Re[2]: [sniffer] Experimental hits on bounce messages

2004-06-14 Thread Pete McNeil
On Monday, June 14, 2004, 1:56:00 AM, Matt wrote:

M Pete,

M Experimental.  If these rules were in a different category, it would
M make me feel a lot better about it.  I'm guessing maybe from my
M standpoint, Spamware would be the most appropriate category for
M tagging forged message ID's of this type.  This is such a large
M issue presently that it does matter somewhat and I would feel much
M more comfortable not having to use combo filters with
M the Experimental result code.

I will move the new rule to the malware group since it detects
messages transmitted from a particular worm.

The spamware group currently contains rules for messages advertising
spam services and resources so putting the forged header rule in that
group would be a significant departure from its current character.

M BTW, here's an example of a bounce that I blocked after
M including Experimental in our BOUNCER combo filter.  I honestly
M can't tell if this is legitimate or not, and I can't see any signs
M of spam content which makes me think it was the IP that triggered

It was an IP rule.

I've treated this as a false positive indication and dropped the rule.
If you have other false positives then please submit them through the
false positive process so that we can process them.

This particular rule has been in place since 20040205 with no prior
false positive reports and a rule strength of 1.88+. The rule was
sourced through our spamtraps indicating strongly that there was some
kind of spam or malware delivered through that IP back in February.

M the hit, but I'm posting it here so that you might be able to tell
M me what rule hit. The log entry is above the source.  I'm just
M trying to figure out how to tune my system appropriately and
M wondering if I need to be on the lookout for legitimate servers
M tagged by Experimental which due to their inclusion now in combo
M filters, may cause legitimate E-mail to bounce.

If this is a significant problem for you then we can remap some rules
to different categories for you. This is expensive for us and makes it
difficult to administer and debug your rulebase (since it will be
unique) but it can be done if necessary.

Best,
_M




This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html


[sniffer] Declude configuration

2004-06-14 Thread John Tolmachoff (Lists)
I am new to Sniffer, and have it up and running with the basic line looking
for a nonzero return code.

I would now like to start setting different weights for different return
codes.

Does someone have an example configuration I can use?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You






Re: [sniffer] Declude configuration

2004-06-14 Thread Scott Fisher
Here's what I use:

My subject tag weight is 100 points. So in general sniffer weighs in at 90%. The 
greymail (60) needs some taming. I run a greymail whitelist to credit back 42 points 
to those that I don't consider spam. That's the only code you really need to be wary 
of. You may tend to get a few more false positives in the experimental (62) category, 
so you may want to weight that one less. On the other hand it is likely to catch the 
newest spam.

I find having return code 0 helps. When I encounter a spam that has the 
sniffer-notfound in the headers, it gets forwarded to sortmonster.


SNIFFER-NOTFOUND     external 000 D:\IMail\Declude\Sniffer\sniffer2.exe code 0  0
SNIFFER-TRAVEL       external 047 D:\IMail\Declude\Sniffer\sniffer2.exe code 90 0
SNIFFER-INSURANCE    external 048 D:\IMail\Declude\Sniffer\sniffer2.exe code 90 0
SNIFFER-AV-PUSH      external 049 D:\IMail\Declude\Sniffer\sniffer2.exe code 90 0
SNIFFER-WAREZ        external 050 D:\IMail\Declude\Sniffer\sniffer2.exe code 90 0
SNIFFER-SPAMWARE     external 051 D:\IMail\Declude\Sniffer\sniffer2.exe code 90 0
SNIFFER-SNAKEOIL     external 052 D:\IMail\Declude\Sniffer\sniffer2.exe code 90 0
SNIFFER-SCAMS        external 053 D:\IMail\Declude\Sniffer\sniffer2.exe code 90 0
SNIFFER-PORN         external 054 D:\IMail\Declude\Sniffer\sniffer2.exe code 90 0
SNIFFER-MALWARE      external 055 D:\IMail\Declude\Sniffer\sniffer2.exe code 90 0
SNIFFER-ADVERTISING  external 056 D:\IMail\Declude\Sniffer\sniffer2.exe code 90 0
SNIFFER-SCHEMES      external 057 D:\IMail\Declude\Sniffer\sniffer2.exe code 90 0
SNIFFER-CREDIT       external 058 D:\IMail\Declude\Sniffer\sniffer2.exe code 90 0
SNIFFER-GAMBLING     external 059 D:\IMail\Declude\Sniffer\sniffer2.exe code 90 0
SNIFFER-GREYMAIL     external 060 D:\IMail\Declude\Sniffer\sniffer2.exe code 42 0
SNIFFER-OBFUSCATION  external 061 D:\IMail\Declude\Sniffer\sniffer2.exe code 90 0
SNIFFER-EXPERIMENTAL external 062 D:\IMail\Declude\Sniffer\sniffer2.exe code 90 0
SNIFFER-GENERAL      external 063 D:\IMail\Declude\Sniffer\sniffer2.exe code 90 0

Scott Fisher
Director of IT
Farm Progress Companies
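As an added example (not code from Declude, Message Sniffer or any poster), the following Python parses external test lines in the format Scott and Bill posted and scores a message the way Scott describes: the matching Sniffer test adds its weight, a greymail whitelist credits 42 points back, and 100 points earns the subject tag. Reading the two trailing integers as hit/miss weights, the AUTHCODE placeholder and the sample lines are assumptions.

```python
import re
from dataclasses import dataclass
# Constructed sample in the Declude 'external' test format from the thread:
#   NAME external RETCODE PROGRAM AUTHCODE WEIGHT_IF_HIT WEIGHT_IF_MISS
# Reading the two trailing integers as hit/miss weights is an assumption;
# AUTHCODE stands in for the license key, as "code" does in Scott's post.
SAMPLE_CONFIG = r"""
SNIFFER-NOTFOUND     external 000 D:\IMail\Declude\Sniffer\sniffer2.exe AUTHCODE 0  0
SNIFFER-MALWARE      external 055 D:\IMail\Declude\Sniffer\sniffer2.exe AUTHCODE 90 0
SNIFFER-GREYMAIL     external 060 D:\IMail\Declude\Sniffer\sniffer2.exe AUTHCODE 42 0
SNIFFER-EXPERIMENTAL external 062 D:\IMail\Declude\Sniffer\sniffer2.exe AUTHCODE 90 0
"""
LINE_RE = re.compile(r"^(\S+)\s+external\s+(\d+)\s+(.+?)\s+(-?\d+)\s+(-?\d+)$")

@dataclass(frozen=True)
class ExternalTest:
    name: str
    retcode: int      # Sniffer process return code this test fires on
    command: str      # program plus its arguments
    hit_weight: int
    miss_weight: int

def parse_config(text: str) -> dict[int, ExternalTest]:
    """Map return code -> test. Malformed lines and duplicate return codes
    raise, so a typo in the weights column does not silently drop a category."""
    tests: dict[int, ExternalTest] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a Declude external test: {line!r}")
        name, code, cmd, hit, miss = m.groups()
        test = ExternalTest(name, int(code), cmd, int(hit), int(miss))
        if test.retcode in tests:
            raise ValueError(f"line {lineno}: return code {test.retcode} defined twice")
        tests[test.retcode] = test
    return tests

def score(tests, retcode, sender, greymail_whitelist=(), other_points=0,
          credit=42, tag_at=100):
    """Points for one message: other Declude tests plus the matching Sniffer
    test; a whitelisted sender that tripped GREYMAIL gets `credit` back."""
    total = other_points + sum(t.hit_weight if t.retcode == retcode else t.miss_weight
                               for t in tests.values())
    fired = tests.get(retcode)
    if fired and fired.name == "SNIFFER-GREYMAIL" and sender in greymail_whitelist:
        total -= credit
    return total, total >= tag_at
```

With these weights a lone Sniffer hit scores 90 and needs 10 more points from other tests to reach the tag, while a whitelisted greymail sender nets zero.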



RE: [sniffer] Declude configuration

2004-06-14 Thread Landry William

Here is a sample of what I use:
=
SNIFFER-TRAVEL       external 047 M:\IMail\Declude\TPA\Sniffer\YourLicenseID.exe YourAuthCode 05 0
SNIFFER-INSURANCE    external 048 M:\IMail\Declude\TPA\Sniffer\YourLicenseID.exe YourAuthCode 10 0
SNIFFER-AV-PUSH      external 049 M:\IMail\Declude\TPA\Sniffer\YourLicenseID.exe YourAuthCode 07 0
SNIFFER-WAREZ        external 050 M:\IMail\Declude\TPA\Sniffer\YourLicenseID.exe YourAuthCode 10 0
SNIFFER-SPAMWARE     external 051 M:\IMail\Declude\TPA\Sniffer\YourLicenseID.exe YourAuthCode 10 0
SNIFFER-SNAKEOIL     external 052 M:\IMail\Declude\TPA\Sniffer\YourLicenseID.exe YourAuthCode 12 0
SNIFFER-SCAMS        external 053 M:\IMail\Declude\TPA\Sniffer\YourLicenseID.exe YourAuthCode 12 0
SNIFFER-PORN         external 054 M:\IMail\Declude\TPA\Sniffer\YourLicenseID.exe YourAuthCode 15 0
SNIFFER-MALWARE      external 055 M:\IMail\Declude\TPA\Sniffer\YourLicenseID.exe YourAuthCode 12 0
SNIFFER-ADVERTISING  external 056 M:\IMail\Declude\TPA\Sniffer\YourLicenseID.exe YourAuthCode 10 0
SNIFFER-SCHEMES      external 057 M:\IMail\Declude\TPA\Sniffer\YourLicenseID.exe YourAuthCode 12 0
SNIFFER-CREDIT       external 058 M:\IMail\Declude\TPA\Sniffer\YourLicenseID.exe YourAuthCode 07 0
SNIFFER-GAMBLING     external 059 M:\IMail\Declude\TPA\Sniffer\YourLicenseID.exe YourAuthCode 07 0
SNIFFER-GREYMAIL     external 060 M:\IMail\Declude\TPA\Sniffer\YourLicenseID.exe YourAuthCode 05 0
SNIFFER-OBFUSCATION  external 061 M:\IMail\Declude\TPA\Sniffer\YourLicenseID.exe YourAuthCode 12 0
SNIFFER-EXPERIMENTAL external 062 M:\IMail\Declude\TPA\Sniffer\YourLicenseID.exe YourAuthCode 07 0
SNIFFER-GENERAL      external 063 M:\IMail\Declude\TPA\Sniffer\YourLicenseID.exe YourAuthCode 10 0
=

Bill
