[sniffer] Re: New SPAM pain

2006-07-26 Thread John Shacklett
Besides the one I sent to the list instead of to spam@, many of the ones
getting through are simple, text-based things that REALLY look like regular
emails. Probably one of the worst kinds to sniff out. 

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
Of Pete McNeil
Sent: Wednesday, 26 July 2006 2:52 PM
To: Message Sniffer Community
Subject: [sniffer] Re: New SPAM pain

Hello John,

Wednesday, July 26, 2006, 1:57:18 PM, you wrote:

 I'm dying to start a thread and talk about Sniffer's stance on 
 CommTouch, but I can resist.

Me too.

 Instead, I would like to point out that eight clearly spam messages 
 have made it through to my Inbox [or Outlook Junk Folder] so far this 
 week that appear to have skinned clear through Sniffer. First ones I've
 seen in ages.
 Are we undergoing a new phase or campaign that I can make adjustments for?

There has been some impressive activity in new spam campaigns this week, but
nothing is consistently getting past us that I am aware of.

There have been a number of very broken spam campaigns that gave us some
trouble, and a few image spam campaigns that were more complex than most.

Is there anything special you notice about the ones you've mentioned?

_M

PS: I was recently asked where image spam rules go so that a customer
could ramp up the weight on that rule group. The vast majority of image spam
rules are abstracts of message structures and occasionally image file
fragments. These rules go in group 61 (Experimental / Abstract). This group
has very low false positive rates as a rule (judging from FP submissions
which are low in general).

--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.


#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
To unsubscribe, E-mail to: [EMAIL PROTECTED]
To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED]
To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]
Send administrative queries to  [EMAIL PROTECTED]





[sniffer] Re: New SPAM pain

2006-07-26 Thread John Shacklett
Thanks, Darrell, that's the first actual mileage data I've seen. 

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
Of Darrell ([EMAIL PROTECTED])
Sent: Wednesday, 26 July 2006 3:32 PM
To: Message Sniffer Community
Subject: [sniffer] Re: New SPAM pain

(*) Please keep in mind this is for one of the systems I maintain - who has
a very wide diverse set of mail.  Your mileage may vary. 

Here are some stats gathered with DLAnalyzer on Zerohour. 

***This is only a one day analysis. 

* Triggered on 42,013 messages out of 99,842 total messages
* 40K of the 42K hits were on messages already considered spam and held.
* Out of the 42K Zerohour detections 39K of those were also detected by
Sniffer. 

* DLAnalyzer's test quality rates Zerohour as .95. (SEE EXPLANATION BELOW ON
THIS)
* Zerohour triggered on 1,020 hams.  In my visual those hams a good portion
were false positives on bulk solicited mail (Home Depot, Martha Stewart,
USDA, GOP Senators, Democratic National Committee, etc).  I can go into more
detail on this if anyone wants more info offline. 

For those that do not use DLAnalyzer it has a built in test quality report.
The test quality score is based on a -1 to 1 scale where -1 indicates HAM
and 1 indicates spam.  The closer to 1 the more likely the test is at
detecting SPAM and the closer to -1 indicates HAM. 

Other Test's Test Quality Scores
Message Sniffer - .99
invURIBL - .99
Zerohour - .95
Spamcop - .94
MxRate Black - .93
Fiveten - .92
Sorbs Spam - .71 

At this point I have not evaluated CommTouch's false positive reporting.  
That portion of my testing will come very soon. 

Are any of my results scientific - no.  Will I be dropping Message Sniffer -
Absolutely not.  Will I continue using CommTouch - yes - as I think it has a
place on my system.  Will your results and conclusions vary - absolutely. 

Darrell
 ---
Check out http://www.invariantsystems.com for utilities for Declude, Imail,
mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, SURBL/URI
integration, MRTG Integration, and Log Parsers. 

Pete McNeil writes: 

 Hello Darrell,
 
 That's fine. 
 
 _M
 
 Wednesday, July 26, 2006, 2:43:27 PM, you wrote: 
 
 If Pete doesn't mind I will post my observations in regards to the
 product.
 I run both products (CommTouch and Sniffer). 
 
 Darrell
  ---
 Check out http://www.invariantsystems.com for utilities for Declude, 
 Imail, mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, 
 SURBL/URI integration, MRTG Integration, and Log Parsers.
 
  
 
 John Shacklett writes: 
 
 I'm dying to start a thread and talk about Sniffer's stance on 
 CommTouch, but I can resist.
 
 Instead, I would like to point out that eight clearly spam messages 
 have made it through to my Inbox [or Outlook Junk Folder] so far 
 this week that appear to have skinned clear through Sniffer. First ones
 I've seen in ages. Are we undergoing a new phase or campaign that I can make
 adjustments for?
 
 
 --
 
 John   
 
   
 
  
 
 
 --
 Pete McNeil
 Chief Scientist,
 Arm Research Labs, LLC. 
 
 
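The kind of per-test comparison Darrell describes (hits on spam versus ham, overlap with another test, a score on the -1 to 1 scale) can be sketched as follows. This is an added example, not DLAnalyzer's code: the scoring formula is an assumption, since the thread does not give DLAnalyzer's own, and the test names and sample records are constructed.

```python
from collections import defaultdict

def quality(spam_hits, ham_hits):
    """Assumed score on the -1..1 scale: +1 = fires only on spam, -1 = only on ham."""
    total = spam_hits + ham_hits
    return (spam_hits - ham_hits) / total if total else 0.0

def per_test_report(messages):
    """messages: iterable of (verdict, tests_fired); verdict is 'spam' or 'ham'.

    The verdict should come from the final disposition or manual review,
    otherwise each test is partly being graded against itself.
    """
    counts = defaultdict(lambda: {"spam": 0, "ham": 0, "sole_spam": 0})
    for verdict, fired in messages:
        for test in fired:
            counts[test][verdict] += 1
            # Spam that only this test flagged is its unique contribution.
            if verdict == "spam" and len(fired) == 1:
                counts[test]["sole_spam"] += 1
    return {
        test: dict(c, quality=round(quality(c["spam"], c["ham"]), 2))
        for test, c in counts.items()
    }

def overlap(messages, a, b):
    """Return (hits of test a that test b also flagged, total hits of test a)."""
    a_hits = [fired for _, fired in messages if a in fired]
    return sum(1 for fired in a_hits if b in fired), len(a_hits)

# Constructed sample: (final verdict, set of hypothetical test names that fired).
SAMPLE = [
    ("spam", {"SNIFFER", "ZEROHOUR"}),
    ("spam", {"SNIFFER", "ZEROHOUR", "SPAMCOP"}),
    ("spam", {"SNIFFER"}),
    ("spam", {"ZEROHOUR"}),
    ("ham", {"ZEROHOUR"}),   # e.g. solicited bulk mail flagged by one test
    ("ham", set()),
]

if __name__ == "__main__":
    for name, row in sorted(per_test_report(SAMPLE).items()):
        print(name, row)
    print("ZEROHOUR hits also hit by SNIFFER:", overlap(SAMPLE, "ZEROHOUR", "SNIFFER"))
```

With the Zerohour counts posted above (42,013 hits, 1,020 of them on ham) and every other hit treated as spam, `quality(40993, 1020)` comes to 0.95 under this assumed formula.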

RE: [sniffer] auto update tmp files

2005-09-22 Thread John Shacklett



Sorry I'm late.

I had trouble for a while with the "del %1" functionality, but I had a
problem with the script running in the wrong directory. I believe I added a
"cd \sniffer2" type line and it worked thereafter like a charm.



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Horne
Sent: Monday, 19 September 2005 11:29 AM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] auto update tmp files

I have tried to delete %1, but it never seemed to work. I ended up putting a
"del *.tmp" at the end of my script and haven't had any problems.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bonno Bloksma
Sent: Monday, September 19, 2005 9:22 AM
To: sniffer@SortMonster.com
Subject: [sniffer] auto update tmp files

Hi,


Ok, I had auto update pretty much in the air. Seems all I needed was a
program alias that fired the script. ;-)
There's just one thing, I end up with a lot of "tmpID.tmp" files in my spool
directory. Any way of deleting those automagically?

I could simply delete all tmp.tmp files in my midnight run. Would that be a
problem? The only program alias I have is the sniffer update.

Kind regards,
Bonno Bloksma
Head of Systems Administration

tio hogeschool toerisme en hospitality
julianalaan 9 / 7553 ab hengelo
t 074 255 06 10 / f 074 255 06 16
[EMAIL PROTECTED] / www.tio.nl


RE: [sniffer] Automatic update snafu

2004-08-18 Thread John Shacklett
I'll give that a shot.

I'm testing by forcing unscheduled at jobs with the scheduler.
 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Shaun Sturby, MCSE Optrics Engineering
Sent: Wednesday, August 18, 2004 10:44 AM
To: [EMAIL PROTECTED]
Subject: RE: [sniffer] Automatic update snafu

Hello John,

I have built a similar script using WGET and the only big difference I can
see is that I use wget -N http://www.sortmonster.net

You can try putting the -N right after wget and see if it works better for
you.

How are you testing? Do you copy an older snf file over to compare with?

 Shaun Sturby, MCSE
 Manager - Technical Services
 Optrics Engineering

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of John Shacklett
Sent: Wednesday, August 18, 2004 7:33 AM
To: [EMAIL PROTECTED]
Subject: [sniffer] Automatic update snafu

I'm using an automatic update script to keep my rulebase up to date. This
script runs periodically through the day and it also runs in response to the
emails that come when the rulebase gets updated by the SortMonster.

All hail the SortMonster!

Anyway. The heavy lifting in that script is a line like:

c:\winnt\wget.exe http://www.sortmonster.net/Sniffer/Updates/mysnfcode.snf
-N -O mysnfcode.new.gz --header=Accept-Encoding:gzip --http-user=sniffer
--http-passwd=password -o snfupd.txt

I'm doing something wrong. Every time the script fires it pulls the file,
even if it isn't newer. I thought the -N parameter was supposed to limit
that. What am I missing?

--

John Shacklett



This E-Mail came from the Message Sniffer mailing list. For information and
(un)subscription instructions go to
http://www.sortmonster.com/MessageSniffer/Help/Help.html
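On the question in this thread: the wget manual states that -N (timestamp checking) is not supported in combination with -O, because the -O target is always newly created and so never carries a timestamp worth comparing. The following added example (not from the thread or from the Message Sniffer project) shows the "only fetch if newer" logic explicitly, with the download staged and swapped in one step so a scanner never loads a half-written rulebase; the function names and the injectable `opener` parameter are assumptions made for illustration.

```python
import email.utils
import os
import urllib.error
import urllib.request

def conditional_headers(path):
    """If-Modified-Since built from the local copy's mtime; empty if no copy yet."""
    if not os.path.exists(path):
        return {}
    stamp = email.utils.formatdate(os.path.getmtime(path), usegmt=True)
    return {"If-Modified-Since": stamp}

def fetch_if_newer(url, dest, opener=urllib.request.urlopen):
    """Download url to dest only when the server copy is newer. True if updated."""
    req = urllib.request.Request(url, headers=conditional_headers(dest))
    try:
        with opener(req) as resp:
            body = resp.read()
            last_modified = resp.headers.get("Last-Modified")
    except urllib.error.HTTPError as err:
        if err.code == 304:           # server says the local copy is current
            return False
        raise
    if not body:
        raise ValueError("empty download, keeping current file")
    staged = dest + ".new"            # stage beside the live file
    with open(staged, "wb") as fh:
        fh.write(body)
    if last_modified:
        # Keep the server's timestamp so the next comparison is meaningful.
        ts = email.utils.parsedate_to_datetime(last_modified).timestamp()
        os.utime(staged, (ts, ts))
    os.replace(staged, dest)          # single-step swap into place
    return True
```

The staged file takes the server's Last-Modified time, so a later run sends that value back and gets a 304 instead of the full file.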

