[sniffer] False
I am finding that most if not all email from Comcast senders are failing Sniffer. Fred This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
RE: [sniffer] False Positives.
Pete, Can you send these kinds of emails to Hamed instead of me please. thanks Judy Burnett Everyones Internet, Ltd. 835 Greens Parkway, Suite 150 Houston, TX 77067 713-579-2802 Fax: 713-942-8621 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil Sent: Monday, May 09, 2005 6:49 PM To: Chuck Schick Subject: Re: [sniffer] False Positives. On Monday, May 9, 2005, 7:40:00 PM, Chuck wrote: CS I am all of a sudden having all of the mail from one of our hosted domains CS fail the sniffer-phishing. The domain is srinternational.com - could you CS please check on this. All of the emails are different - just from the same CS domain. Responding off list with rule details. _M This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
Re: [sniffer] False
On Tuesday, May 10, 2005, 9:35:59 AM, Frederick wrote: FS I am finding that most if not all email from Comcast senders are failing FS Sniffer. Please submit a false positive report to false@ and include matching SNF log entries if possible. Thanks, _M This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
Re[2]: [sniffer] False Positives.
On Tuesday, May 10, 2005, 9:37:29 AM, Judy wrote: JB Pete, JB Can you send these kinds of emails to Hamed instead of me please. JB thanks I have changed your subscription. Please note you can alter your sniffer@ list subscription at any time. Information is on our help page: http://www.sortmonster.com/MessageSniffer/Help/Help.html Best, _M This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
[sniffer] Rule 353039 - .comcast.net
Hello Sniffer Folks, A rule was created today by one of the robots which targets .comcast.net -- This happened when a number of blacklists including SBL listed comcast IPs causing the robot to be convinced that a message in the spamtrap warranted tagging the domain. The rule has been removed and I am pushing out new rulebase compilation as quickly as possible. Please do not rush to download your rulebase file in response to this --- wait for the update notification or else your file is not updated. I believe we've caught this quickly enough that most of you will not be effected. However, if you suspect that you do have the bad rule in your rulebase you can temporarily eliminate the rule by adding 353039 to your Rule-panic entries in your configuration file. The rule cannot be recreated once removed. We are very sorry for the confusion. Thanks, _M Pete McNeil (Madscientist) President, MicroNeil Research Corporation Chief SortMonster (www.sortmonster.com) This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
Re: [sniffer] Rule 353039 - .comcast.net
Whew! Just got done forwarding 90 false positives to mail clients. Sure glad you caught it! Michael Stein Computer House - Original Message - From: Pete McNeil [EMAIL PROTECTED] To: sniffer@sortmonster.com Sent: Tuesday, May 10, 2005 10:27 AM Subject: [sniffer] Rule 353039 - .comcast.net Hello Sniffer Folks, A rule was created today by one of the robots which targets .comcast.net -- This happened when a number of blacklists including SBL listed comcast IPs causing the robot to be convinced that a message in the spamtrap warranted tagging the domain. The rule has been removed and I am pushing out new rulebase compilation as quickly as possible. Please do not rush to download your rulebase file in response to this --- wait for the update notification or else your file is not updated. I believe we've caught this quickly enough that most of you will not be effected. However, if you suspect that you do have the bad rule in your rulebase you can temporarily eliminate the rule by adding 353039 to your Rule-panic entries in your configuration file. The rule cannot be recreated once removed. We are very sorry for the confusion. Thanks, _M Pete McNeil (Madscientist) President, MicroNeil Research Corporation Chief SortMonster (www.sortmonster.com) This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
RE: [sniffer] Rule 353039 - .comcast.net
