[Declude.JunkMail] Alligate

2003-10-10 Thread William Baumbach
FYI



-Original Message-
From: Brian Milburn [mailto:[EMAIL PROTECTED]
Sent: Friday, October 10, 2003 12:05 PM
To: [EMAIL PROTECTED]
Subject: Re: Alligate Information Request

Hi,

Thanks for your interest in Alligate for IMail.

We have decided we are no longer going to offer an IMail specific version.
The Declude Add-in is not currently being offered, however should be available
again shortly, probably within a couple of weeks. It is in need of a major
update to bring it up to the same level that our gateway product is.

I would also invite you to look over the documentation for our gateway
version. The gateway version of Alligate requires a dedicated computer,
however it is significantly more powerful than any IMail version and greatly
reduces the load on your mail server. Additionally, the gateway version has
integrated email vulnerability detection which eliminates virtually all
viruses and other email based dangers before they ever get to your mail
server.

The link for the gateway documentation is:

http://www.getalligate.com

Thanks again,

Brian Milburn
Solid Oak Software


Sincerely,

William J. Baumbach II  [EMAIL PROTECTED]
9975 Pennsylvania Ave. Manassas, Va. 20110-2028
Ph: 703-367-7900 ext:1708 Fax: 703-691-0946
-


[ scanned for spam to: [EMAIL PROTECTED] outgoing http://www.DcMetroNet.com on 
10/10/2003 at 12:21:21-0500et. ]

This email message is for the sole use of the intended recipient(s) and may contain 
confidential and privileged information. Any unauthorized review, use, disclosure or 
distribution of this email is prohibited. If you are not the intended recipient, 
please contact the sender and destroy all paper and electronic copies of this message.

[ scanned for viruses to: [EMAIL PROTECTED] outgoing http://www.DcMetroNet.com on 
10/10/2003 at 12:21:25-0500et. ]


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


Re: [Declude.JunkMail] Alligate

2003-10-10 Thread brian


This is correct. We stopped offering the IMail specific (non Declude) version
of Alligate a couple of months ago. We have also suspended free trials of the
Declude add-in until we can bring it up to date so that the same detection
methods are used by both the Declude version and our gateway version. We are
currently spending too much time maintaining conditional pattern files mainly
for about 8 or 10 registered Declude version users. There is not really that
much interest in this as a Declude test it seems... lots of free trials, but
very few sales. We have far more invested in free trial tech support than the
revenue this has generated.

The Declude version of Alligate is now lacking about 50% of the refinements
and enhancements that we have incorporated into the gateway version. Until we
can bring the code up to date, it just doesn't make sense to continue to offer
free trials and provide free tech support until we are working with the same
code base for both versions of the product.

Brian Milburn
Solid Oak Software

 
On 10/10/2003 12:20pm you wrote...
FYI



-Original Message-
From: Brian Milburn [mailto:[EMAIL PROTECTED]
Sent: Friday, October 10, 2003 12:05 PM
To: [EMAIL PROTECTED]
Subject: Re: Alligate Information Request

Hi,

Thanks for your interest in Alligate for IMail.

We have decided we are no longer going to offer an IMail specific version.
The Declude Add-in is not currently being offered, however should be available
again shortly, probably within a couple of weeks. It is in need of a major
update to bring it up to the same level that our gateway product is.

I would also invite you to look over the documentation for our gateway
version. The gateway version of Alligate requires a dedicated computer,
however it is significantly more powerful than any IMail version and greatly
reduces the load on your mail server. Additionally, the gateway version has
integrated email vulnerability detection which eliminates virtually all
viruses and other email based dangers before they ever get to your mail
server.

The link for the gateway documentation is:

http://www.getalligate.com

Thanks again,

Brian Milburn
Solid Oak Software


Sincerely,

William J. Baumbach II  [EMAIL PROTECTED]
9975 Pennsylvania Ave. Manassas, Va. 20110-2028
Ph: 703-367-7900 ext:1708 Fax: 703-691-0946


[Declude.JunkMail] Alligate for Declude?

2003-10-09 Thread Matt Robertson
I just signed up for the 30-day trial for Alligate (as a Declude
add-in).  I'm stopping more spam but the volume is so great that I need
some outside help.  Imail's anti-spam system is so full of holes I've
had to emasculate the thing.  What was once a 25% effective rate (i.e.
whacks 25% of the mail still around after Declude) is now down to 14%.

Anyone have any thoughts on their false positive rate?  The service in
general?  If Alligate flags it how certain should I be that it's spam?

Cheers,


 Matt Robertson   [EMAIL PROTECTED] 
 MSB Designs, Inc.  http://mysecretbase.com





[Declude.JunkMail] Alligate

2003-08-28 Thread Mark Smith
Is anyone using Alligate http://www.alligate.com ?
I'm using message sniffer and was looking at adding alligate also.

I'd appreciate any feedback..

Mark



RE: [Declude.JunkMail] Alligate

2003-08-28 Thread John Tolmachoff (Lists)
Yes, many of us are using Alligate.

Please see the discussion from last week:

http://www.mail-archive.com/[EMAIL PROTECTED]/msg10255.html

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
 [EMAIL PROTECTED] On Behalf Of Mark Smith
 Sent: Thursday, August 28, 2003 7:09 AM
 To: [EMAIL PROTECTED]
 Subject: [Declude.JunkMail] Alligate
 
 Is anyone using Alligate http://www.alligate.com ?
 I'm using message sniffer and was looking at adding alligate also.
 
 I'd appreciate any feedback..
 
 Mark
 


RE: [Declude.JunkMail] Alligate

2003-08-28 Thread Robert Grosshandler
We use both, and like the combination.


Is anyone using Alligate http://www.alligate.com ?
I'm using message sniffer and was looking at adding alligate also.

I'd appreciate any feedback..

Mark


===
Rob
www.iGive.com

---
[This E-mail scanned for viruses by Declude Virus]



[Declude.JunkMail] Alligate

2003-08-28 Thread bill.maillists
I'm already using Message Sniffer with Declude. What would Alligate do that Message
Sniffer doesn't?

Thanks,

Bill Newberg


RE: [Declude.JunkMail] Alligate

2003-08-28 Thread John Tolmachoff (Lists)
Please see the link to the archives in my earlier post on this.

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
 [EMAIL PROTECTED] On Behalf Of bill.maillists
 Sent: Thursday, August 28, 2003 8:28 AM
 To: [EMAIL PROTECTED]
 Subject: [Declude.JunkMail] Alligate
 
 I'm already using Message Sniffer with Declude. What would Alligate do that
 Message Sniffer doesn't?
 
 Thanks,
 
 Bill Newberg


FW: [Declude.JunkMail] Alligate

2003-08-28 Thread Bill Newberg
John,

I understand you are very pleased with the product. Do you use
MessageSniffer as well? If so, why?

Thanks,

Bill

 
 -- Original Message --
 From: John Tolmachoff \(Lists\) [EMAIL PROTECTED]
 Reply-To: [EMAIL PROTECTED]
 Date:  Thu, 28 Aug 2003 09:03:45 -0700
 
 Please see the link to the archives in my earlier post on this.
 
 John Tolmachoff MCSE CSSA
 Engineer/Consultant
 eServices For You
 www.eservicesforyou.com
 
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
  [EMAIL PROTECTED] On Behalf Of bill.maillists
  Sent: Thursday, August 28, 2003 8:28 AM
  To: [EMAIL PROTECTED]
  Subject: [Declude.JunkMail] Alligate
  
  I'm already using Message Sniffer with Declude. What would Alligate do
  that Message Sniffer doesn't?
  
  Thanks,
  
  Bill Newberg



RE: [Declude.JunkMail] Alligate

2003-08-28 Thread John Tolmachoff (Lists)
I do not use MessageSniffer at this time, but would if I could.

I like the product. I have evaluated it. It is a very good test to use.

Why would I use both? The broader the scope of the tests, the more chance of
catching all spam with a lesser FP rate.

They both have their strengths, and weaknesses. Their weaknesses are nothing
to detract from them, it is inherent in any program.

I just do not have the funds at this time.

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
 [EMAIL PROTECTED] On Behalf Of Bill Newberg
 Sent: Thursday, August 28, 2003 9:39 AM
 To: [EMAIL PROTECTED]
 Subject: FW: [Declude.JunkMail] Alligate
 
 John,
 
 I understand you are very pleased with the product. Do you use
 MessageSniffer as well? If so, why?
 
 Thanks,
 
 Bill
 
 
  -- Original Message --
  From: John Tolmachoff \(Lists\) [EMAIL PROTECTED]
  Reply-To: [EMAIL PROTECTED]
  Date:  Thu, 28 Aug 2003 09:03:45 -0700
 
  Please see the link to the archives in my earlier post on this.
 
  John Tolmachoff MCSE CSSA
  Engineer/Consultant
  eServices For You
  www.eservicesforyou.com
 
 
   -Original Message-
   From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
   [EMAIL PROTECTED] On Behalf Of bill.maillists
   Sent: Thursday, August 28, 2003 8:28 AM
   To: [EMAIL PROTECTED]
   Subject: [Declude.JunkMail] Alligate
  
   I'm already using Message Sniffer with Declude. What would Alligate do
   that Message Sniffer doesn't?
  
   Thanks,
  
   Bill Newberg
 


RE: [Declude.JunkMail] Alligate vs. Message Sniffer...opinions?

2003-08-21 Thread John Tolmachoff (Lists)
 I don't want to knock Alligate, it has some nice functionality,
 especially when used without Declude (auto whitelisting and digest
 notification), and it does what it says, but it has a relatively high
 false positive rate in the default configuration and therefore it can't
 be scored higher than it is on my scale.  If they could get the auto
 whitelisting and digest notification to work with Declude, that might
 make me a buyer.  I'm still looking for more information on Message
 Sniffer within this context.

As Brian stated, and I alluded to, there is more functionality in the full
version, as opposed to the Declude only version. The Declude only version
costs less, but requires more hands on to get it to fit your situation.

On that same note, I will help as much as I can on the list. If you feel you
could use more hands on help, at least to help on the learning curve, I and
others are available on a time basis.

 I've looked at AutoWhite and will probably give it a try, but I can't
 find any information on Match.  Would you care to share a link?

Match never made it out of beta stage, primarily due to time and loss of the
programmer working on it. It is scheduled to be rebuilt in the future.

Basically what it does is it looks for 2 matches. It first checks the from
file to see if the from address is listed. It then checks the to file to see
if the recipient is listed. If it finds a match in both files, it returns a
fail to Declude. You can then weight or action based on that.

It was developed for a major client I have that gets a lot of e-mail that
tends to fail a good number of tests, but is legit. What I do is list the
from domains in the from file and the client's specific addresses in the to
file. This way, I can Whitelist e-mail from a specific domain or user to a
specific domain or user. Yes, there is some overlap with functions in other
programs, but it fits a need.

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
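
The two-file check described above for Match, as an added Python example that is not Match's own code and not from the original post. The file format (one entry per line, `#` comments, an entry being a full address or a bare domain), the sample entries and the `MATCH_WEIGHT` value are assumptions made for illustration.

```python
# Added example, not Match's own code. Assumed file format: one entry per
# line, '#' starts a comment, an entry is a full address or a bare domain.

FROM_FILE = """\
# constructed sample: senders the client expects mail from
partner.example
news@vendor.example
"""

TO_FILE = """\
# constructed sample: the client's own addresses
buyer@client.example
"""

MATCH_WEIGHT = -10  # constructed negative weight applied when the test fires


def parse_list(text):
    """Return the set of normalised entries in a from-file or to-file."""
    entries = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if line:
            entries.add(line)
    return entries


def normalise(address):
    """Strip angle brackets and whitespace, lower-case; '' if malformed."""
    addr = address.strip().strip("<>").strip().lower()
    local, sep, domain = addr.rpartition("@")
    # Require exactly one '@' with a non-empty local part and domain.
    if not sep or not local or not domain or "@" in local:
        return ""
    return addr


def listed(address, entries):
    """True if the full address or its exact domain appears in entries.

    Subdomains are deliberately not matched: 'partner.example' in the file
    does not cover 'sub.partner.example'.
    """
    addr = normalise(address)
    if not addr:
        return False
    domain = addr.rpartition("@")[2]
    return addr in entries or domain in entries


def match_test(sender, recipient, from_entries, to_entries):
    """Fire (return True) only when sender AND recipient are both listed."""
    return listed(sender, from_entries) and listed(recipient, to_entries)


def adjusted_score(score, sender, recipient, from_entries, to_entries):
    """Apply the constructed negative weight when the pair test fires."""
    if match_test(sender, recipient, from_entries, to_entries):
        return score + MATCH_WEIGHT
    return score


FROM_ENTRIES = parse_list(FROM_FILE)
TO_ENTRIES = parse_list(TO_FILE)

if __name__ == "__main__":
    # Constructed sender/recipient pairs.
    pairs = [
        ("Sales@Partner.example", "buyer@client.example"),   # both listed
        ("sales@partner.example", "ceo@client.example"),     # recipient not listed
        ("promo@unknown.example", "buyer@client.example"),   # sender not listed
    ]
    for sender, rcpt in pairs:
        fired = match_test(sender, rcpt, FROM_ENTRIES, TO_ENTRIES)
        print(f"{sender} -> {rcpt}: fired={fired}")
```

Because sender addresses can be forged, scoping the exemption to listed sender and recipient pairs means a forged listed sender only gains the weight reduction for the listed recipients, not for every mailbox on the server.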




RE : [Declude.JunkMail] Alligate vs. Message Sniffer...opinions?

2003-08-21 Thread mail-list
Hi,

Message sniffer is not so bad as I tested it but has a big problem with
newsletters; it has a big false positive rate with them.

Regards
Mehdi Blagui

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of Matthew Bramble
Sent: Thursday, 21 August 2003 03:32
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Alligate vs. Message Sniffer...opinions?


John,

I just joined the list today, but I found your configuration file from
back in June and it was very helpful in understanding how to fine tune
Alligate.  I'm going to study its logs more closely before I start that
phase though, looking for false positives.  I've turned that test down
to 3/10 of failure and reduced several other tests by 1/10 to 2/10 of
failure in order to accommodate it (BADHEADERS for instance).  It seems
to get most of its scoring from technical-type stuff instead of the
heuristics, and if this is the case, I don't think that a scaled test
would be that much more useful to me.  If I could score the content and
obfuscation, and just those things, I wouldn't be double counting the
technicals, and that should reduce some false positives.

I don't want to knock Alligate, it has some nice functionality, 
especially when used without Declude (auto whitelisting and digest 
notification), and it does what it says, but it has a relatively high 
false positive rate in the default configuration and therefore it can't 
be scored higher than it is on my scale.  If they could get the auto 
whitelisting and digest notification to work with Declude, that might 
make me a buyer.  I'm still looking for more information on Message 
Sniffer within this context.

I've looked at AutoWhite and will probably give it a try, but I can't 
find any information on Match.  Would you care to share a link?

Thanks,

Matt




John Tolmachoff (Lists) wrote:

As one of the earlier testers and helped develop the variable scale of
Alligate, I can understand your position. I have a client that gets a lot of
e-mail from the Far East and a lot of bcc broadcasts and lists. Many of
these show elements of spam, but are legit. That is what makes it hard.

There are a number of adjustments available in Alligate. You might want to
look over my config file I posted earlier today.

One thing I do for this specific issue is I use 2 programs. One is Match,
which is very simple but does need to be revised. The other is AutoWhite. A
30 demo of AutoWhite is available at
www.eservicesforyou.com/products/autowhite.html. Match is free.

While everyone can have a unique setup, please let me know if you would like
to spend some time going over the possible configurations in Alligate.

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com

  





RE: RE : [Declude.JunkMail] Alligate vs. Message Sniffer...opinions?

2003-08-21 Thread Colbeck, Andrew
 Message sniffer is not so bad as I tested it but has a big problem with
 newsletters; it has a big false positive rate with them.

On the home page for MessageSniffer you'll find a Help (QA) section which
is worth your time to read if it's worth your time to implement.

Submit false positives to: [EMAIL PROTECTED]
Submit novel spam to: [EMAIL PROTECTED]

Andrew 8)


RE: RE : [Declude.JunkMail] Alligate vs. Message Sniffer...opinions?

2003-08-21 Thread Pete (Madscientist)
Please forward a copy of the newsletter to me
([EMAIL PROTECTED]) as an attachment and I will adjust the rule
base (if appropriate). This is a service we provide by default to each
subscriber, but we also - in general - code the core rule base to avoid
false positives whenever we hear about them and the choice is widely
applicable.

Your assistance is greatly appreciated.

Thanks,
_M

|-Original Message-
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of 
|[EMAIL PROTECTED]
|Sent: Thursday, August 21, 2003 7:38 AM
|To: [EMAIL PROTECTED]
|Subject: RE : [Declude.JunkMail] Alligate vs. Message 
|Sniffer...opinions?
|
|
|Hi,
|
|Message sniffer is not so bad as I tested it but has a big problem with
|newsletters; it has a big false positive rate with them.
|
|Regards
|Mehdi Blagui
|
|-Original Message-
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On behalf of Matthew Bramble
|Sent: Thursday, 21 August 2003 03:32
|To: [EMAIL PROTECTED]
|Subject: Re: [Declude.JunkMail] Alligate vs. Message Sniffer...opinions?
|
|
|John,
|
|I just joined the list today, but I found your configuration file from
|back in June and it was very helpful in understanding how to fine tune
|Alligate.  I'm going to study its logs more closely before I start that
|phase though, looking for false positives.  I've turned that test down
|to 3/10 of failure and reduced several other tests by 1/10 to 2/10 of
|failure in order to accommodate it (BADHEADERS for instance).  It seems
|to get most of its scoring from technical-type stuff instead of the
|heuristics, and if this is the case, I don't think that a scaled test
|would be that much more useful to me.  If I could score the content and
|obfuscation, and just those things, I wouldn't be double counting the
|technicals, and that should reduce some false positives.
|
|I don't want to knock Alligate, it has some nice functionality,
|especially when used without Declude (auto whitelisting and digest
|notification), and it does what it says, but it has a relatively high
|false positive rate in the default configuration and therefore it can't
|be scored higher than it is on my scale.  If they could get the auto
|whitelisting and digest notification to work with Declude, that might
|make me a buyer.  I'm still looking for more information on Message
|Sniffer within this context.
|
|I've looked at AutoWhite and will probably give it a try, but I can't
|find any information on Match.  Would you care to share a link?
|
|Thanks,
|
|Matt
|
|
|John Tolmachoff (Lists) wrote:
|
|As one of the earlier testers and helped develop the variable scale of
|Alligate, I can understand your position. I have a client that gets a lot of
|e-mail from the Far East and a lot of bcc broadcasts and lists. Many of
|these show elements of spam, but are legit. That is what makes it hard.
|
|There are a number of adjustments available in Alligate. You might want to
|look over my config file I posted earlier today.
|
|One thing I do for this specific issue is I use 2 programs. One is Match,
|which is very simple but does need to be revised. The other is AutoWhite. A
|30 demo of AutoWhite is available at
|www.eservicesforyou.com/products/autowhite.html. Match is free.
|
|While everyone can have a unique setup, please let me know if you would like
|to spend some time going over the possible configurations in Alligate.
|
|John Tolmachoff MCSE CSSA
|Engineer/Consultant
|eServices For You
|www.eservicesforyou.com


RE : [Declude.JunkMail] Alligate

2003-08-20 Thread Blagui Mehdi
Hi,

Is Alligate so good? What about false positives?

Thanks
Mehdi Blagui

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of John Tolmachoff (Lists)
Sent: Wednesday, 20 August 2003 06:06
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Alligate


Do you mean as a Declude ONLY test?

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
 [EMAIL PROTECTED] On Behalf Of Keith Johnson
 Sent: Tuesday, August 19, 2003 7:18 PM
 To: [EMAIL PROTECTED]
 Subject: [Declude.JunkMail] Alligate
 
 Does anyone have any configs they are willing to share that they are using in
 production for Alligate with Declude?  Thanks for the aid.
 
 Keith



RE: [Declude.JunkMail] Alligate

2003-08-20 Thread Keith Johnson
John, 
 We have it as a Declude only test
 
Keith

-Original Message- 
From: John Tolmachoff (Lists) [mailto:[EMAIL PROTECTED] 
Sent: Wed 8/20/2003 1:05 AM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: RE: [Declude.JunkMail] Alligate



Do you mean as a Declude ONLY test?

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
 [EMAIL PROTECTED] On Behalf Of Keith Johnson
 Sent: Tuesday, August 19, 2003 7:18 PM
 To: [EMAIL PROTECTED]
 Subject: [Declude.JunkMail] Alligate

 Does anyone have any configs they are willing to share that they are using in
 production for Alligate with Declude?  Thanks for the aid.

 Keith

[Declude.JunkMail] Alligate vs. Message Sniffer...opinions?

2003-08-20 Thread Matthew Bramble
I've been a Declude Virus and JunkMail customer for about a year and a 
half now.  At first the spam blocking was just something that only a few 
of my ~250 users (hosting) found beneficial, but in the last 6 months I 
have had to continually push the limits with the tests in order to keep 
it from overwhelming real E-mail.  I've been asked by several customers 
in the last few months if there is anything that I can do about the 
spam...and my reply is that we are already blocking +80% of all E-mail 
coming into the server (no kidding, I've run the stats, Sobig.F is 
making it even worse).

My problem has now become more of an issue with false positives, mostly 
with opt-in advertising, automated information updates and newsletters, 
with the former two being somewhat mission critical for many of my 
customers.  I'm at a point where adjusting the scoring to allow one 
problematic sender in results in as many as 100 spams getting through as 
well, and at the same time, the spam that is being sent is getting 
better at passing the tests, maybe because they are using zombie relays.

So I'm looking at heuristics now, Alligate and Message Sniffer, in order 
to help solve the problem.  I've started testing Alligate as of 
yesterday, and frankly, I'm not that impressed when it comes to 
enhancing Declude.  Some of my observations are as follows:

1) Many of the RFC related tests that Declude does seem to be done in 
Alligate as well, but there seems to be no easy way to fine tune them.  
This results for instance in a Base64 message failing two tests instead 
of just one (yes, this is an issue for one sender).  Is it advised to 
turn off similar functionality in Declude and just rely on Alligate?

2) Alligate absolutely hates almost anything that is automated.  Opt-in 
advertising, automated information updates and newsletters are more 
problematic with Alligate as it would appear.  I would think that this 
company would have a whitelist of sorts that covered all the 
medium-large players, but it doesn't appear that way (maybe because it's 
a newer service).

3) I'm using built in IIS 4.0 functionality to generate E-mail from 
scripts (CDONTS), and Alligate pretty much barfed on someone's valid 
resume submission, scoring it a 65 for failing just one test, Bogus 
envelope information.  I'm thinking that this is because the mail is 
sent with the user provided E-mail address, and that shouldn't need to 
be changed.  This is unacceptable.

4) I've noted in going over the rejections that it frequently scores 
messages very high for adult content despite the message having no such 
content.  This worries me about the accuracy and weighting that they are 
using.

So the end result seems that in order to protect from false positives, 
I've had to turn down several scores from the core Declude tests, and 
that doesn't provide any real enhancement.  I would imagine that with 
some fine tuning, removing tests that are repeated, I could improve 
detection slightly, but my gut tells me it isn't worth it at this 
point.  I'm hoping that others here could confirm my observations and 
provide any guidance if you feel it is salvageable.  I have seen the 
recommendation for the variable scale that another member posted, and 
that should help.

I'm also about to start testing Message Sniffer (after Alligate) so that 
I can determine which one of the two if either will be purchased and 
installed.  Any feedback about that application in comparison, the 
accuracy, and the isolation from Declude's own tests would be 
appreciated.  I'm under the belief that pure heuristics with an 
integrated blacklist is really what's needed.

Thanks,

Matt



RE: [Declude.JunkMail] Alligate vs. Message Sniffer...opinions?

2003-08-20 Thread Robert Grosshandler
We use both.  Between them, plus the Declude tests, our false positive level
is very, very low.

Our scoring is such that if an e-mail triggers both Sniffer and Alligate, we
treat as spam.  If it triggers both, and has other characteristics of spam,
its score is high enough that it gets deleted without even being reviewed.

If it triggers both, but very few other Declude tests, it gets held, and
reviewed once a week.

It's more money, sure, but neither test is perfect.


Rob


Www.iGive.com
Turn shopping into Philanthropy




RE: [Declude.JunkMail] Alligate vs. Message Sniffer...opinions?

2003-08-20 Thread Keith Johnson
Rob,
If you don't mind sharing, what config settings do you use for
Alligate..

Keith

-Original Message-
From: Robert Grosshandler [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, August 20, 2003 5:54 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Alligate vs. Message Sniffer...opinions?

We use both.  Between them, plus the Declude tests, our false positive
level
is very, very low.

Our scoring is such that if an e-mail triggers both Sniffer and
Alligate, we
treat as spam.  If it triggers both, and has other characteristics of
spam,
its score is high enough that it gets deleted without even being
reviewed.

If it triggers both, but very few other Declude tests, it gets held, and
reviewed once a week.

It's more money, sure, but neither test is perfect.


Rob


Www.iGive.com
Turn shopping into Philanthropy




RE: [Declude.JunkMail] Alligate vs. Message Sniffer...opinions?

2003-08-20 Thread John Tolmachoff \(Lists\)
As one of the earlier testers and helped develop the variable scale of
Alligate, I can understand your position. I have a client that gets a lot of
e-mail from the Far East and a lot of bcc broadcasts and lists. Many of
these show elements of spam, but are legit. That is what makes it hard.

There are a number of adjustments available in Alligate. You might want to
look over my config file I posted earlier today.

One thing I do for this specific issue is I use 2 programs. One is Match,
which is very simple but does need to be revised. The other is AutoWhite. A
30 demo of AutoWhite is available at
www.eservicesforyou.com/products/autowhite.html. Match is free.

While everyone can have a unique setup, please let me know if you would like
to spend some time going over the possible configurations in Alligate.

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
 [EMAIL PROTECTED] On Behalf Of Matthew Bramble
 Sent: Wednesday, August 20, 2003 1:20 PM
 To: [EMAIL PROTECTED]
 Subject: [Declude.JunkMail] Alligate vs. Message Sniffer...opinions?
 
 I've been a Declude Virus and JunkMail customer for about a year and a
 half now.  At first the spam blocking was just something that only a few
 of my ~250 users (hosting) found beneficial, but in the last 6 months I
 have had to continually push the limits with the tests in order to keep
 it from overwhelming real E-mail.  I've been asked by several customers
 in the last few months if there is anything that I can do about the
 spam...and my reply is that we are already blocking +80% of all E-mail
 coming into the server (no kidding, I've run the stats, Sobig.F is
 making it even worse).
 
 My problem has now become more of an issue with false positives, mostly
 with opt-in advertising, automated information updates and newsletters,
 with the former two being somewhat mission critical for many of my
 customers.  I'm at a point where adjusting the scoring to allow one
 problematic sender in results as many as 100 spams getting through as
 well, and at the same time, the spam that is being sent is getting
 better at passing the tests, maybe because they are using zombie relays.
 
 So I'm looking at heuristics now, Alligate and Message Sniffer, in order
 to help solve the problem.  I've started testing Alligate as of
 yesterday, and frankly, I'm not that impressed when it comes to
 enhancing Declude.  Some of my observations are as follows:
 
 1) Many of the RFC related tests that Declude does seem to be done in
 Alligate as well, but there seems to be no easy way to fine tune them.
 This results for instance in a Base64 message failing two tests instead
 of just one (yes, this is an issue for one sender).  Is it advised to
 turn off similar functionality in Declude and just rely on Alligate?
 
 2) Alligate absolutely hates almost anything that is automated.  Opt-in
 advertising, automated information updates and newsletters are more
 problematic with Alligate as it would appear.  I would think that this
 company would have a whitelist of sorts that covered all the
 medium-large players, but it doesn't appear that way (maybe because it's
 a newer service).
 
 3) I'm using built in IIS 4.0 functionality to generate E-mail from
 scripts (CDONTS), and Alligate pretty much barfed on someone's valid
 resume submission, scoring it a 65 for failing just one test, Bogus
 envelope information.  I'm thinking that this is because the mail is
 sent with the user provided E-mail address, and that shouldn't need to
 be changed.  This is unacceptable.
 
 4) I've noted in going over the rejections that it frequently scores
 messages very high for adult content despite the message having no such
 content.  This worries me about the accuracy and weighting that they are
 using.
 
 So the end result seems that in order to protect from false positives,
 I've had to turn down several scores from the core Declude tests, and
 that doesn't provide any real enhancement.  I would imagine that with
 some fine tuning, removing tests that are repeated, I could improve
 detection slightly, but my gut tells me it isn't worth it at this
 point.  I'm hoping that others here could confirm my observations and
 provide any guidance if you feel it is salvageable.  I have seen the
 recommendation for the variable scale that another member posted, and
 that should help.
 
 I'm also about to start testing Message Sniffer (after Alligate) so that
 I can determine which one of the two if either will be purchased and
 installed.  Any feedback about that application in comparison, the
 accuracy, and the isolation from Declude's own tests would be
 appreciated.  I'm under the belief that pure heuristics with an
 integrated blacklist is really what's needed.
 
 Thanks,
 
 Matt
 

RE: [Declude.JunkMail] Alligate vs. Message Sniffer...opinions?

2003-08-20 Thread Robert Grosshandler
Glad to.  By the way, we also use Autowhite (I hate the thought of missing
any mail).  Also, our Declude config is near-stock, we hold on 20, delete on
30.

#Alligate for IMail CONFIGURATION FILE (MINIMUM CONFIGURATION)
#PLEASE SEE THE CONFIGURATION INSTRUCTIONS FOR MORE OPTIONS

#GENERAL NOTES
# A # symbol or // symbol at the beginning of the line indicates a
#comment, or when preceeding a configuration value, will undefine that 
#value.


# THE FOLLOWING 2 VALUES MUST BE PROVIDED FOR ALL VERSIONS

LICENSE 

KEY 

# THE FOLLOWING 2 VALUES NEED REFLECT YOUR EMAIL ADDRESSES
# THE POSTMASTER SHOULD BE A NEW, DEDICATED ACCOUNT FOR
# SPAM HANDLING ONLY.

POSTMASTER  
REPORTSTO   xxx

# THE FOLLOWING VALUE NEEDS TO BE USED IF YOU ARE USING Alligate
# WITH IMail ALONE, OR WITH IMail and Declude Virus.

#HANDOFF c:\imail\smtp32.exe

# IF YOUR ARE USING Declude Junkmail, !!DELETE THE LINE ABOVE!!
# AND RUN Alligate AS A Declude TEST.


# DECLUDE SPECIFIC OPTIONS WHEN RUNNING Alligate AS
# A DECLUDE TEST ONLY

DECLUDETESTONLY TRUE

#SPAMMESSAGE    NONE

#ADULTMESSAGE   NONE


# THE FOLLOWING 4 KEYS NEED TO BE EDITED TO REFLECT YOUR
# PREFERENCES **ONLY** IF YOU ROUTE FAILED MESSAGES
# TO A PARTICULAR ADDRESS FOR REVIEW

#ROUTESPAM  [EMAIL PROTECTED]

#ROUTESPAMSCORE 40

#ROUTEADULT [EMAIL PROTECTED]

#ROUTEADULTSCORE 40


# IF NOT RUNNING AS A DECLUDE TEST ONLY THEN THE FOLLOWING
# 2 VALUES SHOULD BE USED

#SPAMMESSAGE    DEFAULT

#ADULTMESSAGE   DEFAULT


# IF YOU WANT THE RECIPIENT OF OUTGOING MAIL TO BE ADDED TO THE
# USERS WHITELIST AUTOMATICALLY, CHANGE THE NEXT VALUE TO TRUE

AUTOWHITELIST   TRUE


# THE FOLLOWING 2 VALUES DEFINE WHETHER OR NOT TO SCAN OUTGOING
# MAIL AND WILL CAUSE A REJECTION MESSAGE TO BE SENT TO YOUR
# USER IF THE OUTGOING MESSAGE FAILS

SCANOUTGOING    FALSE

SENDREJECTION   TRUE


# THE BALANCE OF THESE VALUES ARE RECOMMENDED DEFAULTS AND 
# NEED NOT BE CHANGED REGARDLESS OF THE OPTIONS ABOVE

SENDTOTRASH TRUE

ALLOWRELAY  FALSE

NONENGLISH  6

BADROUTING  12

THRESHOLD   4

PATMATCHES  2

SATURATION  5

LOGALLFAILURES  TRUE

ADULTSCORE  18

ADULTKILLSCORE  45

SPAMSCORE   18

SPAMKILLSCORE   65

EXITCODESCORE   20

KILLSCORE   75

ADULTSUBJECT    [ADULT]

#SPAMSUBJECT    [SPAM]

LOGDETAIL   DEBUG





Re: [Declude.JunkMail] Alligate vs. Message Sniffer...opinions?

2003-08-20 Thread Matthew Bramble
I'd also like to share my configuration.  We have about 50 E-mail 
domains with about 250 users, with many addresses listed in who-is 
records and on Web sites, along with nobody alias redirection for all 
domains.  This results in a lot of garbage coming our way.  We are 
definitely capturing 95%-97% of all the spam currently and our false 
reject rate is less than 1-3 in 1000, most of which is automated 
delivery messages, with user exceptions being mostly of the variety of 
open relay users or that one person that uses Base64 encoding from a 
poorly configured server.  Unfortunately some addresses get literally 
hundreds of spams a day, often it's their own fault, but they need more 
relief than I have been giving them.

I don't have the time to constantly monitor rejected mail (about ~15,000 
a week), so we generally kill it at a score of 10 unless we tweak the 
settings, in which case we monitor it as I am doing now.  I think our 
setup even without the Alligate is quite solid after a year of playing 
with it occasionally, but it needs more than RFC and blacklist tests to 
close the gap that's left.  This BONDEDSENDER thing also looks like it 
has promise as I found 19 examples today of E-mail that was saved, 
probably all of it was ad-related, and some I would probably consider 
spam, but not the brutal idiotic stuff that goes to harvested 
addresses.  I'm going to capture those messages for review since I can 
only see the senders now.  Anyway, here's the beef of my config file:

--8
SBL                  ip4r   sbl.spamhaus.org                 127.0.0.2    10   0
OSSOFT               ip4r   relays.osirusoft.com             127.0.0.6    10   0
SPAMCOP              ip4r   bl.spamcop.net                   127.0.0.2    10   0
FIVETEN-BULK         ip4r   blackholes.five-ten-sg.com       127.0.0.4    10   0
MAILPOLICE-BULK      ip4r   bulk.rhs.mailpolice.com          127.0.0.2    10   0
MAILPOLICE-PORN      ip4r   porn.rhs.mailpolice.com          127.0.0.2    10   0
OSSRC                ip4r   relays.osirusoft.com             127.0.0.4    7    0
EASYNET-DNSBL        ip4r   blackholes.easynet.nl            127.0.0.2    7    0
EASYNET-PROXIES      ip4r   proxies.blackholes.easynet.nl    127.0.0.2    7    0
FIVETEN-SPAMSUPPORT  ip4r   blackholes.five-ten-sg.com       127.0.0.7    7    0
FIVETEN-MISC         ip4r   blackholes.five-ten-sg.com       127.0.0.9    7    0
BLITZEDALL           ip4r   opm.blitzed.org                  *            7    0
DSBL                 ip4r   list.dsbl.org                    *            5    0
MONKEYPROXIES        ip4r   proxies.relays.monkeys.com       *            5    0
OSFORM               ip4r   relays.osirusoft.com             127.0.0.8    5    0
OSPROXY              ip4r   relays.osirusoft.com             127.0.0.9    5    0
FIVETEN-SPAM         ip4r   blackholes.five-ten-sg.com       127.0.0.2    5    0
FIVETEN-MULTISTAGE   ip4r   blackholes.five-ten-sg.com       127.0.0.5    5    0
FIVETEN-SINGLESTAGE  ip4r   blackholes.five-ten-sg.com       127.0.0.6    5    0
FIVETEN-FREE         ip4r   blackholes.five-ten-sg.com       127.0.0.12   5    0
MONKEYFORMMAIL       ip4r   formmail.relays.monkeys.com      *            4    0
ORDB                 ip4r   relays.ordb.org                  *            4    0
OSDUL                ip4r   relays.osirusoft.com             127.0.0.3    4    0
OSRELAY              ip4r   relays.osirusoft.com             127.0.0.2    4    0
OSSMART              ip4r   relays.osirusoft.com             127.0.0.5    4    0
V6NET                ip4r   spammers.v6net.org               127.0.0.2    4    0
OSLIST               ip4r   relays.osirusoft.com             127.0.0.7    2    0
DSN                  rhsbl  dsn.rfc-ignorant.org             127.0.0.2    1    0
NOABUSE              rhsbl  abuse.rfc-ignorant.org           127.0.0.4    1    0
NOPOSTMASTER         rhsbl  postmaster.rfc-ignorant.org      127.0.0.3    1    0
BONDEDSENDER         ip4r   query.bondedsender.org           127.0.0.10   -20  0

MAILFROM     envfrom      x        x                              7   0
ROUTING      spamrouting  x        x                              7   0
HELOBOGUS    helovalid    x        x                              5   0
SPAMHEADERS  spamheaders  x        x                              5   0
BADHEADERS   badheaders   x        x                              3   0
BASE64       base64       x        x                              3   0
PERCENT      percent      x        x                              2   0
IPNOTINMX    ipnotinmx    x        x                              0   -2
ALLIGATE     external     nonzero  C:\IMail\Alligate\NoXMail.exe  3   0

WEIGHT10     weight       x        x                              10  0
--8
I believe some of these tests are not catching anything and could be 
removed.  Comments and questions are welcome.

Matt



Keith Johnson wrote:

Rob,
   If you don't mind sharing, what config settings do you use for
Alligate..
Keith
 


Re: [Declude.JunkMail] Alligate vs. Message Sniffer...opinions?

2003-08-20 Thread Matthew Bramble
John,

I just joined the list today, but I found your configuration file from 
back in June and it was very helpful in understanding how to fine tune 
Alligate.  I'm going to study its logs more closely before I start that 
phase though, looking for false positives.  I've turned that test down 
to 3/10 of failure and reduced several other tests by 1/10 to 2/10 of 
failure in order to accommodate it (BADHEADERS for instance).  It seems 
to get most of its scoring from technical-type stuff instead of the 
heuristics, and if this is the case, I don't think that a scaled test 
would be that much more useful to me.  If I could score the content and 
obfuscation, and just those things, I wouldn't be double counting the 
technicals, and that should reduce some false positives.

I don't want to knock Alligate, it has some nice functionality, 
especially when used without Declude (auto whitelisting and digest 
notification), and it does what it says, but it has a relatively high 
false positive rate in the default configuration and therefore it can't 
be scored higher than it is on my scale.  If they could get the auto 
whitelisting and digest notification to work with Declude, that might 
make me a buyer.  I'm still looking for more information on Message 
Sniffer within this context.

I've looked at AutoWhite and will probably give it a try, but I can't 
find any information on Match.  Would you care to share a link?

Thanks,

Matt



John Tolmachoff (Lists) wrote:

As one of the earlier testers and helped develop the variable scale of
Alligate, I can understand your position. I have a client that gets a lot of
e-mail from the Far East and a lot of bcc broadcasts and lists. Many of
these show elements of spam, but are legit. That is what makes it hard.
There are a number of adjustments available in Alligate. You might want to
look over my config file I posted earlier today.
One thing I do for this specific issue is I use 2 programs. One is Match,
which is very simple but does need to be revised. The other is AutoWhite. A
30 demo of AutoWhite is available at
www.eservicesforyou.com/products/autowhite.html. Match is free.
While everyone can have a unique setup, please let me know if you would like
to spend some time going over the possible configurations in Alligate.
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
 





Re: [Declude.JunkMail] Alligate vs. Message Sniffer...opinions?

2003-08-20 Thread Pete McNeil
At 10:31 PM 8/20/2003 -0400, you wrote:

snip

I don't want to knock Alligate, it has some nice functionality, especially 
when used without Declude (auto whitelisting and digest notification), and 
it does what it says, but it has a relatively high false positive rate in 
the default configuration and therefore it can't be scored higher than it 
is on my scale.  If they could get the auto whitelisting and digest 
notification to work with Declude, that might make me a buyer.  I'm still 
looking for more information on Message Sniffer within this context.
One thing you will find with the registered version of Message Sniffer is 
that the heuristics are divided into categories. Within Declude you can 
assign different weights to each category depending upon your needs. This 
is particularly helpful with the Gray Hosting category (Group 60).

It's important to note that this is not available in the demo rule base. 
Although the demo rule base is now updated as frequently as registered 
versions, the categories are not differentiated and new rules are slightly 
delayed.

You can find details about the result codes and the heuristics categories 
at the following URL:

http://www.sortmonster.com/MessageSniffer/Help/ResultCodesHelp.html

You can always download the evaluation and a fresh demo rule base file at:

http://www.sortmonster.com/MessageSniffer/Try-It.html

(there is no limit on the evaluation period)

Another important thing about Message Sniffer is that your subscription 
includes customizing your rule base to fit your needs - including ongoing 
adjustments for missed spam and false positives, as well as white, black, 
and blocking rules upon request.

While Message Sniffer regularly scores 93-95% capture rates out of the box 
(see prior statistics posted by Scott) the fine-tuned rates tend to be much 
better and the false positive rates tend toward very low fractions of a % 
after a very short tuning period (6-15 days on average). The rapid update 
process (several updates per day) also tends to weed out newer spam very 
quickly.

If you have any specific questions please feel free to contact me off list 
at [EMAIL PROTECTED]

Hope this helps,
_M
Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief Sortmonster (www.sortmonster.com)


Re: [Declude.JunkMail] Alligate vs. Message Sniffer...opinions?

2003-08-20 Thread brian
Hi Matt, I guess I'll chime in here...
 
On 08/20/03 10:31pm you wrote...

I just joined the list today, but I found your configuration file from 
back in June and it was very helpful in understanding how to fine tune 
Alligate.  I'm going to study its logs more closely before I start that 
phase though, looking for false positives.  I've turned that test down 
to 3/10 of failure and reduced several other tests by 1/10 to 2/10 of 
failure in order to accommodate it (BADHEADERS for instance).  It seems 
to get most of its scoring from technical-type stuff instead of the 
heuristics, and if this is the case, I don't think that a scaled test 
would be that much more useful to me.  If I could score the content and 
obfuscation, and just those things, I wouldn't be double counting the 
technicals, and that should reduce some false positives.

You are correct that Alligate will accumulate scores on many of the same
things as Declude will. This is basically the same engine as we use on the
gateway product, but it is 100% stand alone so it must do everything. The
technical violations are some of the best spam indicators there are, however,
you are racking up double scores.

You can rely more on the heuristics by decreasing the values of certain
Alligate tests or setting them to 0 (zero). Most of the hard penalty tests
support this, as well as most of the heuristic tests where the score is
variable depending on the degree of failure.

I don't want to knock Alligate, it has some nice functionality, 
especially when used without Declude (auto whitelisting and digest 
notification), and it does what it says, but it has a relatively high 
false positive rate in the default configuration and therefore it can't 
be scored higher than it is on my scale.  If they could get the auto 
whitelisting and digest notification to work with Declude, that might 
make me a buyer.  I'm still looking for more information on Message 
Sniffer within this context.

The full IMail version does everything and will work in Declude as well. But
it costs more. Many Declude version users wanted scaled down, more affordable
Declude test only version, so that's what we did. Alligate really depends on
training to achieve the best results. This involves automatic whitelisting and
users responses to digests. Unfortunately, using it as a test in Declude
limits its full functionality, however properly adjusted, it will still
provide several features that don't exist in any other product. You just need
to figure out what features are important to your flow, and which aren't and
adjust the configuration accordingly.

In our gateway version the false positive rate is usually in the area of 1 in
3000 messages after about 30 days of training. In the gateway version this
is all done without administrator intervention, but the same results should be
possible in the Declude version, except you have to do the training. And,
you save lots of money :)

You will find this list to be extremely helpful. As I am sure Scott would
agree, there are people here that know the products almost better than we do
ourselves. They have this down to a fine science, and the advice you can get
here will help you get the most for the least. Most Declude users I have
worked with are hands on people and know their business.

Brian
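
The double scoring discussed in this thread, worked through as an added example (not code from any poster, Declude or Alligate). It assumes each test line has the six columns NAME TYPE PARAM1 PARAM2 weight-if-triggered weight-if-not-triggered; the test subset and the triggered set are constructed, and `zeroed` is a hypothetical way to model setting an overlapping test's weight to 0.

```python
from dataclasses import dataclass

# Constructed subset of the test lines posted in the thread. Assumed layout:
# NAME TYPE PARAM1 PARAM2 WEIGHT_IF_TRIGGERED WEIGHT_IF_NOT_TRIGGERED
CONFIG = r"""
# blacklist and RFC-style tests
SBL           ip4r       sbl.spamhaus.org        127.0.0.2   10  0
NOABUSE       rhsbl      abuse.rfc-ignorant.org  127.0.0.4    1  0
BONDEDSENDER  ip4r       query.bondedsender.org  127.0.0.10 -20  0
BADHEADERS    badheaders x                       x            3  0
BASE64        base64     x                       x            3  0
IPNOTINMX     ipnotinmx  x                       x            0 -2
ALLIGATE      external   nonzero  C:\IMail\Alligate\NoXMail.exe  3  0
"""


@dataclass(frozen=True)
class Rule:
    name: str
    kind: str
    params: tuple
    on_trigger: int   # added when the message trips the test
    on_clear: int     # added when it does not (can be a negative credit)


def parse_rules(text):
    """Parse test lines into {name: Rule}; '#' comments and blanks are skipped.

    Parameters containing spaces are not supported in this simplified parser.
    """
    rules = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 6:
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(fields)}")
        name, kind, p1, p2, w_trig, w_clear = fields
        try:
            rules[name] = Rule(name, kind, (p1, p2), int(w_trig), int(w_clear))
        except ValueError:
            raise ValueError(f"line {lineno}: weights must be integers") from None
    return rules


def total_weight(rules, triggered, zeroed=frozenset()):
    """Sum the weights for one message; tests named in `zeroed` contribute 0."""
    unknown = set(triggered) - rules.keys()
    if unknown:
        raise KeyError(f"unknown tests: {sorted(unknown)}")
    total = 0
    for rule in rules.values():
        if rule.name in zeroed:
            continue
        total += rule.on_trigger if rule.name in triggered else rule.on_clear
    return total


def classify(total, delete_at, hold_at=None):
    """Map a total weight to an action; hold_at is optional."""
    if total >= delete_at:
        return "delete"
    if hold_at is not None and total >= hold_at:
        return "hold"
    return "deliver"


RULES = parse_rules(CONFIG)

# Constructed case: a legitimate Base64 message from a poorly configured
# server. ALLIGATE fires on the same technical faults the other tests score.
BASE64_SENDER = {"BASE64", "BADHEADERS", "ALLIGATE", "NOABUSE", "IPNOTINMX"}

if __name__ == "__main__":
    for label, kwargs in [("as configured", {}),
                          ("ALLIGATE weight zeroed", {"zeroed": {"ALLIGATE"}})]:
        weight = total_weight(RULES, BASE64_SENDER, **kwargs)
        print(f"{label}: weight {weight} -> {classify(weight, delete_at=10)}")
```

With a delete threshold of 10, the three overlapping 3-point tests plus one 1-point listing are enough to delete the message; removing the duplicated signal drops it back under the line.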



[Declude.JunkMail] Alligate

2003-08-19 Thread Keith Johnson
Does anyone have any configs they are willing to share that they are using in 
production for Alligate with Declude?  Thanks for the aid.
 
Keith

RE: [Declude.JunkMail] Alligate

2003-08-19 Thread John Tolmachoff \(Lists\)
Do you mean as a Declude ONLY test?

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
 [EMAIL PROTECTED] On Behalf Of Keith Johnson
 Sent: Tuesday, August 19, 2003 7:18 PM
 To: [EMAIL PROTECTED]
 Subject: [Declude.JunkMail] Alligate
 
 Does anyone have any configs they are willing to share that they are using in
 production for Alligate with Declude?  Thanks for the aid.
 
 Keith
#Alligate for IMail CONFIGURATION FILE (MINIMUM CONFIGURATION)
#PLEASE SEE THE CONFIGURATION INSTRUCTIONS FOR MORE OPTIONS

#GENERAL NOTES
# A # symbol or // symbol at the beginning of the line indicates a
#comment, or when preceeding a configuration value, will undefine that 
#value.


# THE FOLLOWING 2 VALUES MUST BE PROVIDED FOR ALL VERSIONS

LICENSE x

KEY xx

# THE FOLLOWING 2 VALUES NEED REFLECT YOUR EMAIL ADDRESSES
# THE POSTMASTER SHOULD BE A NEW, DEDICATED ACCOUNT FOR
# SPAM HANDLING ONLY.

POSTMASTER  
REPORTSTO   x

# THE FOLLOWING VALUE NEEDS TO BE USED IF YOU ARE USING Alligate
# WITH IMail ALONE, OR WITH IMail and Declude Virus.

#HANDOFF c:\imail\smtp32.exe

# IF YOUR ARE USING Declude Junkmail, !!DELETE THE LINE ABOVE!!
# AND RUN Alligate AS A Declude TEST.


# DECLUDE SPECIFIC OPTIONS WHEN RUNNING Alligate AS
# A DECLUDE TEST ONLY

DECLUDETESTONLY TRUE

SPAMMESSAGE NONE

ADULTMESSAGE    NONE


# THE FOLLOWING 4 KEYS NEED TO BE EDITED TO REFLECT YOUR
# PREFERENCES **ONLY** IF YOU ROUTE FAILED MESSAGES
# TO A PARTICULAR ADDRESS FOR REVIEW

#ROUTESPAM  [EMAIL PROTECTED]

#ROUTESPAMSCORE 40

#ROUTEADULT [EMAIL PROTECTED]

#ROUTEADULTSCORE 40


# IF NOT RUNNING AS A DECLUDE TEST ONLY THEN THE FOLLOWING
# 2 VALUES SHOULD BE USED

#SPAMMESSAGE    DEFAULT

#ADULTMESSAGE   DEFAULT


# IF YOU WANT THE RECIPIENT OF OUTGOING MAIL TO BE ADDED TO THE
# USERS WHITELIST AUTOMATICALLY, CHANGE THE NEXT VALUE TO TRUE

AUTOWHITELIST   FALSE


# THE FOLLOWING 2 VALUES DEFINE WHETHER OR NOT TO SCAN OUTGOING
# MAIL AND WILL CAUSE A REJECTION MESSAGE TO BE SENT TO YOUR
# USER IF THE OUTGOING MESSAGE FAILS

SCANOUTGOING    TRUE

SENDREJECTION   FALSE


# THE BALANCE OF THESE VALUES ARE RECOMMENDED DEFAULTS AND 
# NEED NOT BE CHANGED REGARDLESS OF THE OPTIONS ABOVE

SENDTOTRASH FALSE

ALLOWRELAY  TRUE

NONENGLISH  6

BADROUTING  12

THRESHOLD   4

PATMATCHES  2

SATURATION  5

LOGALLFAILURES  TRUE

ADULTSCORE  18

#ADULTKILLSCORE 45

SPAMSCORE   18

#SPAMKILLSCORE  65

EXITCODESCORE   22

#KILLSCORE  75

#ADULTSUBJECT   [ADULT]

#SPAMSUBJECT    [SPAM]

LOGDETAIL   DEBUG

MAXSUBJECTSCORE 10

GOODSPAMMER 6

KNOWNSPAMMER    8

HIGHASCII   5

SIGNATURE   4

DOHOSTLOOKUP    TRUE

REPEATIP        4

REPEATHOST  4

CHECKREPEATSPAMMERS TRUE

MAXREPEATSPAMMERS   500

TRASHBADENCODING FALSE

REPEATSPAMSCORE 30

REPEATADULTSCORE 30

LOGFILEPATH E:\Alligate