[sniffer] Re: What is your oldest production CPU?

2013-12-28 Thread Colbeck, Andrew
A modern Xeon dual core, also within VMware: PROCESSOR_ARCHITECTURE=x86 PROCESSOR_IDENTIFIER=x86 Family 6 Model 37 Stepping 1, GenuineIntel The oldest virtualized CPU is: PROCESSOR_ARCHITECTURE=x86 PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 7, GenuineIntel Both identify as Xeon E5xxx m

[sniffer] How fast is *my* MessageSniffer? (was: IP Change on rulebase delivery system)

2013-03-28 Thread Colbeck, Andrew
Answer: pretty darn fast for a system that I think is slow anyway I think my MTA is a busy system, and I know that it's not MessageSniffer that keeps the server busy. A glance with Task Manager or Process Explorer shows very little CPU time is spent by MessageSniffer. I threw some grepping

[sniffer] Re: Creeping higher on those rule numbers

2012-06-26 Thread Colbeck, Andrew
9 5000187 2 5000186 1 5000170 3 4999799 1 4999618 6 4999419 1 4999415 4 4999088 Andrew 8) -Original Message- From: Message Sniffer Community [mailto:sniffer@sortmonster.com] On Behalf Of Colbeck, Andrew Sent: Thursday, June 21, 2012 9:15 AM To:

[sniffer] Creeping higher on those rule numbers

2012-06-21 Thread Colbeck, Andrew
Via the GnuWin32 tools on my Windows server: C:\MessageSniffer>grep -P "Match\t" munged.2012062?.log | cut -f7 | usort | uniq -c | usort -k2 -n -r 2>nul | head 2 4991501 8 4991483 8 4991462 8 4991459 8 4991457 8 4991456 8 4991446 6 4991286 3 49

[sniffer] Re: FPs on Sniffer-Schemes

2012-03-12 Thread Colbeck, Andrew
My two cents: I saw zero hits for this rule. I count myself lucky, because we see a lot of purchase order emails and of course, the fake P.O. scams too. Andrew. From: Message Sniffer Community [mailto:sniffer@sortmonster.com] On Behalf Of Pete McNeil Sent:

[sniffer] Ok, I'm the 3rd person to ever report the Bad Matrix error on this mailing list

2012-01-09 Thread Colbeck, Andrew
From SNFclient.exe.err I saw these errors repeated for every message processed: 20120107155711, arg1=C:\IMail\spool\proc\work\D016759002.smd : Could Not Connect! The srvany.exe was running, but the SNFserver.exe wasn't, or wasn't healthy. Each SNFclient.exe had to read the .gbx file itself a

[sniffer] Re: Training GBUdb on the client IP for aol.com

2011-10-24 Thread Colbeck, Andrew
Message Sniffer Community [mailto:sniffer@sortmonster.com] On Behalf Of Pete McNeil Sent: Monday, October 24, 2011 1:01 PM To: Message Sniffer Community Subject: [sniffer] Re: Training GBUdb on the client IP for aol.com On 10/24/2011 3:47 PM, Colbeck, Andrew wrote: > r='4432448&#x

[sniffer] Re: Training GBUdb on the client IP for aol.com

2011-10-24 Thread Colbeck, Andrew
: Message Sniffer Community Subject: [sniffer] Re: Training GBUdb on the client IP for aol.com On 10/24/2011 3:21 PM, Colbeck, Andrew wrote: > As far as I know that one still works. _M -- Pete McNeil Chief Scientist ARM Resea

[sniffer] Re: Training GBUdb on the client IP for telus.net

2011-10-24 Thread Colbeck, Andrew
sage Sniffer Community Subject: [sniffer] Re: Training GBUdb on the client IP for telus.net On 10/24/2011 3:20 PM, Colbeck, Andrew wrote: >

[sniffer] Training GBUdb on the client IP for aol.com

2011-10-24 Thread Colbeck, Andrew
Another test, this time to update the X-AOL-IP: header, which in my last few false-negatives have the standard X-Originating-IP: header ... I don't know if AOL has deprecated the X-AOL-IP: header or whether it is used under different client circumstances. Thanks, Andrew. Received: from

[sniffer] Re: Training GBUdb on the client IP for telus.net

2011-10-24 Thread Colbeck, Andrew
ginal Message- From: Message Sniffer Community [mailto:sniffer@sortmonster.com] On Behalf Of Colbeck, Andrew Sent: Monday, October 24, 2011 11:47 AM To: Message Sniffer Community Subject: [sniffer] Training GBUdb on the client IP for telus.net Given the attached header text, would this snipp

[sniffer] Training GBUdb on the client IP for telus.net

2011-10-24 Thread Colbeck, Andrew
Given the attached header text, would this snippet in snf_engine.xml help me to train GBUdb on the email clients' IP address from this specific ISP? I tested by querying: SNFClient.exe -test 216.218.29.230 And then re-testing the spam, and then querying GBUdb again. The second test showed that "

[sniffer] Nice job, sortmonsters!

2011-08-08 Thread Colbeck, Andrew
Time to thwart a spam run from a fresh IP address: less than 18 minutes. The first three emails from: 216.223.207.0/25 were allowed past MessageSniffer but fewer than 18 minutes into the spam run, the content triggers rule group 60, rule id 4224795. (It is coupon spam, but probably fake affiliate

[sniffer] Re: Change in default settings

2011-05-09 Thread Colbeck, Andrew
On Behalf Of Pete McNeil Sent: Monday, May 09, 2011 3:05 PM To: Message Sniffer Community Subject: [sniffer] Re: Change in default settings On 5/9/2011 4:53 PM, Colbeck, Andrew wrote: > Pete, for > > sample on-off='on' > > I wrote myself this note... > > > &g

[sniffer] Re: Change in default settings

2011-05-09 Thread Colbeck, Andrew
Pete, for sample on-off='on' I wrote myself this note... ... Is it still valid? Your sample and my own configuration have: passthrough=no On the balance of it, I suspect my own note is wrong, so it would be nice if you could verify it one way or the other. Andrew. -Original Message---

[sniffer] So, another botnet bites the dust.

2011-03-18 Thread Colbeck, Andrew
Pete, now that Microsoft has taken down the Rustock botnet, what's your telemetry say about spam volumes? Any significant change? http://blogs.technet.com/b/microsoft_blog/archive/2011/03/18/taking-down-botnets-microsoft-and-the-rustock-botnet.aspx http://krebsonsecurity.com/2011/03/rustock-bo

[sniffer] Re: Rule Panic on 3364665

2010-08-17 Thread Colbeck, Andrew
I have seen one hit, and it looks like a false positive to me. Sent as a sample to the false@ address. Thanks for the heads-up, Darin. Andrew. From: Message Sniffer Community [mailto:snif...@sortmonster.com] On Behalf Of Darin Cox Sent: Tuesday, August 17,

[sniffer] Re: Opening truncate.gbudb.net

2010-05-10 Thread Colbeck, Andrew
reasonable, that the text could look like this: "GBUdb Cloud Truncate c > 0.2, p > 0.9 for [205.188.84.131]" I'll send the whole header to support@ in case you are interested in this particular IP. Andrew. -Original Message- From: Message Sniffer Community [mailt

[sniffer] Re: Opening truncate.gbudb.net

2010-05-10 Thread Colbeck, Andrew
I looked at the effectiveness of this test and I like what I'm seeing. The volume isn't high, but it is making a difference in the "edge cases" that are close to my "hold weight". In particular, I'm finding that it is triggering on pump and dump DKIM spam from fresh netblocks that would otherwise

[sniffer] Re: Volume spike Mon 9AM EST

2010-05-10 Thread Colbeck, Andrew
I'm not seeing any spike in inbound connections or accepted message counts. Actually, it's lower than Friday's volume and about the same as Thursday. Andrew. -Original Message- From: Message Sniffer Community [mailto:snif...@sortmonster.com] On Behalf Of Peer-to-Peer (Support) Sent: Mo

[sniffer] Re: RulePanic on 3059196

2010-04-06 Thread Colbeck, Andrew
For what it is worth, there are zero hits on my two servers for this Rule. I looked back through the last 7 days. Andrew. -Original Message- From: Message Sniffer Community [mailto:snif...@sortmonster.com] On Behalf Of Darin Cox Sent: Tuesday, April 06, 2010 9:48 AM To: Message Sniffe

[sniffer] Re: Bad rule alert: 2784910

2009-11-26 Thread Colbeck, Andrew
All clear here, Pete. Thanks for both of the notices, Andrew. -Original Message- From: Message Sniffer Community [mailto:snif...@sortmonster.com] On Behalf Of Pete McNeil Sent: Thursday, November 26, 2009 8:45 AM To: Message Sniffer Community Subject: [sniffer] Bad rule alert: 2784910

[sniffer] Re: RulePanic on 2654821

2009-09-08 Thread Colbeck, Andrew
The scores over here for the messages that trigger on rule 2654821 today: spam that hit the rule: 4 ... and were porn: 0 ham that was held by my weight system: 5 ham that was allowed by my weight system: 3 subsequent panic log lines: 139 Thanks for the heads up, Darin. I was able to re-queue

[sniffer] Re: SNFMilter released and a few other updates...

2009-07-29 Thread Colbeck, Andrew
Niiice, Pete. Andrew 8) -Original Message- From: Message Sniffer Community [mailto:snif...@sortmonster.com] On Behalf Of Pete McNeil Sent: Wednesday, July 29, 2009 2:51 PM To: Message Sniffer Community Subject: [sniffer] SNFMilter released and a few other updates... Hello Sniffer

[sniffer] Re: curl couldn't connect to host

2009-07-06 Thread Colbeck, Andrew
Checking my logs, I see two failures with subsequent retries which were successful after 10 minutes and 13 minutes respectively. That's far better than my previous bespoke script! Mon 07/06/2009 0:27:45.64 getRulebase.cmd called by SNFServer.exe due to presence of UpdateReady.txt file Mon 07/0

[sniffer] Re: Bad rule: 2524136

2009-06-18 Thread Colbeck, Andrew
Thanks for the heads-up, Pete. For what it's worth, I had a hit on only one message on each of my gateways, from different senders. The "Sniffer General" result code wasn't weighted high enough on my Declude system to hold either message because they came from senders with "clean" implementations

[sniffer] Re: overriding the GBUdb

2009-04-30 Thread Colbeck, Andrew
Sniffer Community [mailto:snif...@sortmonster.com] On Behalf Of Pete McNeil Sent: Thursday, April 30, 2009 1:14 PM To: Message Sniffer Community Subject: [sniffer] Re: overriding the GBUdb Colbeck, Andrew wrote: I recently used snfclient.exe to "whitelist" the IP address (actuall

[sniffer] overriding the GBUdb

2009-04-30 Thread Colbeck, Andrew
I recently used snfclient.exe to "whitelist" the IP address (actually a whole /24) of a mailing list manager that my users deem to be trustworthy. snfclient.exe -set 64.62.197.53 good - - You might argue the merits of this IP address, but that's not why I'm writing... I deliberately left alon

[sniffer] Re: Message Sniffer question

2009-04-30 Thread Colbeck, Andrew
It works for me. Thanks, Pete! I used the documentation here: http://www.armresearch.com/support/articles/software/snfServer/config/autoUpdates.jsp I wanted a simplified system that more closely reflected what the vendor ships, so I've stopped using my home-grown wget based script which was

[sniffer] Re: Problem with Sniffer-Porn rule this morning

2008-07-18 Thread Colbeck, Andrew
m: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Friday, July 18, 2008 8:31 AM To: Message Sniffer Community Subject: [sniffer] Re: Problem with Sniffer-Porn rule this morning I also have hit this. A single hit, also from AOL.

[sniffer] Re: Problem with Sniffer-Porn rule this morning

2008-07-18 Thread Colbeck, Andrew
I also have hit this. A single hit, also from AOL. Andrew. From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox Sent: Friday, July 18, 2008 6:37 AM To: Message Sniffer Community Subject: [sniffer] Problem with Sniffer-Porn rule th

[sniffer] Re: It's official. SNF Version 3.0 is Ready!

2008-06-26 Thread Colbeck, Andrew
Congratulations on shipping, Pete! Andrew 8) p.s. Hey, I love the new mascot. Much cuter than the old SortMonster... -Original Message- From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil Sent: Thursday, June 26, 2008 12:24 PM To: Message Sniffer Commun

[sniffer] Re: Bad rule alert: 1940812

2008-06-17 Thread Colbeck, Andrew
Thanks, Pete. I had four actual false positives on one server, versus 324 unique hits for the bad rule. So yes, I'd say that the autopanic feature worked quite well. Andrew. -Original Message- From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil Sent: Tu

[sniffer] Re: Bad rule alert: 1940812

2008-06-17 Thread Colbeck, Andrew
Thanks, Pete. I had very few actual hits; I have lots of lines that indicate the rule panic in place, but the number of actual hits is quite small. How I found my hits: cd /d C:\MessageSniffer gawk "($6 == \"Final\") && ($7 == 1940812)" *.20080617.log Andrew. -Original Message- Fr

[sniffer] Re: Bad rule alert: 1940812

2008-06-17 Thread Colbeck, Andrew
Pete, if we have a significant number of hits, they'll be from all kinds of IP sources. Should we dump the GBUdb? If so, how? The documentation is perfectly clear on how to tweak an IP or dump an IP in the GBUdb, but doesn't mention a wholesale clearing of it. Andrew. -Original Message-

[sniffer] Re: Spam no using CAPTCHA!

2008-06-11 Thread Colbeck, Andrew
... and it also means that OCR based spam filtering is successful enough for the spammers to adopt CAPTCHA-style text-obfuscation-in-images as an evasion method. Andrew. -Original Message- From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil Sent: Wednesday

[sniffer] Re: Test

2008-05-26 Thread Colbeck, Andrew
pong ... From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of John T Sent: Monday, May 26, 2008 9:08 AM To: Message Sniffer Community Subject: [sniffer] Test Ping Testing as I have not received any list messages for a while. John T eService

[sniffer] Re: XYNTService -- Any Problems?

2008-05-09 Thread Colbeck, Andrew
I've never used it, Pete. My first reaction was... don't go to a third party (XYNTService, SrvAny, FireDaemon) just make the executable a full fledged Windows Service. I do realize that you'd be reluctant to do that given the additional complexity of the code, none of which is portable to the *ni

[sniffer] Re: Ideal config for scaleable solution?

2008-02-22 Thread Colbeck, Andrew
Paul, since you're working in a Windows world, check out Alligate from alligate.com as a Windows platform based email gateway. I've put Alligate in front of my Declude setup and it drastically reduced the number of emails I had to scan for content and sender in Declude, and gained back a lot of disk

[sniffer] Re: Rule Database copy question

2008-01-16 Thread Colbeck, Andrew
Thanks for the response, Pete! I was using both parameters in my scheduled pattern download script, which would tell Sniffer that there was a new pattern, and would rotate the logs before uploading them back to you. With the new (beta) version, both extras have become redundant, so I've removed

[sniffer] Re: Rule Database copy question

2008-01-16 Thread Colbeck, Andrew
It appears that both the "reload" and the "rotate" options in the sniffer executable are still accepted by SNFClient.exe but are deprecated, as neither parameter appears in the help or in the contextual help when SNFClient.exe is run without parameters. Andrew. _

[sniffer] Re: No email updates.

2007-11-21 Thread Colbeck, Andrew
For what it's worth, it is working for my two licences. I received email update notifications at: 90 minutes ago 3 18 minutes ago 4 38 minutes ago 6 hours 13 minutes ago Andrew 8) > -Original Message- > From: Message Sniffer Community > [mailto:[EMAIL PROTECTED] On Behalf Of Frederi

[sniffer] Re: Sniffer codes

2007-11-09 Thread Colbeck, Andrew
The Ugly value returned by the beta Message Sniffer you're using with the "Good, Bad and Ugly" database has a result code of 40, and this code is missing from your list. (The White value overlaps with result code 0, which internally to Message Sniffer will mask any other "spam" result code on you

[sniffer] Re: Beta

2007-10-17 Thread Colbeck, Andrew
Pete, one of the questions I had right away when I looked at the documentation accompanying the software package was about the communication channel. The documentation clearly pointed out that ports 25 is the default and that 80 is selectable, but didn't go further. I just answered my own question

[sniffer] Re: Bad Rule: 1604021

2007-10-16 Thread Colbeck, Andrew
Thanks for reporting this, Pete! My numbers were more extreme than Pi-Web's. That bad rule triggered on 18,023 messages yesterday. Due to the rest of my spam software, two-thirds were either passed (as presumed ham) or deleted (as very spammy). So the one-third that was held, I re-scanned toda

[sniffer] Spammers turning to PDF attachments?

2007-06-21 Thread Colbeck, Andrew
See this article at the Internet Storm Center: http://isc.sans.org/diary.html?storyid=3012 Pump and dump scams now in PDF Published: 2007-06-20, Last Updated: 2007-06-20 21:33:39 UTC by Maarten Van Horenbeeck (Version: 1) Apparently the groups behind what we know as pump and dump spam have foun

[sniffer] Spam zombies too busy DDoS'ing to send spam?

2007-06-08 Thread Colbeck, Andrew
Hey, Pete! Here's Steve Linford's posting about the most-recent Denial of Service against SpamHaus: http://groups.google.ch/group/news.admin.net-abuse.email/msg/28d49877cc8dbc2d Meanwhile, the SARE and URIBL seem to be responsive now while suffering under the same campaign, but their website

[sniffer] Re: Downloads are not working....

2007-05-17 Thread Colbeck, Andrew
Thanks for the update, Pete. Over on the Declude JunkMail support mailing list, it's like déjà vu all over again. Andrew 8) p.s. For the many of us here that don't subscribe to that list... The small number of recently active messages have been re-queued to the list several times. > -

[sniffer] Re: Downloads are not working....

2007-05-17 Thread Colbeck, Andrew
My last upload averaged a lame 6 KB/s. My last download varied widely in the speed obtained: 0K .. .. .. .. .. 17.85 KB/s 50K .. .. .. .. ..9.58 KB/s 100K .. .. .. .. ...

[sniffer] Re: Bad rule alert - minor, but notable...

2007-05-01 Thread Colbeck, Andrew
Thanks for the heads up, Pete. I use MessageSniffer as part of a weighting system with Declude. I had 69 total hits on Monday and Tuesday for these two rule IDs. Of those I had: 27 being Deleted as very spammy 4 being Passed as very hammy 31 total not held Of the 38 that were held,

[sniffer] Re: SPAM Storm?

2007-03-19 Thread Colbeck, Andrew
... Not in my neck of the network. Andrew. > -Original Message- > From: Message Sniffer Community > [mailto:[EMAIL PROTECTED] On Behalf Of Computer House Support > Sent: Monday, March 19, 2007 3:19 PM > To: Message Sniffer Community > Subject: [sniffer] Re: SPAM Storm? > > Is it me,

[sniffer] Re: Files in Sniffer Directory

2007-03-08 Thread Colbeck, Andrew
> Would it be a good idea in a future version to delete files > that are older than a certain date automatically? I disagree. Having MessageSniffer delete the old files would hide the problem. With the messages left behind, you have a valuable symptom that something is wrong with your infrastru

[sniffer] Re: Pictures worth a few words...

2007-01-16 Thread Colbeck, Andrew
Postini posts some statistics here, but their conclusions can lag by months: http://www.postini.com/stats/index.php "global spam traffic" is a big concept... Postini did however process over 650 million messages in the last 24 hours. Andrew. > -Original Message- > From: Message Sniffer

[sniffer] Re: Triggered rulebase update script

2006-12-12 Thread Colbeck, Andrew
Harry, you change your email notifications by sending an email to the support@ address and requesting it. The Wiki has documentation for setting up the automatic download based on these notifications here, for Ipswitch IMail: http://kb.armresearch.com/index.php?title=Message_Sniffer.TechnicalDeta

[sniffer] Re: Sniffer White List

2006-12-12 Thread Colbeck, Andrew
Serge, what return value are you using for this snifferwhitelist? The official and current list of return codes is here: http://kb.armresearch.com/index.php?title=Message_Sniffer.TechnicalDetails.ResultCodes If you're using "0", then don't do that, because zero is also used for "no result". Ac

[sniffer] Re: Configuring Sniffer in declude....

2006-11-30 Thread Colbeck, Andrew
> If you don't mind, does WeightGate add any noticeable > CPU cycles to run on top of running Sniffer? Thanks for the aid. On a 100,000 emails per day on a 2.8 GHz Xeon, no, it doesn't. Andrew 8) > -Original Message- > From: Message Sniffer Community > [mailto:[EMAIL PROTECTED] On

[sniffer] Zombie message volume

2006-11-07 Thread Colbeck, Andrew
This diary entry over at the Internet Storm Center points to an increased volume of traffic from probable zombies, and they posit that the increase in this traffic would coincide with the spam increase that people are seeing. http://isc.sans.org/diary.php?storyid=1828 Their graph shows a sharp ra

[sniffer] Re: Yahoo! Is Retarded

2006-10-26 Thread Colbeck, Andrew
I like your new sig, John. How's this for an addendum? "Experience is that which you acquire, just after you needed it." Andrew 8) From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists) Sent: Thursday, October 26, 2006 8:13 AM To: Message

[sniffer] Re: Increase in spam

2006-10-25 Thread Colbeck, Andrew
For another organization's graph of spam trends as received by them, check out the updated graphs at TQM cubed: http://tqmcube.com/tide.php Their graph shows a sharp uptick at the end of June 2006. Andrew 8) > -Original Message- > From: Message Sniffer Community > [mailto:[EMAIL PROT

[sniffer] Re: Version 2-3.5 Release -- Faster Engine

2006-10-23 Thread Colbeck, Andrew
That's good news, Pete. And with the WeightGate executable and source thrown in at no extra charge! Andrew 8) > -Original Message- > From: Message Sniffer Community > [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil > Sent: Monday, October 23, 2006 9:26 AM > To: Message Sniffer Com

[sniffer] Re: yahoo mail problems

2006-10-17 Thread Colbeck, Andrew
I had a similar problem with Hotmail once upon a time; the details were different, but the remedy was the same. I run a caching DNS server on my outbound DNS host, so I simply added a DNS zone for Yahoo.com on it, and populated only enough MX record information so that I could reliably get

[sniffer] Re: Significant increase in false positives

2006-10-16 Thread Colbeck, Andrew
I'm attaching an old message to this list which may come in handy. It's from my perspective, which is using Declude and IMail, with the spam messages in d:\imail\spool\spam and needing to be moved to d:\imail\spool to be re-scanned. Now that I use a newer version of Declude, my paths are d

[sniffer] Re: Paypal failing SNIFFER-GENERAL

2006-08-23 Thread Colbeck, Andrew
Column 7 is the one that contains the rule that was hit. In this case, it was 1100444. Column 8 is the one that contains the group. In this case, it was 60 "Ungrouped Black Rules" (Sniffer General). Andrew 8) > -Original Message- > From: Message Sniffer Community > [mailto:[EMAIL P

[sniffer] Re: Lots of drug spam getting through

2006-08-21 Thread Colbeck, Andrew
Would that be the "Laugh" in the subject line pharmaceutical spam campaign? That was mentioned by Dave Doherty on the Declude.JunkMail mailing list, and when I checked my logs I found many hundreds with clear variations on the keywords in the text, e.g. there is a joke about lawyers and they are u

[sniffer] My rulebase download and log upload script

2006-07-07 Thread Colbeck, Andrew
The last thing before I leave for the weekend... I finally got around to updating my download/upload script so that I can upload compressed logs. In the course of doing that, I found that my upgraded version of wget has changed its behaviour; as of the 1.10.x series, if you specify -O to specify

[sniffer] Re: AW: [sniffer] Re: Update pacing...

2006-06-22 Thread Colbeck, Andrew
FWIW I take the belt and suspenders approach. The rulebase notification by email does trigger a Message Sniffer update script on my system, but I don't rely on it solely. In addition, I also use an "at" schedule every four hours. As in Markus' (and Bill's) sample, I use the -N parameter

[sniffer] Re: Update pacing...

2006-06-19 Thread Colbeck, Andrew
Harry, there is a "standard" script that Bill Landry shepherded into being. Check out the info at the Message Sniffer Wiki here: http://kb.armresearch.com/index.php?title=Message_Sniffer.TechnicalDetails.AutoUpdates The description of what a good download script should do is there, plus a zip f

[sniffer] Re: Weight Gate Success? Failure?

2006-06-13 Thread Colbeck, Andrew
That's good news, Bill. Can I be the first to point out that in your example, you're still calling ShowMe.exe and not WeightGate.exe so you will be appending to c:\ShowMe.log with every call? And for those new to the party, I'll explain that what Bill is doing with his modified configuration is t

[sniffer] Re: Weight Gate Success? Failure?

2006-06-13 Thread Colbeck, Andrew
Pete, I plan to use it or something similar in non-production once I set up a new test system. A quick test with a batch file worked fine. Although I'm no programmer, I have reviewed the source and saw no obvious logical problems or coding flaws. Rigorous testing on the command line showed that

[sniffer] Numeric spam source has been revealed

2006-06-09 Thread Colbeck, Andrew
It was broken code in the latest Bagel/Beagle: http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.fc.html Andrew 8)

[sniffer] Re: [sniffer][Fwd: Re: [sniffer]FP suggestions]

2006-06-08 Thread Colbeck, Andrew
Ditto. I advise people to use Insert, Item. Far easier than explaining how to drag and drop (or tie shoelaces). I've noticed that whether the headers survive when they are sent to another Exchange+Outlook company are a crap shoot. Generally speaking, if the message is handled by Outlook, it's n

Re: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]FP suggestions

2006-06-07 Thread Colbeck, Andrew
(sniff) Aw, cut it out, Matt. You're making me all weepy. p.s. Pete, that's pretty darned amazing! From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Wednesday, June 07, 2006 3:58 PM To: Message Sniffer Community Subject: Re: [sniffer]Re[2]: [

Re: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]FP suggestions

2006-06-07 Thread Colbeck, Andrew
Right... quotes are no good. That came to light in the context of passing long file names (with spaces); the 8.3 format would be preferred. I've designed my folder structure such that none of the folders had spaces in them; that just happened to be the way it turned out and I'm glad I stu

Re: [sniffer]Numeric spam

2006-06-06 Thread Colbeck, Andrew
Both of which are reasonable, particularly given the recent Blue Security debacle that showed that it was possible for the spammers as well as the spammees to coordinate their information. It might be in a spammer's best interest to pursue either of your suggestions. However, I still thin

Re: [sniffer]Numeric spam

2006-06-06 Thread Colbeck, Andrew
> So no one has any idea what the purpose of these emails are? The bad guys aren't telling. The good guys have lots of theories, such as: http://isc.sans.org/diary.php?storyid=1384 and also: http://www.f-secure.com/weblog/archives/archive-062006.html#0894 which in turn points

Re: [sniffer]A design question - how many DNS based tests?

2006-06-06 Thread Colbeck, Andrew
I use just shy of 60 DNS based tests against the sender, both IP4R and RHSBL. Perhaps 10-12 matter. Due to false positives, I rate most of them relatively low and have built up their weights as a balancing act. That act is greatly assisted by using a weighting system and not "reject on first hit

Re: [sniffer]AW: [sniffer]AW: [sniffer]Concerned about amount of spam going through

2006-06-06 Thread Colbeck, Andrew
David, Are you using the free version of sniffer? Or did you deliberately change your .exe name in your posting to sniffer.exe to hide your licence number? I certainly expect that the rulebase lag with the free version will result in lower Message Sniffer hit rates. I've seen the free version

Re: [sniffer]Possible Paypal Phishing

2006-05-24 Thread Colbeck, Andrew
oint are > the Paypal DNS servers queried? > > John T > eServices For You > > "Seek, and ye shall find!" > > > > -Original Message- > > From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On > > Behalf > Of > > Colbeck,

Re: [sniffer]Possible Paypal Phishing

2006-05-24 Thread Colbeck, Andrew
> customer, they could easily set rDNS to whatever they wanted. > Aol.com, paypal.com, ebay.com, chase.com ... > > -Jay > -Original Message- > From: Message Sniffer Community > [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew > Sent: Wednesday, May

Re: [sniffer]Possible Paypal Phishing

2006-05-24 Thread Colbeck, Andrew
It's really from PostDirect.com aka YesMail.com ... You can tell that it's authorized because the reverse DNS which ends in PayPal.com (ok, that does set off alarm bells when it's someone else's netblock) matches the forward lookup of the resulting address at PayPal. Therefore, PayPal is delibera

Re: [sniffer]Ebay Phishing Emails getting through

2006-05-17 Thread Colbeck, Andrew
> Certainly, submitting samples to spam@ (or preferably your > local spam submission point polled by our bots) will put > these messages in front of us if we have not already created > rules for them. I've just manually submitted the ~35 messages that my filters triggered on for phishing that d

RE: [sniffer] Bad Rule Alert: 963461 follow up.

2006-04-18 Thread Colbeck, Andrew
Thanks, Pete! For what it's worth, the rule 963461 hit 647 times here, and after putting in the Rule Panic entries, stopping and starting my persistent sniffer, and then re-queuing my messages held with this rule hit, 216 of the messages were still deemed spam and were held by Declude (and maybe M

RE: Re[2]: [sniffer] New Rulebot F001

2006-03-06 Thread Colbeck, Andrew
Pete, One of these was EarthLink [207.217.120.227], and one of these was Google Mail [64.233.166.182]. SpamBag lists the EarthLink address as a source of bogus bounces, and I posit that this would be the source of the mail to the spamtraps that would trigger the F001 bot. I would like to state t

RE: [sniffer] Sniffer, MDLP, and invURIBL?

2006-02-25 Thread Colbeck, Andrew
Joe, Are you using MDLP to autotune your weights in Declude? If so, you can exclude invURIBL and other tests which you don't want to change, whether because you think the weight is perfect, or because their randomness doesn't fit MDLP's idea of a weighting system. Check out this snippet

RE: Re[4]: [sniffer] When to go persistent

2006-02-24 Thread Colbeck, Andrew
Goran, When you issue a reload you can tell that the new rulebase is being used because the *.svr file's date and time will change to the current time. Andrew 8) > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic > Sent: Friday, F

RE: [sniffer] When to go persistent

2006-02-23 Thread Colbeck, Andrew
nd see how my system reacts. > > Goran Jovanovic > Omega Network Solutions > > > -Original Message- > > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] > > On Behalf Of Colbeck, Andrew > > Sent: Thursday, February 23, 2006 11:39 AM > > To: sniffe

RE: [sniffer] When to go persistent

2006-02-23 Thread Colbeck, Andrew
Goran, I'd be interested in Pete's technical answer, too. The practical answer is that you should always go with the persistent instance of Message Sniffer. From reading Pete's previous screeds and monitoring the list here in the last year and from having my own troubles, it's pretty clear to me

RE: Re[4]: [sniffer] Bad Rule - 828931

2006-02-07 Thread Colbeck, Andrew
Goran, this is pretty much what I did to get to re-queuing: gawk "$0 ~ /Final\t828931/ {print substr($3,2,16)}" gxamq2kt.log.20060207* >msgids.txt The file msgids.txt will now contain just the GUID part of the D[guid].SMD from column 3 in the tab delimited Message Sniffer log files. I then used

RE: [sniffer] Bad Rule - 828931

2006-02-07 Thread Colbeck, Andrew
Thanks for the update, Pete. I also appreciate that you expanded on how that rule went wild. I can see that the intent was good but the unintended consequences were not so good. Here's how it played out on my server: How many messages hit the FP rules: 2,042 How many messages Declude decided we

[sniffer] Rulebots gone wild

2006-01-19 Thread Colbeck, Andrew
By the way, Pete, thank you very much for publicly posting the URL where we could download FPSigIDs.csv so that we could work on recovering our own false positives. I was able to use this information to selectively re-test all of the messages detected by those rules. That was 2,449 messages. Mo
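
The re-queuing step in the "Bad Rule - 828931" post above and the selective re-test of the FPSigIDs.csv rule hits described in this post both come down to the same job: pull the message IDs out of the Message Sniffer logs for every message whose final verdict came from a given set of rule IDs. The block below is an added example, not code from this list or from Message Sniffer, that does in Python what the gawk one-liner does. It assumes only what that one-liner implies about the log layout (tab-delimited lines, the spool file name D<guid>.SMD in the third field, a "Final" field followed by the winning rule ID); the sample log lines and the FPSigIDs.csv layout (one rule ID per row, first column) are constructed assumptions, so adjust FILE_FIELD and the CSV reader if your files differ.

```python
"""Extract message IDs from Message Sniffer logs for a set of bad rule IDs.

Added example, not code from the sniffer list or from Message Sniffer.
Assumed log layout (inferred from the thread's gawk one-liner):
tab-delimited fields, field 3 is the spool file name D<guid>.SMD, and a
"Final" field is immediately followed by the rule ID that won.
"""
import csv
import glob
import io
from typing import Iterable, List, Optional, Set

FILE_FIELD = 2  # zero-based index of the D<guid>.SMD field ($3 in awk)


def load_fp_rule_ids(csv_text: str) -> Set[str]:
    """Read rule IDs from an FPSigIDs.csv-style text.

    Assumption: the rule ID is the first column; blank or non-numeric
    rows (e.g. a header line) are skipped.
    """
    ids: Set[str] = set()
    for row in csv.reader(io.StringIO(csv_text)):
        if row and row[0].strip().isdigit():
            ids.add(row[0].strip())
    return ids


def guid_from_spool_name(name: str) -> Optional[str]:
    """D0123456789ABCDEF.SMD -> 0123456789ABCDEF; None if it does not fit.

    Tolerates a full Windows or POSIX path in the field.
    """
    base = name.rsplit("\\", 1)[-1].rsplit("/", 1)[-1]
    if len(base) < 6 or base[0].upper() != "D" or base[-4:].upper() != ".SMD":
        return None
    return base[1:-4]


def final_rule(fields: List[str]) -> Optional[str]:
    """Return the rule ID that follows the 'Final' marker, or None."""
    for i, field in enumerate(fields[:-1]):
        if field == "Final":
            return fields[i + 1]
    return None


def message_ids_for_rules(log_lines: Iterable[str], rule_ids: Set[str]) -> List[str]:
    """GUIDs (in log order, deduplicated) of messages finalised by rule_ids.

    The rule field is compared exactly. A regex such as /Final\\t828931/
    would also match 8289310 or 82893199, which is the wrong message.
    """
    seen: List[str] = []
    for line in log_lines:
        fields = line.rstrip("\r\n").split("\t")
        if len(fields) <= FILE_FIELD:
            continue  # malformed or short line, not a verdict record
        if final_rule(fields) not in rule_ids:
            continue
        guid = guid_from_spool_name(fields[FILE_FIELD])
        if guid and guid not in seen:
            seen.append(guid)
    return seen


def message_ids_from_files(pattern: str, rule_ids: Set[str]) -> List[str]:
    """Same as above over every log file matching a glob (e.g. gxamq2kt.log.20060207*)."""
    found: List[str] = []
    for path in sorted(glob.glob(pattern)):
        with open(path, encoding="utf-8", errors="replace") as fh:
            for guid in message_ids_for_rules(fh, rule_ids):
                if guid not in found:
                    found.append(guid)
    return found


# Constructed sample log lines in the assumed layout (not real log data).
# Line 2 carries rule 8289310 (a prefix match trap); line 5 repeats line 1.
SAMPLE_LOG = (
    "20060207093001\tmatch\tD0123456789ABCDEF.SMD\tFinal\t828931\t50\n"
    "20060207093002\tmatch\tD1111111111111111.SMD\tFinal\t8289310\t50\n"
    "20060207093003\tmatch\tDFEDCBA9876543210.SMD\tFinal\t123456\t40\n"
    "20060207093004\tclean\tD2222222222222222.SMD\n"
    "20060207093005\tmatch\tD0123456789ABCDEF.SMD\tFinal\t828931\t50\n"
)

if __name__ == "__main__":
    bad = load_fp_rule_ids("rule_id\n828931\n123456\n")
    for guid in message_ids_for_rules(SAMPLE_LOG.splitlines(), bad):
        print(guid)  # feed these IDs to your re-queue step
```

The exact field comparison is the practical difference from the gawk regex: `/Final\t828931/` is a substring match, so a longer rule ID that merely starts with 828931 would be swept into the re-queue list. Deduplicating the GUIDs also matters, since a message that was re-scanned appears more than once in the logs but should only be re-queued once.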

RE: [sniffer] Rollback of bot rules..

2006-01-17 Thread Colbeck, Andrew
Thank you, Pete. In my spelunking, I've found too many rules to put in as panic entries in my .cfg file, and this morning I dropped the weight for my experimental class tests to low values, and heavily edited my "combo" tests that build on Sniffer hits. I'm attaching a report showing the number of h

RE: [sniffer] Organized Blackhats

2005-12-05 Thread Colbeck, Andrew
Jonathan, Google is quite good at filtering spam, so you may find that: 1) There is less for the Message Sniffer bot to pick up because Google is filtering it. 2) Your mailserver may get blacklisted because you're forwarding spam to that mailbox; how would GMail know that you have the best of

RE: Re[2]: [sniffer] POP3 Account Question

2005-12-05 Thread Colbeck, Andrew
Thanks, Pete. That answers my question and makes good sense. I've been testing my own trap reporting and Scott's timing couldn't have been better. Andrew 8) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil Sent: Monday, December 05, 2005 2:21 PM T

RE: [sniffer] POP3 Account Question

2005-12-05 Thread Colbeck, Andrew
(nuts, too fast on the "Send" button). ... plus, future hits on spam that is already detected can accumulate hits on, say, SNIFFEREXPIP that weren't already hitting. Therefore, trying to save bandwidth and processing power over at sortmonster.com by submitting less spam is not helpful. Pe

RE: [sniffer] POP3 Account Question

2005-12-05 Thread Colbeck, Andrew
I had the same question, but more specifically: Is it helpful for sniffer trap (spam and user trap) submissions to skip, or to include, messages on which sniffer already hits? I imagine that all trap hits are useful, and that duplicate submissions reinforce the rule strength for a given h

RE: [sniffer] OT: MDaemon HELO greeting

2005-10-27 Thread Colbeck, Andrew
Thanks, Dave! From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Koontz Sent: Thursday, October 27, 2005 8:39 AM To: sniffer@SortMonster.com Subject: RE: [sniffer] OT: MDaemon HELO greeting Find or add the following Section to your MDaemon.ini file,

[sniffer] OT: MDaemon HELO greeting

2005-10-26 Thread Colbeck, Andrew
Can anybody give me the short and sweet "how-to" change the HELO in MDaemon without changing the hostname of the mail server? I don't use MDaemon, I'm trying to help someone else. Thanks, Andrew 8)

RE: [sniffer] Large amounts of spam still getting through

2005-10-14 Thread Colbeck, Andrew
> This brings to mind a technique with optional adaptive > delay - enabled by the user. Each mail is assigned a > 'triplicate' http://projects.puremagic.com/greylisting/ Andrew 8) > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Mike Nice >
