Thanks, Pete. I'm at the recommended logging level and can see the full XML record for GBU for each one of my scans. Despite my new <source> line, the logging shows that the original Received: header line is still being inspected.
Since you're not calling out an obvious typo or thinko on my part, I'll send copies of my originals to support@ ...

I think the real issue is that MessageSniffer is calling BS on the order of the headers that AOL webmail is emitting. MessageSniffer is probably acting correctly out of an abundance of caution.

Andrew.

-----Original Message-----
From: Message Sniffer Community [mailto:sniffer@sortmonster.com] On Behalf Of Pete McNeil
Sent: Monday, October 24, 2011 1:01 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Training GBUdb on the client IP for aol.com

On 10/24/2011 3:47 PM, Colbeck, Andrew wrote:
> <s u='20111024192740' m='c:\IMail\spool\spam\D015439194.smd' s='61'
> r='4432448'>
> <s u='20111024194111' m='c:\IMail\spool\spam\D015439194.smd' s='61'
> r='4432448'>
>
>
> C:\MessageSniffer>SNFClient.exe -test 92.231.217.255

Ok, you're working with a different message here (different IP). If you turn on GBUdb data logging then it will tell you what IP it believed to be the source.

http://www.armresearch.com/support/articles/software/snfServer/config/node/logs/scan/xml.jsp
http://www.armresearch.com/support/articles/software/snfServer/logFiles/activityLogs.jsp#XML

example like:

<s u='20070508012348' m='/spool/msg0123456789.msg' code='69' error='ERROR_MSG_FILE'/>
<s u='20070508012349' m='/spool/msg1123456789.msg' s='48' r='1234567'>
  <m s='48' r='1234567' i='2394' e='2409' f='m'/>
  <m s='48' r='2234567' i='2501' e='2515' f='m'/>
  <m s='48' r='1234567' i='2394' e='2409' f='f'/>
  <p s='10' t='8' l='3294' d='84'/>
  <g o='1' i='101.201.31.04' t='u' c='0.12345' p='0.3342983' r='Caution'/>
</s>

Hope this helps,

_M

--
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010

#############################################################
This message is sent to you because you are subscribed to the mailing list <sniffer@sortmonster.com>.
This list is for discussing Message Sniffer, Anti-spam, Anti-Malware, and related email topics.
For More information see http://www.armresearch.com
To unsubscribe, E-mail to: <sniffer-...@sortmonster.com>
To switch to the DIGEST mode, E-mail to <sniffer-dig...@sortmonster.com>
To switch to the INDEX mode, E-mail to <sniffer-in...@sortmonster.com>
Send administrative queries to <sniffer-requ...@sortmonster.com>
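
The check Pete describes, reading the <g> element of each scan record to see which IP GBUdb took as the source, sketched as an added example; it is not part of the original messages and is not ARM Research code. It assumes the log is a sequence of <s> records shaped like the sample quoted above; the third record, the expected-IP mapping and all function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# First two records follow the sample quoted in the thread; the third is constructed.
SAMPLE_LOG = r"""
<s u='20070508012348' m='/spool/msg0123456789.msg' code='69' error='ERROR_MSG_FILE'/>
<s u='20070508012349' m='/spool/msg1123456789.msg' s='48' r='1234567'>
  <m s='48' r='1234567' i='2394' e='2409' f='m'/>
  <p s='10' t='8' l='3294' d='84'/>
  <g o='1' i='101.201.31.04' t='u' c='0.12345' p='0.3342983' r='Caution'/>
</s>
<s u='20111024000000' m='c:\spool\constructed.smd' s='61' r='1'>
  <g o='2' i='192.0.2.10' t='u' c='0.5' p='0.5' r='Caution'/>
</s>
"""

def normalize_ipv4(ip):
    """Drop leading zeros per octet so '31.04' and '31.4' compare equal."""
    parts = ip.split(".")
    if len(parts) == 4 and all(p.isdigit() for p in parts):
        return ".".join(str(int(p)) for p in parts)
    return ip  # leave anything that is not dotted-quad untouched

def gbudb_sources(log_text):
    """One row per <s> scan record: timestamp, message file, GBUdb source IP."""
    # The records have no single root element, so wrap them before parsing.
    root = ET.fromstring("<snf>" + log_text + "</snf>")
    rows = []
    for scan in root.iter("s"):
        g = scan.find("g")  # absent when GBUdb logging is off or the scan errored
        rows.append({
            "time": scan.get("u"),
            "message": scan.get("m"),
            "source_ip": normalize_ipv4(g.get("i")) if g is not None else None,
        })
    return rows

def mismatches(log_text, expected):
    """expected maps message path -> IP the admin wants GBUdb to train on."""
    out = []
    for row in gbudb_sources(log_text):
        want = expected.get(row["message"])
        if want is not None and row["source_ip"] != normalize_ipv4(want):
            out.append((row["message"], want, row["source_ip"]))
    return out

if __name__ == "__main__":
    for row in gbudb_sources(SAMPLE_LOG):
        print(row["time"], row["message"], row["source_ip"])
```

A record with no <g> child yields a source IP of None, which is what you would see if GBUdb data logging were not enabled for that scan.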