Here are the headers... How can this be caught with Declude??

12:05 00:32 SMTPD(06E400CC) [00000640] <mail.fanosa.com> VALIDATION: (MAIL FROM) mail.fanosa.com FAILED to validate MAIL FROM address [EMAIL PROTECTED]
12:05 00:32 SMTPD(06E400CC) [00000640] <mail.fanosa.com> VALIDATION: (MAIL FROM) <[EMAIL PROTECTED]> user does not exist on remote system
12:05 00:33 SMTPD(06E500CC) [00002292] <mail.fanosa.com> VALIDATION: (MAIL FROM) mail.fanosa.com FAILED to validate MAIL FROM address [EMAIL PROTECTED]
12:05 00:33 SMTPD(06E500CC) [00002292] <mail.fanosa.com> VALIDATION: (MAIL FROM) <[EMAIL PROTECTED]> user does not exist on remote system

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alejandro Valenzuela
Sent: Thursday, December 04, 2003 11:40 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] MAILFROM like Imail Test..

The Declude MAILFROM test checks only the domain on the MAILFROM address.

But we receive a lot of SPAM with a mailfrom like this:

<[EMAIL PROTECTED]>

Since hotmail.com is a valid domain, the message passes the test.

Is there a test like the "Mailfrom" of Imail that tests that the user really exists on the remote server??

<[EMAIL PROTECTED]> (In Imail this will fail...)

Thanks..

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
Sent: Thursday, December 04, 2003 5:21 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] sniffer

FYI, I believe the demo consolidates everything into two separate tests: General & Malware. However, it will still give you a very good idea of the overall effectiveness of running Sniffer with Declude.

Bill

----- Original Message -----
From: "T. Bradley Dean" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, December 04, 2003 4:02 PM
Subject: RE: [Declude.JunkMail] sniffer

>Declude is optimized to run the external test only once

That was going to be my next question, it looked terribly inefficient at first!

Thanks for the responses guys. I just installed the demo.

~Brad

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Wednesday, December 03, 2003 8:10 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] sniffer

Brad,

That's right. :-)

Heuristics for patterns are grouped by the spam that prompts us to generate them, or by how we created them. Most of the time they are at least close to classifying the type of spam.

Each system that uses Message Sniffer is encouraged to specify adjustable weights for each rule group so that the results from the pattern matching tests can be "tuned" for the greatest accuracy on that system and according to its unique mix of incoming spam and the users being served.

Declude is optimized to run the external test only once and allow the result code to be evaluated for all of the tests that define that external test... so in the example shown below sniffer would be called once and its result code would be evaluated many times.

Message Sniffer will typically match many patterns in a given spam. Currently the voting system that decides the winning pattern match uses the following rule:

Choose the first pattern match found with the lowest symbol.

Within the standard rulebase, rule groups are loosely grouped so that the least specific patterns have the largest symbols. The combination of these arrangements tends toward selecting the most specific pattern match available for a given message.

If anyone has other questions that are specific to sniffer then please feel free to contact us off list at our support@ sortmonster.com address.

Thanks,
_M

At 10:20 PM 12/3/2003, you wrote:
>Brad, Sniffer does message based pattern matching (Pete, correct me if
>I am wrong). If you opt to separate the 20 or so tests that Sniffer
>currently supports, then you can set whatever weight you want to each
>individual test.
>Here is how I currently have the individual Sniffer
>tests defined in my global.cfg (License ID and Authentication Code
>obscured):
>
>SNIFFER-WHITELIST external 000 "M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode" -5 0
>SNIFFER-TRAVEL external 047 "M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode" 07 0
>SNIFFER-INSURANCE external 048 "M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode" 10 0
>SNIFFER-AV-PUSH external 049 "M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode" 07 0
>SNIFFER-WAREZ external 050 "M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode" 10 0
>SNIFFER-SPAMWARE external 051 "M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode" 10 0
>SNIFFER-SNAKEOIL external 052 "M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode" 10 0
>SNIFFER-SCAMS external 053 "M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode" 10 0
>SNIFFER-PORN external 054 "M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode" 12 0
>SNIFFER-MALWARE external 055 "M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode" 12 0
>SNIFFER-ADVERTISING external 056 "M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode" 10 0
>SNIFFER-SCHEMES external 057 "M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode" 10 0
>SNIFFER-CREDIT external 058 "M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode" 10 0
>SNIFFER-GAMBLING external 059 "M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode" 10 0
>SNIFFER-GREYMAIL external 060 "M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode" 07 0
>SNIFFER-OBFUSCATION external 061 "M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode" 12 0
>SNIFFER-SPAM external 062 "M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode" 07 0
>SNIFFER-GENERAL external 063 "M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode" 12 0
>
>You would need to adjust the weights to fit your own needs. However,
>this will at least give you a starting point.
>
>Bill
>
>----- Original Message -----
>From: "T. Bradley Dean" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Sent: Wednesday, December 03, 2003 6:43 PM
>Subject: RE: [Declude.JunkMail] sniffer
>
>
>How does Sniffer work?
>
>Their web page says:
>
>"In the best implementations allow you to assign a weight to each
>possible result code. Declude, mxGuard, and SpamAssassin are all good
>examples of systems that allow weights to be assigned to the result
>codes from Message Sniffer."
>
>So if Sniffer says an email is porn spam then it gets a weight of 10,
>but if it's web hosting spam then it's 8? Does the weight differ
>depending on how confident Sniffer is?
>
>What do these rules look like in Global.cfg on $Default$.junkmail?
>
>~Brad
>
>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Mark Smith
>Sent: Tuesday, December 02, 2003 7:54 AM
>To: [EMAIL PROTECTED]
>Subject: RE: [Declude.JunkMail] sniffer
>
>
>Sniffer's well worth the $300.00 per year.
>That breaks down to less than $1.00 per day.
>
>It catches content that some RBLs don't catch.
>
>Mark
>
>
> -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Keith
> > Anderson
> > Sent: Tuesday, December 02, 2003 10:28 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [Declude.JunkMail] sniffer
> >
> >
> > It's not worth paying the subscription fee, in my opinion. I have a
> > client that's paying for it, and it doesn't catch very much that
> > isn't already caught somewhere else.
> >
> > > I am considering Maps too. But it's $1500/yr. Anyone using them?
> >
> >
> >
> > ---
> > [This E-mail was scanned for viruses by Declude Virus
> > (http://www.declude.com)]
> >
> > ---
> > This E-mail came from the Declude.JunkMail mailing list. To
> > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
> > "unsubscribe Declude.JunkMail".
> > The archives can be found at http://www.mail-archive.com.
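
Added example (not part of the original thread, and not Declude or Message Sniffer code): a small Python model of what Pete and Bill describe above, with the external program called once per message, the lowest-symbol voting rule, and the single result code compared against every SNIFFER-* line. The reading of the two trailing numbers (weight when the code matches, weight otherwise), the rule names, and result code 0 for "no match" are assumptions.

```python
import re

# Four of the global.cfg lines quoted in the thread (LicenseID / AuthenticationCode are the post's placeholders).
GLOBAL_CFG = r'''
SNIFFER-WHITELIST external 000 "M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode" -5 0
SNIFFER-TRAVEL external 047 "M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode" 07 0
SNIFFER-PORN external 054 "M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode" 12 0
SNIFFER-GENERAL external 063 "M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode" 12 0
'''
LINE = re.compile(r'^(\S+)\s+external\s+(\d+)\s+"([^"]+)"\s+(-?\d+)\s+(-?\d+)$')

def parse_tests(cfg):
    """Parse lines into (name, result_code, command, weight_on_match, weight_otherwise)."""
    tests = []
    for raw in cfg.splitlines():
        m = LINE.match(raw.strip())
        if m:
            name, code, cmd, hit, miss = m.groups()
            tests.append((name, int(code), cmd, int(hit), int(miss)))
    return tests

def winning_symbol(matches):
    """Voting rule from the thread: the first match found with the lowest symbol wins.
    matches is a list of (rule_name, symbol) in the order found; no match -> 0 (assumption)."""
    return min(matches, key=lambda m: m[1])[1] if matches else 0

def evaluate(tests, run_external):
    """Call each distinct command once, then compare its result code with every test line."""
    results, hits, total = {}, [], 0
    for name, code, cmd, hit, miss in tests:
        if cmd not in results:            # one invocation per message, however many lines
            results[cmd] = run_external(cmd)
        if results[cmd] == code:
            hits.append(name)
            total += hit
        else:
            total += miss                 # assumption: last column applies when the code differs
    return hits, total

def demo():
    calls = []
    def fake_sniffer(cmd):                # constructed stand-in for the Sniffer executable
        calls.append(cmd)
        return winning_symbol([("rule-a", 63), ("rule-b", 54), ("rule-c", 54)])
    hits, total = evaluate(parse_tests(GLOBAL_CFG), fake_sniffer)
    return hits, total, len(calls)

if __name__ == "__main__":
    print(demo())
```

Because only the winning symbol is returned, at most one SNIFFER-* line can match a given message, so the per-group weights never stack.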