[sniffer] Re: How to incorporate a white list?
I do not think that anyone was asking the F001 bot to be disabled. Are you doing this for upgrading purposes or because there appeared to be an error with it? A single false positive as described, in my opinion, is no cause for alarm. Any time something changes, there is a potential for error, so please be careful in any attempts to implement suggestions from the community without evaluating all of the possibilities. Personally, I like the way the system is working. However, if it is possible to decrease FPs while maintaining the high level of accuracy in blocking spam, that is always welcome.

- Original Message -
From: Pete McNeil
To: Message Sniffer Community
Sent: Wednesday, April 04, 2007 10:26 AM
Subject: [sniffer] Re: How to incorporate a white list?

The F001 bot will be disabled until further notice.

_M

--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.

#
This message is sent to you because you are subscribed to the mailing list .
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to <[EMAIL PROTECTED]>
[sniffer] Re: How to incorporate a white list?
This has been suggested in the past; however, I forgot the reason for not doing so. Personally, if someone is spamming, I do not care about the source. I would want it to stop. IP blocking is dangerous, and content often seems the most effective method of blocking spam. If the blocks are based on content rather than IP, it does not matter who is sending it because it should be blocked because it appears to be spam. If it is blocked based on IP, the potential for false positives increases greatly as soon as people become overzealous.

Jonathan Hickman

- Original Message -
From: "Andy Schmidt" <[EMAIL PROTECTED]>
To: "Message Sniffer Community"
Sent: Tuesday, April 03, 2007 12:40 PM
Subject: [sniffer] Re: How to incorporate a white list?

> Hi,
>
> Unless I'm mistaken, rule 1370762 was targeting the same address range.
>
> If I may make a suggestion:
> Before the spam-trap robots are allowed to block major, well-known and
> easily recognizable email providers, how about the robot script pulls a
> WHOIS and a Reverse DNS and runs that data against a table of "can't block"
> entities - or at least spits those out for "human review".
>
> If that can't be done, then how about the robots issue an hourly report of
> "suspect" IPs. A no-brainer script can pull matching WHOIS and RevDNS for
> quick human review and overriding (if necessary).
>
> I would rather those obvious bad rules are caught before or very quickly
> after they go live. There is always some delay before I get first reports
> until I realize that this is a "real" problem. Then I have to try to get
> headers from end-users before I can dig into logs... Hours and hours pass
> (especially if it's overnight events). In the meantime the problem escalates
> all around me.
>
> Thanks,
> Andy
>
> -Original Message-
> From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
> Of Pete McNeil
> Sent: Tuesday, April 03, 2007 11:09 AM
> To: Message Sniffer Community
> Subject: [sniffer] Re: How to incorporate a white list?
>
> Hello Andy,
>
> Tuesday, April 3, 2007, 9:36:17 AM, you wrote:
>
> > Hi Phil,
>
> > Yes, it seems as if some Sniffer rules, e.g., 1367683, is broadly
> targeting
> > Google's IPs.
>
> > I've submitted 3 false positive reports since last night, at least two of
> > them were Google users, one located in the U.S. and the other in the
> > Netherlands!
>
> This IP rule has been pulled.
>
> FP processing will happen shortly.
>
> _M
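Andy Schmidt's suggestion quoted above (run a robot-generated IP rule through reverse DNS and a "can't block" table before it goes live, or at least route it to human review) can be sketched as follows. This is an added example, not part of the thread and not Message Sniffer code; the table entries, hostnames, documentation-range addresses and the injected lookup functions are constructed, and it covers only the reverse DNS half of the suggestion, with a forward-confirmation step added so that a PTR record alone cannot exempt an address.

```python
import ipaddress

# Constructed "can't block" table: reverse-DNS suffix -> entity name.
PROTECTED_SUFFIXES = {
    "bigmail.example": "BigMail (constructed provider)",
    "isp-relays.example": "Regional ISP relays (constructed)",
}

# Constructed DNS data so the example runs offline. A live version would
# wrap socket.gethostbyaddr() and socket.getaddrinfo() in the same shape.
SAMPLE_PTR = {
    "192.0.2.10": "mail-out-10.bigmail.example",
    "192.0.2.11": "mail-out-11.bigmail.example",
    "198.51.100.7": "dsl-7.dynamic.access.example",
    "203.0.113.5": "mx.bigmail.example",   # PTR claims the provider ...
}
SAMPLE_A = {
    "mail-out-10.bigmail.example": ["192.0.2.10"],
    "mail-out-11.bigmail.example": ["192.0.2.11"],
    "dsl-7.dynamic.access.example": ["198.51.100.7"],
    "mx.bigmail.example": ["192.0.2.99"],  # ... but the forward lookup disagrees
}


def sample_ptr(ip):
    """Reverse lookup against the constructed data; None when no PTR exists."""
    return SAMPLE_PTR.get(ip)


def sample_a(hostname):
    """Forward lookup against the constructed data."""
    return SAMPLE_A.get(hostname, [])


def protected_owner(hostname):
    """Return the protected entity a hostname belongs to, or None.

    Matching is on whole DNS labels, so "evilbigmail.example" does not
    match the "bigmail.example" entry.
    """
    name = hostname.rstrip(".").lower()
    for suffix, owner in PROTECTED_SUFFIXES.items():
        if name == suffix or name.endswith("." + suffix):
            return owner
    return None


def classify_ip(ip, ptr_lookup, a_lookup):
    """Return (owner, confirmed) for one address.

    confirmed is True only when the PTR name resolves back to the same
    address, because whoever controls the reverse zone can claim any name.
    """
    hostname = ptr_lookup(ip)
    if hostname is None:
        return None, False
    owner = protected_owner(hostname)
    if owner is None:
        return None, False
    return owner, ip in a_lookup(hostname)


def review_rule(cidr, ptr_lookup, a_lookup, max_hosts=256):
    """Decide what to do with a candidate IP rule before it is published.

    Returns (verdict, findings):
      "reject"  - a forward-confirmed protected address is inside the range
      "review"  - a PTR names a protected entity but is not confirmed
      "publish" - nothing in the sampled range touches the table
    """
    network = ipaddress.ip_network(cidr, strict=False)
    findings = []
    for count, addr in enumerate(network):
        if count >= max_hosts:      # bound the lookups for very wide rules
            break
        ip = str(addr)
        owner, confirmed = classify_ip(ip, ptr_lookup, a_lookup)
        if owner is not None:
            findings.append((ip, owner, confirmed))
    if any(confirmed for _, _, confirmed in findings):
        return "reject", findings
    if findings:
        return "review", findings
    return "publish", findings


if __name__ == "__main__":
    for rule in ("192.0.2.0/28", "198.51.100.7/32", "203.0.113.5/32"):
        print(rule, review_rule(rule, sample_ptr, sample_a))
```
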
[sniffer] Re: Files in Sniffer Directory
Would it be a good idea in a future version to delete files that are older than a certain date automatically? For example, if the file date is older than the current date minus [Insert Number of Days Here] days, it could automatically remove it.

- Original Message -
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: "Message Sniffer Community"
Sent: Thursday, March 08, 2007 12:24 PM
Subject: [sniffer] Re: Files in Sniffer Directory

> Hello Keith Johnson,
>
> Thursday, March 8, 2007, 10:55:27 AM, you wrote:
>
> > Periodically I will check the Sniffer directory for misc. files that may
> > be there and remove them. These files include .FIN .ERR .WRK, etc. I
> > only remove those that have older time stamps on them. Yesterday when I
> > logged in, I had well over 150 of .AMT files. Does anyone know what
> > these files are and what causes them? By them being present as well as
> > old .FIN, etc., would it have an impact on Sniffer's processing
> > performance? Thanks for the aid on this.
>
> .AMT ?? Could you mean .ABT ?
>
> If so - then .ABT indicates a job that was aborted by a client
> instance of SNF.
>
> The extensions to SNF job files change to represent the status of the
> job.
>
> http://kb.armresearch.com/index.php?title=Message_Sniffer.TechnicalDetails.Peer-Server#What_file_extensions_that_are_used_for_the_various_temporary_files_that_are_created_in_the_Sniffer_folder.3F
>
> When an SNF instance is launched it looks to see if there are any
> instances currently acting as servers. If there is a server present
> then it will submit its job to be processed (.QUE) -- it has become a
> client instance.
>
> It takes a look around to see how busy the system is by checking the
> number of job files present and the information in the .stat file (if
> present). Based on what it sees it sets an alarm clock and goes to
> sleep - expecting to find its job has been completed when it wakes
> up. If it wakes up and the job is not done - it will give it another
> try, maybe a few,... but if it decides it's waited too long then it
> gives up-- (ABT).
>
> An aborting SNF instance will try to take out the server instance that
> failed to respond by changing that server's job file from .SVR to .ERR
> -- this prevents other instances from seeing that server instance and
> trying to use it; and it lets the server instance know that it's got a
> problem (if it is still alive).
>
> Next, the client instance will load the rulebase itself and scan its
> own message. After that - it _SHOULD_ remove its job file. HOWEVER --
> if something kills off the instance before it has a chance to finish
> then the .ABT file will be left behind (if it's gotten to this stage).
>
> (In some cases, Windows will fail to delete the file at all even
> though it will tell the client instance it has deleted the file!)
>
> When a system gets too busy to handle the load it may start to kill
> off SNF instances before they are finished - this leaves orphaned job
> files in the workspace.
>
> Deleting old job files that have been left behind is a good thing. It
> shouldn't be necessary on most systems. However, as long as you only
> delete older files that are not active you will not get into any
> trouble.
>
> If you leave orphaned job files to build up in the SNF workspace then
> SNF client instances will sleep longer than they should because they
> will see the extra files as evidence of a heavy traffic load. This can
> affect performance by increasing the number of active processes on the
> system. Also, the extra files slow down directory scanning and this
> can also reduce performance and bring the system closer to having a
> problem.
>
> Hope this helps,
>
> _M
>
> --
> Pete McNeil
> Chief Scientist,
> Arm Research Labs, LLC.
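The age-based cleanup asked about above, restricted the way Pete McNeil describes (only older job files that are not active), could look like the following. This is an added example, not part of the thread and not an SNF feature; the extension set is taken from the messages above, while leaving .QUE and .SVR files alone, the function names and the dry-run default are assumptions of this sketch.

```python
import os
import time

# Job-file extensions the thread names as candidates for cleanup once old.
# .QUE (queued job) and .SVR (server instance) are left alone here, as an
# assumption, because they can belong to instances that are still working.
STALE_EXTENSIONS = {".fin", ".err", ".wrk", ".abt"}


def find_orphans(workspace, min_age_seconds, now=None):
    """Return [(path, age_seconds)] for job files older than the threshold.

    Only regular files directly inside the workspace are considered, and
    the age test is what keeps files of live SNF instances out of the list.
    """
    now = time.time() if now is None else now
    orphans = []
    with os.scandir(workspace) as entries:
        for entry in entries:
            if not entry.is_file(follow_symlinks=False):
                continue
            extension = os.path.splitext(entry.name)[1].lower()
            if extension not in STALE_EXTENSIONS:
                continue
            age = now - entry.stat(follow_symlinks=False).st_mtime
            if age >= min_age_seconds:
                orphans.append((entry.path, age))
    return sorted(orphans)


def purge_orphans(workspace, min_age_seconds, dry_run=True, now=None):
    """Delete orphaned job files; return the paths removed (or that would be).

    With dry_run=True nothing is deleted, so the list can be reviewed first.
    """
    handled = []
    for path, _age in find_orphans(workspace, min_age_seconds, now=now):
        if not dry_run:
            try:
                os.remove(path)
            except FileNotFoundError:
                continue    # the owning instance cleaned up in the meantime
            except PermissionError:
                continue    # still held open, so it is not an orphan
        handled.append(path)
    return handled


if __name__ == "__main__":
    import sys
    # Usage: python purge_jobs.py <workspace> <min_age_hours> [--delete]
    directory, hours = sys.argv[1], float(sys.argv[2])
    delete = "--delete" in sys.argv[3:]
    for removed in purge_orphans(directory, hours * 3600, dry_run=not delete):
        print(("deleted " if delete else "would delete ") + removed)
```
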
[sniffer] Lots of False Positives
After our last update (I believe it was on Friday), we have encountered numerous false positives related to MS-GREYMAIL; however, there have been others as well. This did not start until this weekend, but basically, it seems like every message is being caught by Sniffer for some reason or another, and most of the valid ones seem to fit into the GREYMAIL category.

Jonathan Hickman
Cape Lookout Internet Services
[sniffer] Re: New web server
http://www.armresearch.com./

If you put a . at the end, it comes up with your Resin Default Home Page. You should specify the default IP address to redirect to the site as well in case someone uses an odd host header.

- Original Message -
From: Karen Perry
To: Message Sniffer Community
Sent: Tuesday, November 14, 2006 3:24 PM
Subject: [sniffer] New web server

Sniffer Folks,

On Friday, we upgraded the web server that hosts www.armresearch.com. We think we have everything ported to the new site correctly, but just in case - please keep an eye out and let us know if you see any problems. For example, if you have any trouble finding a page (such as a 404), first check the file extension of the page (pages should all now be .jsp) and please let us know so we can fix it.

Thanks!
k
[sniffer] Yahoo! Email Delivery
We are still getting this error from Yahoo! servers when attempting to send email to people on their domain:

Reason: Remote host said: 451 Message temporarily deferred - 4.16.50

I recall others encountering this difficulty. What did you do or what did Yahoo! tell you was the cause? It seems like every message sent to yahoo.com is being bounced with that message. I cannot contact their abuse or support departments because those emails bounce with the same error.

Jonathan Hickman
Cape Lookout Internet Services
[EMAIL PROTECTED]
[sniffer] Yahoo! Is Retarded
Now, my word choice of 'Retarded' is merely to illuminate the slowness of Yahoo! in regards to this issue and the severity of their decision and not to indicate that they are mentally handicapped which is an accusation for which I have no basis. However, as evidence of this, please review the following URLs:

http://ca.answers.yahoo.com/question/index?qid=20061024160658AAAh0QY
http://answers.yahoo.com/question/index?qid=20061024080547AAf54ah

Jonathan Hickman
Re: [sniffer]AW: [sniffer]Numeric spam
I can confirm the results in regards to the stock spam. If people received the numbers, they also received stock spam in multiple cases. In cases where people did not receive the numbers, they did not receive the stock spam. I have a very small number of users I have checked for this, though.

- Original Message -
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: "Message Sniffer Community"
Sent: Wednesday, June 07, 2006 8:30 AM
Subject: Re: [sniffer]AW: [sniffer]Numeric spam

> Hello Markus,
>
> Wednesday, June 7, 2006, 7:43:36 AM, you wrote:
>
> > Today I've noticed that there is a relation between the recipient
> > addresses that was used in the past 36 hours in the numeric spam
> > messages and the following wave of stock-spam messages containing
> > this png-graphic. After checking around 10 Mailboxes there is a
> > correspondence of 100%. Or they have received both or none of these
> > two messages. For example my personal mailbox "markus" who's well
> > spread and destination of many other spams hasn't received it.
> > Other mailboxes like "domain" and "internet" that are pretty
> > unknown and rarely used has received both.
>
> It's a good possibility that the "probe" was a broken version of the
> stock spam, that the errors were corrected and the campaign was
> re-sent.
>
> A second possibility is that the "probe" was truly a probe and that it
> was used to clean rejected addresses from the list prior to sending
> the stock spam in an effort to maximize the effectiveness of the
> burst.
>
> -- as far fetched as that may sound, the blackhats do have a virtually
> unlimited (albeit stolen) computing resource at their disposal and
> it would not be unreasonable to expect them to leverage that system to
> maximize their impact. The way they are shaping their deliveries these
> days clearly indicates that they are taking steps to maximize their
> impact.
>
> _M
>
> --
> Pete McNeil
> Chief Scientist,
> Arm Research Labs, LLC.
Re: [sniffer]Re[2]: [sniffer]Numeric spam topic change to png stock spam
Because a small amount of weight is added, it is still sufficient for tilting the scales on more occurrences than other image types.

- Original Message -
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: "Message Sniffer Community"
Sent: Tuesday, June 06, 2006 10:44 AM
Subject: [sniffer]Re[2]: [sniffer]Numeric spam topic change to png stock spam

> Hello Jonathan,
>
> I urge caution from experience... png images are not entirely rare,
> and the cid: tag format in the regex is also common.
>
> I'd love to be wrong - but I recall false positives with similar
> attempts in the past.
>
> Is there more to this than the two elements I just described -
> something I'm not seeing?
>
> _M
>
> Tuesday, June 6, 2006, 10:19:36 AM, you wrote:
>
> > Nick, very good method. I have added that to my configuration as well now.
>
> > - Original Message -
> > From: "Nick Hayer" <[EMAIL PROTECTED]>
> > To: "Message Sniffer Community"
> > Sent: Tuesday, June 06, 2006 10:05 AM
> > Subject: Re: [sniffer]Numeric spam topic change to png stock spam
>
> >> Hi Markus -
> >>
> >> Markus Gufler wrote:
> >>
> >> >There is also another type of spam (stock spam now with attached png
> > image)
> >> >this morning passing our filters.
> >> >
> >> I am catching these fairly easily -
> >> a combo filter -
> >> #combo-stockspammer-png.txt
> >> SKIPIFWEIGHT 26
> >> TESTSFAILED END NOTCONTAINS EXTERNAL.REGEX.STOCKSPAMMER.BODY
> >> BODY 5 CONTAINS Content-Type: image/png;
> >> #
> >> The body regex is this:
> >> src="cid:[a-z0-9]{12}\$[a-z0-9]{8}\$[a-z0-9]{8}@
> >>
> >> -Nick
>
> --
> Pete McNeil
> Chief Scientist,
> Arm Research Labs, LLC.
Re: [sniffer]Numeric spam topic change to png stock spam
Nick, very good method. I have added that to my configuration as well now.

- Original Message -
From: "Nick Hayer" <[EMAIL PROTECTED]>
To: "Message Sniffer Community"
Sent: Tuesday, June 06, 2006 10:05 AM
Subject: Re: [sniffer]Numeric spam topic change to png stock spam

> Hi Markus -
>
> Markus Gufler wrote:
>
> >There is also another type of spam (stock spam now with attached png image)
> >this morning passing our filters.
> >
> I am catching these fairly easily -
> a combo filter -
> #combo-stockspammer-png.txt
> SKIPIFWEIGHT 26
> TESTSFAILED END NOTCONTAINS EXTERNAL.REGEX.STOCKSPAMMER.BODY
> BODY 5 CONTAINS Content-Type: image/png;
> #
> The body regex is this:
> src="cid:[a-z0-9]{12}\$[a-z0-9]{8}\$[a-z0-9]{8}@
>
> -Nick
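The combo filter posted by Nick Hayer in the two messages above, and Pete McNeil's caution that png images and this cid: format both occur in ordinary mail, can be checked against sample messages before the filter goes live. This is an added example, not part of the thread and not Declude code: the reading of the three filter lines (skip at weight 26 or more, stop unless the body regex test matched, add 5 when the png Content-Type is present), the hold threshold of 10, the base weights and all four sample messages are assumptions or constructed data.

```python
import re

# The body regex exactly as posted in the thread.
CID_REGEX = re.compile(r'src="cid:[a-z0-9]{12}\$[a-z0-9]{8}\$[a-z0-9]{8}@')
PNG_MARKER = "Content-Type: image/png;"
SKIP_IF_WEIGHT = 26     # from the filter: SKIPIFWEIGHT 26
COMBO_WEIGHT = 5        # from the filter: BODY 5 CONTAINS ...
HOLD_WEIGHT = 10        # hypothetical site threshold for holding a message


def combo_weight(raw_message, weight_so_far):
    """Weight this combo filter adds to a message (0 or COMBO_WEIGHT)."""
    if weight_so_far >= SKIP_IF_WEIGHT:
        return 0            # already heavy enough, filter is skipped
    if not CID_REGEX.search(raw_message):
        return 0            # the regex test did not fire, filter ends
    return COMBO_WEIGHT if PNG_MARKER in raw_message else 0


# Constructed messages: (name, weight from other tests, raw text).
SAMPLES = [
    ("stock-spam-png", 7,
     'Content-Type: text/html;\n\n'
     '<img src="cid:000a01c68976$8f3b2c10$0100a8c0@desk">\n'
     'Content-Type: image/png;\n name="chart.png"\n'),
    # Legitimate mail whose client uses the same cid shape for a png logo.
    ("legit-png-signature", 6,
     'Content-Type: text/html;\n\nRegards, Anna\n'
     '<img src="cid:000501c6895a$2e4d9a70$6401a8c0@laptop">\n'
     'Content-Type: image/png;\n name="logo.png"\n'),
    # Legitimate mail with a png but a differently shaped Content-ID.
    ("legit-other-cid", 6,
     'Content-Type: text/html;\n\n'
     '<img src="cid:image001.png@01c6895a.2e4d9a70">\n'
     'Content-Type: image/png;\n name="image001.png"\n'),
    # Same cid shape, but the attachment is a jpeg.
    ("jpeg-same-cid", 6,
     'Content-Type: text/html;\n\n'
     '<img src="cid:000701c6895b$5c1e7f30$6401a8c0@laptop">\n'
     'Content-Type: image/jpeg;\n name="photo.jpg"\n'),
]


def evaluate(samples=SAMPLES, hold_weight=HOLD_WEIGHT):
    """Return [(name, final_weight, tipped)] for each sample.

    tipped is True when the message crosses the hold threshold only
    because of the weight this combo filter added.
    """
    report = []
    for name, base, raw in samples:
        total = base + combo_weight(raw, base)
        report.append((name, total, base < hold_weight <= total))
    return report


if __name__ == "__main__":
    for row in evaluate():
        print(row)
```
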
Re: [sniffer] New Web Site!
A wiki is a site that is publicly editable. Anyone can add to the site as long as they have a valid account.

- Original Message -
From: "Harry Vanderzand" <[EMAIL PROTECTED]>
To:
Sent: Friday, March 17, 2006 11:15 AM
Subject: RE: [sniffer] New Web Site!

> What is a wiki?
>
> Harry Vanderzand
> inTown Internet & Computer Services
> 519-741-1222
>
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
> > Sent: Friday, March 17, 2006 11:07 AM
> > To: sniffer@sortmonster.com
> > Subject: [sniffer] New Web Site!
> >
> > Hello Sniffer Folks,
> >
> > Today we are making a major transition. The old Message Sniffer web
> > site will be torn down and replaced with a new WIKI:
> >
> > http://kb.armresearch.com/index.php?title=Message_Sniffer
> >
> > The top Message Sniffer page will retain its index for a while but
> > instead of sending you to the original pages the links will take you
> > to appropriate pages in the new WIKI.
> >
> > Also - if you try to go directly to an old page you will be
> > redirected automatically to the appropriate new page.
> >
> > The WIKI requires that you create an account and log-in before
> > making any changes. We know there are blackhats out there so we will
> > be watching very closely... If we find there is abuse, we will
> > disable the ability to create accounts and you will need to contact
> > us at support@ if you want the ability to post -- let's hope it
> > doesn't come to that.
> >
> > We will continue to update, improve, and correct the wiki - it will,
> > in fact, be under constant development.
> >
> > Have fun!
> >
> > Thanks,
> >
> > _M
> >
> > Pete McNeil (Madscientist)
> > President, MicroNeil Research Corporation Chief SortMonster
> > (www.sortmonster.com) Chief Scientist (www.armresearch.com)

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
Re: Re[2]: [sniffer] Last chance to renew at the old price!
I believe a new topic is in order. Quick, someone ask a newbie question!

- Original Message -
From: John W. Enyart
To: sniffer@SortMonster.com
Sent: Thursday, December 29, 2005 11:27 AM
Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

Amen. Keep this professional, or take me off the list. My mailbox is filling up with this garbage.

- John W. Enyart
EAI, Inc.
3259 Blackberry Lane
Malvern, PA 19355-9670
610/935/3085
FAX 610.935.3086
[EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wolf Tombe
Sent: Thursday, December 29, 2005 11:23 AM
To: sniffer@SortMonster.com
Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

What the heck is going on with people posting to this list lately? People seem to be jumping all over each other, jumping to a lot of conclusions and getting all riled up. It's the Holiday Season for goodness sake! It's supposed to be a time of good will to others. We can agree or disagree about the amount of the price hike; but is all the other escalating banter really necessary?

Wolf

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Wednesday, December 28, 2005 9:33 PM
To: sniffer@SortMonster.com
Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

Joe, you are correct. I searched for and got out my agreement and it states Minimum Advertised Price. Memory does not always work so well. It is no ECC you know.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Wolf
Sent: Wednesday, December 28, 2005 5:43 PM
To: sniffer@SortMonster.com
Subject: Re: Re[2]: [sniffer] Last chance to renew at the old price!

FYI, a reseller agreement may include a MAP (Minimum Advertised Price) but it is illegal in the United States for the agreement to determine a minimum selling price. Any such stipulation in an agreement would put both of you in violation of federal price-fixing laws.

-Joe

- Original Message -
From: John T (Lists)
To: sniffer@SortMonster.com
Sent: Wednesday, December 28, 2005 7:29 PM
Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

According to the Reseller agreement I signed when I became a reseller of Message Sniffer, I can not charge that low of a price. As such, Pete or someone at Sniffer would need to notify me that I had permission to sell at such a low price. What I mean is, be careful.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin
Sent: Wednesday, December 28, 2005 5:00 PM
To: sniffer@SortMonster.com
Subject: Re: Re[2]: [sniffer] Last chance to renew at the old price!

After posting this, another reseller pm me their renewal rate of $269. I didn't know Sniffer had another reseller besides Declude. Anyways, for those who are interested and want to save money, it's https://www.computerhouse.com/ccsecure.html

At 01:21 PM 12/28/2005, you wrote:

Can we renew at declude.com since their pricing is $292.50? I assume their prices will increase on Jan 1, 2006 too.
Re: [sniffer] Last chance to renew at the old price!
[ROTFL]

- Original Message -
From: "Fox, Thomas" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, December 27, 2005 4:14 PM
Subject: RE: [sniffer] Last chance to renew at the old price!

> Might I suggest a visit to: http://www.lexus.com/cpo/
> and a graduated price increase over the next two years?
> A one or two year old Lexus is just as nice as a brand
> new one, and would be a lot easier on our already
> strained IT budgets.
>
> Thanks,
> --tlf
>
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Michael Murdoch
> > Sent: Tuesday, December 27, 2005 3:57 PM
> > To: sniffer@SortMonster.com
> > Subject: RE: [sniffer] Last chance to renew at the old price!
> >
> > 1) The monthly rate is going to $ 45.00.
> >
> > 2) It would be a one year extension to your current subscription and
> > then your next renewal would be at the new price. For
> > example, if your
> > license expires 02/08/2006, your next renewal would be on
> > 02/08/2007.
> >
> > This offer is completely optional and is available to all existing
> > customers.
> >
> > Thanks,
> > MM
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> > Sent: Tuesday, December 27, 2005 2:47 PM
> > To: sniffer@SortMonster.com
> > Subject: Re: [sniffer] Last chance to renew at the old price!
> >
> > 1) what will the monthly rate be after 2005?
> >
> > 2) If we were to renew at the current rate, how long will
> > that rate be
> > good
> > for? As you mentioned grandfathered - is this forever or
> > just one year.
Re: Re[6]: [sniffer] POP3 Account Question
I would agree that the dictionary method may be a good idea; however, I am the type of person that will commonly guess at addresses such as sales, support, webmaster, etc. so you may want to exclude those types of addresses as Pete suggested. Addresses such as csmith, rjones, etc. are commonly used in brute force methods, though, and would be useful.

- Original Message -
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: "William Van Hefner"
Sent: Tuesday, December 06, 2005 3:25 PM
Subject: Re[6]: [sniffer] POP3 Account Question

> On Tuesday, December 6, 2005, 2:13:43 PM, William wrote:
>
> WVH> Pete,
>
> WVH> How about just creating some accounts that are commonly targeted by
> WVH> dictionary attacks, but that were never actually valid accounts on our
> WVH> server? I could redirect all of them to a common mailbox. There are also a
> WVH> few other "common" (non-role) addresses that we do not use, which always get
> WVH> targeted by spammers. I am thinking of sales@, info@, etc. I have
> WVH> accumulated quite a list of common dictionary attack names from my logs. I
> WVH> wouldn't have to seed the addresses anywhere. They get hit just by virtue of
> WVH> how common they are.
>
> That is definitely another good strategy -- more limited and better
> structured than using a "nobody" account.
>
> The only caveat is making sure that nobody on the outside would ever
> have reason to expect an info@ or sales@ address existed... sometimes
> folks will guess. If this happens, it's usually not a fatal problem,
> but it's worth thinking about on a case-by-case basis.
>
> Do you have a histogram for your list? That would be interesting to
> see.
>
> Thanks,
>
> _M
RE: [sniffer] [Declude.JunkMail] 3.05.5 issues
I had the exact same problem. I increased the process threads for Declude, and it fixed the problem. I set it to 100 for the number of threads.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harry Vanderzand
Sent: Tuesday, October 04, 2005 1:46 PM
To: Declude.JunkMail@declude.com
Cc: sniffer@SortMonster.com
Subject: RE: [sniffer] [Declude.JunkMail] 3.05.5 issues

I have got it down to 15 and tried to set sniffer back to persistent mode again

However I find that with sniffer in persistent mode as David suggested, the proc directory starts back logging. which means the system is not keeping up with the flow of mail. Within 20 minutes I had 1400 files in the proc directory. I stopped the sniffer service and now it is gradually catching up.

Any more suggestions as to what can get tuned?

I appreciate the assistance

Thank you

Harry Vanderzand
inTown Internet & Computer Services
11 Belmont Ave. W., Kitchener, ON,N2M 1L2
519-741-1222

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Tuesday, October 04, 2005 1:06 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] 3.05.5 issues

Trial and error is best. Set it to something like 20 and watch what happens.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harry Vanderzand
Sent: Tuesday, October 04, 2005 9:27 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] 3.05.5 issues

thank you

I was under the understanding given me by David from Declude that it was appropriate given the amount of power my hardware has.

What would you recommend for my hardware?

Thanks John, I always appreciate your active involvement in the list

Harry Vanderzand
inTown Internet & Computer Services
11 Belmont Ave. W., Kitchener, ON,N2M 1L2
519-741-1222

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Tuesday, October 04, 2005 12:11 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] 3.05.5 issues

Your threads is way too high, and I suspect that there are time outs occurring and not all scanning is being done.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harry Vanderzand
Sent: Tuesday, October 04, 2005 6:17 AM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] 3.05.5 issues

I find that since being on the new version that more spam is slipping through.

We have imail v8.05, declude and sniffer on win 2000 server dual xeon 3.4Ghz with 2Gb ram. Threads are set to 50 with no other setting in declude.cfg

Any advice you can give me to tighten it to where we had it before? I have had several clients complaining

Other than changing from V2.06.16 to 3.05 nothing else has changed on the server

thank you

Harry Vanderzand
inTown Internet & Computer Services
11 Belmont Ave. W., Kitchener, ON,N2M 1L2
519-741-1222
RE: Re[2]: [sniffer] reporting spam in bulk
I would be interested in the script if you are willing to share.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Wednesday, January 05, 2005 7:50 PM
To: Matt
Subject: Re[2]: [sniffer] reporting spam in bulk

On Wednesday, January 5, 2005, 7:16:50 PM, Matt wrote:

M> Pete,

M> I've been meaning to add a link to a script from within Killer
M> WebMail that will allow me to report things to you with a single
M> click. If I do this, am I correct in assuming that I should just use
M> something like CDONTS to construct a mail and place the original
M> source as the body? If not, what would be the preferred method?

I think that should work fine for reporting spam.

M> Note that I have original D*.SMD files for everything in the range of
M> E-mails that I would consider reporting (using Declude's COPYFILE).
M> Generally speaking, this would be a customized setup, although
M> achievable by anyone with IMail and Declude. The hack to KWM is just
M> some JavaScript to extract the spool data file name from my message
M> headers that I insert (full headers must be turned on in Web mail),
M> and this links to an ASP script on my server that handles everything
M> else.

This all sounds like a good idea. There are likely to be a few IMail/WebMail folks around for a while. This sounds like it's not for the technically timid though.

Thanks,

_M
RE: Re[4]: [sniffer] Surprising missed spam
How does a user go about modifying the custom sniffer rules? Must Sort Monster be contacted or is it possible to do this with some other system (such as a web based interface)?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Tuesday, September 14, 2004 3:28 PM
To: Landry William
Subject: Re[4]: [sniffer] Surprising missed spam

On Tuesday, September 14, 2004, 1:05:29 PM, Landry wrote:

LW> Pete, I started running the new code this morning, and so far, so
LW> good. I'll let you know if I see anything strange.

Thanks.

_M