Thanks for the quick work, Pete. I put in the Rule-panic entry as soon as you sent the email to this list. For what it's worth, I just finished with all my held mail for the last two days, and I had no false positives from messages with a mailfrom that included c o m c a s t. Lots of mail that came from everywhere including ComCast zombies and possibly servers, and contained ComCast email addresses in the body. From the sheer bulk of it, it's no wonder that one of your robots thought c o m c a s t was a good indicator of spam. The only message that that was held, which a subsequent re-scan with Sniffer turned up, was actually a W32/[EMAIL PROTECTED] virus (which I don't expect Sniffer to catch). Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil Sent: Tuesday, May 10, 2005 7:28 AM To: sniffer@sortmonster.com Subject: [sniffer] Rule 353039 - .comcast.net Importance: High Hello Sniffer Folks, A rule was created today by one of the robots which targets .comcast.net -- This happened when a number of blacklists including SBL listed comcast IPs causing the robot to be convinced that a message in the spamtrap warranted tagging the domain. The rule has been removed and I am pushing out new rulebase compilation as quickly as possible. Please do not rush to download your rulebase file in response to this --- wait for the update notification or else your file is not updated. I believe we've caught this quickly enough that most of you will not be effected. However, if you suspect that you do have the bad rule in your rulebase you can temporarily eliminate the rule by adding 353039 to your Rule-panic entries in your configuration file. The rule cannot be recreated once removed. We are very sorry for the confusion. Thanks, _M Pete McNeil (Madscientist) President, MicroNeil Research Corporation Chief SortMonster (www.sortmonster.com) This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
RE: [sniffer] Rule 353039 - .comcast.net
Pete, Is this in the beta/free release of Sniffer rules? Erik -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Tuesday, May 10, 2005 6:20 PM To: sniffer@SortMonster.com Subject: RE: [sniffer] Rule 353039 - .comcast.net Thanks for the quick work, Pete. I put in the Rule-panic entry as soon as you sent the email to this list. For what it's worth, I just finished with all my held mail for the last two days, and I had no false positives from messages with a mailfrom that included c o m c a s t. Lots of mail that came from everywhere including ComCast zombies and possibly servers, and contained ComCast email addresses in the body. From the sheer bulk of it, it's no wonder that one of your robots thought c o m c a s t was a good indicator of spam. The only message that that was held, which a subsequent re-scan with Sniffer turned up, was actually a W32/[EMAIL PROTECTED] virus (which I don't expect Sniffer to catch). Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil Sent: Tuesday, May 10, 2005 7:28 AM To: sniffer@sortmonster.com Subject: [sniffer] Rule 353039 - .comcast.net Importance: High Hello Sniffer Folks, A rule was created today by one of the robots which targets .comcast.net -- This happened when a number of blacklists including SBL listed comcast IPs causing the robot to be convinced that a message in the spamtrap warranted tagging the domain. The rule has been removed and I am pushing out new rulebase compilation as quickly as possible. Please do not rush to download your rulebase file in response to this --- wait for the update notification or else your file is not updated. I believe we've caught this quickly enough that most of you will not be effected. However, if you suspect that you do have the bad rule in your rulebase you can temporarily eliminate the rule by adding 353039 to your Rule-panic entries in your configuration file. The rule cannot be recreated once removed. We are very sorry for the confusion. Thanks, _M Pete McNeil (Madscientist) President, MicroNeil Research Corporation Chief SortMonster (www.sortmonster.com) This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
Re: [sniffer] Rule 353039 - .comcast.net
Warning! When you add a RulePanic entry and are running Sniffer in persistent mode, you have to restart the service for it to take effect. I changed this earlier and it had no effect until I restarted the service on my box. Maybe I'm wrong about this, but just changing my config file had no effect on it's own. Pete, when you send out these notifications, would you please add a few instructions to them, including the file name that needs to be modified, i.e. RuleBaseID.cfg, the format of the line, and the instructions to restart the service. Another important piece of information would be the time that the bad rule was created, otherwise we need to search our logs for it. My first hit on this was yesterday at 9 p.m. EST, but some probably hit it earlier by up to a couple of hours I would imagine. Thanks, Matt Pete McNeil wrote: Hello Sniffer Folks, A rule was created today by one of the robots which targets .comcast.net -- This happened when a number of blacklists including SBL listed comcast IPs causing the robot to be convinced that a message in the spamtrap warranted tagging the domain. The