[sniffer] Re: Training GBUdb on the client IP for aol.com
Thanks, Pete. I'm at the recommended logging level and can see the full XML record for GBU for each one of my scans. Despite my new line, the logging shows that the original Received: header line is still being inspected.

Since you're not calling out an obvious typo or thinko on my part, I'll send copies of my originals to support@ ... I think the real issue is that MessageSniffer is calling BS on the order of the headers that AOL webmail is emitting. MessageSniffer is probably acting correctly out of an abundance of caution.

Andrew.

-----Original Message-----
From: Message Sniffer Community [mailto:sniffer@sortmonster.com] On Behalf Of Pete McNeil
Sent: Monday, October 24, 2011 1:01 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Training GBUdb on the client IP for aol.com

On 10/24/2011 3:47 PM, Colbeck, Andrew wrote:
>
> C:\MessageSniffer>SNFClient.exe -test 92.231.217.255

Ok, you're working with a different message here (different IP).

If you turn on GBUdb data logging then it will tell you what IP it believed to be the source.

http://www.armresearch.com/support/articles/software/snfServer/config/node/logs/scan/xml.jsp
http://www.armresearch.com/support/articles/software/snfServer/logFiles/activityLogs.jsp#XML

example like:

Hope this helps,

_M

-- 
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010

#
This message is sent to you because you are subscribed to the mailing list .
This list is for discussing Message Sniffer, Anti-spam, Anti-Malware, and related email topics.
For More information see http://www.armresearch.com
To unsubscribe, E-mail to:
To switch to the DIGEST mode, E-mail to
To switch to the INDEX mode, E-mail to
Send administrative queries to
[sniffer] Re: Training GBUdb on the client IP for aol.com
On 10/24/2011 3:47 PM, Colbeck, Andrew wrote:
>
> C:\MessageSniffer>SNFClient.exe -test 92.231.217.255

Ok, you're working with a different message here (different IP).

If you turn on GBUdb data logging then it will tell you what IP it believed to be the source.

http://www.armresearch.com/support/articles/software/snfServer/config/node/logs/scan/xml.jsp
http://www.armresearch.com/support/articles/software/snfServer/logFiles/activityLogs.jsp#XML

example like:

Hope this helps,

_M

-- 
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010
[sniffer] Re: Training GBUdb on the client IP for telus.net
On 10/24/2011 3:36 PM, Colbeck, Andrew wrote:
> That's a very interesting question, Pete.
>
> Are you saying that the section is used to override the normal hop 0 / ordinal 0 IP address? If so, I didn't realize it, I thought this was an additional IP address for GBU to examine.

Yes.

The source header directive essentially says, "If you see X, then expect the source IP to be in header Y and don't look anywhere else"

Under normal circumstances SNF will attempt to identify the source IP as the first Received [IP] that it does not ignore.

> I think the answer is "yes", I don't want to inspect the ISP's outbound gateway, and I do want to inspect the "client IP" that originated the email.

Looking at these headers, the X-Telus-Outbound-IP: seems to match the deepest Received header (the original source) so I think this will do what you want.

I'm a little thrown by the "Outbound-IP:" bit - seems a strange name for the originator, but in this case it seems to line up with the correct header.

_M

-- 
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010
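The selection rule Pete describes above (first non-ignored Received IP, top down, unless a source-header directive says "if you see X, take the IP from header Y and look nowhere else"), modelled as an added Python example run over the thread's telus.net headers. This is not MessageSniffer's code: the (trigger_header, ip_header) rule pairs and the function names are assumptions of this example, not SNF's snf_engine.xml syntax.

```python
import ipaddress
import re

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample: the telus.net headers quoted in the thread, trimmed,
# in their original top-to-bottom order (topmost Received = newest hop).
TELUS_HEADERS = """\
Received: from defout.telus.net [204.209.205.32] by mail.bentallkennedy.com
 (Alligate(TM) SMTP Gateway v3.11.1.27) with ESMPT
Received: from edmwcm03 ([204.209.205.31]) by priv-edmwes26.telusplanet.net
Received: from MASTERMI-C9B95A ([216.218.29.230]) by edmwcm03 with bizsmtp
X-Telus-Outbound-IP: 216.218.29.230
"""

def parse_headers(raw):
    """Unfold continuation lines; return (lower-cased name, value) pairs."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:       # folded continuation
            headers[-1] = (headers[-1][0], headers[-1][1] + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return headers

def first_ip(value):
    """First valid IPv4 literal in a header value, or None."""
    for cand in IPV4.findall(value or ""):
        try:
            return str(ipaddress.IPv4Address(cand))
        except ValueError:          # e.g. 999.1.1.1 matches the regex but is no IP
            continue
    return None

def find_source_ip(raw, ignore=(), source_rules=()):
    """Default: first Received IP (top down) not in `ignore`. A source rule
    (trigger_header, ip_header), a hypothetical model of the directive, wins
    when trigger_header is present: take ip_header's IP, look nowhere else."""
    headers = parse_headers(raw)
    topmost = {n: v for n, v in reversed(headers)}   # first occurrence wins
    for trigger, ip_header in source_rules:
        if trigger.lower() in topmost:
            return first_ip(topmost.get(ip_header.lower()))
    for name, value in headers:
        if name == "received":
            ip = first_ip(value)
            if ip and ip not in ignore:
                return ip
    return None
```

Without a rule the gateway's peer 204.209.205.32 is chosen; with the X-Telus-Outbound-IP rule the originating client 216.218.29.230 is, which is the change Andrew was after.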
[sniffer] Re: Training GBUdb on the client IP for aol.com
That's good to know, Pete, I'll leave the X-AOL-IP: header test intact.

But my new test isn't triggering on my sample. I've tried removing the other AOL test, and I've made sure that I've saved my snf_engine.xml and waited a few seconds before testing it again.

E.g.

C:\MessageSniffer>sniff c:\imail\spool\spam\D015439194.SMD
c:\IMail\spool\spam\D015439194.smd sniffer says return code is: 61 SNIFFEREXPAB

C:\MessageSniffer>grep -F "D015439194" munged.20111024.log.xml

C:\MessageSniffer>SNFClient.exe -test 92.231.217.255
GBUdb Record for 92.231.217.255
Type Flag: ugly
Bad Count: 0
Good Count: 0
Probability: 0
Confidence: 0
Range: new
Code: 0

Andrew.

-----Original Message-----
From: Message Sniffer Community [mailto:sniffer@sortmonster.com] On Behalf Of Pete McNeil
Sent: Monday, October 24, 2011 12:26 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Training GBUdb on the client IP for aol.com

On 10/24/2011 3:21 PM, Colbeck, Andrew wrote:
>

As far as I know that one still works.

_M

-- 
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010
[sniffer] Re: Training GBUdb on the client IP for telus.net
That's a very interesting question, Pete.

Are you saying that the section is used to override the normal hop 0 / ordinal 0 IP address? If so, I didn't realize it, I thought this was an additional IP address for GBU to examine.

I think the answer is "yes", I don't want to inspect the ISP's outbound gateway, and I do want to inspect the "client IP" that originated the email.

Andrew.

-----Original Message-----
From: Message Sniffer Community [mailto:sniffer@sortmonster.com] On Behalf Of Pete McNeil
Sent: Monday, October 24, 2011 12:28 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Training GBUdb on the client IP for telus.net

On 10/24/2011 3:20 PM, Colbeck, Andrew wrote:
>
[sniffer] Re: Training GBUdb on the client IP for telus.net
On 10/24/2011 3:20 PM, Colbeck, Andrew wrote:
> Which is in the GBUDB/Training/Source section as per:
> http://www.armresearch.com/support/articles/software/snfServer/config/node/gbudb/training/source-header.jsp

That appears to be correct and appears to have worked correctly.

Top Received header would have been picked as source IP (unless you already have it ignored).

It appears that you have successfully told SNF to find the source IP in the X-Telus-Outbound-IP: header in this case.

_M

-- 
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010
[sniffer] Re: Training GBUdb on the client IP for aol.com
On 10/24/2011 3:21 PM, Colbeck, Andrew wrote:
>

As far as I know that one still works.

_M

-- 
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010
[sniffer] Training GBUdb on the client IP for aol.com
Another test, this time to update the X-AOL-IP: header, which in my last few false-negatives have the standard X-Originating-IP: header ... I don't know if AOL has deprecated the X-AOL-IP: header or whether it is used under different client circumstances.

Thanks,

Andrew.

Received: from ims-d13.mx.aol.com [205.188.249.150] by mail.bentallkennedy.com (Alligate(TM) SMTP Gateway v3.11.1.27) with ESMPT id for ; Mon, 24 Oct 2011 07:57:29 -0700
Received: from oms-ma01.r1000.mx.aol.com (oms-ma01.r1000.mx.aol.com [64.12.140.129]) by ims-d13.mx.aol.com (8.14.1/8.14.1) with ESMTP id p9OEsXBo016219; Mon, 24 Oct 2011 10:54:37 -0400
Received: from mtaomg-da05.r1000.mx.aol.com (mtaomg-da05.r1000.mx.aol.com [172.29.51.141]) by oms-ma01.r1000.mx.aol.com (AOL Outbound OMS Interface) with ESMTP id 737A43883; Mon, 24 Oct 2011 10:54:37 -0400 (EDT)
Received: from core-dnc002b.r1000.mail.aol.com (core-dnc002.r1000.mail.aol.com [172.29.176.5]) by mtaomg-da05.r1000.mx.aol.com (OMAG/Core Interface) with ESMTP id E6EA2E9B; Mon, 24 Oct 2011 10:54:36 -0400 (EDT)
To: g...@lawkessler.com, ga...@coastalnet.com, gaum...@uniserve.com, gayanboral...@yahoo.com, gaye@usbank.com, mun...@bentall.com, gcr...@jfbb.com, gcr...@macquarie.com, geanne_blaz...@hodgsonruss.com
Content-Transfer-Encoding: quoted-printable
Subject:
X-MB-Message-Source: WebUI
X-MB-Message-Type: User
MIME-Version: 1.0
From: ghang...@aol.com
Content-Type: text/plain; charset="us-ascii"; format=flowed
X-Mailer: AOL Webmail 34290-PHONE
Received: from 92.231.217.255 by webmail-d011.sysops.aol.com (205.188.180.146) with HTTP (WebMailUI); Mon, 24 Oct 2011 10:54:36 -0400
Message-Id: <8ce6073fbc96840-1fb8-40...@webmail-d011.sysops.aol.com>
X-Originating-IP: [92.231.217.255]
Date: Mon, 24 Oct 2011 10:54:36 -0400 (EDT)
x-aol-global-disposition: S
X-SPAM-FLAG:YES
X-AOL-SCOLL-SCORE: 0:2:173591936:93952408
X-AOL-SCOLL-URL_COUNT: 0
X-AOL-REROUTE: YES
x-aol-sid: 3039ac1d338d4ea57c2c1502
Return-Path: ghang...@aol.com
[sniffer] Re: Training GBUdb on the client IP for telus.net
On 10/24/2011 2:46 PM, Colbeck, Andrew wrote:
> would this snippet in snf_engine.xml

I don't see the snippet from snf_engine.xml?

_M

-- 
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010
[sniffer] Re: Training GBUdb on the client IP for telus.net
(Whups, I forgot the other important bit)

Replying to my own email, here's the snf_engine.xml snippet

Which is in the GBUDB/Training/Source section as per:
http://www.armresearch.com/support/articles/software/snfServer/config/node/gbudb/training/source-header.jsp

Andrew.

-----Original Message-----
From: Message Sniffer Community [mailto:sniffer@sortmonster.com] On Behalf Of Colbeck, Andrew
Sent: Monday, October 24, 2011 11:47 AM
To: Message Sniffer Community
Subject: [sniffer] Training GBUdb on the client IP for telus.net

Given the attached header text, would this snippet in snf_engine.xml help me to train GBUdb on the email clients' IP address from this specific ISP?

I tested by querying:

SNFClient.exe -test 216.218.29.230

And then re-testing the spam, and then querying GBUdb again. The second test showed that "good count" had moved from zero to one and the whole email scan status was "clean". That tells me the test is good, but I'm not sure it's "right".

Thanks,

Andrew.
[sniffer] Training GBUdb on the client IP for telus.net
Given the attached header text, would this snippet in snf_engine.xml help me to train GBUdb on the email clients' IP address from this specific ISP?

I tested by querying:

SNFClient.exe -test 216.218.29.230

And then re-testing the spam, and then querying GBUdb again. The second test showed that "good count" had moved from zero to one and the whole email scan status was "clean". That tells me the test is good, but I'm not sure it's "right".

Thanks,

Andrew.

Received: from defout.telus.net [204.209.205.32] by mail.bentallkennedy.com (Alligate(TM) SMTP Gateway v3.11.1.27) with ESMPT id for ; Thu, 20 Oct 2011 08:15:02 -0700
Received: from edmwcm03 ([204.209.205.31]) by priv-edmwes26.telusplanet.net (InterMail vM.8.01.03.00 201-2260-125-20100507) with ESMTP id <20111020151450.MVLG2464.priv-edmwes26.telusplanet.net@edmwcm03> for ; Thu, 20 Oct 2011 09:14:50 -0600
Received: from MASTERMI-C9B95A ([216.218.29.230]) by edmwcm03 with bizsmtp id n3En1h00H4xthAo013EqsP; Thu, 20 Oct 2011 09:14:50 -0600
X-Authority-Analysis: v=1.1 cv=fPvcD3ruMqWSuqnVm9kxnHZRnXao30j++tIggJ+3/0M= c=1 sm=2 a=jl-cCIeRehoA:10 a=LGgl8L9ij00A:10 a=8nJEP1OIZ-IA:10 a=-r7E9uJ4:8 a=W_7C4bVl:8 a=V0IiZUKO:8 a=8YKMQM-z:8 a=fCuKvYZLhw5dZ9t38toA:9 a=fhqZuh9cIv8KtWpwYmgA:7 a=wPNLvfGTeEIA:10 a=tXsnliwV7b4A:10 a=UyoTvL-1vhQzJxZV:21 a=O2mkXwd58PuPZkWQ:21
X-Telus-Outbound-IP: 216.218.29.230
Reply-To: t...@tdcommercialbanking.ca
From: "TD Commercial Banking"
To: ""
Subject: Web Business Banking - System Administrator Notice
Sender: "TD Commercial Banking"
Mime-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Date: Thu, 20 Oct 2011 15:14:41 GMT
Message-ID: <40481453127992097@MASTERMI-C9B95A>
X-Originating-IP: 204.209.205.32
Return-Path: t...@telus.net
X-OriginalArrivalTime: 20 Oct 2011 15:16:58.0576 (UTC) FILETIME=[4F743500:01CC8F3B]