RE: [Declude.JunkMail] Sniffer Integration - Bad snf_engine.xml

2010-05-05 Thread David Barker
Yes, you are correct; this was reported to us. The file should have been
updated with this release. I will ensure this is resolved. To correct this,
in the snf_engine.xml change <node/> to </node>.

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Wednesday, May 05, 2010 8:57 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Sniffer Integration - Bad snf_engine.xml
Importance: High

 

Dave,

 

Pete has helped me figure out that your XML samples, e.g.:

 

http://interim.declude.com/41048/Scanners/SNF/snf_engine.xml

 

is NOT a valid XML file.

 

Specifically, the closing tag for the node element is invalid.

 

It MUST be:

 

</node>

(Currently it is <node/>).

 

Consequently, opening this file with an xml parser (even just IE) will
result in parser errors.

 

I suppose everyone should double-click that XML file and see if it actually
opens (assuming that this bug has been there since day 1).

 

Best Regards,

Andy

 

 


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail. The archives can be found
at http://www.mail-archive.com. 
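
Added example (not part of the original thread, and not Declude or MicroNeil code): a scripted form of the "open it in an XML parser" check suggested above, run against a constructed stand-in for snf_engine.xml that has <node/> where </node> belongs. The sample file contents and the function names are assumptions made for this illustration.

```python
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed stand-in for snf_engine.xml, NOT the real Declude file. It
# reproduces the defect reported in the thread: <node/> where </node> belongs.
BROKEN = r"""<?xml version="1.0"?>
<snf>
  <node>
    <log path='[PATH]\declude\scanners\SNF\'/>
    <rulebase path='[PATH]\declude\scanners\SNF\'/>
  <node/>
</snf>
"""

# The same sample with the correction given in the thread applied.
FIXED = BROKEN.replace("  <node/>", "  </node>")


def check_xml_text(text):
    """Return None if text is well-formed XML, else (line, column, message)."""
    try:
        ET.fromstring(text)
    except ET.ParseError as err:
        line, col = err.position
        return line, col, str(err)
    return None


def check_xml_tree(root_dir):
    """Check every *.xml file below root_dir; return {path: error} for failures."""
    failures = {}
    for path in sorted(Path(root_dir).rglob("*.xml")):
        # Bytes, not str, so the parser honours the file's own encoding declaration.
        result = check_xml_text(path.read_bytes())
        if result is not None:
            failures[str(path)] = result
    return failures


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python check_xml.py <directory holding the scanner config files>
        bad = check_xml_tree(sys.argv[1])
        for path, (line, col, msg) in bad.items():
            print(f"{path}: line {line}, column {col}: {msg}")
        sys.exit(1 if bad else 0)
    print("broken sample:", check_xml_text(BROKEN))
    print("fixed sample: ", check_xml_text(FIXED))
```

The parser flags the sample at the enclosing closing tag on line 7, not at the faulty <node/> on line 6, because <node/> is by itself a valid empty element; the reported line is where to start looking, not necessarily where the typo is.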




RE: [Declude.JunkMail] Sniffer Integration - Multiple Exit Codes

2010-05-05 Thread Andy Schmidt
Hi Dave (just in case this got overlooked - or I missed the answer),

 

 Also even though there are multiple entries the test only runs once and
the resulted exit code is the triggered. 

I know that all 18 SNF rule lines only require one invocation of Sniffer -
which are then evaluated 18 different way. Fair enough.

I also know that the 3 SNFIP rule lines are only one invocation - which is
evaluated 3 different ways.

And then there is the SNFIPREP rule.

 

So I need to clarify this in my head. Will all 22 SNF. rules (even though
they are using 3 different commands) evaluate ONE invocation of Sniffer
(just different return fields) or is EACH of these 3 command groups (SNF,
SNFIP, SNFIPREPS) a separate entity that requires additional overhead?

Since there is some possible overhead between:

SNFIPREP (which evaluates the GDUdb) and SNFIP (which also evaluates the
GDUdb) and SNF-IP-RULES and SNFTRUNCATE (which also evaluate the GDUdb) -
and I'm wondering if eliminating the SNFIP and SNFIPREP and just sticking
with the SNF rules (which already has exit codes 20 and 63) will reduce the
Sniffer overhead by 2/3?

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Friday, April 30, 2010 11:14 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration - Global Exit Code
nonzero?

 

The test works as an internal test and not as an external test. The main
difference being the location of the exit code. See external is the 1st
variable whereas the internal it is the 2nd variable and the NONZERO does
not work for that.

 

SNIFFER   external   nonzero   C:\Smartermail\Declude\Sniffer\xxx.exe xxxabc12312   0

SNIFFER-TRAVEL   SNF   x   47   12   0

 

Also even though there are multiple entries the test only runs once and the
resulted exit code is the triggered.

David

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Friday, April 30, 2010 10:31 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration - Global Exit Code
nonzero?

 

Hi Dave,

 

Thanks for taking the time to explain it. I see that the sample on your web
site has already been corrected to read IPREPUTATION  SNFIPREP  and I
was simply working off an earlier copy.

 

For the SNF test type, is there a way to have a global match (e.g.,
NONZERO), instead of having to specify each of the 18 (current) return codes
one at a time? The external Sniffer simply allow me to code:

 

SNIFFER   external   nonzero   D:\IMAIL\Declude\SNF\SNFClient.exe   10   0

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Friday, April 30, 2010 10:05 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration

 

SNFIPBLACK  SNFIP   the 2nd variable value is 5 = Block and works as
an exit code.

 

IPREPUTATION works differently.

 

Note: IPREPUTATION  SNFIP  please update this to IPREPUTATION  SNFIPREP
x   0   10  -5 this should be the default.

 

SNFIPREP  represents a scale of   -1- 0 - 1  when the 2nd variable
(BASEPOINT) is set to 0 this will convert the IP reputation to this scale as
the examples below:

 

If final score is 0 no score is added to the email

dec0430.log1842   04/30/2010 00:01:20.700 49319588 SNFIPRep the
Value of Result = 0.00

 

If final score is + the 3rd variable score is used in this case 10

dec0430.log7351   04/30/2010 00:07:14.043 49319625 SNFIPRep the
Value of Result = 0.267262

 

If final score is - the 4th variable score is used in this case -5

dec0430.log1192604/30/2010 00:08:50.340 49319647 SNFIPRep the
Value of Result = -0.267262

 

The BASEPOINT is the point value at which an email will be considered Good
if the result is to the left or Bad if to the right.

 

(SNIFFER RETURN) x 10 - (BASEPOINT) = Result

 

Example:

 

0.267262  x 10 - 0 = 2 This is positive then the test is triggered for 10
points.

0.267262  x 10 - 1 = 1 This is positive then the test is triggered for 10
points.

0.267262  x 10 - 2 = 0 Not Triggered.

0.267262  x 10 - 3 = -1 This is negative then the test is not-triggered for
-5 points.

0.267262  x 10 - 4 = -2 This is negative then the test is not-triggered for
-5 points.

 

-0.267262  x 10 - 0 = -2 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 1 = -1 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 2 = 0 Not Triggered.

-0.267262  x 10 - 3 = -1 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 4 = -2 This is negative then the test is not-triggered for
-5 points.

 

David Barker
VP Operations Declude
Your Email security is our business

Re: [Declude.JunkMail] Sniffer Integration - Multiple Exit Codes

2010-05-05 Thread Pete McNeil
On 5/5/2010 3:24 PM, Andy Schmidt wrote:

  Hi Dave (just in case this got overlooked - or I missed the answer),

  Also even though there are multiple entries the test only runs once and
  the resulted exit code is the triggered.

  I know that all 18 SNF rule lines only require one invocation of Sniffer -
  which are then evaluated 18 different way. Fair enough.

  I also know that the 3 SNFIP rule lines are only one invocation - which is
  evaluated 3 different ways.

  And then there is the SNFIPREP rule.

  So I need to clarify this in my head. Will all 22 SNF rules (even though
  they are using 3 different commands) evaluate ONE invocation of Sniffer
  (just different return fields) or is EACH of these 3 command groups (SNF,
  SNFIP, SNFIPREPS) a separate entity that requires additional overhead?
  


If I may -- I'm not completely sure what you are asking -- but if your
concern is that the test for SNFIP and SNFIPREPS represent additional
overhead then I can answer that. The amount of code that is run to
execute these tests is vanishingly small. You should consider the
overhead required to run all three tests as being no more than running
the SNF pattern scan. The other two (SNFIP and SNFIPREPS) require so
little work that their overhead is virtually impossible to measure.

_M

-- 
President
MicroNeil Research Corporation
www.microneil.com







RE: [Declude.JunkMail] Sniffer Integration - Multiple Exit Codes

2010-05-05 Thread Andy Schmidt
Thanks Pete.

 

Hopefully these discussions (and seeing your responsiveness) will convince
more folks decide to give Sniffer a try!

 

 I'm not completely sure what you are asking 

 

The golden rule for external tests and for RBLs is - if you have multiple
lines using the SAME command (e.g., the 18 SNF lines), or referring to
the same external program (e.g., 5 invURIBL lines), or referring to the same
blacklist (10 lines checking different return values), THEN only the FIRST
line will actually run the test against that resource (e.g., run the
external program, lookup the IP in the RBL). The OTHER lines will just
evaluate the return code differently without rerunning the test.

 

Now with the internal Sniffer implementation, we have three DIFFERENT
commands (SNF, SNFIP, SNFIPREP). So it's worthwhile confirming whether the
same golden rule applies here even though these are NOT multiple lines of
the SAME command.

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Pete
McNeil
Sent: Wednesday, May 05, 2010 3:47 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Sniffer Integration - Multiple Exit Codes

 

On 5/5/2010 3:24 PM, Andy Schmidt wrote: 

Hi Dave (just in case this got overlooked - or I missed the answer),

 

 Also even though there are multiple entries the test only runs once and
the resulted exit code is the triggered. 

I know that all 18 SNF rule lines only require one invocation of Sniffer -
which are then evaluated 18 different way. Fair enough.

I also know that the 3 SNFIP rule lines are only one invocation - which is
evaluated 3 different ways.

And then there is the SNFIPREP rule.

 

So I need to clarify this in my head. Will all 22 SNF. rules (even though
they are using 3 different commands) evaluate ONE invocation of Sniffer
(just different return fields) or is EACH of these 3 command groups (SNF,
SNFIP, SNFIPREPS) a separate entity that requires additional overhead?


If I may -- I'm not completely sure what you are asking -- but if your
concern is that the test for SNFIP and SNFIPREPS represent additional
overhead then I can answer that. The amount of code that is run to execute
these tests is vanishingly small. You should consider the overhead required
to run all three tests as being no more than running the SNF pattern scan.
The other two (SNFIP and SNFIPREPS) require so little work that their
overhead is virtually impossible to measure.

_M




-- 
President
MicroNeil Research Corporation
www.microneil.com



Re: [Declude.JunkMail] Sniffer Integration - Multiple Exit Codes

2010-05-05 Thread Pete McNeil
On 5/5/2010 4:05 PM, Andy Schmidt wrote:

<snip/>

  The golden rule for external tests and for RBLs is - if you have multiple
  lines using the SAME command (e.g., the 18 SNF lines), or referring to the
  same external program (e.g., 5 invURIBL lines), or referring to the same
  blacklist (10 lines checking different return values), THEN only the FIRST
  line will actually run the test against that resource (e.g., run the
  external program, lookup the IP in the RBL). The OTHER lines will just
  evaluate the return code differently without rerunning the test.

  Now with the internal Sniffer implementation, we have three DIFFERENT
  commands (SNF, SNFIP, SNFIPREP). So it's worthwhile confirming whether the
  same golden rule applies here even though these are NOT multiple lines of
  the SAME command.
  


The same rule applies --- Run the test once, use the results of the
test many times.

However in the case of SNFIP and SNFIPREP the cost of the test is so
small that it cannot be measured. The IP reputation database is local
(in memory) and immediately accessible (there is no delay or network
traffic involved). The only work that gets done is a little bit of math.

Best,

_M

-- 
President
MicroNeil Research Corporation
www.microneil.com







RE: [Declude.JunkMail] Sniffer Integration - Multiple Exit Codes

2010-05-03 Thread Andy Schmidt
Hi Dave (just in case this one got lost),

 

 Also even though there are multiple entries the test only runs once and
the resulted exit code is the triggered. 

I know that all 18 SNF rule lines only require one invocation of Sniffer -
which are then evaluated 18 different way. Fair enough.

I also know that the 3 SNFIP rule lines are only one invocation - which is
evaluated 3 different ways.

And then there is the SNFIPREP rule.

 

So I need to clarify this in my head. Will all 22 SNF. rules (even though
they are using 3 different commands) evaluate ONE invocation of Sniffer
(just different return fields) or is EACH of these 3 command groups (SNF,
SNFIP, SNFIPREPS) a separate entity that requires additional overhead?

Since there is overlap between:

SNFIPREP (which evaluates the GDUdb) and SNFIP (which also evaluates the
GDUdb) and SNF-IP-RULES and SNFTRUNCATE (which also evaluate the GDUdb) -
and I'm wondering if eliminating the SNFIP and SNFIPREP and just sticking
with the SNF rules (which already has exit codes 20 and 63) would further
reduce the Sniffer overhead by 2/3?

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Friday, April 30, 2010 11:14 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration - Global Exit Code
nonzero?

 

The test works as an internal test and not as an external test. The main
difference being the location of the exit code. See external is the 1st
variable whereas the internal it is the 2nd variable and the NONZERO does
not work for that.

 

SNIFFER   external   nonzero   C:\Smartermail\Declude\Sniffer\xxx.exe xxxabc12312   0

SNIFFER-TRAVEL   SNF   x   47   12   0

 

Also even though there are multiple entries the test only runs once and the
resulted exit code is the triggered.

David




RE: [Declude.JunkMail] Sniffer Integration

2010-04-30 Thread David Barker
SNFIPBLACK  SNFIP   the 2nd variable value is 5 = Block and works as
an exit code.

 

IPREPUTATION works differently.

 

Note: IPREPUTATION  SNFIP  please update this to IPREPUTATION  SNFIPREP
x   0   10  -5 this should be the default.

 

SNFIPREP  represents a scale of   -1- 0 - 1  when the 2nd variable
(BASEPOINT) is set to 0 this will convert the IP reputation to this scale as
the examples below:

 

If final score is 0 no score is added to the email

dec0430.log1842   04/30/2010 00:01:20.700 49319588 SNFIPRep the
Value of Result = 0.00

 

If final score is + the 3rd variable score is used in this case 10

dec0430.log7351   04/30/2010 00:07:14.043 49319625 SNFIPRep the
Value of Result = 0.267262

 

If final score is - the 4th variable score is used in this case -5

dec0430.log1192604/30/2010 00:08:50.340 49319647 SNFIPRep the
Value of Result = -0.267262

 

The BASEPOINT is the point value at which an email will be considered Good
if the result is to the left or Bad if to the right.

 

(SNIFFER RETURN) x 10 - (BASEPOINT) = Result

 

Example:

 

0.267262  x 10 - 0 = 2 This is positive then the test is triggered for 10
points.

0.267262  x 10 - 1 = 1 This is positive then the test is triggered for 10
points.

0.267262  x 10 - 2 = 0 Not Triggered.

0.267262  x 10 - 3 = -1 This is negative then the test is not-triggered for
-5 points.

0.267262  x 10 - 4 = -2 This is negative then the test is not-triggered for
-5 points.

 

-0.267262  x 10 - 0 = -2 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 1 = -1 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 2 = 0 Not Triggered.

-0.267262  x 10 - 3 = -1 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 4 = -2 This is negative then the test is not-triggered for
-5 points.

 

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
 mailto:dbar...@declude.com dbar...@declude.com

 

, April 30, 2010 1:26 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration

 

Hi,

 

1.   I'm confused about the Sniffer integration sample:

 

SNFIPBLACK  SNFIP   x   5   10  0

IPREPUTATION  SNFIP   x   5   10  -5


It seems to me as if BOTH lines test the SAME Sniffer return code of 5 -
but one line assigns adds a weight of 10 when found, the other also adds a
weight of 10, but subtracts 5 when NOT found?

 

So will this add 20 when found? Why use TWO lines to accomplish that?

 

2.   In the past I could simply configure:

 

SNIFFER   external   nonzero   D:\IMAIL\Declude\SNF\SNFClient.exe   10   0

 

if I didn't want to duplicate 18 lines - and risk that at some point a
return code will be added that I will miss unless I add another line to the
config file.

 

So, does the SNF test have some way to configure ONE line for nonzero to
create a baseline weight, and then just add SNF tests for specific return
code if I want those specific ones treated with a higher weight?

 

Best Regards,

Andy

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Monday, January 04, 2010 9:54 AM
To: declude.vi...@declude.com; declude.junkmail@declude.com;
declude.relea...@declude.com
Subject: [Declude.JunkMail] Release 4.10.42

 

Declude 4.10.42

JM  ADD Add IMail support for SQL Database. Declude can check the
SQL DB for Autowhitelist

JM  ADD IPNOSCAN for IMail

JM  ADD Add a new directive POSTINIFIX uses either ON or OFF in the
declude.cfg file. Postini is a large managed email service which amends the
header structure. The   Postini fix helps Declude correctly identify
Postini headers. To configure use POSTINIFIX  ON

JM  ADD Add the Recipient, mailfrom and subject information to the
blklst.txt file. The format blklst.txt file is

 
Date|time|spool#|IP|TotalWeight|LastAction|RecpList|mailfrom|subject|testsfailed

JM  ADD IPBYPASS can be configured with CIDR

JM  ADD New Header directive XWHITELIST ON in the global.cfg
will give the reason for why the email was WHITELISTED in the header of the
email.

JM  ADD Integrated Message Sniffer with Declude. Will use Declude
rulebase. (If you are a current Message Sniffer user this does not apply to
you unless you want to switch and use the Declude rulebase) To
configure the SNF files need to be edit by the user, where the [PATH] needs
to be the actual path on your server.

getRulebase.cmd

SET SNIFFER_PATH=[PATH]\declude\scanners\SNF\

Snf_engine.xml file

<log path='[PATH]\declude\scanners\SNF\'/>

<rulebase path='[PATH]\declude\scanners\SNF\'/>

workspace path

RE: [Declude.JunkMail] Sniffer Integration - Global Exit Code nonzero?

2010-04-30 Thread Andy Schmidt
Hi Dave,

 

Thanks for taking the time to explain it. I see that the sample on your web
site has already been corrected to read IPREPUTATION  SNFIPREP  and I
was simply working off an earlier copy.

 

For the SNF test type, is there a way to have a global match (e.g.,
NONZERO), instead of having to specify each of the 18 (current) return codes
one at a time? The external Sniffer simply allow me to code:

 

SNIFFER   external   nonzero   D:\IMAIL\Declude\SNF\SNFClient.exe   10   0

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Friday, April 30, 2010 10:05 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration

 

SNFIPBLACK  SNFIP   the 2nd variable value is 5 = Block and works as
an exit code.

 

IPREPUTATION works differently.

 

Note: IPREPUTATION  SNFIP  please update this to IPREPUTATION  SNFIPREP
x   0   10  -5 this should be the default.

 

SNFIPREP  represents a scale of   -1- 0 - 1  when the 2nd variable
(BASEPOINT) is set to 0 this will convert the IP reputation to this scale as
the examples below:

 

If final score is 0 no score is added to the email

dec0430.log1842   04/30/2010 00:01:20.700 49319588 SNFIPRep the
Value of Result = 0.00

 

If final score is + the 3rd variable score is used in this case 10

dec0430.log7351   04/30/2010 00:07:14.043 49319625 SNFIPRep the
Value of Result = 0.267262

 

If final score is - the 4th variable score is used in this case -5

dec0430.log1192604/30/2010 00:08:50.340 49319647 SNFIPRep the
Value of Result = -0.267262

 

The BASEPOINT is the point value at which an email will be considered Good
if the result is to the left or Bad if to the right.

 

(SNIFFER RETURN) x 10 - (BASEPOINT) = Result

 

Example:

 

0.267262  x 10 - 0 = 2 This is positive then the test is triggered for 10
points.

0.267262  x 10 - 1 = 1 This is positive then the test is triggered for 10
points.

0.267262  x 10 - 2 = 0 Not Triggered.

0.267262  x 10 - 3 = -1 This is negative then the test is not-triggered for
-5 points.

0.267262  x 10 - 4 = -2 This is negative then the test is not-triggered for
-5 points.

 

-0.267262  x 10 - 0 = -2 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 1 = -1 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 2 = 0 Not Triggered.

-0.267262  x 10 - 3 = -1 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 4 = -2 This is negative then the test is not-triggered for
-5 points.

 

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
 mailto:dbar...@declude.com dbar...@declude.com

 

, April 30, 2010 1:26 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration

 

Hi,

 

1.   I'm confused about the Sniffer integration sample:

 

SNFIPBLACK  SNFIP   x   5   10  0

IPREPUTATION  SNFIP   x   5   10  -5


It seems to me as if BOTH lines test the SAME Sniffer return code of 5 -
but one line assigns adds a weight of 10 when found, the other also adds a
weight of 10, but subtracts 5 when NOT found?

 

So will this add 20 when found? Why use TWO lines to accomplish that?

 

2.   In the past I could simply configure:

 

SNIFFER   external   nonzero   D:\IMAIL\Declude\SNF\SNFClient.exe   10   0

 

if I didn't want to duplicate 18 lines - and risk that at some point a
return code will be added that I will miss unless I add another line to the
config file.

 

So, does the SNF test have some way to configure ONE line for nonzero to
create a baseline weight, and then just add SNF tests for specific return
code if I want those specific ones treated with a higher weight?

 

Best Regards,

Andy




RE: [Declude.JunkMail] Sniffer Integration - Global Exit Code nonzero?

2010-04-30 Thread David Barker
The test works as an internal test and not as an external test. The main
difference being the location of the exit code. See external is the 1st
variable whereas the internal it is the 2nd variable and the NONZERO does
not work for that.

 

SNIFFER   external   nonzero   C:\Smartermail\Declude\Sniffer\xxx.exe xxxabc12312   0

SNIFFER-TRAVEL   SNF   x   47   12   0

 

Also even though there are multiple entries the test only runs once and the
resulted exit code is the triggered.



David

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Friday, April 30, 2010 10:31 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration - Global Exit Code
nonzero?

 

Hi Dave,

 

Thanks for taking the time to explain it. I see that the sample on your web
site has already been corrected to read IPREPUTATION  SNFIPREP  and I
was simply working off an earlier copy.

 

For the SNF test type, is there a way to have a global match (e.g.,
NONZERO), instead of having to specify each of the 18 (current) return codes
one at a time? The external Sniffer simply allow me to code:

 

SNIFFER   external   nonzero   D:\IMAIL\Declude\SNF\SNFClient.exe   10   0

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Friday, April 30, 2010 10:05 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration

 

SNFIPBLACK  SNFIP   the 2nd variable value is 5 = Block and works as
an exit code.

 

IPREPUTATION works differently.

 

Note: IPREPUTATION  SNFIP  please update this to IPREPUTATION  SNFIPREP
x   0   10  -5 this should be the default.

 

SNFIPREP  represents a scale of   -1- 0 - 1  when the 2nd variable
(BASEPOINT) is set to 0 this will convert the IP reputation to this scale as
the examples below:

 

If final score is 0 no score is added to the email

dec0430.log1842   04/30/2010 00:01:20.700 49319588 SNFIPRep the
Value of Result = 0.00

 

If final score is + the 3rd variable score is used in this case 10

dec0430.log7351   04/30/2010 00:07:14.043 49319625 SNFIPRep the
Value of Result = 0.267262

 

If final score is - the 4th variable score is used in this case -5

dec0430.log1192604/30/2010 00:08:50.340 49319647 SNFIPRep the
Value of Result = -0.267262

 

The BASEPOINT is the point value at which an email will be considered Good
if the result is to the left or Bad if to the right.

 

(SNIFFER RETURN) x 10 - (BASEPOINT) = Result

 

Example:

 

0.267262  x 10 - 0 = 2 This is positive then the test is triggered for 10
points.

0.267262  x 10 - 1 = 1 This is positive then the test is triggered for 10
points.

0.267262  x 10 - 2 = 0 Not Triggered.

0.267262  x 10 - 3 = -1 This is negative then the test is not-triggered for
-5 points.

0.267262  x 10 - 4 = -2 This is negative then the test is not-triggered for
-5 points.

 

-0.267262  x 10 - 0 = -2 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 1 = -1 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 2 = 0 Not Triggered.

-0.267262  x 10 - 3 = -1 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 4 = -2 This is negative then the test is not-triggered for
-5 points.

 

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
 mailto:dbar...@declude.com dbar...@declude.com

 

, April 30, 2010 1:26 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration

 

Hi,

 

1.   I'm confused about the Sniffer integration sample:

 

SNFIPBLACK  SNFIP   x   5   10  0

IPREPUTATION  SNFIP   x   5   10  -5


It seems to me as if BOTH lines test the SAME Sniffer return code of 5 -
but one line assigns adds a weight of 10 when found, the other also adds a
weight of 10, but subtracts 5 when NOT found?

 

So will this add 20 when found? Why use TWO lines to accomplish that?

 

2.   In the past I could simply configure:

 

SNIFFER   external   nonzero   D:\IMAIL\Declude\SNF\SNFClient.exe   10   0

 

if I didn't want to duplicate 18 lines - and risk that at some point a
return code will be added that I will miss unless I add another line to the
config file.

 

So, does the SNF test have some way to configure ONE line for nonzero to
create a baseline weight, and then just add SNF tests for specific return
code if I want those specific ones treated with a higher weight?

 

Best Regards,

Andy



RE: [Declude.JunkMail] Sniffer Integration - Global Exit Code nonzero?

2010-04-30 Thread Andy Schmidt
Thanks for clearing up that it doesn't work for the 2nd variable (I'm aware
that it is an internal and not an external test, and that it is the SECOND
variable, and that it only executes once, etc.)

 

As a suggestion, you might consider enabling the nonzero option for the
second variable as well. The reasons for preferring one nonzero exit code
of (currently 18) individual exit codes are

 

a)  The config file will be more compact,

b)  Fewer lines mean fewer chances of errors/omissions

c)   No need to keep worrying about missing the announcement for a new
exit code whenever Peter decides to extend the list 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Friday, April 30, 2010 11:14 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration - Global Exit Code
nonzero?

 

The test works as an internal test and not as an external test. The main
difference being the location of the exit code. See external is the 1st
variable whereas the internal it is the 2nd variable and the NONZERO does
not work for that.

 

SNIFFER   external   nonzero   C:\Smartermail\Declude\Sniffer\xxx.exe xxxabc12312   0

SNIFFER-TRAVEL   SNF   x   47   12   0

 

Also even though there are multiple entries the test only runs once and the
resulted exit code is the triggered.

David
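
Added example (not part of the original thread, and not Declude or MicroNeil code): an audit for the gap raised in point c) above, where a result code with no matching SNF line silently adds no weight. The field layout (NAME TYPE x CODE WEIGHT NOT-WEIGHT) is read off the sample lines quoted in this thread; the test names other than SNIFFER-TRAVEL, the weights other than 12, result code 99 and the list of observed codes are constructed for illustration.

```python
from collections import Counter

# Constructed Declude-style test lines. Only "SNIFFER-TRAVEL ... 47 12 0",
# the SNFIPBLACK line and the existence of codes 20 and 63 come from the
# thread; the other names and weights are made up.
SAMPLE_CFG = """
SNIFFER-TRAVEL   SNF     x   47   12   0
SNIFFER-CODE20   SNF     x   20   10   0
SNIFFER-CODE63   SNF     x   63   10   0
SNFIPBLACK       SNFIP   x   5    10   0
"""

# Constructed list of result codes, as an admin might collect them from logs
# (how they are extracted is outside this sketch). 99 stands for a code that
# was introduced after the config was written.
OBSERVED = [0, 47, 20, 0, 99, 63, 47, 99]


def parse_tests(cfg_text, test_type="SNF"):
    """Return {code: [(name, weight), ...]} for lines of the given test type."""
    tests = {}
    for lineno, line in enumerate(cfg_text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 6 or fields[1].upper() != test_type:
            continue  # blank line, other test type, or not a test line
        name, code, weight = fields[0], fields[3], fields[4]
        try:
            tests.setdefault(int(code), []).append((name, int(weight)))
        except ValueError:
            raise ValueError(f"line {lineno}: non-numeric code or weight: {line!r}")
    return tests


def weight_for(code, tests):
    """Total weight the enumerated lines add for one result code (0 if none match)."""
    return sum(weight for _name, weight in tests.get(code, []))


def unmatched_codes(observed, tests):
    """Nonzero codes that were observed but match no line, with their counts."""
    counts = Counter(c for c in observed if c != 0 and c not in tests)
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    snf = parse_tests(SAMPLE_CFG)
    print("configured SNF codes:", sorted(snf))
    for code, hits in unmatched_codes(OBSERVED, snf).items():
        print(f"result code {code}: seen {hits}x, no matching line, "
              f"weight added = {weight_for(code, snf)}")
```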




RE: [Declude.JunkMail] Sniffer Integration - Global Exit Code nonzero?

2010-04-30 Thread David Barker
I have already added it to the dev list as an idea.

David

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Friday, April 30, 2010 11:52 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration - Global Exit Code
nonzero?

 

Thanks for clearing up that it doesn't work for the 2nd variable (I'm aware
that it is an internal and not an external test, and that it is the SECOND
variable, and that it only executes once, etc.)

 

As a suggestion, you might consider enabling the nonzero option for the
second variable as well. The reasons for preferring one nonzero exit code
of (currently 18) individual exit codes are

 

a)  The config file will be more compact,

b)  Fewer lines mean fewer chances of errors/omissions

c)   No need to keep worrying about missing the announcement for a new
exit code whenever Peter decides to extend the list 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Friday, April 30, 2010 11:14 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration - Global Exit Code
nonzero?

 

The test works as an internal test and not as an external test. The main
difference being the location of the exit code. See external is the 1st
variable whereas the internal it is the 2nd variable and the NONZERO does
not work for that.

 

SNIFFER   external   nonzero   C:\Smartermail\Declude\Sniffer\xxx.exe xxxabc12312   0

SNIFFER-TRAVEL   SNF   x   47   12   0

 

Also even though there are multiple entries the test only runs once and the
resulted exit code is the triggered.

David



RE: [Declude.JunkMail] Sniffer Integration - Global Exit Code nonzero?

2010-04-30 Thread Jim Comerford
So what's the difference between the SNIFFER test as Internal vs External?
Is one faster than the other?  Assuming you did not want to check the
individual tests (ie SNIFFER-TRAVEL) is there an advantage to using one over
the other?

 

Internal:

SNIFFER   external   nonzero   C:\Smartermail\Declude\Sniffer\xxx.exe xxxabc12312   0

SNIFFER-TRAVEL   SNF   x   47   12   0

 

External 

SNIFFER   external   nonzero   D:\IMAIL\Declude\SNF\SNFClient.exe   12   0

 

-Jim

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Friday, April 30, 2010 11:14 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration - Global Exit Code
nonzero?

 

The test works as an internal test and not as an external test. The main
difference being the location of the exit code. See external is the 1st
variable whereas the internal it is the 2nd variable and the NONZERO does
not work for that.

 

SNIFFER   external   nonzero   C:\Smartermail\Declude\Sniffer\xxx.exe xxxabc12312   0

SNIFFER-TRAVEL   SNF   x   47   12   0

 

Also even though there are multiple entries the test only runs once and the
resulted exit code is the triggered.

David

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Friday, April 30, 2010 10:31 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration - Global Exit Code
nonzero?

 

Hi Dave,

 

Thanks for taking the time to explain it. I see that the sample on your web
site has already been corrected to read IPREPUTATION SNFIPREP and I
was simply working off an earlier copy.

For the SNF test type, is there a way to have a global match (e.g.,
NONZERO), instead of having to specify each of the 18 (current) return codes
one at a time? The external Sniffer simply allows me to code:

SNIFFER   external   nonzero   D:\IMAIL\Declude\SNF\SNFClient.exe   10   0

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Friday, April 30, 2010 10:05 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration

 

SNFIPBLACK  SNFIP   the 2nd variable value is 5 = Block and works as
an exit code.

 

IPREPUTATION works differently.

 

Note: IPREPUTATION SNFIP  please update this to IPREPUTATION SNFIPREP
x   0   10  -5 this should be the default.

SNFIPREP  represents a scale of  -1 - 0 - 1  when the 2nd variable
(BASEPOINT) is set to 0 this will convert the IP reputation to this scale as
the examples below:

If final score is 0 no score is added to the email

dec0430.log  1842   04/30/2010 00:01:20.700 49319588 SNFIPRep the Value of Result = 0.00

If final score is + the 3rd variable score is used in this case 10

dec0430.log  7351   04/30/2010 00:07:14.043 49319625 SNFIPRep the Value of Result = 0.267262

If final score is - the 4th variable score is used in this case -5

dec0430.log  11926  04/30/2010 00:08:50.340 49319647 SNFIPRep the Value of Result = -0.267262

 

The BASEPOINT is the point value at which an email will be considered Good
if the result is to the left or Bad if to the right.

 

(SNIFFER RETURN) x 10 - (BASEPOINT) = Result

 

Example:

 

0.267262  x 10 - 0 = 2 This is positive then the test is triggered for 10
points.

0.267262  x 10 - 1 = 1 This is positive then the test is triggered for 10
points.

0.267262  x 10 - 2 = 0 Not Triggered.

0.267262  x 10 - 3 = -1 This is negative then the test is not-triggered for
-5 points.

0.267262  x 10 - 4 = -2 This is negative then the test is not-triggered for
-5 points.

 

-0.267262  x 10 - 0 = -2 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 1 = -1 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 2 = 0 Not Triggered.

-0.267262  x 10 - 3 = -1 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 4 = -2 This is negative then the test is not-triggered for
-5 points.

 

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
 mailto:dbar...@declude.com dbar...@declude.com

 

, April 30, 2010 1:26 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration

 

Hi,

 

1.   I'm confused about the Sniffer integration sample:

 

SNFIPBLACK  SNFIP   x   5   10  0

IPREPUTATION  SNFIP   x   5   10  -5


It seems to me as if BOTH lines test the SAME Sniffer return code of 5 -
but one line assigns adds a weight of 10 when found

RE: [Declude.JunkMail] Sniffer Integration - Global Exit Code nonzero?

2010-04-30 Thread Andy Schmidt
Speed (and stability) and additional test options.

 

The external test runs as a command line, each email is a new instance that
needs an environment to be instantiated and later broken down. On top of
that, it burns up some of that not-well documented heap memory for command
line programs - which CAN cause stability problems in some problems if one
runs several command line tools in Declude (although there are some registry
settings in Windows to allocate some extra heap).

 

The internal test offers additional tests (such as the reputation test) and
other IP based tests that the external test does not - and it runs as part
of Declude (not by starting another  command line session for each email).

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Jim
Comerford
Sent: Friday, April 30, 2010 12:02 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration - Global Exit Code
nonzero?

 

So what's the difference between the SNIFFER test as Internal vs External?
Is one faster than the other?  Assuming you did not want to check the
individual tests (ie SNIFFER-TRAVEL) is there an advantage to using one over
the other?

 

Internal:

SNIFFER   external   nonzero   C:\Smartermail\Declude\Sniffer\xxx.exe xxxabc12312   0

SNIFFER-TRAVEL   SNF   x   47   12   0

 

External 

SNIFFER   external   nonzero   D:\IMAIL\Declude\SNF\SNFClient.exe   12   0

 

-Jim

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Friday, April 30, 2010 11:14 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration - Global Exit Code
nonzero?

 

The test works as an internal test and not as an external test. The main
difference being the location of the exit code. See external is the 1st
variable whereas the internal it is the 2nd variable and the NONZERO does
not work for that.

 

SNIFFER   external   nonzero   C:\Smartermail\Declude\Sniffer\xxx.exe xxxabc12312   0

SNIFFER-TRAVEL   SNF   x   47   12   0

 

Also even though there are multiple entries the test only runs once and the
resulted exit code is the triggered.

David

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Friday, April 30, 2010 10:31 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration - Global Exit Code
nonzero?

 

Hi Dave,

 

Thanks for taking the time to explain it. I see that the sample on your web
site has already been corrected to read IPREPUTATION SNFIPREP and I
was simply working off an earlier copy.

For the SNF test type, is there a way to have a global match (e.g.,
NONZERO), instead of having to specify each of the 18 (current) return codes
one at a time? The external Sniffer simply allows me to code:

SNIFFER   external   nonzero   D:\IMAIL\Declude\SNF\SNFClient.exe   10   0

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Friday, April 30, 2010 10:05 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration

 

SNFIPBLACK  SNFIP   the 2nd variable value is 5 = Block and works as
an exit code.

 

IPREPUTATION works differently.

 

Note: IPREPUTATION SNFIP  please update this to IPREPUTATION SNFIPREP
x   0   10  -5 this should be the default.

SNFIPREP  represents a scale of  -1 - 0 - 1  when the 2nd variable
(BASEPOINT) is set to 0 this will convert the IP reputation to this scale as
the examples below:

If final score is 0 no score is added to the email

dec0430.log  1842   04/30/2010 00:01:20.700 49319588 SNFIPRep the Value of Result = 0.00

If final score is + the 3rd variable score is used in this case 10

dec0430.log  7351   04/30/2010 00:07:14.043 49319625 SNFIPRep the Value of Result = 0.267262

If final score is - the 4th variable score is used in this case -5

dec0430.log  11926  04/30/2010 00:08:50.340 49319647 SNFIPRep the Value of Result = -0.267262

 

The BASEPOINT is the point value at which an email will be considered Good
if the result is to the left or Bad if to the right.

 

(SNIFFER RETURN) x 10 - (BASEPOINT) = Result

 

Example:

 

0.267262  x 10 - 0 = 2 This is positive then the test is triggered for 10
points.

0.267262  x 10 - 1 = 1 This is positive then the test is triggered for 10
points.

0.267262  x 10 - 2 = 0 Not Triggered.

0.267262  x 10 - 3 = -1 This is negative then the test is not-triggered for
-5 points.

0.267262  x 10 - 4 = -2 This is negative then the test is not-triggered for
-5 points.

 

-0.267262  x 10 - 0 = -2 This is negative then the test

RE: [Declude.JunkMail] Sniffer Integration - Multiple Exit Codes

2010-04-30 Thread Andy Schmidt
Hi Dave,

 

 Also even though there are multiple entries the test only runs once and
the resulted exit code is the triggered. 

I know that all 18 SNF rule lines only require one invocation of Sniffer -
which are then evaluated 18 different ways. Fair enough.

I also know that the 3 SNFIP rule lines are only one invocation - which is
evaluated 3 different ways.

And then there is the SNFIPREP rule.

 

So I need to clarify this in my head. Will all 22 SNF. rules (even though
they are using 3 different commands) evaluate ONE invocation of Sniffer
(just different return fields) or is EACH of these 3 command groups (SNF,
SNFIP, SNFIPREPS) a separate entity that requires additional overhead?

Since there is some possible overhead between:

SNFIPREP (which evaluates the GDUdb) and SNFIP (which also evaluates the
GDUdb) and SNF-IP-RULES and SNFTRUNCATE (which also evaluate the GDUdb) -
and I'm wondering if eliminating the SNFIP and SNFIPREP and just sticking
with the SNF rules (which already has exit codes 20 and 63) will reduce the
Sniffer overhead by 2/3?

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Friday, April 30, 2010 11:14 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration - Global Exit Code
nonzero?

 

The test works as an internal test and not as an external test. The main
difference being the location of the exit code. See external is the 1st
variable whereas the internal it is the 2nd variable and the NONZERO does
not work for that.

 

SNIFFER   external   nonzero   C:\Smartermail\Declude\Sniffer\xxx.exe xxxabc12312   0

SNIFFER-TRAVEL   SNF   x   47   12   0

 

Also even though there are multiple entries the test only runs once and the
resulted exit code is the triggered.

David

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Friday, April 30, 2010 10:31 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration - Global Exit Code
nonzero?

 

Hi Dave,

 

Thanks for taking the time to explain it. I see that the sample on your web
site has already been corrected to read IPREPUTATION SNFIPREP and I
was simply working off an earlier copy.

For the SNF test type, is there a way to have a global match (e.g.,
NONZERO), instead of having to specify each of the 18 (current) return codes
one at a time? The external Sniffer simply allows me to code:

SNIFFER   external   nonzero   D:\IMAIL\Declude\SNF\SNFClient.exe   10   0

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Friday, April 30, 2010 10:05 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration

 

SNFIPBLACK  SNFIP   the 2nd variable value is 5 = Block and works as
an exit code.

 

IPREPUTATION works differently.

 

Note: IPREPUTATION SNFIP  please update this to IPREPUTATION SNFIPREP
x   0   10  -5 this should be the default.

SNFIPREP  represents a scale of  -1 - 0 - 1  when the 2nd variable
(BASEPOINT) is set to 0 this will convert the IP reputation to this scale as
the examples below:

If final score is 0 no score is added to the email

dec0430.log  1842   04/30/2010 00:01:20.700 49319588 SNFIPRep the Value of Result = 0.00

If final score is + the 3rd variable score is used in this case 10

dec0430.log  7351   04/30/2010 00:07:14.043 49319625 SNFIPRep the Value of Result = 0.267262

If final score is - the 4th variable score is used in this case -5

dec0430.log  11926  04/30/2010 00:08:50.340 49319647 SNFIPRep the Value of Result = -0.267262

 

The BASEPOINT is the point value at which an email will be considered Good
if the result is to the left or Bad if to the right.

 

(SNIFFER RETURN) x 10 - (BASEPOINT) = Result

 

Example:

 

0.267262  x 10 - 0 = 2 This is positive then the test is triggered for 10
points.

0.267262  x 10 - 1 = 1 This is positive then the test is triggered for 10
points.

0.267262  x 10 - 2 = 0 Not Triggered.

0.267262  x 10 - 3 = -1 This is negative then the test is not-triggered for
-5 points.

0.267262  x 10 - 4 = -2 This is negative then the test is not-triggered for
-5 points.

 

-0.267262  x 10 - 0 = -2 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 1 = -1 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 2 = 0 Not Triggered.

-0.267262  x 10 - 3 = -1 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 4 = -2 This is negative then the test is not-triggered for
-5 points.

 

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
 mailto:dbar...@declude.com dbar

RE: [Declude.JunkMail] Sniffer Integration

2010-04-29 Thread Andy Schmidt
Hi,

 

1.   I'm confused about the Sniffer integration sample:

 

SNFIPBLACK  SNFIP   x   5   10  0

IPREPUTATION  SNFIP   x   5   10  -5




It seems to me as if BOTH lines test the SAME Sniffer return code of 5 -
but one line assigns adds a weight of 10 when found, the other also adds a
weight of 10, but subtracts 5 when NOT found?

 

So will this add 20 when found? Why use TWO lines to accomplish that?

 

2.   In the past I could simply configure:

 

SNIFFER   external   nonzero   D:\IMAIL\Declude\SNF\SNFClient.exe   10   0

 

if I didn't want to duplicate 18 lines - and risk that at some point a
return code will be added that I will miss unless I add another line to the
config file.

 

So, does the SNF test have some way to configure ONE line for nonzero to
create a baseline weight, and then just add SNF tests for specific return
code if I want those specific ones treated with a higher weight?

 

Best Regards,

Andy

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Monday, January 04, 2010 9:54 AM
To: declude.vi...@declude.com; declude.junkmail@declude.com;
declude.relea...@declude.com
Subject: [Declude.JunkMail] Release 4.10.42

 

Declude 4.10.42

JM  ADD Add IMail support for SQL Database. Declude can check the
SQL DB for Autowhitelist

JM  ADD IPNOSCAN for IMail

JM  ADD Add a new directive POSTINIFIX uses either ON or OFF in the
declude.cfg file. Postini is a large managed email service which amends the
header structure. The   Postini fix helps Declude correctly identify
Postini headers. To configure use POSTINIFIX  ON

JM  ADD Add the Recipient, mailfrom and subject information to the
blklst.txt file. The format blklst.txt file is

 
Date|time|spool#|IP|TotalWeight|LastAction|RecpList|mailfrom|subject|testsfailed

JM  ADD IPBYPASS can be configured with CIDR

JM  ADD New Header directive XWHITELIST ON in the global.cfg
will give the reason for why the email was WHITELISTED in the header of the
email.

JM  ADD Integrated Message Sniffer with Declude. Will use Declude
rulebase. (If you are a current Message Sniffer user this does not apply to
you unless you want to switch and use the Declude rulebase) To
configure the SNF files need to be edited by the user, where the [PATH] needs
to be the actual path on your server.

getRulebase.cmd

SET SNIFFER_PATH=[PATH]\declude\scanners\SNF\

Snf_engine.xml file

<log path='[PATH]\declude\scanners\SNF\'/>

<rulebase path='[PATH]\declude\scanners\SNF\'/>

<workspace path='[PATH]\declude\scanners\SNF\'/>

<update-script on-off='on' call='[PATH]\declude\scanners\SNF\getRulebase.cmd' guard-time='180'/>
Global.cfg

SNFIPCAUTION         SNFIP   x   4   5   0
SNFIPBLACK           SNFIP   x   5   10  0
SNFIPTRUNCATE        SNFIP   x   6   10  0

IPREPUTATION         SNFIP   x   5   10  -5

SNIFFER-TRAVEL       SNF     x   47  10  0
SNIFFER-INSURANCE    SNF     x   48  10  0
SNIFFER-AV-PUSH      SNF     x   49  10  0
SNIFFER-WAREZ        SNF     x   50  10  0
SNIFFER-SPAMWARE     SNF     x   51  10  0
SNIFFER-SNAKEOIL     SNF     x   52  12  0
SNIFFER-SCAMS        SNF     x   53  10  0
SNIFFER-PORN         SNF     x   54  10  0
SNIFFER-MALWARE      SNF     x   55  10  0
SNIFFER-ADVERTISING  SNF     x   56  10  0
SNIFFER-SCHEME       SNF     x   57  10  0
SNIFFER-CREDIT       SNF     x   58  10  0
SNIFFER-GAMBLING     SNF     x   59  10  0
SNIFFER-GENERAL      SNF     x   60  10  0
SNIFFER-SPAM         SNF     x   61  10  0
SNIFFER-OBFUSCATION  SNF     x   62  10  0
SNIFFER-IP-RULES     SNF     x   63  10  0

SNFTRUNCATE          SNF     x   20  10  0


EVA FIX Fix for Virus test not catching the eicar test due to e-mail
formatting

HJ  ADD