rule has been removed and I am pushing out new rulebase compilation as quickly as possible. Please do not rush to download your rulebase file in response to this --- wait for the update notification or else your file is not updated. I believe we've caught this quickly enough that most of you will not be effected. However, if you suspect that you do have the bad rule in your rulebase you can temporarily eliminate the rule by adding 353039 to your Rule-panic entries in your configuration file. The rule cannot be recreated once removed. We are very sorry for the confusion. Thanks, _M Pete McNeil (Madscientist) President, MicroNeil Research Corporation Chief SortMonster (www.sortmonster.com) This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html -- = MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ = This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
Re: [sniffer] Rule 353039 - .comcast.net
Mail from Comcast is still getting caught, even with the panic rule in place. Any suggestions? Mike Stein This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
Re[2]: [sniffer] Rule 353039 - .comcast.net
On Tuesday, May 10, 2005, 12:31:18 PM, Erik wrote: E Pete, E Is this in the beta/free release of Sniffer rules? It may not be --- it's new enough that it may have been excluded from the demo rulebase. To make sure you should make a quick scan of your SNF log file for that rule number. In any case it will be gone from all rulebases shortly. Best, _M This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
Re: [sniffer] Rule 353039 - .comcast.net
See my message below...restart your Sniffer service and it should work. Matt Computer House Support wrote: Mail from Comcast is still getting caught, even with the panic rule in place. Any suggestions? Mike Stein This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html -- = MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ = This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
Re[2]: [sniffer] Rule 353039 - .comcast.net
On Tuesday, May 10, 2005, 12:45:53 PM, Computer wrote: CHS Mail from Comcast is still getting caught, even with the panic rule in CHS place. Any suggestions? * be sure you have updated rulbase.cfg * be sure your entry is in the correct format. You will find examples at the bottom of your .cfg file with each example commented out. The easiest way to make the entry is to change the number in one of the examples and remove the # and any spaces in front of it. An active rule-panic entry will being on the first character of the line. The persistent engine should reload and pick up your change within no more than 10 minutes unless you have altered your timing settings. For immediate results you should issue rulebase.exe reload from your command line, Or you could restart your persistent instance service. Hope this helps, _M This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
Re[2]: [sniffer] Rule 353039 - .comcast.net
On Tuesday, May 10, 2005, 12:41:42 PM, Matt wrote: M Warning! M When you add a RulePanic entry and are running Sniffer in persistent M mode, you have to restart the service for it to take effect. You can also issue license.exe reload snip/ M Pete, when you send out these notifications, would you please add a M few instructions to them, including the file name that needs to be M modified, i.e. RuleBaseID.cfg, the format of the line, and the M instructions to restart the service. Those are good ideas --- this is so rare that I'm making up the procedure on the fly and I skipped those parts. I've posted another message with these details. M Another important piece of M information would be the time that the bad rule was created, M otherwise we need to search our logs for it. My first hit on this M was yesterday at 9 p.m. EST, but some probably hit it earlier by up M to a couple of hours I would imagine. I will hunt that down shortly. _M This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
Re: [sniffer] Rule 353039 - .comcast.net
Matt, Restarting the sniffer service seems to have done the trick. Thank you for the suggestion! Michael Stein Computer House [EMAIL PROTECTED] - Original Message - From: Matt [EMAIL PROTECTED] To: sniffer@SortMonster.com Sent: Tuesday, May 10, 2005 12:46 PM Subject: Re: [sniffer] Rule 353039 - .comcast.net See my message below...restart your Sniffer service and it should work. Matt Computer House Support wrote: Mail from Comcast is still getting caught, even with the panic rule in place. Any suggestions? Mike Stein This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html -- = MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ = This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
