[sniffer] Re: Experimental Abstract

2006-10-10 Thread Pete McNeil
Hello Frederick,

Tuesday, October 10, 2006, 8:14:15 AM, you wrote:

 Where can I find a list of the latest result codes.

http://kb.armresearch.com/index.php?title=Message_Sniffer.TechnicalDetails.ResultCodes

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.


#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
To unsubscribe, E-mail to: [EMAIL PROTECTED]
To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED]
To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]
Send administrative queries to  [EMAIL PROTECTED]



[sniffer] Re: Help for AutoSNF

2006-10-10 Thread Pete McNeil
Hello Filippo,

The best time to download your rulebase file is when you receive an
update notification message.

If you want to use a scheduler then you should be sure your script
only downloads newer files and then schedule it to run about once per
hour.

To avoid congestion, you should pick the minute of the hour using this
chart:

http://kb.armresearch.com/index.php?title=Message_Sniffer.TechnicalDetails.LogFiles.Submit#When_should_I_submit_my_logs.3F

Hope this helps,

Thanks,

_M

Tuesday, October 10, 2006, 11:23:13 AM, you wrote:

 Hello Pete,

 At which time of day do you suggest scheduling the autosnf.cmd task?

 Please let me know.
 Thanks
 Filippo






-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.
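The two rules Pete gives above (download only when the server copy is newer, and spread the hourly runs across the hour) as an added Python example. This is not part of Message Sniffer or of autosnf.cmd; the URL, file name and licence id are placeholders, and the hash-based minute picker is an assumed stand-in for the chart linked above, which is what should actually be used to choose the minute.

```python
"""Hourly rulebase refresh that only downloads when the server copy is newer.

Added example for this thread; it is not part of Message Sniffer or of
autosnf.cmd.  LICENSE_ID, RULEBASE_URL and LOCAL_PATH are placeholders, and
update_minute() is an assumed stand-in for the minute-of-hour chart in the
knowledge base, which should be used where it applies.
"""
import email.utils
import os
import urllib.error
import urllib.request
import zlib

LICENSE_ID = "licenseid"                                            # placeholder
RULEBASE_URL = f"https://rulebase.example.invalid/{LICENSE_ID}.snf"  # placeholder
LOCAL_PATH = f"{LICENSE_ID}.snf"                                    # placeholder


def update_minute(license_id: str) -> int:
    """Stable minute of the hour (0..59) derived from the licence id.

    Assumed scheme: hashing spreads many installations across the hour
    instead of all of them polling at :00.  Use the published chart if
    your licence has an assigned minute.
    """
    return zlib.crc32(license_id.encode("ascii")) % 60


def download_if_newer(url: str, dest: str, opener=urllib.request.urlopen) -> bool:
    """Fetch url into dest only if the server has a newer copy.

    Returns True when a new file was written, False when the local copy is
    current.  The local file's mtime is sent as If-Modified-Since, so an
    unchanged rulebase costs one request answered with 304 and no body.
    `opener` is injectable so the logic can be exercised offline.
    """
    req = urllib.request.Request(url)
    if os.path.exists(dest):
        stamp = email.utils.formatdate(os.path.getmtime(dest), usegmt=True)
        req.add_header("If-Modified-Since", stamp)
    try:
        with opener(req) as resp:
            body = resp.read()
            last_modified = resp.headers.get("Last-Modified")
    except urllib.error.HTTPError as err:
        if err.code == 304:          # not modified: nothing to do
            return False
        raise

    # Write to a temp name and swap atomically so a scan never reads a
    # half-written rulebase; then pin mtime to the server's Last-Modified
    # so the next If-Modified-Since compares server time with server time.
    tmp = dest + ".part"
    with open(tmp, "wb") as fh:
        fh.write(body)
    os.replace(tmp, dest)
    if last_modified:
        ts = email.utils.parsedate_to_datetime(last_modified).timestamp()
        os.utime(dest, (ts, ts))
    return True


if __name__ == "__main__":
    print("schedule this hourly at minute", update_minute(LICENSE_ID))
    print("updated" if download_if_newer(RULEBASE_URL, LOCAL_PATH) else "already current")
```

Run it hourly from the scheduler at the minute it prints. If the server does not send Last-Modified the file keeps its download time as mtime, which still works as an If-Modified-Since value, only slightly less precisely.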





[sniffer] Re: MDaemon plug-in - Process inline during SMTP?

2006-10-03 Thread Pete McNeil
Hello Dave,

Will do :-)

When the alpha is ready I'll announce it here.

Thanks!

_M

Wednesday, October 4, 2006, 11:13:08 AM, you wrote:

 Hi Pete.  If you need any testers for this plugin, give me a shout.
  

 -Original Message-
 From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
 Of Pete McNeil
 Sent: Monday, October 02, 2006 8:07 PM
 To: Message Sniffer Community
 Subject: [sniffer] Re: MDaemon plug-in - Process inline during SMTP?

 Hello Dave,

 The current version can't do this -- it doesn't know how to respond properly
 to the inline call. It only knows how to add headers to the message file.

 The version under development (due out shortly) will have more options for
 calls during the SMTP conversation.

 Thanks,

 _M

 Monday, October 2, 2006, 6:57:00 PM, you wrote:

   
  
 Does anybody know if it's possible to have the MessageSniffer plug-in
 run inline in MDaemon's SMTP session rather than during queue processing?

 It appears this is causing MessageSniffer to not be scored by
 SpamAssassin -- If SA runs during the SMTP session before
 MessageSniffer does its thing, the MessageSniffer headers cannot be
 considered and the end result is that there is no effective scoring.
  
  
  



 --
 Pete McNeil
 Chief Scientist,
 Arm Research Labs, LLC.










-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer] Re: Mdaemon plugin 'sleeping'

2006-09-30 Thread Pete McNeil
Hello Grant,

Saturday, September 30, 2006, 8:20:21 AM, you wrote:

[snip]

 We are having the same problem.  Sniffer is processing the messages but it
 appears as if SA is not picking it up.  I posted this in the MDaemon
 Discussion list yesterday and had one reply.  Upgraded to 9.07 and tried
 what the poster recommended and it is still not adding to the spam score.
 Anyone else (Pete?) have ideas.  We need to get this working.

[snip]

 Link to MDaemon discussion:
 http://lists.altn.com/[EMAIL PROTECTED]@.eebd191/1

From what you've posted, SNF definitely did its part - the SNF
headers are in the message. After that it's entirely up to SA (or CF).

This leaves me to wonder what else SA might not be matching that it
should. That is, once the message gets to SA it's just another
message and the SNF headers are just another bit of text in the
headers so there's no reason I can think of that SA would not match
that text unless SA were broken...

Since from SA's perspective the SNF headers are just like any other
text, then I wonder what other rules in SA are also not firing when
they should and how often? Perhaps identifying those cases might tell
us something about what's going on.

Also - why the sudden change? This has worked fine for some time. Can
anybody pinpoint when (at what event precisely) this problem showed
up?

Those are my thoughts.

_M


-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer] Re: Error posting?

2006-09-30 Thread Pete McNeil
Hello Dave,

Saturday, September 30, 2006, 10:01:41 AM, you wrote:

 Why am I getting the following error when replying to a message here?  It
 certainly is NOT automatic... and has never happened before today.

Very odd. Your messages came through - including this one.

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer] Re: Mdaemon plugin 'sleeping'

2006-09-30 Thread Pete McNeil
Hello Sven,

Saturday, September 30, 2006, 10:30:27 AM, you wrote:

 Grant, Pete,

 I *think* that the problem has been solved within our installation.
 I haven't changed anything, but SPAM messages are not coming through
 anymore (except some Russian spam that SNF is not catching, but
 that's logical -- can I forward these messages to someone @ armresearch for
 analysis?).

[snip]

Missed spam (false negatives) can be forwarded to [EMAIL PROTECTED]
and it will be put in the queue for the rule-techs. This method is
deprecated but the mechanisms are still in place.

The preferred method is for you to have a pop3 mailbox on your system
setup as a usertrap where our bots can come and pick up false
negatives. A usertrap contains messages that you or your customers
(through your review if possible) would like to submit as spam.
Messages can be forwarded there - or if you have the technical means
you might redirect the messages to this box so that they are in their
original (as received) state.

Similarly, if you have any clean spamtraps (addresses which receive
spam but were never used and will never be used) then their content
could be redirected to a spamtrap mailbox on your system where our
bots can retrieve it.

We treat each type of source with different rules. Usertraps contain
messages that may have gone through human hands. Spamtrap contain
messages that have never been seen and should not exist (were sent to
invalid and/or harvested addresses).

If you provide us with the email address (login), fqdn of the pop3
server, and password we can tell our bots to go and collect messages
from there and add them to our processing queues. (We poll as
frequently as once per minute when traffic is slow).

Hope this helps,

_M


-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer] Re: How Many get through

2006-08-25 Thread Pete McNeil
Hello Gary,

I've checked your license id (based on your domain) and it is not
expired - updates seem to be working normally.

Is your update script working correctly?

_M


Friday, August 25, 2006, 11:48:46 AM, you wrote:

   
  
 I have a question I've been wanting to ask for awhile:

 How many spams do most people get leaked into their mailbox? ie they pass
 message sniffer?

 When I first started over a year ago, very few spam made it into my mailbox.

 But the past 6 months I get 60-80 spam emails / day into my
 personal box. Of course I'll see the same messages in my other mail
 boxes also, so it relates to a lot of deleting?

 Could I have something set up incorrectly? Or thresholds set too
 low that they are getting through?

 Thanks for any info!

 Sincerely,

 Gary Stark

   


-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer] Re: FW: Summary, Form #21539

2006-08-23 Thread Pete McNeil
Hello Andy,

Wednesday, August 23, 2006, 8:57:48 AM, you wrote:

 Pete,

 I have the same concern. I have been submitting the below spam (possible
 Word virus) almost daily for more than a week - yet, it still is not
 discovered.

 Am I submitting correctly?

This particular spam campaign is a bit of a challenge. We will
continue to work on it.

_M


-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer] Re: Paypal failing SNIFFER-GENERAL

2006-08-23 Thread Pete McNeil
Hello Darin,

I may be behind... but I don't see an FP report on this. Do you have
the rule id?

_M

Wednesday, August 23, 2006, 1:36:08 PM, you wrote:

   
  
 FYI... I just reported one of these, so watch out.

 Darin.
  
  
  
  

   


-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer] Re: Paypal failing SNIFFER-GENERAL

2006-08-23 Thread Pete McNeil
Hello Darin,

I have processed an FP with that rule (1100444) - the rule was for an
obscure ebay link and has been removed.

Best,

_M

Wednesday, August 23, 2006, 3:23:55 PM, you wrote:

 Hi Pete,

 I'm not sure which column is which, but here are the log lines for the
 message (minus the authorization code)

  20060823163449 D83a20d3001502962.SMD 0 32 Match 1100444 60 1502 1551 98
  20060823163449 D83a20d3001502962.SMD 0 32 Final 1100444 60 0 3798 98

 The FP was submitted at 1:34pm ET.

 Darin.


-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.
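An added example (not SNF code) that pulls the rule id out of log lines like Darin's so an FP report can quote it. The only column meaning it relies on is the one Pete's reply confirms, that the number after Match or Final is the rule id; the timestamp and message file name are read positionally, every other column is kept as uninterpreted text, and the second message file in the sample is constructed in the same shape as the two posted lines.

```python
"""Pull rule ids out of SNF log lines for a false-positive report.

Added example for this thread; it is not SNF code and the SNF log format
is not fully documented here.  The only column interpretation relied on is
the one confirmed in the reply above: the number following the Match or
Final marker is the rule id.  The leading yyyymmddHHMMSS timestamp and the
message file name are read positionally; remaining columns are kept raw.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample.  The first two lines are the ones posted in the
# thread; the last two are made up in the same shape for a second file.
SAMPLE_LOG = """\
20060823163449 D83a20d3001502962.SMD 0 32 Match 1100444 60 1502 1551 98
20060823163449 D83a20d3001502962.SMD 0 32 Final 1100444 60 0 3798 98
20060823163512 D83a20d3001502971.SMD 0 32 Match 1100444 60 210 240 98
20060823163512 D83a20d3001502971.SMD 0 32 Final 1100444 60 0 1900 98
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{14})\s+(?P<file>\S+)\s+(?P<lead>.*?)\s*"
    r"\b(?P<kind>Match|Final)\s+(?P<rule>\d+)(?P<rest>.*)$"
)


def parse_timestamp(ts: str) -> datetime:
    """SNF log timestamps are yyyymmddHHMMSS with no separators."""
    return datetime.strptime(ts, "%Y%m%d%H%M%S")


def parse_line(line: str):
    """Return a dict for one log line, or None for lines not in this shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "time": parse_timestamp(m["ts"]),
        "file": m["file"],
        "kind": m["kind"],
        "rule": int(m["rule"]),
        # positional and uninterpreted: we do not know these column meanings
        "raw_columns": (m["lead"] + " " + m["rest"]).split(),
    }


def rules_by_message(log_text: str) -> dict:
    """Map message file -> {'matches': [rule ids], 'final': rule id or None}.

    A message can have several Match lines (every rule that hit) but one
    Final line, which carries the rule the verdict was based on.
    """
    out = defaultdict(lambda: {"matches": [], "final": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        entry = out[rec["file"]]
        if rec["kind"] == "Match":
            entry["matches"].append(rec["rule"])
        else:
            entry["final"] = rec["rule"]
    return dict(out)


def fp_report(log_text: str, message_file: str) -> str:
    """One line to paste into an FP report: the Final rule id for a file."""
    entry = rules_by_message(log_text).get(message_file)
    if entry is None or entry["final"] is None:
        return f"{message_file}: no Final line found"
    matched = sorted(set(entry["matches"]))
    return f"{message_file}: report rule {entry['final']} (matched: {matched})"
```

Feed it the log lines for the message file in question and quote the Final rule id in the FP submission; if several rules matched, they are listed alongside so the rule techs can see the full set.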





[sniffer] Re: Another example of an empty email but looking at the source.

2006-08-23 Thread Pete McNeil
Hello David,

Sometimes we have rules for empty email --- but there are many
different kinds of empty ;-) Often enough, some empty messages are
legitimate.

_M

Wednesday, August 23, 2006, 6:39:23 PM, you wrote:

 
   
   
 Received: from PC05.4ueleoz.org [202.215.167.25] by romtech.com.au with ESMTP
   (SMTPD-8.22) id A7AC0224; Thu, 24 Aug 2006 08:33:16 +1000
 Message-Id: [EMAIL PROTECTED]
 X-mxGuard-Info: Processed by romtech.com.au using mxGuard v2.4
 X-mxGuard-SpoolID: d7ab017912af
 X-mxGuard-Sender: [EMAIL PROTECTED]
 X-mxGuard-Virus-Info: No viruses detected
 X-mxGuard-Spam-Score: 0
 X-mxGuard-Spam-Probability: CLEAN
 X-Note: This message has been scanned for spam and viruses by
 mxGuard for IMail (www.mxguard.com)
 Subject: 
 From: [EMAIL PROTECTED]
 Date: Thu, 24 Aug 2006 08:33:20 +1000
 X-RCPT-TO: [EMAIL PROTECTED]
 Status: U
 X-UIDL: 454950044
 X-IMail-ThreadID: d7ab017912af

 Body contents below

 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
 <HTML><HEAD>
 <META http-equiv=Content-Type content="text/html; charset=iso-8859-1"></HEAD>
 <BODY></BODY></HTML>

 End of email

 Is there a rule to filter out empty emails ?

 Regards David Moore
 [EMAIL PROTECTED]
 J.P. MCP, MCSE, MCSE + INTERNET, CNE.

 www.adsldirect.com.au for ADSL and Internet www.romtech.com.au for PC sales

 Office Phone: (+612) 9453 1990
 Fax Phone: (+612) 9453 1880
 Mobile Phone: +614 18 282 648

 POSTAL ADDRESS:
 PO BOX 190
 BELROSE NSW 2085
 AUSTRALIA.

 DELIVERY ADDRESS:
 21 GLEN STREET
 BELROSE NSW 2085
 AUSTRALIA.
 


-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.
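Pete's point that there are many kinds of empty, as an added Python example that is not an SNF rule. It classifies a message as having text, as attachment-only (which is often legitimate), or as empty with or without a subject, and handles the case in David's sample where the HTML skeleton arrives with no Content-Type header at all and would otherwise be read as non-empty text/plain. The sample messages are constructed here, with the hosts and addresses from the post replaced.

```python
"""Classify the kinds of "empty" a message can be.

Added example for this thread, not an SNF rule.  A message with no visible
text may be an HTML skeleton sent without any Content-Type (as in the
sample above), an HTML body whose only content is whitespace or &nbsp;, a
blank text/plain body, or a legitimate attachment-only message.  The
samples below are constructed, with hosts and addresses replaced.
"""
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser


class _TextCollector(HTMLParser):
    """Collects only the character data of an HTML document (no tags)."""
    def __init__(self):
        super().__init__()
        self.chunks = []

    def handle_data(self, data):
        self.chunks.append(data)


def visible_text(html: str) -> str:
    p = _TextCollector()
    p.feed(html)
    p.close()
    # str.strip() also drops U+00A0, so a body of only &nbsp; is empty too
    return "".join(p.chunks).strip()


def _looks_like_html(text: str) -> bool:
    head = text.lstrip().lower()
    return head.startswith("<!doctype") or head.startswith("<html")


def classify(raw: bytes) -> str:
    """Return has-text, attachment-only, empty-with-subject or empty-no-subject."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    has_text = has_other_content = False
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_disposition() == "attachment" or part.get_filename():
            has_other_content = True
            continue
        ctype = part.get_content_type()
        if ctype.startswith("text/"):
            body = part.get_content()
            # Spam often sends HTML with no Content-Type at all, so it parses
            # as text/plain; judge by the visible text in that case as well.
            if ctype == "text/html" or _looks_like_html(body):
                body = visible_text(body)
            if body.strip():
                has_text = True
        else:
            has_other_content = True   # inline image, calendar part, ...
    if has_text:
        return "has-text"
    if has_other_content:
        return "attachment-only"
    if str(msg.get("Subject", "")).strip():
        return "empty-with-subject"
    return "empty-no-subject"


# Constructed samples (not the originals; hosts and addresses replaced).
SKELETON = b"""\
Received: from PC05.example.invalid [192.0.2.25] by mail.example.invalid with ESMTP
  (SMTPD-8.22) id A7AC0224; Thu, 24 Aug 2006 08:33:16 +1000
Message-Id: <skeleton@example.invalid>
Subject: 
From: nobody@example.invalid
Date: Thu, 24 Aug 2006 08:33:20 +1000

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1"></HEAD>
<BODY></BODY></HTML>
"""

NBSP_ONLY = (b"Subject: hello\nFrom: a@example.invalid\n"
             b"Content-Type: text/html; charset=iso-8859-1\n\n"
             b"<html><body>&nbsp;\n</body></html>\n")

BLANK_PLAIN = b"Subject: ping\nFrom: a@example.invalid\n\n   \n\n"

REAL_TEXT = b"Subject: hi\nFrom: a@example.invalid\n\nSee you at 3.\n"


def attachment_only() -> bytes:
    """A legitimate-looking message whose only content is an attachment."""
    m = EmailMessage()
    m["Subject"] = "invoice"
    m["From"] = "a@example.invalid"
    m["To"] = "b@example.invalid"
    m.set_content("")
    m.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                     subtype="pdf", filename="invoice.pdf")
    return m.as_bytes()
```

The four verdicts are deliberately separate: a blanket rule on "no visible text" would also catch attachment-only mail, which is the legitimate case Pete warns about, while the skeleton-without-Content-Type case is only caught because the plain-text body is re-read as HTML.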





[sniffer] Re: Am I submitting to s...@sortmonster.com properly

2006-08-22 Thread Pete McNeil
Hello David,

I think this format should come through fine. Phishing is a constant
challenge because it is so variable and so close to a legitimate
message (on purpose).

I will code some rules for the message you submitted and I'm sure
Jason (Lead Rule Tech) will see this note and help us watch for these
more closely.

Thanks!

_M

Tuesday, August 22, 2006, 5:10:58 PM, you wrote:

 
   
   
 I just want to know if I am submitting spam emails to
 [EMAIL PROTECTED] properly. Being in Australia we see a lot of
 spam targeting ANZ, National and Commonwealth bank and they seem to
 be evading the Sniffer program, so when I send a spam to
 [EMAIL PROTECTED] (I am using Outlook 2003) I copy and paste the
 header and forward the email to [EMAIL PROTECTED]. Is this working
 properly? Please see example below.

 Regards David Moore

 Received: from dialup-82-207-6-125.lv.ukrtel.net [82.207.6.125] by
 romtech.com.au
   (SMTPD-8.22) id A82E053C; Tue, 22 Aug 2006 23:35:42 +1000
 Message-ID: [EMAIL PROTECTED]
 From: Commonweal Bank of Australia [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject: Commonweal Bank of Australia new security features.
 Date: Tue, 22 Aug 2006 10:45:09 +0400
 MIME-Version: 1.0
 Content-Type: multipart/alternative;
     boundary==_NextPart_000_001D_01C6C5D8.0A0008A0
 X-Priority: 3
 X-MSMail-Priority: Normal
 X-Mailer: Microsoft Outlook Express 6.00.2900.2527
 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2527
 X-mxGuard-Info: Processed by romtech.com.au using mxGuard v2.4
 X-mxGuard-SpoolID: 082d00a1ecb1
 X-mxGuard-Sender: [EMAIL PROTECTED]
 X-mxGuard-Virus-Info: No viruses detected
 X-mxGuard-Spam-Score: 0
 X-mxGuard-Spam-Probability: CLEAN
 X-Note: This message has been scanned for spam and viruses by
 mxGuard for IMail (www.mxguard.com)
 X-RCPT-TO: [EMAIL PROTECTED]
 Status: U
 X-UIDL: 454949852
 X-IMail-ThreadID: 082d00a1ecb1

 From: Commonweal Bank of Australia [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, 22 August 2006 4:45 PM
 To: [EMAIL PROTECTED]
 Subject: Commonweal Bank of Australia new security features.

 It has come to our attention that your account needs to be
 confirmed due to the recent changes we have made to our NetBank online system.
 We contacted you for the following reason: Confirm your
 Information in order to activate new NetBank security features for
 your account. Be sure to log in securely by following the link
 below. It's important that you confirm your NetBank account
 information otherwise you will not be able to access our online
 services. We encourage you to login in to your Commonwealth Bank
 account as soon as possible to help avoid this.

 Click here

 We appreciate your understanding as we work to ensure account safety.

 Sincerely,
 Commonweal Bank of Australia management stuff.

 Email ID: GFR97DF


-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer] Re: Am I submitting to s...@sortmonster.com properly

2006-08-22 Thread Pete McNeil
Hello Jim,

I've started working on some of these also. SNF usually does look
inside file attachments so it's possible we can get to some of the raw
content -- in fact, most of it is already coded - but being inside all
of the binary cruft in a word document is keeping it out of the
scanning window. We are catching some of them, and others not so much.
We will keep working on it though.

_M

Tuesday, August 22, 2006, 5:46:03 PM, you wrote:

 Pete,
 Is there any way to deal with the other new attachment-based spam we have
 been seeing recently?  I see a lot coming in that only say "here is your
 invoice" and have an invoice.doc (or similar attachment).  Inside the Word
 file is the spam itself.  I've seen a bunch of these in the last week or so;
 I initially thought they were viruses, but none of my virus scanners picked
 them up as such and their contents were just a bunch of spam.

 Jim Matuska Jr.
 Computer Tech2, CCNA
 Nez Perce Tribe
 Information Systems
 [EMAIL PROTECTED]

  


-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer] Re: Lots of drug spam getting through

2006-08-21 Thread Pete McNeil
Hello Nick,

There have been a couple new very aggressive spikes today... most
likely these are part of that. I will dig-in with the rule-techs and
see what is what.

Thanks,

_M

Monday, August 21, 2006, 11:27:37 AM, you wrote:

 We're seeing similar - I keep submitting them to [EMAIL PROTECTED], but
 the same type of spam keeps getting through... 


 Nick Marshall


 Legally privileged/confidential information may be contained in this
 message.  If you are not the addressee(s) legally indicated in this message
 (or responsible for delivery of the message to such person), you may not
 copy or deliver this message to anyone.  In such case, you should destroy
 this message, and notify us immediately.  If you or your employer does not
 consent to Internet e-mail messages of this kind, please advise us
 immediately.  Opinions, conclusions and other information expressed in this
 message are not given or endorsed by my firm or employer unless otherwise
 indicated by an authorised representative independent of this message.
 Please note that neither my employer nor I accept any responsibility for
 viruses and it is your responsibility to scan attachments (if any). This
 email and any files transmitted are confidential and intended solely for the
 use of the individual or entity to which they are addressed. If you have
 received this email in error, please notify me by returning the email.
  
  

 -Original Message-
 From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
 Of Chuck Schick
 Sent: 21 August 2006 15:33
 To: Message Sniffer Community
 Subject: [sniffer] Lots of drug spam getting through

 We are seeing tons of spam coming through with the subject "Re: new ..." and
 advertising drugs.  Any luck on stopping this?

 Chuck Schick
 Warp 8, Inc.
 (303)-421-5140
 www.warp8.com







 _
 Giacom mail management by MessageStar



 --
 [This e-mail was scanned for viruses by Giacom Anti-Virus]







-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer] Re: Lots of drug spam getting through

2006-08-21 Thread Pete McNeil
Hello Andrew,

That's not the one I had in mind, but if it's in there we'll code for
it.

_M

Monday, August 21, 2006, 12:02:42 PM, you wrote:

 Would that be the "Laugh" in the subject line pharmaceutical spam
 campaign?

 That was mentioned by Dave Doherty on the Declude.JunkMail mailing list,
 and when I checked my logs I found many hundreds with clear variations
 on the keywords in the text, e.g. there is a joke about lawyers and they
 are using a list of synonyms for lawyer (and many other words/phrases)
 so that each mailing is permuted.

 MessageSniffer was catching at least some of these yesterday but I don't
 know if the permutations are being caught.

 Andrew 8)





-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.



[sniffer] Re: Newbie Question about .fin and .srv

2006-08-12 Thread Pete McNeil
Hello David,

Anything 24 hours old is safe to delete.

_M

Saturday, August 12, 2006, 4:52:36 PM, you wrote:

 I am running mxGuard, invURIBL, Message Sniffer and I have just installed
 Message Sniffer as a service in persistent mode. I have a few files in
 the Sniffer directory that are about 24 hours old; can they be deleted?
 (License code removed)

 -20060812095802xAAF83996-1008.SVR
 -20060812175037x5315DDED-688.FIN
 -20060812170345xC4A5F6BC-5852.FIN
 -20060812100537x6AB29C04-5872.FIN
 -20060812091354xAAF83996-6124.SVR

 Regards David Moore
 [EMAIL PROTECTED]
 J.P. MCP, MCSE, MCSE + INTERNET, CNE.

 www.adsldirect.com.au for ADSL and Internet www.romtech.com.au for PC sales

 Office Phone: (+612) 9453 1990
 Fax Phone: (+612) 9453 1880
 Mobile Phone: +614 18 282 648

 POSTAL ADDRESS:
 PO BOX 190
 BELROSE NSW 2085
 AUSTRALIA.

 DELIVERY ADDRESS:
 21 GLEN STREET
 BELROSE NSW 2085
 AUSTRALIA.







-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer] Re: Sharon Daniels is out of the office.

2006-08-07 Thread Pete McNeil
Hello John,

I did remove the account.

_M

Monday, August 7, 2006, 2:10:54 PM, you wrote:

 Bleeping wonderful.

 We have to put up with this for a week?

 I guess a nice little Outlook rule is called for.

 John T
 eServices For You

 Seek, and ye shall find!


 -Original Message-
 From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
 Of
 [EMAIL PROTECTED]
 Sent: Monday, August 07, 2006 10:02 AM
 To: Message Sniffer Community
 Subject: [sniffer] Sharon Daniels is out of the office.
 
 
 
 
 
 I will be out of the office starting  07/08/2006 and will not return until
 15/08/2006.
 
 I will respond to your message when I return.  If your request is urgent
 please resend your message to [EMAIL PROTECTED] or call 623-5700.
 
 Have a great day!
 Sharon
 
 
 







-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer] Re: Fwd: Re: Prima esperienza di striptease e poi sesso anale trovi qui

2006-08-03 Thread Pete McNeil
Hello Filippo,

Thursday, August 3, 2006, 5:08:19 AM, you wrote:

  
  Hello,
  please include this SPAM in the rules.

Please do not send spam to the list.

If you have spam to submit and you do not have a spamtrap and/or
usertrap pop3 address setup on your system then forward the spam to
our [EMAIL PROTECTED] address.

If you have a chronic spam then please ALSO .zip a copy of the message
as an attachment and send it in a note to [EMAIL PROTECTED] Put
the words Chronic Spam in your subject line and tell us anything
special you notice about the message and your policies -- for example
if you are willing to have a black rule for a particular word or
phrase or perhaps some other attribute.

Thanks,

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer] Re: New SPAM pain

2006-07-26 Thread Pete McNeil
Hello Darrell,

That's fine.

_M

Wednesday, July 26, 2006, 2:43:27 PM, you wrote:

 If Pete doesn't mind I will post my observations in regards to the product.
 I run both products (CommTouch and Sniffer). 

 Darrell
  ---
 Check out http://www.invariantsystems.com for utilities for Declude, Imail,
 mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, SURBL/URI 
 integration, MRTG Integration, and Log Parsers. 

  

 John Shacklett writes: 

 I'm dying to start a thread and talk about Sniffer's stance on CommTouch,
 but I can resist. 
 
 Instead, I would like to point out that eight clearly spam messages have
 made it through to my Inbox [or Outlook Junk Folder] so far this week that
 appear to have skinned clear through Sniffer. First ones I've seen in ages. Are
 we undergoing a new phase or campaign that I can make adjustments for?
 
 
 -- 
 
 John  
 
  
 
 





-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer] Re: New SPAM pain

2006-07-26 Thread Pete McNeil
Hello John,

If they look too much like regular email and they arrive at usertraps
then it's a good bet we might skip a few before recognizing they are
spam... Rules for usertrap submissions are more strict -- so if there
is any doubt we err on the side of safety.

If we get some in our spamtraps they will be coded more quickly.

If you see a chronic problem with any of them, please zip a few and
send them to me at support@ as attachments. Include Chronic Spam in
your subject line. I will look more closely to find a pattern and will
review it with the rule-techs.

Thanks!

_M

Wednesday, July 26, 2006, 4:35:52 PM, you wrote:

 Besides the one I sent to the list instead of to spam@, many of the ones
 getting through are simple, text-based things that REALLY look like regular
 emails. Probably one of the worst kinds to sniff out. 

 -Original Message-
 From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
 Of Pete McNeil
 Sent: Wednesday, 26 July 2006 2:52 PM
 To: Message Sniffer Community
 Subject: [sniffer] Re: New SPAM pain

 Hello John,

 Wednesday, July 26, 2006, 1:57:18 PM, you wrote:

 I'm dying to start a thread and talk about Sniffer's stance on 
 CommTouch, but I can resist.

 Me too.

 Instead, I would like to point out that eight clearly spam messages 
 have made it through to my Inbox [or Outlook Junk Folder] so far this 
 week that appear to have skinned clear through Sniffer. First ones I've
 seen in ages.
 Are we undergoing a new phase or campaign that I can make adjustments for?

 There has been some impressive activity in new spam campaigns this week, but
 nothing is consistently getting past us that I am aware of.

 There have been a number of very broken spam campaigns that gave us some
 trouble, and a few image spam campaigns that were more complex than most.

 Is there anything special you notice about the ones you've mentioned?

 _M

 PS: I was recently asked where image spam rules go so that a customer
 could ramp up the weight on that rule group. The vast majority of image spam
 rules are abstracts of message structures and occasionally image file
 fragments. These rules go in group 61 (Experimental / Abstract). This group
 has very low false positive rates as a rule (judging from FP submissions
 which are low in general).

 --
 Pete McNeil
 Chief Scientist,
 Arm Research Labs, LLC.









-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer] Re: MDLP

2006-07-12 Thread Pete McNeil
Hello Nick,

It is my understanding that Declude's log formats have changed quite a
bit - at least as far as MDLP is concerned. When we asked about the
log format it was suggested that we wait a bit before we update MDLP
since the log format might change more. That advice and high
priorities on other development work (new SNF version etc) have kept
MDLP frozen and it will remain frozen for a bit longer.

Hope this helps,

_M

Wednesday, July 12, 2006, 10:25:38 AM, you wrote:

 Pete,

 I just moved to Declude 4x - how compatible is MDLP with this log 
 format?  Although reports are generated it seems to me some tests are 
 missing, etc.

 Thanks!

 -Nick





-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer] Re: My rulebase download and log upload script

2006-07-10 Thread Pete McNeil
Hello John,

Any timing that works for you and is reasonable is just fine.
Reasonable means, not every 10 seconds/minutes.

Some send their file once per day --- others find that to be too large
and so they send it once per update. Both of these are good
practice.

If you are going to send your log file more than once every few hours
(such as once per hour or once per update) then you will need to make
sure you include something random in the name to avoid a possible
collision. Our log processing software is pretty fast, but now that
we're doing updates every 120 minutes or so there is always the risk
that a previous log file might not yet have been handled.

Hope this helps,

Thanks,

_M

Monday, July 10, 2006, 6:33:07 PM, you wrote:

 Reading through the updated script, I notice you are uploading the log file
 whenever the script runs. I currently upload the log file once per day.

 Pete, what is the preferred timing for uploading the log file?

 John T
 eServices For You

 Seek, and ye shall find!


 -Original Message-
 From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
 Of
 Colbeck, Andrew
 Sent: Friday, July 07, 2006 6:24 PM
 To: Message Sniffer Community
 Subject: [sniffer] My rulebase download and log upload script
 
 The last thing before I leave for the weekend...
 
 I finally got around to updating my download/upload script so that I can
 upload compressed logs.
 
 In the course of doing that, I found that my upgraded version of wget
 has changed its behaviour; as of the 1.10.x series, if you specify -O to
 specify the target filename, various options are ignored including the
 -N for download only if server side is newer.  Therefore, ever since I
 upgraded my wget, I've been downloading a compressed rulebase file on
 *each* run.
 
 Some of this script is antique and some of it is new.  I just downloaded
 the standard download script that Bill Landry ushered into this world,
 and my script was certainly informed by the discussions of that on this
 list.
 
 (I'm not trying to replace that script, I'm just giving credit where
 credit is due.)
 
 My .cmd file script is attached as a .txt file; as I mentioned a while
 back, I use both the IMail external script mailbox method to launch
 this file when SortMonster/ARM sends me my notification, and I also run
 it on a schedule with the AT command so that one of them will work to
 get timely updates.
 
 Andrew 8)
 







-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer] Re: Lot of stock spam getting through....

2006-07-07 Thread Pete McNeil
Hello George,

Thanks very much!

_M

Friday, July 7, 2006, 11:18:24 AM, you wrote:

 Hi Pete,
  
  I've been a customer for a couple of years and usually don't have
 much to say via maillists. But I wanted to take a moment this
 morning and thank you for the work you do. Keeping up with this
 stuff must force you to keep your nose to the grindstone. I really
 appreciate your work.
  Thanks again,
  
  George Thompson
  Chief Technical Officer
  Levelfield.com, Inc
  www.levelfield.com
  DBA OnlineAgency.com
  www.onlineagency.com
  building the Internet one small business at a time
  
  I had a big fight with one like that all last night -- there are some
  unusual characters in the message that made it hard to filter and it
  took some time to do the analysis (picking through them with a hex
  editor).
  
  I think these are handled now (as of about 0400e this morning) as I
  don't have any getting through spamtraps at the moment. I will look
  into it again.
  
  _M
  
  --
  Pete McNeil
  Chief Scientist,
  Arm Research Labs, LLC.
  


-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer] Re: Lot of stock spam getting through....

2006-07-07 Thread Pete McNeil
Hello Darin,

Thanks everyone, kind words are much appreciated. I must share them
with the rest of the SNF team who also work 24x7 to make this happen.
You don't see them often but I couldn't do it without them. This seems
like a good time to introduce a few of them and thank them publicly
for their efforts (We've come a long way in a year!):

Linda (TechGirl) [Accounting/Ops],
Karen (Tink) [Ops/Support/Web],
Jason (the Bag) [Filter Team Leader],
Adam (TheFelcher) [Rule-Tech],
Baron (Kojak) [Rule-Tech],
Michael U [Rule-Tech],
Nick G [Rule-Tech],

Michael M [Exec],
Scott C [Sales/Marketing],
Joel S [Hosting/Sourcing],

...then there's me...

Pete (Madscientist) [Science/Development],

Plus a bunch of folks (too many to list everyone) who help out from
time to time in too many ways to count.

Ok... work to do...

_M

Friday, July 7, 2006, 1:12:50 PM, you wrote:

 Great job, Pete!  And thanks for all of your efforts to simultaneously
 increase the catch rate and decrease the FP rate.

 Darin.

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer] Re: compressed updates

2006-06-27 Thread Pete McNeil
Hello Matrosity,

Tuesday, June 27, 2006, 4:04:46 PM, you wrote:

 I was wondering if updates would ever be compressed in the future to save 
 bandwidth?

Actually, if you are using the scripts with wget and gzip, they are
compressed on the fly by the web server.

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer] Re: Update pacing...

2006-06-19 Thread Pete McNeil
Hello Harry,

Monday, June 19, 2006, 4:47:14 PM, you wrote:

 My script does not check for update first.  Is there a sample that does do
 that that you can point me to?

This page describes automated updates and lists several scripts.

http://kb.armresearch.com/index.php?title=Message_Sniffer.TechnicalDetails.AutoUpdates

The one I recommend most for Winx based systems is ImailSnifferUpdateTools.zip

Don't let the name fool you - if you are NOT using IMail the scripts
are still great --- you will only need to find another way to call
them if your system does not provide a program alias functionality.

Hope this helps,

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer] Re: Snf2check.exe on FreeBSD

2006-06-19 Thread Pete McNeil
Hello Dan,

Monday, June 19, 2006, 5:30:15 PM, you wrote:

 I'm using sniffer on FreeBSD, plugging into Spamassassin.  I am trying
 to write a good autoupdate cron script that works as well on my FreeBSD
 box as did the one I used to have on my Imail box.  I can download the
 Sniffer DB, but I can't use snf2check.exe in my cron script.  When I
 manually run the script logged in as root, and it gets to the line:

 /var/spool/snfilter/snf2check.exe /var/spool/snfilter/filename.snf
 authcodexxx

 The file checks out OK, however when it runs from cron (as root) it
 always gets ERROR RULE AUTH.  Does anyone have an autoupdate script that
 is meant to run on a *nix-type system?  Or does anyone know a solution
 to my problem?

There is no reason I can think of for this not to work except perhaps
for a permissions problem. Error rule auth would generally indicate
that the file was corrupt, or that the authentication string is
incorrect.

All update scripts should use snf2check.exe before pressing the new
rulebase file into production or else you may cripple your scanner
with a bad file. (the SNF scanner does a less comprehensive check to
maintain speed).

All that said, on this page you can find PerlAutoUpdates and a few
others which might help:

http://kb.armresearch.com/index.php?title=Message_Sniffer.TechnicalDetails.SubmittedScripts

Best,

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.


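The three posts above (collision-free log names, downloading only when the server copy is newer, and running snf2check before a rulebase goes into production) describe one update procedure. The POSIX sh script below is an added example written for this page; it is not a script from the sniffer list, from ARM Research Labs, or from the SubmittedScripts page. The rulebase URL, the incoming directory, the location of snf2check.exe, and the placeholder license and auth values are assumptions to be replaced with your own. It uses -N together with -P (a directory) rather than -O, because of the wget 1.10.x behaviour Andrew noted, validates the candidate before an atomic rename into production, and builds a log-file name with a random suffix so two uploads cannot collide.

```shell
#!/bin/sh
# Added example for this page: not a script from the sniffer list, from
# ARM Research Labs, or from the SubmittedScripts page. The layout below is
# hypothetical; replace the placeholders with your own values.
#
#   $BASE_URL/$LICENSE.snf.gz   compressed rulebase on the update server
#   $SNF_DIR/snf2check.exe      validator, invoked as: snf2check.exe FILE AUTH
#   $SNF_DIR/$LICENSE.snf       production rulebase read by the scanner
#   $SNF_DIR/$LICENSE.log       scanner log to be staged for upload
set -u

SNF_DIR=${SNF_DIR:-/var/spool/snfilter}
LICENSE=${LICENSE:-LICENSE_ID_PLACEHOLDER}
AUTH=${AUTH:-AUTH_CODE_PLACEHOLDER}
BASE_URL=${BASE_URL:-https://rulebase.example.invalid}   # placeholder URL

# Download only when the server copy is newer. -N is combined with -P (a
# directory), not -O: wget 1.10.x ignores -N once -O names the output file.
fetch_if_newer() {
    mkdir -p "$SNF_DIR/incoming"
    wget -q -N -P "$SNF_DIR/incoming" "$BASE_URL/$LICENSE.snf.gz"
}

# Wrapper so install_rulebase can append the candidate as the last argument
# while snf2check still receives FILE first and AUTH second.
check_with_snf2check() {
    "$SNF_DIR/snf2check.exe" "$1" "$AUTH"
}

# Validate a candidate before it goes into production. The final step is a
# rename inside one filesystem, so the scanner never reads a partial file.
# Arguments: CANDIDATE PRODUCTION VALIDATOR [VALIDATOR-ARGS...]
# Returns 0 when installed, 1 when validation failed, 2 when no candidate.
install_rulebase() {
    candidate=$1; production=$2; shift 2
    [ -s "$candidate" ] || { echo "no candidate rulebase at $candidate" >&2; return 2; }
    if ! "$@" "$candidate"; then
        echo "$candidate failed validation; keeping $production" >&2
        rm -f "$candidate"
        return 1
    fi
    mv -f "$candidate" "$production"
}

# A log name that cannot collide with an earlier upload even when logs are
# sent more often than the server processes them: UTC timestamp plus 32
# random bits. Arguments: LICENSE EXTENSION
unique_log_name() {
    stamp=$(date -u +%Y%m%d%H%M%S)
    rand=$(od -An -N4 -tx1 /dev/urandom | tr -d ' \n')
    printf '%s-%s-%s.%s\n' "$1" "$stamp" "$rand" "$2"
}

main() {
    fetch_if_newer || { echo "rulebase download failed" >&2; return 2; }
    gz="$SNF_DIR/incoming/$LICENSE.snf.gz"
    production="$SNF_DIR/$LICENSE.snf"
    candidate="$SNF_DIR/incoming/$LICENSE.snf.new"
    gunzip -c "$gz" > "$candidate" || return 2      # -c leaves the .gz for -N
    # Unchanged content means wget found nothing newer: clean up and stop.
    if [ -e "$production" ] && cmp -s "$candidate" "$production"; then
        rm -f "$candidate"; echo "rulebase already current"; return 0
    fi
    install_rulebase "$candidate" "$production" check_with_snf2check || return 1
    # Stage the log under a collision-free name; the upload transport is
    # site specific and left to the caller.
    log="$SNF_DIR/$LICENSE.log"
    [ -s "$log" ] && gzip -c "$log" > "$SNF_DIR/incoming/$(unique_log_name "$LICENSE" log.gz)"
    return 0
}

# Define-only when sourced; run the full cycle with: sh snf-update.sh run
case ${1:-} in
    run) main ;;
esac
```

Run it from cron about once per hour, or from the hook that fires on the update notification, as "sh snf-update.sh run"; sourcing the file without "run" only defines the functions. The validator is passed to install_rulebase by name, so the install step can be rehearsed with true or false in place of snf2check before the script is trusted with the production rulebase.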



[sniffer] Weight Gate Success? Failure?

2006-06-13 Thread Pete McNeil
Hello Sniffer Folks,

  Is anyone successfully using the WeightGate utility?

  Anyone having trouble with it?

  I've literally heard nothing so far ;-)

  Thanks,

  _M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer] Re: [sniffer]Re[2]: [sniffer]WeightGate source, just in case...

2006-06-08 Thread Pete McNeil
Hello Pete,

Thursday, June 8, 2006, 9:41:55 AM, you wrote:


 It does look a little weird. Sometimes it's normal though. I'll see if
 I can identify anything odd in the settings.

 _M

 I've changed the settings. I hope this response works ok.

 _M

Testing. Sorry for the extra traffic - only way to debug it.

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer] Re: [sniffer]Re[2]: [sniffer]WeightGate source, just in case...

2006-06-08 Thread Pete McNeil
Hello Pete,

Thursday, June 8, 2006, 9:42:42 AM, you wrote:

 Hello Pete,

 Thursday, June 8, 2006, 9:41:55 AM, you wrote:


 It does look a little weird. Sometimes it's normal though. I'll see if
 I can identify anything odd in the settings.

 _M

 I've changed the settings. I hope this response works ok.

 _M

 Testing. Sorry for the extra traffic - only way to debug it.

 _M

This seems to be working ok, Thanks for your patience.

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer] Re: [sniffer][Fwd: Re: [sniffer]FP suggestions]

2006-06-08 Thread Pete McNeil
Hello Andrew,

Thursday, June 8, 2006, 11:32:47 AM, you wrote:

 Ditto.

 I advise people to use Insert, Item.  Far easier than explaining how to
 drag and drop (or tie shoelaces).

It might be nice to have a SnagIt of that process to share w/ users.

 I've noticed that whether the headers survive when they are sent to
 another Exchange+Outlook company are a crap shoot.

 Generally speaking, if the message is handled by Outlook, it's not the
 same message anymore. For example, a BASE64 encoded message becomes
 plain text, and attached graphics don't show up at all in the View
 Source version.

I just had an interesting FP case like this. By the time the match
record got to me along with what was supposed to be the original
message, there were at least 9K bytes missing - including the bytes
that presumably contained the rule match.

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer]Re[2]: [sniffer]FP suggestions

2006-06-07 Thread Pete McNeil
Hello Darin,

Wednesday, June 7, 2006, 7:31:29 AM, you wrote:

   
  
 The one issue with this I have is

 1) Forward full original source to Sniffer with license code.

 If we could do it without the license code, it would be much
 easier to automate on our end. I already have a process in place
 to copy and reroute false positives by rewriting the Q file. I'm
 hesitant to alter the message itself to add the license code. If we
 could authenticate the FP report via some other means it would help
 greatly. How about connecting IP instead?

At the moment that is how it's done: a combination of email address
and source IP are matched with the license ID.

The reason we ask for the license ID is because folks submitting false
positives occasionally forget that we authenticate on their registered
email address and use some other address.

-- The rule is that if the system can't match the email address it
should/may drop the message rather than evaluating it. We get a lot of
spam and attempts to game the system at our false@ address... so when
it's heavy we do drop messages that can't be properly identified.

However, in an effort to provide the best service possible, if the
license ID is present and we have the time we will look to see if it
could be a legit FP submission by researching the source and domain -
and if we think it is likely to be legitimate we will process the FP
and respond with an additional code reminding the submitter that they
must use their registered email address or an authorized alias.

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer]Re[2]: [sniffer]Re[2]: [sniffer]FP suggestions

2006-06-07 Thread Pete McNeil
Hello Darin,

Wednesday, June 7, 2006, 8:44:26 AM, you wrote:

 Hi Pete,

 Can I interpret this as email address and matching source IP are sufficient
 if the correct email address is used to submit?

Yes.

 If not, do you have any suggestions on how you would like to see us
 inserting the license ID in the D file?

To clarify, nothing should be inserted in the D file. The original
message should be attached as an RFC 822 attachment in as close to the
original form as possible.

The license id, if included at all, should be in the subject line of
the submission message.

Remember also, we WILL be responding to the submission message so that
we can record a dialogue with you about the false positive in
question.

Hope this helps,

Thanks,

_M


-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer]Re[2]: [sniffer]FP suggestions

2006-06-07 Thread Pete McNeil
Hello Scott,

Wednesday, June 7, 2006, 10:08:58 AM, you wrote:

   
  
 For me the pain of false positives submissions is the research
 that happens when I get a no rule found return.

 I then need to find the queue-id of the original message and then
 find the appropriate Sniffer log and pull out the log lines from
 there and then submit it. Almost always in these cases, a rule is removed.

 If this process could be improved that would really be a time saver.

This depends on the email system you are using. On some systems
(MDaemon, and postfix, for example) X- headers from SNF can be emitted
into the message. When we see these we can identify the rules directly
without asking for the extra research.

It would be nice if Declude would offer a mechanism to pick up the
optional .xhdr file SNF can generate and include it in the X headers
that it already adds to the message.

I know this begs the question, why not have SNF add the headers for
SmarterMail and IMail platforms, and the reason is that it would
require writing an additional copy of the message to disk. Since these
systems tend to be I/O bound already (Declude/IMail anyhow) the
performance penalty would be prohibitive. If Declude picks up .xhdr
from SNF directly then it can be included in the ONE rewrite Declude
makes anyway.

I've asked them about this and other improved integration
opportunities for a while now (many months), and I get favorable
responses, but no action so far. I guess we will see :-)

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer]Re[2]: [sniffer]Re[2]: [sniffer]FP suggestions

2006-06-07 Thread Pete McNeil
Hello Matt,

Wednesday, June 7, 2006, 3:37:36 PM, you wrote:


  Pete,
  
  An X-Header would be very, very nice to have.  I understand the
 issues related to waiting to see if something comes through, and
 because of that, I would maybe suggest moving on your own.

I've got it on the list to have a message rewriting option... it's
just not as high as some others. I hadn't thought about the weight
gating utility - though that seems like something that would be useful
in general for external tests...

weightgate -5 %WEIGHT% 20 command line to run 5 0

command line to run is executed if %WEIGHT% is in the range [-5,20]
and the exit code of command line to run is returned.

That seems like a pretty simple utility to knock out - perhaps I will
;-)

Also, on the FP reporting links idea, that would break the process -
it's important for us to see the message for many reasons, and it's
important for the FP resolution process to be interactive.

_M


-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.


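The gate semantics sketched above (run the command line only when the weight falls inside [low, high], and hand back that command's exit code) restated as a POSIX sh function, as an added example for this page. It is not WeightGate.exe and not code from ARM Research Labs; the function names, the return codes 64 and 65, and the ShowMe.log path are assumptions. One deliberate addition: a weight that is not an integer (for instance a literal %WEIGHT% that the calling system failed to substitute) is rejected with its own non-zero code instead of being treated as the first word of the command line.

```shell
#!/bin/sh
# Added example: a POSIX sh restatement of the WeightGate idea described on
# this page. It is not WeightGate.exe and not code from ARM Research Labs;
# the function names, the return codes 64/65 and the ShowMe.log path are
# assumptions.
#
#   weight_gate LOW WEIGHT HIGH command [args...]
#
# Runs the command only when LOW <= WEIGHT <= HIGH and returns the command's
# exit code; when the weight is out of range the command is skipped and 0 is
# returned so the calling test becomes a no-op.

# True only for an optional minus sign followed by digits. A literal
# "%WEIGHT%" that the caller failed to substitute is therefore rejected
# instead of being treated as the first word of the command line.
is_integer() {
    case $1 in
        -?*) set -- "${1#-}" ;;
    esac
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    return 0
}

weight_gate() {
    [ $# -ge 4 ] || { echo "usage: weight_gate LOW WEIGHT HIGH command [args...]" >&2; return 64; }
    low=$1; weight=$2; high=$3; shift 3
    for v in "$low" "$weight" "$high"; do
        is_integer "$v" || { echo "weight_gate: '$v' is not an integer; refusing to run $1" >&2; return 65; }
    done
    if [ "$weight" -lt "$low" ] || [ "$weight" -gt "$high" ]; then
        return 0        # out of range: skip the gated command, report success
    fi
    "$@"                # in range: run it and propagate its exit code
}

# Debugging counterpart of the gate: record every argument it was called with
# and always succeed, so it can stand in for weight_gate while a configuration
# is being checked.
show_me() {
    printf '%s\n' "$@" >> "${SHOWME_LOG:-./ShowMe.log}"
    return 0
}
```

A Declude-style call would be weight_gate -50 "$WEIGHT" 30 /path/to/scanner AUTH 10 0. Because an out-of-range weight returns 0, the gated test becomes a silent no-op; that is the intended cycle-saving behaviour, but it also means a mis-typed range can switch the scanner off without any error, so use show_me in place of weight_gate first and read the recorded arguments before trusting the gate.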



[sniffer]Re[2]: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]FP suggestions

2006-06-07 Thread Pete McNeil
Hello Matt,

Wednesday, June 7, 2006, 4:22:05 PM, you wrote:


  Pete,
  
  Since the %WEIGHT% variable is added by Declude, it might make
 sense to have a qualifier instead of making the values space
 delimited.

I don't want to mix delimiters... everything so far is using spaces,
so it makes sense to continue that way IMO.

   Errors in Declude could cause values to not be inserted,
 and not everyone will want to skip at a low weight.  I haven't seen
 any bugs with %WEIGHT% since shortly after it was introduced, but
 you never know.  I have seen some issues with other Declude inserted 
 variables though.

Well, errors are always a possibility, but in this case it _should_ be
reasonably safe. For example, if this is used to gate SNF, then a
missing %WEIGHT% would result in trying to launch a program with the
same name as the authentication string, and it is highly unlikely that
would be found, so the result would be the program not found error
code. That's not perfect because it's a nonzero result, but it is safe
in that it is not likely to launch another program.

  One other thing that I came across with the way that Declude calls
 external apps...you can't delimit the data with things like quotes. 
 There is no mechanism for escaping a functional quote from a quote
 that should appear in the data that you pass to it...so don't use
 quotes as delimiters :)

Not a problem...

I just whipped together a utility called WeightGate.exe that can be
downloaded here (for now):

http://www.messagesniffer.com/Tools/WeightGate.exe

Suppose you wanted to use it in Declude to skip running SNF if your
weight was already ridiculously low (perhaps white listed) or already
so high that you want to save the extra cycles. Then you might do
something like this:

SNF external nonzero c:\tool\WeightGate.exe -50 %WEIGHT% 30 c:\SNF\sniffer.exe authenticationxx 10 0

(hopefully that didn't wrap, and if it did you will know what I meant ;-)

To test this concept out you might first create a copy of
WeightGate.exe called ShowMe.exe (case matters!) and then do
something like this:

SNF external nonzero c:\tool\ShowMe.exe -50 %WEIGHT% 30 c:\SNF\sniffer.exe authenticationxx 10 0

The result of that would be the creation of a file c:\ShowMe.log that
contained all of the parameters ShowMe.exe was called with -- that way
you wouldn't have to guess if it was correct. ShowMe.exe ALWAYS
returns zero, so this _should_ be safe ;-)

If you run WeightGate on the command line without parameters it will
tell you all about itself and it's alter ego ShowMe.exe.

That description goes like this (I may fix the typo(s) later):

WeightGate.exe
(C) 2006 ARM Research Labs, LLC.

This program is distributed AS-IS, with no warranty of any kind.
You are welcome to use this program on your own systems or those
that you directly support. Please do not redistribute this program
except as noted above, however feel free to recommend this program
to others if you wish and direct them to our web site where they
can download it for themselves. Thanks! www.armresearch.com.

This program is most commonly used to control the activation of
external test programs from within Declude (www.declude.com) based
on the weigth that has been calculated thus far for a given message.

As an added feature, if you rename this program to ShowMe.exe then
it will emit all of the command line arguments as it sees
them to a file called c:\ShowMe.log so that you can use it
as a debugging aid.

If you are seeing this message, you have used this program
incorrectly. The correct invocation for this program is:

WeightGate low weight hight program arg 1, arg 2,... arg n

Where:
  low = a number representing the lowest weight to run progra.
  weight = a number representing the actual weight to evaluate.
  high = a number representing the highest weight to run program.
  program = the program to be activated if weight is in range.
  arg 1, arg 2, ... arg n = arguments for program.

If weight is in the range [low,high] then WeightGate will run
program and pass all of arg 1, arg 2,... arg n to it. Then
WeightGate will collect the exit code of program and return it as
WeightGate's exit code.

If WeightGate gets the wrong number of parameters it will display
this message and return FAIL_SAFE (zero) as it's exit code.

If weight is not in range (less than low or greater than high)
then WeightGate will NOT launch program and will return FAIL_SAFE
(zero) as it's exit code.

As a deubgging aid, I was called with the following arguments:

arg[0] me = WeightGate

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.


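The gating rule described in the two messages above (run the program only when the weight lies in [low, high], hand back its exit code, otherwise return FAIL_SAFE zero) as an added Python re-implementation. This is editor-added example code, not ARM Research's WeightGate.exe; the function names, the `runner` parameter and the showme.py naming convention are this example's own. One deliberate difference from the tool as described: when the weight slot does not parse as a number (the missing-%WEIGHT% case discussed above, where every argument shifts left by one), nothing is launched and FAIL_SAFE is returned.

```python
"""Python re-implementation of the WeightGate idea (added example, not ARM Research's tool).

Contract, as documented on the list: run the program only when
low <= weight <= high and return its exit code; in every other case
(wrong argument count, weight out of range) return FAIL_SAFE (0).
"""
import os
import subprocess
import sys
from typing import Callable, List, Optional, Sequence, Tuple

FAIL_SAFE = 0  # exit code returned whenever the gate decides not to run anything


def parse_gate(argv: Sequence[str]) -> Optional[Tuple[int, int, int, List[str]]]:
    """Parse 'low weight high program [arg ...]'.

    Returns (low, weight, high, command) or None when the arguments are
    unusable: too few of them, or the three numeric slots are not all ints.
    """
    if len(argv) < 4:
        return None
    try:
        low, weight, high = (int(x) for x in argv[:3])
    except ValueError:
        # Typical cause: Declude did not substitute %WEIGHT%, so every argument
        # shifted left by one and a program path landed in a numeric slot.
        # Treat that as a usage error instead of launching anything.
        return None
    return low, weight, high, list(argv[3:])


def in_range(low: int, weight: int, high: int) -> bool:
    """Inclusive check, matching the tool's [low,high] description."""
    return low <= weight <= high


def weightgate(argv: Sequence[str],
               runner: Callable[[List[str]], int] = subprocess.call) -> int:
    """Gate the command on the weight; return its exit code or FAIL_SAFE."""
    parsed = parse_gate(argv)
    if parsed is None:
        return FAIL_SAFE
    low, weight, high, command = parsed
    if not in_range(low, weight, high):
        return FAIL_SAFE
    try:
        # Argument list, no shell: neither the weight nor the program's
        # arguments are re-parsed by a command interpreter.
        return runner(command)
    except OSError:
        # Program not found / not executable: fail safe rather than fail loud.
        return FAIL_SAFE


def format_args(argv: Sequence[str]) -> str:
    """ShowMe-style dump of the arguments, one 'arg[i] = value' line each."""
    return "".join(f"arg[{i}] = {arg}\n" for i, arg in enumerate(argv))


def showme(argv: Sequence[str], log_path: str) -> int:
    """ShowMe.exe-style debugging aid: append the arguments to a log, return FAIL_SAFE."""
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(format_args(argv))
    return FAIL_SAFE


if __name__ == "__main__":
    # Usage mirrors the Declude line above:
    #   python weightgate.py -50 12 30 c:\SNF\sniffer.exe authenticationxx 10 0
    # Copy the script to showme.py (constructed convention) to get the
    # ShowMe behaviour; the log lands in the current directory, not c:\.
    if os.path.basename(sys.argv[0]).lower().startswith("showme"):
        sys.exit(showme(sys.argv[1:], "ShowMe.log"))
    sys.exit(weightgate(sys.argv[1:]))
```

Passing `runner` explicitly is what makes the gate testable without launching anything; in production the default `subprocess.call` runs the program with an argument list, so the quoting limitation Matt mentions for Declude's external calls does not get a second chance to bite inside the gate.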



[sniffer]Re[2]: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]FP suggestions

2006-06-07 Thread Pete McNeil
Hello Darin,

Wednesday, June 7, 2006, 5:05:28 PM, you wrote:

snip/

 Uh, but the D file contains mime segments corresponding to attachments.

That's ok. SNF looks inside those, and w/ the FP scanning software
inside the rfc822 attachment also.

It's not perfect, but the majority of the time it does pick out the
rules that match and having the original helps us put those into
context.

The license id, if included at all, should be in the subject line of
the submission message.

 Good.  Subject line is easier and more reliable to parse out.  Not that it's
 needed per the original question.

:-)

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer]Re[2]: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]A design question - how many DNS based tests?

2006-06-07 Thread Pete McNeil
Hello Darin,

Wednesday, June 7, 2006, 5:09:27 PM, you wrote:

snip/

That would be a bad idea, sorry. After 30 days (heck, after 2) spam is
usually long-since filtered, or dead. As a result, looking at 30 day
old spam would have a cost, but little benefit.

 You misinterpreted what I was saying.  I was not at all suggesting sending
 old spam.  What I was talking about was copying spam@ with spam that does
 not fail sniffer _as it comes in_, or _during same day/next day reviews_

Sorry, I did misinterpret then. _as it comes in_ is good, provided the
weights are high enough to prevent a lot of FPs. We're all trained
pretty well on how to skip those - but the more we see, the more
likely we are to slip up ;-)

What we do use from time to time are virtual spamtraps. In a virtual
spamtrap scenario, you can submit spam that reached a very high (very
low false positive) score but did not fail SNF. Generally this is done
by copying the message to a pop3 account that can be polled by our
bots.

 That is exactly what I was suggesting.  We'll put it on our list to write a
 filter to do so when time permits.  Just trying to help.

Thanks very much!

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer]Re[2]: [sniffer]Re[2]: [sniffer]FP suggestions

2006-06-07 Thread Pete McNeil
Hello Darin,

Wednesday, June 7, 2006, 7:26:48 PM, you wrote:

Unfortunately, by the time the message gets to us it is sometimes just
different enough that the original pattern cannot be found. There are
some folks who consistently have success, and some who occasionally
have problems, and a few who always have a problem.

 Different in what way?  Is the mail client encoding differently in the
 forwarding process?  If so, do you know what clients are altering the
 messages and how?  If there's one that's better for this, we could always
 use it for forwarding since we currently send it to ourselves first, then
 forward.

It is unclear - we receive FPs that have traveled through all sorts of
clients, quarantine systems, changed hands various numbers of times,
or not (to all of those)... Right now I don't want to make that
research project a high priority.

 If we rewrite the Q file and queue directly from IMail, encoding shouldn't
 change, correct?  If that avoids this issue, we could do that instead.

That's true it wouldn't change, but submitting the message directly
would not be correct - the dialogue is with you, and in any case,
additional trips through the mail server also modify parts of the
header and sometimes parts of the message (tag lines, disclaimers,
etc)...

The best solution is to include the headers during the scan since they
will travel with the message.

 What do you mean?  The XHDR?  We would love that for several more reasons,
 but Declude is not the same company anymore.

At some point perhaps they will include the SNF engine in DLL form and
all of these issues will become simpler. For now there's no definitive
answer on that possibility so we will have to find other solutions. I
don't like the idea of rewriting the message file more often than
absolutely necessary, but that is a feature that is on the todo list
and so it may make it into the next heavy update (work in progress).

The next best is to automate matching
the log entries with the message so they can be included with the
submission (some do this to prevent the second trip).

 Yeah, we'd have to automate it.  I can't imagine taking the time to manually
 match for each occurrence of no rule found.  Another item for the
 automation list.

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer]A design question - how many DNS based tests?

2006-06-06 Thread Pete McNeil
Hello Sniffer Folks,

I have a design question for you...

How many DNS based tests do you use in your filter system?

How many of them really matter?

Thanks!

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





Re: [sniffer]Numeric spam

2006-06-06 Thread Pete McNeil
Hello Markus,

Tuesday, June 6, 2006, 3:27:32 AM, you wrote:

 Maybe people at Sniffer are already aware of this new type of spam. Not the
 malformed mailfrom one but this with the short number and nothing else in
 subject and body)

Thanks for those samples... I've coded an additional abstract for the
ones you sent.

 There is also another type of spam (stock spam now with attached png image)
 this morning passing our filters. Here too some tests have had positive
 results (see mail headers of attached samples) but sniffer has also
 completely missed.

It took a bit of work to generalize the pattern for the png stock spam
but I've got a new family of rules in place for it now... I'm waiting
on results to tally but I believe the rules will be effective.

If not we will continue to work on them.

Thanks,

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





Re: [sniffer]Concerned about amount of spam going through

2006-06-06 Thread Pete McNeil
Hello Michiel,

Tuesday, June 6, 2006, 3:10:52 AM, you wrote:

  
 Crew,

 I'm a bit concerned about the amount of spam that Sniffer's not
 getting. It used to be a near 99% catch rate, but now it looks like it's
 down to 70%...?

 I opened my own mailbox this morning and saw 5 false negatives,
 while 11 others were caught by Sniffer. Haven't checked with my
 clients yet, but I think it will be the same.

 Is there an explanation, besides another spam storm?

IMO, the spam storm explanation is certainly applicable today - we've
seen a few spikes, this time bunched together in an unusual - nearly
continuous chain... still working on a theory for that.

In general, the image based spam trend has given everyone more
challenges.. I'm working on engine upgrades that will be out soon to
help with those and future threats.

Another thing that may have affected the last few days is that our
primary spam-trap processor ate itself causing large backlogs and
heavy fragmentation. There were a few hours (off-and-on) where the box
was not processing traffic so we were delayed responding with new
rules.

I've changed the software on that box and cleaned up the damage and it
is now happily sustaining ~900 msgs/minute so I don't expect further
problems from it in the short term.

Hope this helps,

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer]Re[2]: [sniffer]A design question - how many DNS based tests?

2006-06-06 Thread Pete McNeil
Hello Peer-to-Peer,

That's a good point.

Any kind, perhaps by category.

I was originally thinking of just RBLs of various types.

Thanks,

_M

Tuesday, June 6, 2006, 9:46:01 AM, you wrote:

 Hi _M,

 Do you mean like reverse PTR records, or HELO lookups, etc..?

 --Paul R.


 -Original Message-
 From: Message Sniffer Community [mailto:[EMAIL PROTECTED]
 Behalf Of Pete McNeil
 Sent: Tuesday, June 06, 2006 9:26 AM
 To: Message Sniffer Community
 Subject: [sniffer]A design question - how many DNS based tests?


 Hello Sniffer Folks,

 I have a design question for you...

 How many DNS based tests do you use in your filter system?

 How many of them really matter?

 Thanks!

 _M




-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer]Re[2]: [sniffer]Numeric spam topic change to png stock spam

2006-06-06 Thread Pete McNeil
Hello Nick,

What is your false positive rate with that pattern?

_M

Tuesday, June 6, 2006, 10:05:18 AM, you wrote:

 Hi Markus -

 Markus Gufler wrote:

There is also another type of spam (stock spam now with attached png image)
this morning passing our filters.

 I am catching these fairly easily -
 a combo filter -
 #combo-stockspammer-png.txt
 SKIPIFWEIGHT 26
 TESTSFAILED END NOTCONTAINS EXTERNAL.REGEX.STOCKSPAMMER.BODY
 BODY 5 CONTAINS Content-Type: image/png;
 #
 The body regex is this:
 src=cid:[a-z0-9]{12}\$[a-z0-9]{8}\$[a-z0-9]{8}@

 -Nick

  






-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer]Re[2]: [sniffer]Numeric spam topic change to png stock spam

2006-06-06 Thread Pete McNeil
Hello Jonathan,

I urge caution from experience... png images are not entirely rare,
and the cid: tag format in the regex is also common.

I'd love to be wrong - but I recall false positives with similar
attempts in the past.

Is there more to this than the two elements I just described -
something I'm not seeing?

_M

Tuesday, June 6, 2006, 10:19:36 AM, you wrote:

 Nick, very good method.  I have added that to my configuration as well now.

 - Original Message - 
 From: Nick Hayer [EMAIL PROTECTED]
 To: Message Sniffer Community sniffer@sortmonster.com
 Sent: Tuesday, June 06, 2006 10:05 AM
 Subject: Re: [sniffer]Numeric spam topic change to png stock spam





-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer]Re[2]: [sniffer]Re[2]: [sniffer]Numeric spam topic change to png stock spam

2006-06-06 Thread Pete McNeil
Hello Nick,

Thanks.

That's all good then :-)

_M

Tuesday, June 6, 2006, 10:46:55 AM, you wrote:


  Pete McNeil wrote:

  Hello Nick,

  What is your false positive rate with that pattern?

  Hmm, let's go to the MDLP for yesterday :)

                          SS   HH  HS  SH  SA        SQ
    REGEX.STOCK.BODY     331    0   0  66  0.667506  0.445565
    COMBO.STOCK_PNG       16    0   0   1  0.882353  0.778547

  The regex alone will fp; I score it with a 3 [hold on 10; delete on 24]
  The png combo I just did last night when I first saw the spam.
  So far I have not seen any fp. [ I combo it (the regex) with other
  tests as well - which makes it much more reliable.]

  -Nick
  
  
  
   



-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.


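To make Pete's caution and Nick's MDLP figures concrete, here is an added Python evaluation of Nick's combo over three constructed messages. The code is the editor's, not Nick's Declude files or the Sniffer engine: the regex and the weights (3 for the regex alone, 5 for the combo, SKIPIFWEIGHT 26, hold at 10, delete at 24) are taken from the thread; the line-by-line semantics of the Declude filter are my reading of it, the CONTAINS comparison is assumed case-insensitive, the sample messages are constructed, and `score` and `disposition` are this example's own names.

```python
"""Stock-spam PNG combo evaluated over constructed sample messages.

Added example: regex and weights come from the thread; the Declude filter
semantics are the editor's reading of it; messages below are constructed.
"""
import re
from typing import Dict, List

# Nick's body regex, verbatim from the thread
STOCKSPAMMER_BODY = re.compile(r"src=cid:[a-z0-9]{12}\$[a-z0-9]{8}\$[a-z0-9]{8}@")
REGEX_TEST = "EXTERNAL.REGEX.STOCKSPAMMER.BODY"

# Weights as stated in the thread (Nick's local policy, taken as givens here)
REGEX_WEIGHT = 3          # the regex test on its own
COMBO_WEIGHT = 5          # BODY 5 CONTAINS Content-Type: image/png;
COMBO_SKIPIFWEIGHT = 26   # SKIPIFWEIGHT 26
HOLD_AT, DELETE_AT = 10, 24


def regex_stockspammer_body(body: str) -> bool:
    """EXTERNAL.REGEX.STOCKSPAMMER.BODY: does the body contain the cid pattern?"""
    return STOCKSPAMMER_BODY.search(body) is not None


def combo_stock_png(failed_tests: List[str], body: str, weight_so_far: int) -> int:
    """combo-stockspammer-png.txt, line by line (assumed semantics):
    SKIPIFWEIGHT 26                            -> skip once the weight is >= 26
    TESTSFAILED END NOTCONTAINS <regex test>   -> stop unless the regex test fired
    BODY 5 CONTAINS Content-Type: image/png;   -> +5 when a PNG part is present
    """
    if weight_so_far >= COMBO_SKIPIFWEIGHT:
        return 0
    if REGEX_TEST not in failed_tests:
        return 0
    if "content-type: image/png;" in body.lower():  # CONTAINS taken as case-insensitive
        return COMBO_WEIGHT
    return 0


def score(body: str, weight_so_far: int = 0) -> Dict[str, int]:
    """Run the regex test, then the combo; report each contribution and the total."""
    failed: List[str] = []
    result: Dict[str, int] = {}
    if regex_stockspammer_body(body):
        failed.append(REGEX_TEST)
        result[REGEX_TEST] = REGEX_WEIGHT
    running = weight_so_far + sum(result.values())   # what the combo sees as "weight"
    combo = combo_stock_png(failed, body, running)
    if combo:
        result["COMBO.STOCK_PNG"] = combo
    result["total"] = weight_so_far + sum(result.values())
    return result


def disposition(total: int) -> str:
    """Nick's thresholds: hold on 10, delete on 24."""
    if total >= DELETE_AT:
        return "delete"
    if total >= HOLD_AT:
        return "hold"
    return "deliver"


# --- constructed samples (not real mail) -----------------------------------
# The stock spam: inline PNG referenced by a cid of the exact shape Nick saw.
STOCK_PNG_SPAM = """Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html;

<html><body><img src=cid:a1b2c3d4e5f6$0a1b2c3d$4e5f6a7b@spamhost></body></html>
--b1
Content-Type: image/png;
Content-ID: <a1b2c3d4e5f6$0a1b2c3d$4e5f6a7b@spamhost>

iVBORw0KGgoAAAANSUhEUg...
--b1--
"""

# A legitimate newsletter: same cid shape (the common format Pete mentions),
# but the inline image is a GIF, so only the regex fires.
NEWSLETTER_GIF = """Content-Type: multipart/related; boundary="b2"

--b2
Content-Type: text/html;

<html><body><img src=cid:f0e1d2c3b4a5$11223344$55667788@corp.example></body></html>
--b2
Content-Type: image/gif;
Content-ID: <f0e1d2c3b4a5$11223344$55667788@corp.example>

R0lGODlh...
--b2--
"""

PLAIN_TEXT = "Hi Bob, the invoice is attached.\n"

if __name__ == "__main__":
    for name, body in [("spam", STOCK_PNG_SPAM), ("newsletter", NEWSLETTER_GIF), ("plain", PLAIN_TEXT)]:
        s = score(body)
        print(f"{name:10s} {s}  -> {disposition(s['total'])}")
```

Run as written, the spam scores 8 and the newsletter 3, so neither reaches Nick's hold threshold on these two tests alone; that is the point of his remark that the combo is stacked with other tests. The newsletter case is Pete's caution in miniature: the cid shape alone is worth 3 points on a message that is perfectly legitimate.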



[sniffer]Re[2]: [sniffer]AW: [sniffer]AW: [sniffer]Concerned about amount of spam going through

2006-06-06 Thread Pete McNeil
Hello Andrew,

Tuesday, June 6, 2006, 11:44:46 AM, you wrote:

 David,

 Are you using the free version of sniffer? Or did you deliberately
 change your .exe name in your posting to sniffer.exe to hide your licence 
 number?

 I certainly expect that the rulebase lag with the free version will
 result in lower Message Sniffer hit rates.

Actually, since we've been offering production ready 30 day trials,
what once was the free version (as you put it) has been reduced to a
technology demonstrator. It is only useful for proving your system
configuration and barely catches spam at all ;-)

I believe the sniffer.snf rulebase has not been maintained in some
time.

 I've seen the free version with hit rates as low as 10% on the
 remaining messages that have been already filtered by a gateway,
 which I thought was still decent because these were the messages
 that had already evaded the blacklist tests.  And free is good.

 On the same system, I noted that this made Sniffer about half as
 effective as fresh SURBL/URIBL testing, but I had no way to compare their 
 overlap.

Interesting.

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer]Re[2]: [sniffer]A design question - how many DNS based tests?

2006-06-06 Thread Pete McNeil
 segment of our subscriber base and to
customize individual subscribers in cases where their policy
disagrees. This customization process most frequently occurs as a
result of our false positive handling process... though it is worth
noting that the vast majority of reported false positives result in
rules being removed from the core rulebase.

To date, only a very small fraction of our customers have any
customization.

Ongoing development work and upcoming features are focused on
improving accuracy (on both the spam and ham sides of the equation),
improving response time, increasing SNF's flexibility and breadth,
reducing complexity, maintenance & administration, and improving speed
& efficiency.

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





Re: [sniffer]Sniffer updates down?

2006-06-02 Thread Pete McNeil
Hello John,

Friday, June 2, 2006, 5:22:45 PM, you wrote:

 I am getting errors since late last night that host can not be found.

I checked your license record and finding no problems successfully
downloaded your rulebase file from the expected URL.

Not sure what could be going on but it seems it must be local based on
what I've seen so far.

_M


-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





Re: [sniffer]Viagra Spam

2006-05-31 Thread Pete McNeil
Hello Ali,

Wednesday, May 31, 2006, 2:44:28 AM, you wrote:

 How is everyone managing to deal with the upsurge of viagra spam mail.
 Sniffer does not seem to pick it up?

Just so you know we are on this... There are a set of abstracts coded
and we are collecting domain on this one as well. It is a new variant
of the one that started yesterday. It has quite a bit of bandwidth
behind it as well.

Rate Graph Image attached.

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.

msgperhour48.jsp.png
Description: PNG image



[sniffer]Spam Storm - It's a big one.

2006-05-26 Thread Pete McNeil
Hello Sniffer Folks,

Watch out for today's spam storm -- it's a lot bigger than we've seen
in a long while. 48 hour image attached.

A large component of this one is a broken spam with an empty subject
and two empty quoted printable segments.

There is a wide variety of other spam mixed in also however.

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.

getchart.jsp.png
Description: PNG image



Re: [sniffer]spam storm

2006-05-23 Thread Pete McNeil
Tuesday, May 23, 2006, 10:35:01 AM, you wrote:

 Dear Sniffer Friends,

 Our servers are really getting slammed with spam.  Is anyone else seeing a
 huge spam storm right now?


Hello Michael & Sniffer Folks,

http://reports.messagesniffer.com/Performance/FlowRates.jsp

Logs since about 0523.0100 have shown a spike and a heavy increase.

I was also called in on a new image spam wave early this morning
(about 6 hours ago), and there is a new snake-oil spam going around -
just text about canadian drugs and a link - but prolific, lots of
bandwidth, and an inexhaustible supply of domains (luckily that's not
all we use).

Today seems a stair step up from the previous spam storm alert a few
days ago.

48 hour image attached.

Note: We've throttled back one of our heaviest spamtraps to keep our
sampling more current (the increased volume was causing some
queueing). As a result, the peaks on the graph are lower than they
might normally be... the shape of the graph is the important part of
the image. The flow rates analysis (link at top) shows the shelf
starting at 0100 and building.

Hope this helps,

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.

getchart.jsp.png
Description: PNG image



Re: [sniffer]possibly moving to new os

2006-05-20 Thread Pete McNeil
Hello steve,

Saturday, May 20, 2006, 4:51:10 PM, you wrote:

   
  
 Hi,

 We are a current Imail/sniffer/declude customer.

 We are thinking of moving away from our current Imail setup to one using
 postfix.

 I downloaded the 30  trial.  Is it possible to transfer our license
 to the new setup after we finish testing?

Yes.

If you have a valid license and you move to a new platform you can
take that license with you. One license per MTA is all that we
require.

Thanks!

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer]Re[2]: [sniffer]Ebay Phishing Emails getting through

2006-05-18 Thread Pete McNeil
Hello Andrew,

Wednesday, May 17, 2006, 5:35:36 PM, you wrote:

 Certainly, submitting samples to spam@ (or preferably your 
 local spam submission point polled by our bots) will put 
 these messages in front of us if we have not already created 
 rules for them.

 I've just manually submitted the ~35 messages that my filters triggered
 on for phishing that didn't trigger Message Sniffer today but ended up
 in my HOLD folder anyway due to their total spamminess.

 Most of them are against eBay and came from Germany.

If your overall false positive rate is low enough then it would be
great if you could automate that process to create a synthetic
spamtrap. Somehow, take the most spammy of the messages that get past
SNF and send them to a special account on your system from which our
robots could pull the messages. Since we code rules 24x7x365 we
would be able to respond to these quickly and (from your perspective)
automatically.

_M


-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





Re: [sniffer]Ebay Phishing Emails getting through

2006-05-17 Thread Pete McNeil
Hello Jim,

Wednesday, May 17, 2006, 2:46:48 PM, you wrote:

 Has anyone else been getting an excess amount of ebay phishing emails making
 it through sniffer today?  I have personally received a couple of them and
 have multiple users reporting the same.  I have forwarded them to the
 sniffer spam@ address if you can take a look Pete it would be much
 appreciated.

<ot>

Ah... So the list is working :-) I'll have to update the signup
instructions... I can check that off the list.

</ot>

Today, starting at about 0100 E, the blackhats really took it up a
notch. I know because I was on duty making rules at the time.

One of the things I saw a lot of were new phishing attacks - all
varieties and variants.

I know the team has been pushing hard on these, but some are bound to
get through on the first few passes.

Another thing we've noticed in the grand scheme is that localized
phishing attacks are becoming more common. These are less likely to
hit our spamtraps since the target lists used are highly regional --
so if we don't have a spamtrap in that geography our view of the spam
may be delayed. We're working on this problem on a number of fronts..
Ideas, as always, are welcome.

Certainly, submitting samples to spam@ (or preferably your local spam
submission point polled by our bots) will put these messages in front
of us if we have not already created rules for them.

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer]Re[2]: [sniffer]Ebay Phishing Emails getting through

2006-05-17 Thread Pete McNeil
Hello Daniel,

Wednesday, May 17, 2006, 3:07:38 PM, you wrote:

 I've gotten one myself.

 The pharmacy ones, are still coming through too for that matter.

Here is what the latest wave has looked like from here (attached
image).

You can see, starting about 24 hours ago a jagged, but fairly regular
climbing series of spikes. Each is a new wave of variants on the
current campaigns. Most notably, the medications drug spam,
chatty drugs, russian porn, phishing (especially localized versions),
and stuff-for-free* surveys.

Of course a variety of the usual players is well mixed in.

During the previous 24 hours things were _relatively_ quiet.

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.

getchart.jsp.png
Description: PNG image



Test

2006-05-15 Thread Pete McNeil
Hello sniffer,

  Just testing.

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer] zipping log files

2006-05-12 Thread Pete McNeil
Hello Sniffer Folks,

 I expect to be able to accept compressed log files within the next
 few days if all goes as planned.

 I will announce that ability on this list when we are ready.

Is it possible now?

Roger

Sorry for the odd way of posting this response, I'm in the middle of
changing mail servers and the old one is a bit confused.

Roger,

Go ahead and post logs that are zipped using the following rules:

Only use GZIP or ZIP.

* If you use GZIP then your uploaded log file name should be:

yourdomain.yourSNFlicenseid.log.gz

(as in microneil.com.snf2beta.log.gz)

or alternately

yourdomain.yourSNFlicenseid.randombit.log.gz

* If you use ZIP then your uploaded log file name should be:

yourdomain.yourSNFlicenseid.log.zip

alternately

yourdomain.yourSNFlicenseid.randombit.log.zip


* If you send your log files frequently then please do include a
timestamp or random number to avoid a collision. Above I've
represented this as randombit.

* If you send your log files more than a couple hours apart then you
probably don't need the randombit.

* The file inside the .gz or .zip _MUST_ be your naked log file. No
subdirectories and no multiple files.

That should do it...

It's not set up yet (I've been distracted working on other SNF stuff)
but I will have scripting in place to handle the above within a few
minutes.

Thanks,

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.
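The naming rules above, as an added example from this editor rather than code from the list or from ARM Research: a small Python helper that names and builds a compliant upload, plus a check that an archive has a compliant name and exactly one directory-free member. The domain microneil.com and license id snf2beta are taken from the example above; using a UTC timestamp as the random bit is this editor's choice.

```python
import gzip
import os
import re
import shutil
import tempfile
import time
import zipfile

# A single dot-free label, the shape of a license id or a random bit.
_LABEL = re.compile(r"^[A-Za-z0-9-]+$")


def build_upload_name(domain, license_id, fmt="gz", random_bit=None):
    """Name an upload per the rules above; random_bit (optional) sits
    before ".log" so that frequent uploads cannot collide."""
    if fmt not in ("gz", "zip"):
        raise ValueError("only GZIP or ZIP are accepted")
    for label in (license_id, random_bit):
        if label is not None and not _LABEL.match(label):
            raise ValueError("license id and random bit must be dot-free")
    parts = [domain, license_id] + ([random_bit] if random_bit else [])
    return ".".join(parts) + ".log." + fmt


def parse_upload_name(name, license_id):
    """Split a name into (domain, random_bit, fmt) or raise ValueError.
    The license id is needed because a domain may hold any number of dots."""
    m = re.match(r"^(.+)\.log\.(gz|zip)$", name)
    if not m:
        raise ValueError("name must end in .log.gz or .log.zip")
    labels, fmt = m.group(1).split("."), m.group(2)
    if labels[-1] == license_id:                         # domain.license.log.x
        domain_labels, random_bit = labels[:-1], None
    elif len(labels) >= 2 and labels[-2] == license_id:  # domain.license.rnd.log.x
        domain_labels, random_bit = labels[:-2], labels[-1]
    else:
        raise ValueError("license id must sit just before .log or .randombit.log")
    if not domain_labels or not all(_LABEL.match(l) for l in domain_labels):
        raise ValueError("domain part is malformed")
    if random_bit is not None and not _LABEL.match(random_bit):
        raise ValueError("random bit is malformed")
    return ".".join(domain_labels), random_bit, fmt


def package_log(log_path, domain, license_id, fmt="gz", random_bit=None):
    """Compress log_path beside itself as a one-member, directory-free archive."""
    out_path = os.path.join(os.path.dirname(os.path.abspath(log_path)),
                            build_upload_name(domain, license_id, fmt, random_bit))
    if fmt == "gz":
        with open(log_path, "rb") as src, gzip.open(out_path, "wb") as dst:
            shutil.copyfileobj(src, dst)
    else:
        with zipfile.ZipFile(out_path, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.write(log_path, arcname=os.path.basename(log_path))  # no directory
    return out_path


def archive_members(path):
    """Top-level member names; a gzip stream has one, named after the archive."""
    if path.endswith(".zip"):
        with zipfile.ZipFile(path) as zf:
            return zf.namelist()
    with gzip.open(path, "rb") as f:  # raises OSError if the data is not gzip
        f.read(1)
    return [os.path.basename(path)[:-3]]


def is_compliant_archive(path, license_id):
    """True when both the name and the contents follow the rules."""
    try:
        parse_upload_name(os.path.basename(path), license_id)
        members = archive_members(path)
    except (ValueError, OSError, zipfile.BadZipFile):
        return False
    return len(members) == 1 and not re.search(r"[\\/]", members[0])


def demo():
    """Constructed sample: package a tiny log both ways, then check a bad one."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        log = os.path.join(tmp, "snf.log")
        with open(log, "w") as f:
            f.write("constructed sample log line\n")
        stamp = time.strftime("%Y%m%d%H%M%S", time.gmtime())
        gz = package_log(log, "microneil.com", "snf2beta", "gz", stamp)
        zp = package_log(log, "microneil.com", "snf2beta", "zip")
        results["gz_ok"] = is_compliant_archive(gz, "snf2beta")
        results["zip_ok"] = is_compliant_archive(zp, "snf2beta")
        # A zip whose member sits in a subdirectory is not a naked log file.
        bad = os.path.join(tmp, "microneil.com.snf2beta.bad.log.zip")
        with zipfile.ZipFile(bad, "w") as zf:
            zf.write(log, arcname="logs/snf.log")
        results["nested_rejected"] = not is_compliant_archive(bad, "snf2beta")
    return results
```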



This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html


Re: [sniffer] zipping log files

2006-05-12 Thread Pete McNeil
Hello Pete,

Friday, May 12, 2006, 1:48:00 PM, you wrote:

 Hello Sniffer Folks,

 I expect to be able to accept compressed log files within the next
 few days if all goes as planned.

 I will announce that ability on this list when we are ready.

Is it possible now?

Roger

 Sorry for the odd way of posting this response, I'm in the middle of
 changing mail servers and the old one is a bit confused.

 Roger,

 Go ahead and post logs that are zipped using the following rules:

<snip/>

 It's not set up yet (I've been distracted working on other SNF stuff)
 but I will have scripting in place to handle the above within a few
 minutes.

The code is now in place and has been tested.

Best,

_M


-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer] Missing false positives from today - mail server changes are hard.

2006-05-12 Thread Pete McNeil
Hello Sniffer Folks,

  We are in the process of moving mail servers around, and as is often
  the case when mice or men make plans, things have gone awry.

  It appears that false positive reports made today may have been lost
  due to mail routing errors. Apologies.

  If you submitted a false positive today, please re-send it and I
  will process it as quickly as possible. At the moment things appear
  to be working.

  We will have finished these moves within the next few days and
  hopefully during the remainder of the transition things will go more
  smoothly.

  Thanks!

  _M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





Re[4]: [sniffer] Lot of Drugs Spam getting through sniffer....

2006-05-06 Thread Pete McNeil
Chuck,

I sent a different message off list, but just in case you don't get
that one - I've received a number of bounce notifications from your
system (transient non-fatal delivery errors).

There's a good chance that your rulebase is out of date if your update
notifications are bouncing.

Indicators here are in the nominal range for leakage for the past 24
hours.

Hope this helps,

_M

On Friday, May 5, 2006, 7:14:00 PM, Chuck wrote:

CS It is not slowing down out here.

CS Chuck Schick
CS Warp 8, Inc.
CS (303)-421-5140
CS www.warp8.com

CS -Original Message-
CS From: [EMAIL PROTECTED]
CS [mailto:[EMAIL PROTECTED]
CS On Behalf Of Pete McNeil
CS Sent: Friday, May 05, 2006 9:32 AM
CS To: Darin Cox
CS Subject: Re[2]: [sniffer] Lot of Drugs Spam getting through sniffer


CS On Friday, May 5, 2006, 11:02:00 AM, Darin wrote:

DC Not just drugs, but some others too have been slipping through the 
DC past couple of days.  We've reported a little under 40 in the past 
DC couple of days.

CS We saw a bit of a lull, then a rash of new campaigns bunched together with
CS some new obfuscation techniques. We're getting a handle on it now. Looks
CS like the burst started about 30 hours ago and is tailing off now.

CS Attached image - new arrival rates last 2 days.








Re[2]: [sniffer] Lot of Drugs Spam getting through sniffer....

2006-05-05 Thread Pete McNeil
On Friday, May 5, 2006, 11:02:00 AM, Darin wrote:

DC Not just drugs, but some others too have been slipping through the past
DC couple of days.  We've reported a little under 40 in the past couple of
DC days.

We saw a bit of a lull, then a rash of new campaigns bunched together
with some new obfuscation techniques. We're getting a handle on it
now. Looks like the burst started about 30 hours ago and is tailing
off now.

Attached image - new arrival rates last 2 days.



getchart.jsp.png
Description: PNG image


Re[2]: [sniffer] Lot of Drugs Spam getting through sniffer....

2006-05-05 Thread Pete McNeil
We've had that rule before and had to pull it for false positives.

_M


On Friday, May 5, 2006, 11:41:50 AM, John wrote:

JTL FYI, I created a Declude Filter:

JTL Subject END NOTCONTAINS news
JTL BODY25  CONTAINShttp://geocities.com/

JTL Been catching every one like that.

JTL John T
JTL eServices For You

JTL Seek, and ye shall find!


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
JTL On
 Behalf Of Daniel Bayerdorffer
 Sent: Friday, May 05, 2006 7:38 AM
 To: sniffer@SortMonster.com
 Subject: RE: [sniffer] Lot of Drugs Spam getting through sniffer
 
 Here too.
 
 --
 Daniel Bayerdorffer  [EMAIL PROTECTED]
 Numberall Stamp  Tool Co., Inc.
 PO Box 187 Sangerville, ME 04479 USA
 TEL 207-876-3541  FAX 207-876-3566
 www.numberall.com
 
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Schick
  Sent: Friday, May 05, 2006 10:34 AM
  To: sniffer@sortmonster.com
  Subject: [sniffer] Lot of Drugs Spam getting through sniffer
 
  The last few days tons of Drugs spam is coming in and sniffer
  is catching
  none of it.
 
  Chuck Schick
  Warp 8, Inc.
  (303)-421-5140
  www.warp8.com
 
 
 
 
 
 
 
 







Re[4]: [sniffer] Lot of Drugs Spam getting through sniffer....

2006-05-05 Thread Pete McNeil
On Friday, May 5, 2006, 1:08:14 PM, John wrote:

JTL Well, I am at the point that I could care less about geocities false
JTL positives. If GeoCities is going to allow this much spam junk then I could
JTL care less about allowing them.

That's fine.

There are probably a number of systems that feel that way. I only
meant to say that we've tried a block-first strategy w/ geocities
before and had to remove it. YMMV.

You should also know (may remember) that the blackhats experimented a
while ago with using several other hosting sites, including msn, and
seeding them in round-robin fashion so that they all appeared in each
campaign. Since this experiment stopped abruptly I doubt that it has
been abandoned - rather, it was put on the shelf for a while. At the
time it was clearly effective for them. I think it likely they will do
that again (don't know when) since they are putting some new effort
into this path. I don't have any evidence of it yet.

I discovered that on 20060503 the blackhats made some significant
changes to their use of geocities links and their transmission
patterns. I've re-tuned the F002 bot to compensate and it is currently
reviewing a handful of new geocities links every minute and adding
approximately 1.2 new rules per minute.

I suspect that the lull we observed may have had something to do with
their tooling up for this set of campaigns.

_M






Re[2]: [sniffer] Message loop

2006-04-20 Thread Pete McNeil
Yes, I'm sorry. I'm still working on that with the back-end server
guys over there. I am getting your messages though. Please ignore the
jsmith bounces for now. I will keep on them.

Thanks!

_M

On Thursday, April 20, 2006, 12:11:25 PM, Scott wrote:

SF Still happening when I reply to false positive messages from you:

SF Failed to deliver to '[EMAIL PROTECTED]'
SF mail loop: too many hops (too many 'Received:' header fields)

SF - Original Message - 
SF From: Pete McNeil [EMAIL PROTECTED]
SF To: Matt sniffer@SortMonster.com
SF Sent: Wednesday, April 19, 2006 7:03 PM
SF Subject: Re: [sniffer] Message loop


 On Wednesday, April 19, 2006, 7:20:01 PM, Matt wrote:

 M
 M  Pete,
 M
 M  I tried replying to some FP reports and I received back some loop 
 reports from your gateway:
 M
 M
 M
 M
 M Failed to deliver to '[EMAIL PROTECTED]'
 M mail loop: too many hops (too many 'Received:' header fields)

 I'm aware of the problem. It's actually a problem on our partners'
 servers. They are making a transition and the destination server is
 unhappy about the number of hops required to get there through our
 forwarding chain.

 I believe they have adjusted these settings this afternoon to
 compensate.

 Thanks!

 _M



 







Re: [sniffer] Sniffer application

2006-04-19 Thread Pete McNeil
On Wednesday, April 19, 2006, 11:05:15 AM, Jeff wrote:

JA Peter,

JA  I have taken over the network administration for Neptune Chemical Pump Co.
JA  Could I get a manual for the sniffer software? That is, how to use, set up,
JA  and confirm it is still configured correctly.

You can find the root of our documentation here:

http://kb.armresearch.com/index.php?title=Main_Page

And the Message Sniffer specific part begins here:

http://kb.armresearch.com/index.php?title=Message_Sniffer

We have been reorganizing and expanding our documentation. To ensure
that it will be as good as possible, we are allowing people to edit
the documentation online when they feel something could be added or
improved. If you would like to have an account for the wiki please
send a note to support@ and we will set you up.

Thanks,

_M





Re: [sniffer] Message loop

2006-04-19 Thread Pete McNeil
On Wednesday, April 19, 2006, 7:20:01 PM, Matt wrote:

M
M  Pete,
M  
M  I tried replying to some FP reports and I received back some loop reports 
from your gateway:
M  
M  
M  
M  
M Failed to deliver to '[EMAIL PROTECTED]'
M mail loop: too many hops (too many 'Received:' header fields)

I'm aware of the problem. It's actually a problem on our partners'
servers. They are making a transition and the destination server is
unhappy about the number of hops required to get there through our
forwarding chain.

I believe they have adjusted these settings this afternoon to
compensate.

Thanks!

_M





[sniffer] Bad Rule Alert: 963461

2006-04-18 Thread Pete McNeil
Hello Sniffer Folks,

  We have a bad rule circulating in some rulebases. The rule has
  already been discovered and removed.

  Please create a rule-panic entry for rule id: 963461 just in case
  you might have a copy of the rule. After your next update (or
  tomorrow about the same time if it is easier) you can remove the
  rule-panic entry.

  Sorry for the trouble,

  Hope this helps,

Thanks,
_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)
Chief Scientist (www.armresearch.com)




[sniffer] Bad Rule Alert: 963461 follow up.

2006-04-18 Thread Pete McNeil
Hello Sniffer Folks,

  Regarding rule 963461 - the rule was coded for a short sequence of
  &nbsp;&nbsp;&nbsp; (3x). It was misinterpreted and/or miscopied as part of
  obfuscation.

  The rule was coded at 20060417.1929 E and removed at approximately
  20060418.1000 E.

  There was one additional rule pulled (963533) which was coded for a
  binary segment of an image file. No hits have been reported on the
  second rule at this time.

Best,
_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)
Chief Scientist (www.armresearch.com)




Re[2]: [sniffer] False positive processing

2006-03-21 Thread Pete McNeil
On Tuesday, March 21, 2006, 11:37:30 AM, Darin wrote:

DC Nope.  None of them.

DC I haven't heard back from the replies to a couple of false positives on the
DC 10th, and we haven't heard anything from our submissions on the 16th (6) and
DC 17th (2).  I don't remember if we've heard anything from those on the 15th
DC (4).

Right now I'm preparing to process FPs. I have a total of 24. 15 from
you. I don't show any others pending. When I'm done I'll go back and
look at the 10th, 16th, and 17th to see if I received and responded.

_M





Re[4]: [sniffer] False positive processing

2006-03-21 Thread Pete McNeil
I have responded off list.

Let me know (off list) if you got my response just in case it goes
missing again.

Thanks,

_M

On Tuesday, March 21, 2006, 12:04:29 PM, Darin wrote:

DC Right.  15 from today.  Let me know what you find out.  The ones from the
DC 10th were replies to FP processing to investigate further and apply white
DC rules.  The others were normal FP reports.

DC Thanks,

DC Darin.


DC - Original Message - 
DC From: Pete McNeil [EMAIL PROTECTED]
DC To: Darin Cox sniffer@SortMonster.com
DC Sent: Tuesday, March 21, 2006 11:52 AM
DC Subject: Re[2]: [sniffer] False positive processing


DC On Tuesday, March 21, 2006, 11:37:30 AM, Darin wrote:

DC Nope.  None of them.

DC I haven't heard back from the replies to a couple of false positives on
DC the
DC 10th, and we haven't heard anything from our submissions on the 16th (6)
DC and
DC 17th (2).  I don't remember if we've heard anything from those on the
DC 15th
DC (4).

DC Right now I'm preparing to process FPs. I have a total of 24. 15 from
DC you. I don't show any others pending. When I'm done I'll go back and
DC look at the 10th, 16th, and 17th to see if I received and responded.

DC _M










Re: [sniffer] Updates slow

2006-03-20 Thread Pete McNeil
On Monday, March 20, 2006, 3:58:03 PM, John wrote:

JTL It seems today that updates have been slow to retrieve, the last one being
JTL averaging 54 Kbps. Updates are triggered on the e-mail update notice.

I just retrieved your rulebase at an average of 267K/sec via my DSL.
My DL rate is 3Mbps - so that's just about full bandwidth.

Occasionally there are high bursts of traffic - perhaps you met one of
those.

Another possibility is that your specific network path may have, or
have had, an issue --- on the previous report of slow downloads it
turned out that RackSpace was working on a network problem that seemed
to affect only some paths into the server(s).

Hope this helps,

_M





[sniffer] New Web Site!

2006-03-17 Thread Pete McNeil
Hello Sniffer Folks,

  Today we are making a major transition. The old Message Sniffer web
  site will be torn down and replaced with a new WIKI:

  http://kb.armresearch.com/index.php?title=Message_Sniffer

  The top Message Sniffer page will retain its index for a while but
  instead of sending you to the original pages the links will take you
  to appropriate pages in the new WIKI.

  Also - if you try to go directly to an old page you will be
  redirected automatically to the appropriate new page.

  The WIKI requires that you create an account and log-in before
  making any changes. We know there are blackhats out there so we will
  be watching very closely... If we find there is abuse, we will
  disable the ability to create accounts and you will need to contact
  us at support@ if you want the ability to post -- let's hope it
  doesn't come to that.

  We will continue to update, improve, and correct the wiki - it will,
  in fact, be under constant development.

  Have fun!

Thanks,

_M
  
Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)
Chief Scientist (www.armresearch.com)




Re[2]: [sniffer] New Web Site!

2006-03-17 Thread Pete McNeil
On Friday, March 17, 2006, 11:53:58 AM, John wrote:

JTL What is the purpose of using a WIKI site?

A few things really -

* It's fast and easy to create, update, and correct the content.
Things happen quickly here and in the messaging security business in
general. It makes sense to use tools that can adapt just as quickly
and with as little friction as possible.

* Some of our user community contribute software and technical
knowledge on a regular basis. A wiki makes that process easier. This
is particularly useful where SNF overlaps with other software - The
folks who use, develop, or maintain that software can now participate
openly in developing documentation for that work.

* We've always maintained a collaborative relationship with our
customers and this helps to enforce that point.

* One of the things we've always encouraged is the sharing of
information related to, but not necessarily about SNF. For example, it
is not uncommon for a discussion about integrating SNF with a mail
server to branch off into a wide range of loosely related topics from
DNS, to server and network performance, to handy tools and tricks.

We have a lot of experts in our community. Quite often, difficult-to-
find solutions lurk in the context of the discussions on and off our
list. Now those solutions can be captured here in the natural context
in which they came up so that they will be easy to find.

--

Consider this approach part of fostering a strong user community and
providing a resource that goes beyond our own products and services.

At the end of the day we are working shoulder to shoulder with the
developers, managers, administrators, and users of all kinds of
systems. We want this wiki to be a valuable resource for anybody who
uses SNF, and lots of folks who don't (yet).

_M







Re[4]: [sniffer] New Web Site!

2006-03-17 Thread Pete McNeil
On Friday, March 17, 2006, 12:50:40 PM, John wrote:

JTL Pete, while I fully understand all of what you said, allowing any one
JTL registered to edit any page is leaving things wide open for abuse. Isn't
JTL there a way to set permissions on a section basis? Example, I should not
JTL have the ability to edit the recent events page and not that I would, but I
JTL am human and humans make mistakes and do dumb things from time to time.

The facilities are already in place for the system admin (us) to lock
any page.

Also, in order to make everyone more comfortable with this I have
changed the settings so that only the system administrator can create
an account.

-- What that means is that if anyone wants to contribute they will
have to send a note to support@ to have an account created for them.

We will create an account for anyone who has something of value to
contribute. We will revoke any accounts that abuse the system.

It makes me sad to have to do this so soon after turning the system
on, but apparently there is no other way to do this without causing a
near panic.

Hope this helps,

_M





Re: [sniffer] reporting spam

2006-03-16 Thread Pete McNeil
On Thursday, March 16, 2006, 5:18:00 PM, Roger wrote:

RM I just found out that when you are reporting received spam to
RM [EMAIL PROTECTED], you should remove the Received: header added by your
RM mail server. Otherwise you might create a rule that filters all mail from
RM your mail server.

Yikes - that's not true. We only rarely ever examine the received
headers in submitted spam - and then only when we're verifying some
other hunch we're following. We almost exclusively focus on the body
of the message content and its coding.

Rarely, but nonetheless it happens, we will pick up a domain that is
spoofed in submitted spam or otherwise entangled in the message.

Submitted spam is never processed automatically - so when this does
happen it is always human error - and we are very careful with our
procedures to make sure it doesn't happen.

Occasionally one slips through and if that happens the rule is moved
to a special rule group so that it can never happen again.

Hope this clears things up a bit.

Thanks,

_M





Re: [sniffer] New add compain

2006-03-10 Thread Pete McNeil
On Friday, March 10, 2006, 2:00:42 PM, John wrote:

JTL I am seeing a lot of spam with a subject line of fw: or re: followed by
JTL the username portion of the recipient. Any way to create a rule for this?

There's nothing simple we can do for this one based on that alone - at
least not without risking a lot of false positives. We are looking at
structural abstracts wherever there is content. Many that we see are
empty.

SNF is not yet good at seeing what is NOT there.

_M





[sniffer] F001 Rule Bot Change

2006-03-09 Thread Pete McNeil
Hello Sniffer Folks,

  The F001 Rule Bot has been adjusted. The number of repeat offenses
  required for an IP to be listed has been increased. It's important
  to note also: Messages that are filtered out by other rules are
  excluded from this evaluation. Consequently, for an IP to be added
  to the F001 bot rules it must not only be seen quite a few times,
  but it must also be generating messages that are not filtered using
  other active rules.

  As part of this adjustment we removed approximately 2 IP rules
  that had shown either weak or no activity since they were created.
  This may cause rulebase file sizes to change noticeably.

Thanks,
_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)
Chief Scientist (www.armresearch.com)




Re[2]: [sniffer] F001 Rule Bot Change

2006-03-09 Thread Pete McNeil
On Thursday, March 9, 2006, 8:48:43 AM, Nick wrote:

NH Hi Pete -

NH Pete McNeil wrote:

Hello Sniffer Folks,

  The F001 Rule Bot has been adjusted. 

NH Is it possible for you to recommend a percentage of accuracy or maybe 
NH better stated a percentage of delete weight for each rule?  I  am 
NH wondering which rules you feel are the weakest and which are the 
NH strongest.  I am well aware 'mileage may vary' but just your thoughts on
NH reliability would be insightful.  Currently the rules I trust the most
NH are at 90% of my hold weight which overall is less than 50% of my delete
NH weight. Rules that I trust the least like general and experimental are
NH at ~ 40% of my hold weight.

It's a bit too early to know about the reliability of F001. So far the
number of false positives has fallen quite sharply and continues to
fall from what I can see. In addition, the new constraints on F001
will cause it to be much more reliable still (w/ regard to FPs).

I would say that the most conservative weight for symbol 63 would be
to weight it at the same weight as your average IP based blacklist.

A more moderate position might have the lowest rated SNF tests at
about 70% of your hold weight (this seems to be fairly common).

Hope this helps,

_M




Re: [sniffer] [Fwd: Starbucks $500 Prize #972499912]

2006-03-07 Thread Pete McNeil
On Tuesday, March 7, 2006, 5:00:33 PM, Heimir wrote:

HE Why is this not filtered?

HE Every one of them contains the word

HE Domains4u

HE I have reported several but they are still coming in.

Actually, they are now (I tried coding the message and duped out on
the domain rules).

Domains4u is not by itself sufficient coding so we don't have a rule
like that.

If you would like to add that rule we can, but please make the request
to support@ and not the public list.

Thanks,

_M





Re: [sniffer] declude tests

2006-03-07 Thread Pete McNeil
On Tuesday, March 7, 2006, 4:58:35 PM, Harry wrote:

HV   
HV  
HV at the moment I run  the following test in declude
HV
HV SNIFFER  external nonzero 
HV D:\IMail\Declude\sniffer\xx.exe  persistent 13  0
HV

THIS IS WRONG!

You should not have the persistent command line option in your Declude
configuration. You should only run your persistent instance outside of
Declude. Run only peer instances (without the persistent keyword) from
inside Declude.

HV I have seen a more  detailed setup before and am interested in
HV doing that here also.  Is there  a comprehensive list somewhere along with 
instructions?
HV
HV If I want to apply  separate weighting using only some of the
HV detailed test and then a catchall test  for the rest, is that possible?

Sure. The easiest way I know of is to leave your existing line in
place and then add an additional test (using SNF) that adjusts the
specific result code you want to tune.

For example, if you wanted to back down group 63 you might add a line:

SNF63 external 63 D:\IMail\Declude\sniffer\xx.exe  -3 0

Declude will recognize that the command line is identical and will
simply reuse the result with the new test name SNF63 instead of
running SNF again.

Hope this helps,

_M
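The behaviour described above (Declude running an external test once and reusing its result code for every test line with an identical command line), as an added illustration by this editor rather than code from Declude, ARM Research or the list: a small Python model that parses external-test lines, flags the persistent keyword inside Declude, and scores a message for a given SNF result code. The line syntax modelled here (name, external, nonzero or a result code, the command line, the weight when the test hits, the weight when it misses) and the paths are assumptions taken from the lines quoted above, not from Declude's documentation.

```python
import re

# Declude external-test line as modelled here (an assumption about the
# syntax, not a quote from Declude's documentation):
#   NAME external <nonzero|CODE> <command line> <weight_if_hit> <weight_if_miss>
_TEST_LINE = re.compile(
    r"^(?P<name>\S+)\s+external\s+(?P<cond>\S+)\s+(?P<cmd>.+?)"
    r"\s+(?P<hit>-?\d+)\s+(?P<miss>-?\d+)\s*$", re.IGNORECASE)


def parse_tests(config_text):
    """Parse external-test lines; blank lines and # comments are skipped."""
    tests = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _TEST_LINE.match(line)
        if not m:
            raise ValueError("unrecognised test line: " + line)
        cond = m.group("cond").lower()
        if cond != "nonzero" and not re.fullmatch(r"-?\d+", cond):
            raise ValueError("condition must be nonzero or a result code: " + line)
        tests.append({
            "name": m.group("name"),
            "cond": cond,
            # Collapse whitespace so identical command lines compare equal.
            "cmd": " ".join(m.group("cmd").split()),
            "hit": int(m.group("hit")),
            "miss": int(m.group("miss")),
        })
    return tests


def persistent_misuse(tests):
    """Names of tests that would start a persistent instance from inside Declude."""
    return [t["name"] for t in tests if "persistent" in t["cmd"].lower().split()]


def evaluate(tests, run_snf):
    """Score one message.  run_snf(cmd) returns the SNF result code for a
    command line and is called once per distinct command line; every test
    that shares the command line reuses that code, as described above."""
    codes = {}
    total, fired = 0, []
    for t in tests:
        if t["cmd"] not in codes:
            codes[t["cmd"]] = run_snf(t["cmd"])
        code = codes[t["cmd"]]
        hit = code != 0 if t["cond"] == "nonzero" else code == int(t["cond"])
        total += t["hit"] if hit else t["miss"]
        if hit:
            fired.append(t["name"])
    return total, fired


# Constructed config: the catch-all line plus the group-63 adjustment from
# the message above (path as shown there, without the persistent keyword).
SAMPLE_CONFIG = r"""
SNIFFER  external nonzero  D:\IMail\Declude\sniffer\xx.exe  13  0
SNF63    external 63       D:\IMail\Declude\sniffer\xx.exe  -3  0
"""

# The configuration the message calls wrong: persistent inside Declude.
WRONG_CONFIG = r"""
SNIFFER  external nonzero  D:\IMail\Declude\sniffer\xx.exe  persistent 13  0
"""


def demo():
    """Score a message for a few result codes and count SNF invocations."""
    tests = parse_tests(SAMPLE_CONFIG)
    out = {"wrong_config_flags": persistent_misuse(parse_tests(WRONG_CONFIG))}
    for code in (0, 52, 63):
        calls = []

        def run_snf(cmd, _code=code):
            calls.append(cmd)  # record each real SNF invocation
            return _code

        total, fired = evaluate(tests, run_snf)
        out[code] = {"weight": total, "fired": fired, "snf_runs": len(calls)}
    return out
```

With the sample config a code-63 hit scores 13 + (-3) = 10 while SNF runs only once, which is the tuning effect the message describes.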





[sniffer] New Rulebot F001

2006-03-06 Thread Pete McNeil
Hello Sniffer folks,

  The first of the new rulebots is coming online.

  Rulebot F001 creates IP rules for sources that consistently fail
  many tests while also reaching the cleanest of our spamtraps.

  The rules will appear in group 63.

  The bot is playing catchup a bit (since there have been few IP rules
  at all since we disabled the old bots).

  The algorithms used in this bot have been tested manually for 2
  weeks with no false positives.

  Expect an increase in your rulebase size while F001 catches up with
  current spamtrap data.

Thanks,

_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)
Chief Scientist (www.armresearch.com)




[sniffer] New rulebase compilers online.

2006-03-06 Thread Pete McNeil
Hello Sniffer Folks,

  I have just completed work to upgrade the rulebase compiler bots.
  They are now significantly more efficient. As a result you will be
  seeing updates more frequently.

  Previous lag was between 40-120 minutes.

  Current lag (sustained) is  5 minutes.

  More timely updates should equate to lower spam leakage for new
  spam.

  You do not need to take any action on this. This note is for your
  information only.

Thanks,

_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)
Chief Scientist (www.armresearch.com)




Re[2]: [sniffer] New Rulebot F001

2006-03-06 Thread Pete McNeil

On Monday, March 6, 2006, 3:13:53 PM, Jay wrote:

JSHNL There's been at least one FP ;)

JSHNL --
JSHNL Rule - 861038
JSHNL NameF001 for Message 2888327: [216.239.56.131]
JSHNL Created 2006-03-02
JSHNL Source  216.239.56.131
JSHNL Hidden  false
JSHNL Blocked false
JSHNL Origin  Automated-SpamTrap
JSHNL TypeReceivedIP
JSHNL Created By  [EMAIL PROTECTED]
JSHNL Owner   [EMAIL PROTECTED]
JSHNL Strength2.08287379496965
JSHNL False Reports   0

Yes, sorry about the confusion. The original announcement happened
about 3 days before that FP. The note was a resend this afternoon so
that Karen (Tink) could update the web site with recent news.

In fact, both of those notes were resends... The originals didn't make
it because I transposed the s and n near the t in sortmonster.

Sorry again for the confusion.

_M





Re[2]: [sniffer] New Rulebot F001

2006-03-06 Thread Pete McNeil
On Monday, March 6, 2006, 3:42:50 PM, Darin wrote:

DC We just reviewed this morning's logs and had a few false positives.  Not
DC sure if these are due to the new rulebot, but it's more than we've had for
DC the entire day for the past month.

DC Rules
DC --
DC 873261
DC 866398
DC 856734
DC 284831
DC 865663

Three of these are from F001 and have been removed.

865663 - http://www.dnsstuff.com/tools/ip4r.ch?ip=64.233.166.182
 http://www.dnsstuff.com/tools/ptr.ch?ip=64.233.166.182

856734 - http://www.dnsstuff.com/tools/ip4r.ch?ip=64.249.82.200
 http://www.dnsstuff.com/tools/ptr.ch?ip=64.249.82.200

873261 - http://www.dnsstuff.com/tools/ip4r.ch?ip=207.217.120.227
 http://www.dnsstuff.com/tools/ptr.ch?ip=207.217.120.227


I haven't yet processed the fps, only looked up the rules.

There are currently 32820 rules authored by the F001 bot.

Hope this helps,

_M







Re[2]: [sniffer] New rulebase compilers online.

2006-03-06 Thread Pete McNeil
On Monday, March 6, 2006, 6:09:43 PM, Matt wrote:

M Pete,

M Does this mean that you are somehow supporting incremental rule base 
M updates, or is it that the compiler is just much faster so we will get
M the same number of updates, but generally get them 40-120 minutes 
M earlier in relation to the data that generated them?

The latter. Incremental updates are coming with the V3 engine. We will
have real time reporting and tuning before that.

The new behavior for the compiler bots is to seek out any eligible
rulebases that match the profile of the previously compiled rulebase
and to use the cached data to build the new rulebase provided it is
discovered within a short enough period (a matter of seconds). This is
called replication. Replication happens in seconds. Compiling a
rulebase takes between 5 and 35 minutes depending on the complexity.

While I have seen occasional spikes, I generally now see unfinished,
eligible rulebase counts in the low teens and estimated lag in the
single digits.

M Either way, definitely an improvement.  The closer to real-time we can
M get, the better.

:-)

_M




Re[4]: [sniffer] New Rulebot F001

2006-03-06 Thread Pete McNeil
On Monday, March 6, 2006, 7:24:20 PM, Andrew wrote:

snip

CA I would like to state that I don't need Message Sniffer to
CA identify servers that send bogus postmaster notifications.  This
CA would be entirely due to false positives such as the three
CA examples above.

CA Given that spammers clearly recycle their email database as a
CA fake-mailfrom database, any spamtrap address will get bogus bounces and
CA therefore, the spamtraps will flag legitimate senders' IP addresses in
CA Rule 63.

CA I don't expect nor want you to discuss the details of the
CA spamtraps as the point of one class of your spamtraps is that
CA their methods are secret.  However, Matt has described a subset of
CA the filters various Decluders have used to filter out postmaster
CA bounces and other reflected noise, and I can certainly chip in on
CA that conversation offline.

In addition to all previous IP rule false positives, any new false
positives will be kept in the rulebase to prevent any repeats.

Regarding outscatter, we do create rules where we can to eliminate
known outscatter - when the bounce contains sufficient information to
identify it clearly as originating from malware or known spam.

However, the traps F001 is using are pre-processed with mediation rules
to blind the system from these kinds of messages. These rules are
not complete (perhaps never will be) but they are pretty good and
getting better.

With each new case we will be refining what cannot be seen by bots or
even people from these sources.

_M





Re[2]: [sniffer] Sniffer, MDLP, and invURIBL?

2006-02-25 Thread Pete McNeil
On Saturday, February 25, 2006, 1:38:53 PM, Joe wrote:

JW I would actually prefer that MDLP autotune the weight for 
JW invURIBL, but since the weights are managed by invURIBL and not
JW Declude I don't  know how this will work.

I'm not familiar enough with invURIBL to know how it is configured.
However, as long as its maximum and minimum weights are in a
reasonable range, then if you exclude it from MDLP you should be ok.

MDLP's AI tries to optimize the weights of the tests it can manipulate
so that the most accurate total scores are provided. If there are
tests it cannot adjust then it is forced to work around those with the
other tests.

The results are not predictable (the task is far too dynamic and
contains far too many variables) but they should be sane and correct.

_M





Re[2]: [sniffer] Running sniffer as a service

2006-02-24 Thread Pete McNeil
On Friday, February 24, 2006, 7:13:47 AM, Jeff wrote:

JP Do I need to modify anything in my Declude configuration file where it calls
JP the SNIFFER test in order for this to function ??

No. You set up a persistent instance outside of Declude and the other
SNF instances adapt automatically.

_M






Re[6]: [sniffer] When to go persistent

2006-02-24 Thread Pete McNeil
On Friday, February 24, 2006, 10:31:25 AM, Goran wrote:

GJ Hi,

GJ I just got my service up and running using Matt's post 

GJ http://www.mail-archive.com/sniffer@sortmonster.com/msg00169.html

GJ It was simple, especially since I already had the resource kit installed.

GJ Now I know that this is supposed to work to get the persistent instance
GJ to load the new rulebase after a download.

GJ REM Load new rulebase file.
GJ %LicenseID%.exe reload


GJ But is there any way to query the service and ask it to tell you when
GJ was the last time the rulebase was loaded? Or what version of the
GJ rulebase it is using?

By default, the persistent instance will reload the rulebase about
once every 10 minutes.

The reload command creates a semaphore file in the workspace and waits
for it to disappear. When the persistent instance has complied it will
delete the file. Therefore, the command  licenseid.exe reload 
will generally not return until the rulebase has been reloaded.

In some cases, due to a timing function bug, the persistent instance
may not respond to the reload or other semaphores... however, it does
still reload itself every 10 minutes or so. A sure way of reloading
the rulebase if you need to force it and you suspect something isn't
quite right is to restart the persistent instance.

GJ When running in peer mode this question does not
GJ arise since the instances read the file off disk so there is no problem.
GJ With the persistent instance this is not the case and I would like to
GJ know that it really is using the newest rulebase.

Just to clarify a bit... in peer-server mode, a server-peer will load
the rulebase, process some number of messages including its own, and
then return. So, reloads are frequent, but not guaranteed.
Client-peers do not load the rulebase.

The persistent instance processes many more messages than a
server-peer and then reloads after it drops. Otherwise it is very much
the same as an ordinary peer instance.

As a rule, unless something is broken, you can be sure the new
rulebase is running within about 10 minutes (by default) of when it
appears in the workspace.

Hope this helps,

_M

PS: I'm working on adding some of the version 3 features to version 2
for testing and tuning on our way to a full version 3 engine. Soon I
will be coming out with incremental version 2 releases on our way to
3. I will be making instrumentation features a priority since they
will be helpful while tuning and (hopefully not) debugging the new
prototypes.



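The reload handshake described in the reply above (a semaphore file dropped in the workspace, removed by the persistent instance once it has complied, and a persistent instance that sometimes never answers) can be modelled end to end. The following is an added example written for this archive, not SNF code from ARM Research / SortMonster: the semaphore file name "reload.req" is a placeholder, since the real name is not given on the page, and the periodic ten-minute self-reload is not modelled. The point it adds is the check a scheduled download script needs: the wait has a timeout, and a stale semaphore is cleaned up so that a stuck instance is reported instead of hanging the script.

```python
"""Model of the SNF reload semaphore handshake (added example, not SNF code)."""
import os
import tempfile
import threading
import time

SEMAPHORE = "reload.req"   # placeholder: the real semaphore name is not stated on the page


def request_reload(workspace: str, timeout: float = 5.0, poll: float = 0.05) -> str:
    """Client side: create the semaphore, then wait for the server to remove it.

    Returns "reloaded" when the persistent instance acknowledged, or "timeout"
    when it did not answer in time. Unlike the real command this never waits
    forever, and a stale semaphore is removed so it cannot confuse a later run.
    """
    path = os.path.join(workspace, SEMAPHORE)
    with open(path, "w") as fh:
        fh.write("reload\n")
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        if not os.path.exists(path):
            return "reloaded"
        time.sleep(poll)
    try:
        os.remove(path)
    except FileNotFoundError:
        return "reloaded"          # answered right at the deadline
    return "timeout"


class PersistentInstance(threading.Thread):
    """Server side: stand-in for the persistent peer-server.

    responsive=False imitates an instance that ignores semaphores (the timing
    bug mentioned in the thread): it stays alive but never acknowledges.
    """

    def __init__(self, workspace: str, responsive: bool = True) -> None:
        super().__init__(daemon=True)
        self.workspace = workspace
        self.responsive = responsive
        self.reloads = 0
        self._stop_event = threading.Event()

    def run(self) -> None:
        path = os.path.join(self.workspace, SEMAPHORE)
        while not self._stop_event.is_set():
            if self.responsive and os.path.exists(path):
                self.reloads += 1      # a real instance re-reads the .snf file here
                try:
                    os.remove(path)    # deleting the file is the acknowledgement
                except OSError:
                    self.reloads -= 1  # file still held by the client; retry next poll
            time.sleep(0.02)

    def stop(self) -> None:
        self._stop_event.set()
        self.join()


def demo(responsive: bool) -> tuple:
    """Run one handshake in a throwaway workspace.

    Returns (client result, reloads performed, semaphore still present).
    """
    with tempfile.TemporaryDirectory() as workspace:
        instance = PersistentInstance(workspace, responsive)
        instance.start()
        try:
            result = request_reload(workspace, timeout=0.5)
        finally:
            instance.stop()
        leftover = os.path.exists(os.path.join(workspace, SEMAPHORE))
    return result, instance.reloads, leftover


if __name__ == "__main__":
    print("healthy instance:", demo(responsive=True))    # ('reloaded', 1, False)
    print("stuck instance:  ", demo(responsive=False))   # ('timeout', 0, False)
```

In a download script the "timeout" outcome is the signal to restart the persistent instance, which the reply above names as the sure way to force a reload.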

Re: [sniffer] False Positives

2006-02-23 Thread Pete McNeil
On Thursday, February 23, 2006, 5:48:55 AM, Kevin wrote:

KR So when I asked how I would send in false positives, someone mentioned
KR that I should look up the appropriate log entry and send that in. That
KR brings up another question.  My log file is 270MB and climbing.  I've 
KR never opened it cause it's too big.  Do you have a reader for your log
KR files?

I recommend you delete your current log - or at least set it aside
until you've completed work on the FPs in question. There are editors
out there (I like slickedit) that will handle files that large.

That said, your log file should never get that large. You should
rotate it out and send it to us once a day or so.

There are some scripts to handle that for you:

http://www.sortmonster.com/MessageSniffer/Help/AutomatingUpdatesHelp.html

Details about your log file are here:

http://www.sortmonster.com/MessageSniffer/Help/LogsHelp.html

KR I think it would be nice to have a little list of things to do to send
KR in false positives:


KR 1. Have your users send you the false positive.  Save it as an .eml file (?)
KR 2. Look up (somehow) the entry in your log file that corresponds to that
KR .eml file.  Copy and paste that text into a new email.
KR 3. Send an email from your primary Sortmonster email address, attaching
KR the .eml file and any log portion as necessary.

KR Is this correct?

Everything you want to know about false positives (most likely) is on
this page - including step by step instructions:

http://www.sortmonster.com/MessageSniffer/Help/FalsePositivesHelp.html

_M



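Kevin's step 2 above, finding the log entries that belong to one misfiled message, can be scripted rather than done by opening a 270 MB log in an editor. The following is an added example for this archive, not code from SortMonster / ARM Research. Its column layout is inferred from the SNF 2.x log entries quoted in the false-positive report later on this page (license id, timestamp, spool file name, two numeric columns, the keyword Match or Final, rule id, rule group, further numeric columns); only the positions of the named columns are relied on, and the unnamed numeric columns are carried along verbatim. The sample log is constructed: its first two records are the quoted entries with tabs restored, the rest are made up.

```python
"""Find the Message Sniffer log entries for one message (added example, not SNF code)."""
from dataclasses import dataclass
from typing import Iterable, Iterator, Optional


@dataclass(frozen=True)
class SnfLogEntry:
    license_id: str
    timestamp: str            # YYYYMMDDhhmmss, as written in the log
    message_file: str         # spool file SNF was asked to scan
    kind: str                 # "Match" = one rule hit, "Final" = the verdict line
    rule_id: int
    rule_group: int
    trailing: tuple           # remaining columns; their meaning is not stated on the page


def parse_line(line: str) -> Optional[SnfLogEntry]:
    """Parse one log line; return None for lines that are not Match/Final records."""
    fields = line.split()
    kind_pos = next((i for i, f in enumerate(fields) if f in ("Match", "Final")), None)
    if kind_pos is None or kind_pos < 3 or len(fields) < kind_pos + 3:
        return None
    try:
        return SnfLogEntry(
            license_id=fields[0],
            timestamp=fields[1],
            message_file=fields[2],
            kind=fields[kind_pos],
            rule_id=int(fields[kind_pos + 1]),
            rule_group=int(fields[kind_pos + 2]),
            trailing=tuple(fields[kind_pos + 3:]),
        )
    except ValueError:
        return None


def lookup(lines: Iterable[str], spool_id: str) -> Iterator[SnfLogEntry]:
    """Stream through log lines (nothing is held in memory, so a very large
    file is fine) and yield the records whose spool file name contains spool_id.

    In the report quoted on this page the IMail "id A9CC319600AA" from the
    Received: header appears inside the log's file name DA9CC319600AA9394.SMD,
    so the id taken from the headers of the misfiled .eml is enough to find it.
    """
    for line in lines:
        if spool_id not in line:          # cheap pre-filter before parsing
            continue
        entry = parse_line(line)
        if entry is not None and spool_id in entry.message_file:
            yield entry


def fp_summary(entries: Iterable[SnfLogEntry]) -> dict:
    """Collect what a false-positive report needs: the Final rule and group,
    plus every rule that matched along the way."""
    entries = list(entries)
    final = next((e for e in entries if e.kind == "Final"), None)
    return {
        "message_file": entries[0].message_file if entries else None,
        "timestamp": entries[0].timestamp if entries else None,
        "matched_rules": [(e.rule_id, e.rule_group) for e in entries if e.kind == "Match"],
        "final_rule": final.rule_id if final else None,
        "final_group": final.rule_group if final else None,
    }


# Constructed sample log (see the lead-in): two quoted records, three made up.
SAMPLE_LOG = "\n".join([
    "nwb655oh\t20060219172434\tDA9CC319600AA9394.SMD\t31\t360\tMatch\t836625\t61\t2245238871",
    "nwb655oh\t20060219172434\tDA9CC319600AA9394.SMD\t31\t360\tFinal\t836625\t61\t0\t32767\t71",
    "nwb655oh\t20060219180102\tD1B2C3D4E5F60001.SMD\t12\t150\tMatch\t700001\t63\t10\t200",
    "nwb655oh\t20060219180102\tD1B2C3D4E5F60001.SMD\t12\t150\tMatch\t700002\t55\t300\t420",
    "nwb655oh\t20060219180102\tD1B2C3D4E5F60001.SMD\t12\t150\tFinal\t700001\t63\t0\t32767\t63",
])


if __name__ == "__main__":
    # With a real log:  with open("sniffer.log") as f: print(fp_summary(lookup(f, "A9CC319600AA")))
    print(fp_summary(lookup(SAMPLE_LOG.splitlines(), "A9CC319600AA")))
```

The summary dict carries exactly the values the report page asks for (rule id and group of the Final line) together with every Match record, so nothing else from the log needs to be pasted into the report.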

Re: [sniffer] When to go persistent

2006-02-23 Thread Pete McNeil
On Thursday, February 23, 2006, 11:30:02 AM, Goran wrote:

GJ Hi,

GJ Is there any good rule of thumb, in terms of messages processed per
GJ minute/hour/day when you should move to a persistent instance of
GJ Sniffer?

I would suggest using the persistent mode unless you have a reason not
to. (In very rare cases it may not perform as well as peer-server
mode.)

_M




Re[2]: [sniffer] When to go persistent

2006-02-23 Thread Pete McNeil
On Thursday, February 23, 2006, 11:53:51 AM, LLC wrote:

JISL I'm investigating the persistent mode and read the info on the web site.
JISL Can't make heads or tails of it.

JISL How do I enable persistent mode on a Windows 2003 Server?  The web site
JISL speaks hypothetically, but the information is not practical.

JISL From the message at
JISL http://www.mail-archive.com/sniffer@sortmonster.com/msg00165.html it would
JISL seem that you need an external utility to run Sniffer in persistent mode,
JISL but the link to
JISL http://www.judoscript.com/goodies/RunExeSvc/runexesvc.html
JISL is no longer valid.

JISL What exact steps are needed to run in persistent mode on Windows 2003
JISL Server?

Sorry about that... the Judoscript site comes and goes lately. (Maybe
permanently gone this time).

To run in persistent mode, simply launch an instance of SNF from the
command line with the word persistent in place of the file to scan.

licenseid.exe authentication persistent

The persistent instance will be recognized by all of the other
instances (those are launched by your email server usually - one per
message).

When a persistent instance is present it will keep the rulebase loaded
in memory and the other instances will coordinate with it to get their
messages scanned. This eliminates the work of reloading the rulebase
and can help to optimize the timing of the message scans to improve
throughput.

If the persistent instance fails or is stopped for any reason then the
SNF software returns to its native peer-server mode.

There are a number of utilities out there (some free) that allow you
to run an executable as a service. RunExeSvc is the one I used. Many
have recommended FireDaemon:

http://www.firedaemon.com/

There is also a windows toolkit that will let you run programs as
services - it requires some hacking in the registry as I recall.

I can't provide specifics for these approaches at this time, but I
believe the windows toolkit method was described well in the sniffer@
list archives, and Firedaemon will have its own process that is
likely to be simpler.

Hope this helps,

_M





Re[4]: [sniffer] When to go persistent

2006-02-23 Thread Pete McNeil
On Thursday, February 23, 2006, 12:59:24 PM, Goran wrote:

GJ Pete,

 To run in persistent mode, simply launch an instance of SNF from the
 command line with the word persistent in place of the file to scan.
 
 licenseid.exe authentication persistent
 

GJ I am calling Sniffer from Declude. Could I just alter my statement in my
GJ config file to include persistent? That way the first time it is called
GJ that instance will go persistent and all the rest will end up talking to
GJ it?

No. That will not work. You need the persistent instance to run and
stay running while the other instances (called from Declude) come and
go.

GJ Regardless of how the persistent instance is started should I have the
GJ persistent keyword on the line that is called from Declude?

You should not have any instance in Declude defined with the
persistent command line option. Don't do this.

_M




Re: [sniffer] What is this file

2006-02-23 Thread Pete McNeil
On Thursday, February 23, 2006, 1:07:07 PM, Goran wrote:

GJ Pete,

GJ I have seen a couple of times that the file

GJ C:\External\Sniffer\my license-20060221071316x386D4931-2352.SVR

GJ Is open and cannot be backed up.

GJ What is this file? I assume that I do not need to be worried since the
GJ file disappears.

When in peer-server mode, if an instance comes to life and finds it is
the only instance around it will set itself up as a server just in
case another instance comes along and needs help.

When an instance of SNF is acting as a server it will announce that by
creating a .SVR file in the working directory.

In peer-server mode, a server-peer will handle a few jobs, then its
own, and then it will go away so it can return its result. While it
is active it will leave its .SVR file out to advertise to the
peer-clients that it is available to process messages.

In persistent mode, the server-peer never has a message of its own to
process and so it never goes away (almost). As a result, all
peer-clients always hand off their messages to the persistent
peer-server. Since the persistent peer-server never goes away the .SVR
file will also not go away.

These files are all generally transient. (.QUE, .FIN, .ABT, .XXX,
etc...) This causes some trouble with backup software.

It's usually best to skip backing up the sniffer working directory
except for the .exe, .snf, and any script files you have. It is
usually best to keep a current / recent copy of those files in a
separate directory that can be backed up and to otherwise treat the
SNF working directory as you would a temp directory. (skip it)

Hope this helps,

_M





Re: [sniffer] False Positive - no reaction?

2006-02-21 Thread Pete McNeil
I'm a little behind. I'm going to do false positives in the next 10
minutes. I only have 20 to do, so it should go fast. Sorry for the delay.

Thanks,

_M

On Tuesday, February 21, 2006, 9:40:07 AM, Andy wrote:

AS Hi,

AS I filed this false positive report a day ago and never heard back.

AS Just trying to see if my emails are blocked again.

AS Phone:  +1 201 934-3414 x20 (Business)
AS Fax:+1 201 934-9206 


AS -Original Message-
AS From: Andy Schmidt [mailto:[EMAIL PROTECTED] 
AS Sent: Monday, February 20, 2006 10:41 AM
AS To: '[EMAIL PROTECTED]'
AS Subject: License ID nwb655oh

AS This message was a GIF image from one individual to another. 

AS Log Entries:

AS nwb655oh20060219172434  DA9CC319600AA9394.SMD   31  360
AS Match   836625  61  2245238871
AS nwb655oh20060219172434  DA9CC319600AA9394.SMD   31  360
AS Final   836625  61  0   32767   71

AS Original Message:

 Received: from mailout08.sul.t-online.com [194.25.134.20] by 
 hm-software.com with ESMTP
  (SMTPD32-8.15) id A9CC319600AA; Sun, 19 Feb 2006 12:24:28 -0500
 Received: from fwd34.aul.t-online.de
 by mailout08.sul.t-online.com with smtp id 1FAsIN-00064u-06; Sun, 19 
 Feb 2006 18:24:27 +0100
 Received: from athome
 ([EMAIL PROTECTED]
 ])
 by fwd34.sul.t-online.de
 with smtp id 1FAsIB-0X4oka0; Sun, 19 Feb 2006 18:24:15 +0100
 Message-ID: [EMAIL PROTECTED]
 From: Bjoern Schmidt [EMAIL PROTECTED]
 To: Jochen Schug [EMAIL PROTECTED], Harald Mergard 
 [EMAIL PROTECTED]
 Subject: Hier das Bild zu meinem Service-request
 Date: Sun, 19 Feb 2006 18:24:15 +0100
 MIME-Version: 1.0
 Content-Type: multipart/mixed;
 boundary==_NextPart_000_0005_01C63581.B0813970
 X-Priority: 3
 X-MSMail-Priority: Normal
 X-Mailer: Microsoft Outlook Express 6.00.2900.2180
 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
 X-ID: GWI0CrZ-Ye-ErQseZpWkpcMBFfC4ce2pefaSy9EIpXJHQ-BFOxDqQt
 X-TOI-MSGID: bdd1884c-5835-410b-822a-2343e2bb5047

 This is a multi-part message in MIME format.

 --=_NextPart_000_0005_01C63581.B0813970
 Content-Type: multipart/alternative;
 boundary==_NextPart_001_0006_01C63581.B0813970


 --=_NextPart_001_0006_01C63581.B0813970
 Content-Type: text/plain;
 charset=iso-8859-1
 Content-Transfer-Encoding: quoted-printable


 Ciao
 Bjoern Schmidt
 [EMAIL PROTECTED]
 www.barchetta.cc  =20
 Barchetta - The Classic and Sports Car Channel  Updated News as 
 It = Happens.
 --=_NextPart_001_0006_01C63581.B0813970
 Content-Type: text/html;
 charset=iso-8859-1
 Content-Transfer-Encoding: quoted-printable

 !DOCTYPE HTML PUBLIC -//W3C//DTD HTML 4.0 Transitional//EN 
 HTMLHEAD META http-equiv=3DContent-Type content=3Dtext/html; = 
 charset=3Diso-8859-1 META content=3DMSHTML 6.00.2900.2802
 name=3DGENERATOR STYLE/STYLE /HEAD BODY bgColor=3D#ff 
 DIVnbsp;/DIV DIVFONT face=3DArial size=3D2CiaoBRBjoern 
 SchmidtBRA=20 
 href=3Dmailto:[EMAIL PROTECTED][EMAIL PROTECTED]/ABRA=20
 href=3Dhttp://www.barchetta.cc;www.barchetta.cc/Anbsp;nbsp; = 
 BRBarchetta -=20 The Classic and Sports Car Channel  Updated 
 News as It=20 Happens./FONT/DIV/BODY/HTML

 --=_NextPart_001_0006_01C63581.B0813970--

 --=_NextPart_000_0005_01C63581.B0813970
 Content-Type: image/gif;
 name=Neues Projekt erstellen.gif
 Content-Transfer-Encoding: base64
 Content-Disposition: attachment;
 filename=Neues Projekt erstellen.gif

 [base64-encoded body of the GIF attachment; garbled and truncated in the archive]




Re[2]: [sniffer] False Positive - no reaction?

2006-02-21 Thread Pete McNeil
On Tuesday, February 21, 2006, 10:16:11 AM, Andy wrote:

AS Sorry - didn't mean to be pushy. I just thought that false positives are
AS worse than missed spam, so I had assumed that they would always be at the
AS top of the queue.

It is a very tough balancing act. Don't feel bad at all - you're not
being pushy. The current goal is to respond in less than 24 hours and
if possible to review twice per day. Yesterday a number of urgent
tasks toppled that schedule. The first review happened (at around
0600) but there were no FPs at that time. I'm working to increase the
review cycle... there are just a lot of things going on right now.

Just so everyone knows, we do hear - loud and clear - that responding
to FPs is important, and we have been much better about it over the
recent past. I expect that service aspect to improve moving forward
along with other things.

AS I can wait (PS - would have calmed my nerves, if there had been some
AS automatic ticket number response that reassured me that my email was
AS received. The web site makes it sound as if there's a million reasons why a
AS false positive might not be accepted - so an automatic confirmation might be
AS a good self-service tool.

That's a good point. I'll look at that possibility when I rewrite the
false processing bot. We're getting a lot of spam lately at our false@
address and I would want to make sure that there was no outscatter.

I can tell the bot to only respond to validated senders, but then
there is the issue of email reliability in the response... what if you
don't get the response I mean. ... There are still folks that
occasionally (some frequently) send false reports from unauthorized
addresses --- those would not get a response... I'm overthinking this
now %^b

When I get to the false processing bot I will add a response
mechanism.

Thanks!

_M






Re[4]: [sniffer] False Positive - no reaction?

2006-02-21 Thread Pete McNeil
On Tuesday, February 21, 2006, 11:16:43 AM, Andy wrote:

snip/

AS The only other suggestion I have is to create a 24 hour 'queue' display on
AS the web site. All you need to show is a column of the sender domain names of
AS the email (not the entire sender email address).  If I submit a false
AS positive I can confirm that it made it into your queue by checking the web
AS page.  This way, you don't need to send automated emails.

Agreed. Thanks for the suggestion. I'll add that to the plan for
upgrading the false processing engine.

_M





Re: [sniffer] [Fwd: Diann Helms]

2006-02-15 Thread Pete McNeil
On Wednesday, February 15, 2006, 8:53:27 AM, Heimir wrote:

HE Any way to stop this spam?
HE We are getting hundreds of them.
HE I have personally gotten 23.

It's a challenging one... there is almost no data, and the geocities
link is constantly different.

I've written another abstract to cover this structure.

I'll continue to do that as new structures arise, provided I can do
so without creating false positives.

If you wish, it is possible to create a local black rule for any
geocities link. On many ISP systems this would cause false positives,
but on more private systems it may be a reasonable solution.

If you want such a black rule added to your rulebase please send a
request off-list to [EMAIL PROTECTED]

Thanks,

_M





Re[2]: [sniffer] [Fwd: Diann Helms]

2006-02-15 Thread Pete McNeil
On Wednesday, February 15, 2006, 11:02:11 AM, Bonno wrote:

BB Hi Pete,

BB []
 If you wish, it is possible to create a local black rule for any
 geocities link. On many ISP systems this would cause false positives,
 but on more private systems it may be a reasonable solution.


BB I think I could use such a black rule without getting too many FPs, but in
BB which categories would that rule then go? I score the several Sniffer
BB results differently in my Declude setup. A hit on just Sniffer 60, 61 or 63
BB would put it several points below my hold weight. An extra hit would be
BB needed to get it held.

Normally when we make custom black rules we code them to a special
rule group (generally with a group symbol 5 by convention). Since 5 is
a lower number than all other rule groups (except for white rules = 0)
any message matching a local black rule will be distinct.

Hope this helps,

_M




