule coding practices and support
> systems to further improve our accuracy moving forward.
>
> Real-time rule / IP conflict analysis:
>
> Today we have completed a new false-positive early-warning system. This
> system monitors conflicts between IP reputations and pattern rule matches
> across the entire fleet of Message Sniffer installations in real-time. Any
> time a pattern match is in disagreement with a source IP's reputation that
> information is analyzed and pumped through a sophisticated collection of
> filters and data-mining tools. The resulting analysis is displayed in
> real-time in our spam-weather center so that our staff can respond
> immediately (24x365) if there is any sign of a "bad rule".
>
> Since we launched this new system and operating protocols earlier today we
> have already had several "events" -- All of them turned out to be valid
> anti-spam rules capturing content from bot nets that had previously sent
> *berserkers to improve their IP reputations, or where some of the campaigns
> in question had leaked sufficiently to produce temporary positive IP
> reputations on some systems. This information itself is very interesting now
> that we can see it more clearly and we are already working on ways to
> identify these cases and reduce the leakage associated with them.
>
> As always your comments, ideas, and suggestions are both welcome and
> encouraged.
>
> Best,
>
> _M
>
> PS: *berserkers - Blackhats sometimes send messages that are random and/or
> carry no payload. These "berserkers", sometimes sent by accident by broken
> bots or broken spam scripts, have the effect of improving the IP reputations
> of the systems that send them because there is no sufficient content to
> filter against. In addition these messages are often sent at such low rates
> that most adaptive filtering systems fail to respond to them--- if those
> systems were to be (conventionally) sensitized to the berserkers they would
> also significantly increase their false-positive rates.
>
> We call these berserkers based on the practice of old Norse warriors who, in
> an uncontrollable state (chaotic, berserk (in a fit of madness), and with the
> belief they are immune to weapons), would charge directly into the enemies'
> ranks fearlessly attacking anything and everything (friend or foe).
>
> http://en.wikipedia.org/wiki/Berserker
>
>
>
> #############################################################
> This message is sent to you because you are subscribed to
> the mailing list <sniffer@sortmonster.com>.
> This list is for discussing Message Sniffer,
> Anti-spam, Anti-Malware, and related email topics.
> For More information see http://www.armresearch.com
> To unsubscribe, E-mail to: <sniffer-...@sortmonster.com>
> To switch to the DIGEST mode, E-mail to <sniffer-dig...@sortmonster.com>
> To switch to the INDEX mode, E-mail to <sniffer-in...@sortmonster.com>
> Send administrative queries to <sniffer-requ...@sortmonster.com>
>

Regards,

Steve Guluk
SGDesign
(949) 661-9333