[sniffer] gbx size
Hello
I have a large increase (x2) of my .gbx file. This coincides with me automatically routing high-weight FN to the sniffer POP box for your robots to pick up.
Are the 2 above issues related? If not, why the increase? If yes, can this result in FP? What are the consequences, and how long are the effects?
TIA
-Serge

# This message is sent to you because you are subscribed to the mailing list sniffer@sortmonster.com.
To unsubscribe, E-mail to: sniffer-...@sortmonster.com
To switch to the DIGEST mode, E-mail to sniffer-dig...@sortmonster.com
To switch to the INDEX mode, E-mail to sniffer-in...@sortmonster.com
Send administrative queries to sniffer-requ...@sortmonster.com
[sniffer] Re: gbx size
Also, do you keep stats of the messages collected by your robots? And do you know what they resulted in?

----- Original Message -----
From: Serge se...@cefib.com
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Tuesday, June 16, 2009 5:16 PM
Subject: [sniffer] gbx size

Hello
I have a large increase (x2) of my .gbx file. This coincides with me automatically routing high-weight FN to the sniffer POP box for your robots to pick up.
Are the 2 above issues related? If not, why the increase? If yes, can this result in FP? What are the consequences, and how long are the effects?
TIA
-Serge
[sniffer] Re: gbx size
Thanks for the explanation. We moved to new HW and are still fine tuning, so we do reboot more than once a day.
What does condensing do? Something like compressing the file? Or deleting IPs? If the latter, on what criteria?

----- Original Message -----
From: Pete McNeil madscient...@armresearch.com
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Tuesday, June 16, 2009 5:55 PM
Subject: [sniffer] Re: gbx size

Serge wrote:
> Hello
> I have a large increase (x2) of my .gbx file. This coincides with me automatically routing high-weight FN to the sniffer POP box for your robots to pick up.
> Are the 2 above issues related?

That is very unlikely.

I see a few things in your telemetry. You are currently seeing a large number of new IPs. SNF does not appear to remain alive for a full day at a time, so it never condenses your GBUdb data. That in itself is not a problem as long as you have room in RAM for the data.

If you want GBUdb to condense once a day as designed, either allow SNFServer to stay running continuously or set your GBUdb condensation time trigger to a shorter interval than 1 day -- perhaps 10-30 minutes shorter, presuming you reboot once per day or something like that. Alternatively you could activate the size trigger and set it near the current size -- or a size you prefer if the 150M default is not appropriate for your system. (You need about twice that much when condensation takes place because a second copy of GBUdb is used to perform the operation and prevent interference with active scans.)

Your current GBUdb data size is 83.8 Mbytes:

  <timers>
    <run started='20090616010038' elapsed='60089'/>
    <sync latest='20090616174127' elapsed='40'/>
    <save latest='20090616170414' elapsed='2273'/>
    <condense latest='1970010100' elapsed='1245174127'/>
  </timers>
  <gbudb>
    <size bytes='83886080'/>
    <records count='335281'/>
    <utilization percent='93.2544'/>
  </gbudb>

> If not, why the increase?

Most likely you have begun receiving a lot of messages from a new botnet and the new IPs are being added to your GBUdb data. GBUdb will grow as needed within the limits set on your system. The default is about 150 Mbytes.

> If yes, can this result in FP?

Again, the two issues are not related. Also, GBUdb growth cannot cause false positives.

> What are the consequences, and how long are the effects?

GBUdb size will grow until it is condensed. Since your system does not allow SNFServer to run continuously, GBUdb will condense when it reaches its maximum allowed size. You can adjust this if you wish. When GBUdb does condense the size may drop temporarily, but the size will remain roughly stable. If GBUdb were to condense daily as designed then the size might change more frequently and would be related to the number of IPs that are actively communicating with your system over time.

Hope this helps,
_M
[sniffer] Re: Daylight Savings Time Update Problem.
Hello Pete,
We use our own wget batch file, rather long and complicated, which does all the following (and more):
- uses gzip
- only downloads if the server file is newer
- uses a lock file
- tests if the lock is too old (60') and eventually deletes it (in case of a reboot before deleting the lock, for example)
- retries the download if the .gz file is corrupted or if it didn't test good by snf2check
- emails a detailed result

Not sure how long it will take us to move to CURL.
Our server is in the GMT time zone with NO daylight saving. So the issue has to be a bug in Sniffer, not, as you say, a bug in the getRulebase batch file.
Can we expect a quick fix/patch?
TIA
Serge

----- Original Message -----
From: Pete McNeil madscient...@armresearch.com
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Monday, March 09, 2009 1:44 PM
Subject: [sniffer] Daylight Savings Time Update Problem.

Hello Sniffer Folks,

IMPORTANT!

We have discovered a problem with the rulebase update mechanism that is currently installed on most systems; and this problem combined with daylight savings time is causing trouble with rulebase updates.

There has long been a bug in the getRulebase script using wget which causes the rulebase file that is downloaded to have the local system's timestamp. Under normal circumstances this does not cause a problem because most system clocks are synchronized and the local timestamp is generally newer than the timestamp of the rulebase file on our servers.

HOWEVER, with daylight savings time starting this past Sunday there is a problem: The local timestamp for the rulebase file is almost always older than the timestamp shown on our servers. As a result the update mechanism continues to go back to get a new rulebase file over, and over, and over again.

We have a newer update script that uses CURL and we are testing this newer script to see if it will solve this problem even when the local server's daylight savings time starts later than our server. (The start date of daylight savings time has changed recently.)

We are hopeful that the new script and the use of CURL will solve the update problem by fixing the timestamp bug. We will let you know shortly about the results of our testing.

In any case, there are clearly a large number of servers that are not yet on daylight savings time and that in itself is likely to cause some problems.

We will post again shortly,

Best,
_M
[sniffer] Errorlevel issue
Dear all,
I have a problem with the branching in the batch below. Even when the test fails and echo %errorlevel% shows 1, the branching still goes to gziperr0.
Does anyone know why and how to fix it?

  echo %time%
  echo testing .gz
  gzip -d -f -t myfile.snf.gz
  echo %errorlevel%
  if errorlevel 0 goto gziperr0
  if errorlevel 1 goto gziperr1
[sniffer] Re: It's official. SNF Version 3.0 is Ready!
Hi Pete,
Just upgraded from 2.9 to 3.0.
1- Please check if all is OK from your side.
2- I currently upgrade my rules on email alerts. My understanding is that the server can detect new rules and launch a batch file. Please confirm and give a link to detailed instructions. Can I use the same batch file I am using now?
TIA
Serge Dergham
[sniffer] Re: It's official. SNF Version 3.0 is Ready!
Hi
In our case (satellite connection) we have a lot of cases where snf2check fails, so our current batch keeps retrying the download every 10 minutes until snf2check succeeds (that is done by creating a file error.txt).
If I use getRulebase.cmd, what happens if snf2check fails? Or if wget does not complete? Or other problems? ...
My current wget is optimized as follows:

  wget -N http://www.sortmonster.net/Sniffer/Updates/zydt3crn.snf --tries=10 --wait=5 --random-wait -o %DD%result.txt --header=Accept-Encoding:gzip --http-user=sniffer --http-passwd=

----- Original Message -----
From: Pete McNeil
To: Message Sniffer Community
Sent: Sunday, July 06, 2008 6:22 PM
Subject: [sniffer] Re: It's official. SNF Version 3.0 is Ready!

Hello Serge,

Sunday, July 6, 2008, 1:46:00 PM, you wrote:

> Hi Pete
> Just upgraded from 2.9 to 3.0.
> 1- Please check if all is OK from your side.

Looks ok from here. Good telemetry showing version 3. High capture rates:

> 2- I currently upgrade my rules on email alerts. My understanding is that the server can detect new rules and launch a batch file. Please confirm and give a link to detailed instructions. Can I use the same batch file I am using now?

In theory you could use the same batch file, however it is probably better to use/adapt the getRulebase.cmd script.

At present your rulebase is not out of date:

  <update ready='no' utc='20080706172248'/>

You can find some detailed instructions about setting up getRulebase.cmd here, starting with step 6. The process is largely the same for all Win* platforms:
http://www.armresearch.com/support/articles/installation/decludeImail.jsp

Best,
_M
--
Pete McNeil
Chief Scientist, Arm Research Labs, LLC.

  SETLOCAL
  SET DDdrv=E:
  SET DDdir=\sniffer\scripts\
  SET DD=%DDdrv%%DDdir%
  rem Set the full path to your IMail directory.
  SET IMailDir=E:\imail
  rem Set the full path to your Sniffer directory.
  set snifferdir=E:\sniffer\
  set sniffersrv=E:\snfsrv\rulebase\
  rem Set the e-mail address you would like script results sent to.
  SET [EMAIL PROTECTED]
  rem Set e-mail from domain for your script results.
  SET FromDom=Cefib.net

  :CheckDirectories
  if not exist %DD% goto end
  %DDdrv%
  cd %DD%
  rem Everything logged to mail.txt is e-mailed at the end of the run.
  echo %date% >> %DD%mail.txt
  echo %time% >> %DD%mail.txt
  echo ** >> %DD%mail.txt
  echo param %1 >> %DD%mail.txt
  echo ** >> %DD%mail.txt
  rem error.txt is left behind when the previous run failed snf2check.
  if exist %DD%error.txt goto errorexist
  echo - >> %DD%mail.txt
  echo %DD%error.txt not found >> %DD%mail.txt
  echo Proceeding with .gz test >> %DD%mail.txt
  echo - >> %DD%mail.txt
  goto testgz

  :errorexist
  echo - >> %DD%mail.txt
  echo found %DD%error.txt >> %DD%mail.txt
  echo Previous download failed, deleting all files >> %DD%mail.txt
  del %DD%error.txt >> %DD%mail.txt
  if exist %DD%zydt3crn.snf.gz del %DD%zydt3crn.snf.gz >> %DD%mail.txt
  if exist %DD%zydt3crn.snf del %DD%zydt3crn.snf >> %DD%mail.txt
  echo %DD%error.txt deleted >> %DD%mail.txt
  echo Proceeding with download >> %DD%mail.txt
  echo - >> %DD%mail.txt
  goto download

  :testgz
  if exist %DD%zydt3crn.snf.gz goto gzexist
  echo - >> %DD%mail.txt
  echo %DD%zydt3crn.snf.gz not found >> %DD%mail.txt
  echo Proceeding with file download >> %DD%mail.txt
  echo - >> %DD%mail.txt
  goto download

  :gzexist
  echo - >> %DD%mail.txt
  echo found %DD%zydt3crn.snf.gz >> %DD%mail.txt
  del %DD%zydt3crn.snf.gz >> %DD%mail.txt
  echo %DD%zydt3crn.snf.gz deleted >> %DD%mail.txt
  echo Proceeding with file download >> %DD%mail.txt
  echo - >> %DD%mail.txt
  goto download

  :download
  rem -N only fetches when the server copy is newer; wget's own log goes to result.txt.
  %DD%wget -N http://www.sortmonster.net/Sniffer/Updates/zydt3crn.snf --tries=10 --wait=5 --random-wait -o %DD%result.txt --header=Accept-Encoding:gzip --http-user=sniffer --http-passwd=
  if errorlevel 1 goto wgeterr1
  if not exist zydt3crn.snf goto nosnf
  fgrep "Server file no newer than local file" %DD%result.txt
  if not errorlevel 1 goto nonewff

  :step2
  fgrep "`zydt3crn.snf' saved" %DD%result.txt
  if not errorlevel 1 goto newff
  echo cas wget non prevu >> %DD%mail.txt
  goto END

  :newff
  echo %time% >> %DD%mail.txt
  echo Renaming and testing >> %DD%mail.txt
  rem The server sends the rulebase gzip-compressed; test it before unpacking.
  rename zydt3crn.snf zydt3crn.snf.gz
  gzip -d -f -t zydt3crn.snf.gz
  rem "if errorlevel N" is true for any exit code >= N, so test the failure
  rem code first: "if errorlevel 0" is always true and would swallow errors.
  if errorlevel 1 goto gziperr1
  goto gziperr0

  :gziperr0
  Echo gzip OK errorlevel 0 >> %DD%mail.txt
  gzip -d -f zydt3crn.snf.gz
  GOTO New

  :gziperr1
  Echo gzip errorlevel 1 >> %DD%mail.txt
  Echo gzip .gz file did not test OK >> %DD%mail.txt
  GOTO END

  :New
  ECHO New Rule File Found
  rem (the script continues; the labels :wgeterr1, :nosnf, :nonewff and :END are not in the posted excerpt)
[sniffer] Server didnt restart
Hello
My server rebooted last night. Sniffer server did not restart correctly. I fixed that, but I have 40K+ messages in the imail/spool/proc, most inbound and not yet locally delivered.
Will they be reprocessed automatically? Or is there something else I need to do? How long will it take? (dual xeon 1.266 GHz)
TIA
[sniffer] Re: Server didnt restart
Oh, forgot.
Most of the processor time was used by declude proc.
Also, since I go through 2 satellite connections, DNS queries usually take much longer than for you guys.
Would probably be calling on Darrell next week for help optimizing my declude tests/filters.

----- Original Message -----
From: Serge [EMAIL PROTECTED]
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Wednesday, November 21, 2007 1:57 AM
Subject: Re: [sniffer] Server didnt restart

Thank you all for your input.
It took about 9+ hours to process the backlog. Server was processing about 125 msg/minute, with an average of about 75 from the backlog and 50 new per minute.
Pete mentioned AVAFTERJM; currently I don't use this command, so I suppose it is set to the Declude default (on?). Should I change this?
Regards
Serge

----- Original Message -----
From: Darrell ([EMAIL PROTECTED]) [EMAIL PROTECTED]
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Tuesday, November 20, 2007 4:32 PM
Subject: [sniffer] Re: Server didnt restart

Serge,

If you wanted to feed those backlogged messages into the proc folder on a scheduled interval you may want to use one of our utilities (MoveFiles). It's free. The benefit is that new mail coming in will not be delayed and you can feed those messages back into the proc folder as your server can process them and keep up with new mail.

Darrell
--
Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

Paul Rogers wrote:

They will get processed, it's just a matter of how long it will take. I think the answer will depend on how many messages per hour your server normally processes. You didn't specify how long your server was offline so we can only guess how long it took to accumulate 40k messages (and thus a per hour inbound rate).

At max capacity I see my main server process (through sniffer/latest beta) about 800-1000 messages per minute (60k/hour)... that would be on a quad xeon (on SATA drives). So at that rate (assuming no other incoming email which can slow the overall process down) maybe an hour. But since the server also has normal incoming emails to deal with as well, it may take 90-120 mins to completely clear a queue that size.

Keep an eye on your proc folder q file count:

  dir q*.* /w

Paul

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Serge
Sent: Tuesday, November 20, 2007 8:02 AM
To: Message Sniffer Community
Subject: [sniffer] Server didnt restart

Hello
My server rebooted last night. Sniffer server did not restart correctly. I fixed that, but I have 40K+ messages in the imail/spool/proc, most inbound and not yet locally delivered.
Will they be reprocessed automatically? Or is there something else I need to do? How long will it take? (dual xeon 1.266 GHz)
TIA
[sniffer] Re: Was: Database Compiler Upgrades Now: When will the new version be out of beta?
Hello Pete,
Since installing the Beta, I'm having many smtp32 errors. A window pops up with the following message:

  smtp32.exe application error
  Application could not initialize correctly 0xc142

Can't it be related?
Regards

----- Original Message -----
From: Pete McNeil [EMAIL PROTECTED]
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Friday, November 16, 2007 12:48 AM
Subject: [sniffer] Re: Was: Database Compiler Upgrades Now: When will the new version be out of beta?

Hello Robert,

> Sorry, I wasn't really specific enough. Actually interested in the estimated date for Sniffer itself. For most of the year, we enjoy being modestly early adopters. During the holiday quarter, we're late adopters.

Ah - you hijacked the thread. I thought something like that was going on. Please don't do that ;-)

The projected Production Certification Date for the new SNF engine is a moving target as we collect features and bugs (if any). Currently it looks like 5 - 7 weeks is a good estimate.

The current beta is in production on many systems with no current bugs*. All of the items on the to-do list look much more like features:

- Automatic trailing / for paths
- Drilldown Header Directive
- Log Rotate On Local Time Option
- SNF BIG_ENDIAN*

(* Ok, this might be considered a bug if you plan to run SNF on hardware like a G5 Mac.)

The biggest thing holding back the beta is documentation -- that takes time, and we are working on it.

Hope this helps,
_M
--
Pete McNeil
Chief Scientist, Arm Research Labs, LLC.
[sniffer] Sniffer codes
Hi
I have many messages failing Sniffer (0) but not any of the others, meaning I'm missing some codes.
Suggestions?
TIA

  SNIFFER          external nonzero E:\snfsrv\snfClient.exe 0  0
  SNIFWHTLST       external 000     E:\snfsrv\snfClient.exe 0  0
  SNIFFER-TRAVEL   external 047     E:\snfsrv\snfClient.exe 12 0
  SNIFFER-INSUR    external 048     E:\snfsrv\snfClient.exe 15 0
  SNIFFER-AVPUSH   external 049     E:\snfsrv\snfClient.exe 12 0
  SNIFFER-WAREZ    external 050     E:\snfsrv\snfClient.exe 15 0
  SNIFFER-SPMWRE   external 051     E:\snfsrv\snfClient.exe 15 0
  SNIFFER-SNAKEO   external 052     E:\snfsrv\snfClient.exe 15 0
  SNIFFER-SCAMS    external 053     E:\snfsrv\snfClient.exe 15 0
  SNIFFER-PORN     external 054     E:\snfsrv\snfClient.exe 17 0
  SNIFFER-MALWARE  external 055     E:\snfsrv\snfClient.exe 17 0
  SNIFFER-Toner    external 056     E:\snfsrv\snfClient.exe 15 0
  SNIFFER-SCHEMES  external 057     E:\snfsrv\snfClient.exe 15 0
  SNIFFER-CREDIT   external 058     E:\snfsrv\snfClient.exe 15 0
  SNIFFER-GAMBL    external 059     E:\snfsrv\snfClient.exe 15 0
  SNIFFER-GREYM    external 060     E:\snfsrv\snfClient.exe 14 0
  SNIFFER-OBFUS    external 061     E:\snfsrv\snfClient.exe 17 0
  SNIFFER-SPAM     external 062     E:\snfsrv\snfClient.exe 12 0
  SNIFFER-GENERAL  external 063     E:\snfsrv\snfClient.exe 17 0
[sniffer] Re: SNF V2-9b1.5 Released - Please Upgrade
Pete,
I need to be able to put large files (rulebase, logs, ...) in a different directory branch than static files (config, exe, ...) to facilitate backup. So logs and rulebase are OK, but how can I move the .gbx file out?
Regards

----- Original Message -----
From: Pete McNeil
To: Message Sniffer Community
Sent: Wednesday, November 07, 2007 3:32 AM
Subject: [sniffer] Re: SNF V2-9b1.5 Released - Please Upgrade

Hello Serge,

Tuesday, November 6, 2007, 9:56:26 PM, you wrote:

> Hello
> What files need to go in the workplace directory?
> TIA

Normally, all of the distribution files plus your rulebase (.snf) file. Also, it is common to have your update script and utilities in the workspace or a sub directory from there.

It is possible with the new version to put some of these files in different locations - but that is more complex. You can see the directory options in the top few lines of the snf_engine.xml file where you can set paths for logs, rulebase files, workspace, and identity. Be sure to include the full path (on winx boxes this includes the drive letter).

One common option when setting up the new beta on a system that already has the old version running is to configure the snf_engine.xml so that the rulebase file is located in the old SNF workspace. This way it is easy to switch back if desired, and existing update mechanisms can remain unchanged until you are ready to make a permanent switch.

Hope this helps,
_M
--
Pete McNeil
Chief Scientist, Arm Research Labs, LLC.
[sniffer] Re: SNF V2-9b1.5 Released - Please Upgrade
Hello
What files need to go in the workplace directory?
TIA

----- Original Message -----
From: Pete McNeil
To: Message Sniffer Community
Sent: Saturday, November 03, 2007 9:07 PM
Subject: [sniffer] Re: SNF V2-9b1.5 Released - Please Upgrade

Hello Serge,

Saturday, November 3, 2007, 4:04:32 PM, you wrote:

> Pete,
> Now that I'm sure it is running, I will configure Declude in the next few minutes.
> Long session times are normal in our case as we have to go through 2 satellite connections. Would that be a problem?

It is possible that some sessions will fail from time to time when congestion is high, but it should not be a problem overall. The system is designed to survive outages without causing trouble.

_M
--
Pete McNeil
Chief Scientist, Arm Research Labs, LLC.
[sniffer] Re: SNF V2-9b1.5 Released - Please Upgrade
I did not include the path to snf_engine.xml in the registry config of the service. Now it is OK.
Using Explorer I get:

  The XML page cannot be displayed
  Cannot view XML input using XSL style sheet. Please correct the error and then click the Refresh button, or try again later.
  Only one top level element is allowed in an XML document. Error processing resource 'file:///E:/snfsrv/Logs/zydt3crn.status...
  <stats nodeid='zydt3crn' basetime='20071103132451' elapsed='61891' class='minute'>
  -^

What am I doing wrong?
Also, how to I check if is os correctly connecting to your servers?
Thanks

----- Original Message -----
From: Pete McNeil
To: Message Sniffer Community
Sent: Saturday, November 03, 2007 12:16 PM
Subject: [sniffer] Re: SNF V2-9b1.5 Released - Please Upgrade

Hello Serge,

Friday, November 2, 2007, 11:46:59 PM, you wrote:

> Hello Pete,
> I finished configuring and installing the new server as a service. How do I test it and check it is running correctly?
> Running from the command prompt seems OK and creates logs, but starting the service does not create logs.

The most common cause of this condition is a typo in the service setup and/or not using the full path to the SNFServer.exe and the snf_engine.xml file. The service utility usually runs from a different location so it is important to use the full path to launch SNFServer - otherwise it may fail to launch at all, or if it does launch it may not find its configuration file and working directories.

The next thing to check would be permissions. Be sure that the user running SNFServer has full access to its working directories and to the location of the message files it will scan.

When SNF is running correctly it will create status logs in its working directory. The second status log file will change about once per second.

Hope this helps,
_M
--
Pete McNeil
Chief Scientist, Arm Research Labs, LLC.
[sniffer] Re: SNF V2-9b1.5 Released - Please Upgrade
Oops, sorry, keyboard pb. I meant:
Also, how do I check if it is correctly connecting to your servers?

----- Original Message -----
From: Serge
To: Message Sniffer Community
Sent: Saturday, November 03, 2007 1:34 PM
Subject: Re: [sniffer] Re: SNF V2-9b1.5 Released - Please Upgrade

I did not include the path to snf_engine.xml in the registry config of the service. Now it is OK.
Using Explorer I get:

  The XML page cannot be displayed
  Cannot view XML input using XSL style sheet. Please correct the error and then click the Refresh button, or try again later.
  Only one top level element is allowed in an XML document. Error processing resource 'file:///E:/snfsrv/Logs/zydt3crn.status...
  <stats nodeid='zydt3crn' basetime='20071103132451' elapsed='61891' class='minute'>
  -^

What am I doing wrong?
Also, how to I check if is os correctly connecting to your servers?
Thanks

----- Original Message -----
From: Pete McNeil
To: Message Sniffer Community
Sent: Saturday, November 03, 2007 12:16 PM
Subject: [sniffer] Re: SNF V2-9b1.5 Released - Please Upgrade

Hello Serge,

Friday, November 2, 2007, 11:46:59 PM, you wrote:

> Hello Pete,
> I finished configuring and installing the new server as a service. How do I test it and check it is running correctly?
> Running from the command prompt seems OK and creates logs, but starting the service does not create logs.

The most common cause of this condition is a typo in the service setup and/or not using the full path to the SNFServer.exe and the snf_engine.xml file. The service utility usually runs from a different location so it is important to use the full path to launch SNFServer - otherwise it may fail to launch at all, or if it does launch it may not find its configuration file and working directories.

The next thing to check would be permissions. Be sure that the user running SNFServer has full access to its working directories and to the location of the message files it will scan.

When SNF is running correctly it will create status logs in its working directory. The second status log file will change about once per second.

Hope this helps,
_M
--
Pete McNeil
Chief Scientist, Arm Research Labs, LLC.
[sniffer] Re: SNF V2-9b1.5 Released - Please Upgrade
pete
Now that I'm sure it is running, I will configure Declude in the next few minutes. Long session times are normal in our case as we have to go through 2 satellite connections; would that be a problem?
Regards

- Original Message -
From: Pete McNeil
To: Message Sniffer Community
Sent: Saturday, November 03, 2007 6:06 PM
Subject: [sniffer] Re: SNF V2-9b1.5 Released - Please Upgrade

Hello Serge,

Saturday, November 3, 2007, 9:34:46 AM, you wrote:

> I did not include the path to snf_engine.xml in the registry config of the service. Now it is ok. Using explorer I get:
>
>   The XML page cannot be displayed
>   Cannot view XML input using XSL style sheet. Please correct the error and then click the Refresh button, or try again later.
>   Only one top level element is allowed in an XML document. Error processing resource 'file:///E:/snfsrv/Logs/zydt3crn.status...
>   stats nodeid='zydt3crn' basetime='20071103132451' elapsed='61891' class='minute'
>   -^
>
> What am I doing wrong?

If you are appending your status logs you may need to open them in a text editor. Normally the second.status log is not appended and you can load and refresh it in a browser -- it will complain about not having a style sheet, but it will display the data.

> Also, how do I check if it is correctly connecting to your servers?

In your status report there is an element that reports the latest SYNC event time. It should be within the last minute or so consistently if you are connecting properly.

I am showing telemetry from your system. It does not show any email traffic. The latest session took more than a second to complete -- this is quite long, usually sessions are done in 50-200ms.

Based on what I see here it seems:
- You have SNFServer running.
- SNFServer is not scanning messages.
- The network connection between your server and our SYNC server is slow.

Hope this helps,
_M
--
Pete McNeil
Chief Scientist, Arm Research Labs, LLC.

# This message is sent to you because you are subscribed to the mailing list sniffer@sortmonster.com.
To unsubscribe, E-mail to: [EMAIL PROTECTED] To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED] To switch to the INDEX mode, E-mail to [EMAIL PROTECTED] Send administrative queries to [EMAIL PROTECTED]
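The browser error above ("Only one top level element is allowed") is what you get when several status reports have been appended to one file: each report is its own XML root, so a strict parser refuses the file. The following is an added example, not SNF code, of how a monitoring script can read such an appended log anyway and check the two things Pete points at (is the SYNC time recent, and are messages being scanned). The outer `stats` element and its attributes are copied from the fragment quoted in the thread; the `sync` and `scan` child elements are hypothetical stand-ins for whatever elements the real status report uses, so adjust the names after looking at your own log. The sample log is constructed.

```python
"""Read an appended SNF status log and report SYNC freshness.

Added example (not SNF's own code). The <stats ...> element is taken from
the fragment quoted on the list; <sync latest='...'/> and <scan messages='...'/>
are ASSUMED child element names, not the real ones - check your status file.
"""
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample: three appended reports. A browser rejects this file
# because it has three top-level elements instead of one.
SAMPLE_LOG = """<stats nodeid='zydt3crn' basetime='20071103132451' elapsed='61891' class='minute'>
  <sync latest='20071103132410'/>
  <scan messages='0'/>
</stats>
<stats nodeid='zydt3crn' basetime='20071103132551' elapsed='60012' class='minute'>
  <sync latest='20071103132510'/>
  <scan messages='0'/>
</stats>
<stats nodeid='zydt3crn' basetime='20071103132651' elapsed='60211' class='minute'>
  <sync latest='20071103132610'/>
  <scan messages='12'/>
</stats>
"""

TS_FMT = "%Y%m%d%H%M%S"   # timestamp layout used by the basetime attribute


def parse_appended_log(text):
    """Wrap the concatenated reports in a synthetic root so a strict XML
    parser accepts them; return the <stats> elements in file order."""
    root = ET.fromstring("<log>" + text + "</log>")
    return root.findall("stats")


def latest_report(text):
    """Pick the report with the newest basetime (they sort lexically)."""
    reports = parse_appended_log(text)
    if not reports:
        raise ValueError("no <stats> elements found")
    return max(reports, key=lambda e: e.get("basetime"))


def sync_age_seconds(report):
    """Seconds between the report's basetime and its latest SYNC event,
    or None when the report carries no sync element at all."""
    sync = report.find("sync")
    if sync is None:
        return None
    base = datetime.strptime(report.get("basetime"), TS_FMT)
    latest = datetime.strptime(sync.get("latest"), TS_FMT)
    return int((base - latest).total_seconds())


def check_status(text, max_age=120):
    """Summarise the newest report: SYNC freshness (Pete's 'within the last
    minute or so', here a configurable limit), scan count and elapsed ms."""
    rep = latest_report(text)
    age = sync_age_seconds(rep)
    scan = rep.find("scan")
    return {
        "nodeid": rep.get("nodeid"),
        "sync_age": age,
        "sync_ok": age is not None and age <= max_age,
        "messages": int(scan.get("messages")) if scan is not None else 0,
        "elapsed_ms": int(rep.get("elapsed")),
    }


if __name__ == "__main__":
    print(check_status(SAMPLE_LOG))
```

Run it against your own file with `check_status(open(path).read())`; a `sync_ok` of False, or a `messages` count that stays at zero while mail is flowing, is the "running but not scanning / not syncing" state Pete describes.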
[sniffer] Sniffer White List
We started using tests for the different Sniffer categories recently and are finding that snifferwhitelist is very inaccurate; it is subtracting weight from more real spam than it does from non-spam messages. Should we just drop it? What are you guys doing about this? TIA
[sniffer] Re: Sniffer White List
I'm using 000, isn't that right? Not sure how we can check logs when we call Sniffer from Declude.
Pete, why keep the confusion? Why not have a different code than 0 or 000? Something like -1, or 100.

- Original Message -
From: Colbeck, Andrew [EMAIL PROTECTED]
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Tuesday, December 12, 2006 7:49 PM
Subject: [sniffer] Re: Sniffer White List

Serge, what return value are you using for this snifferwhitelist?

The official and current list of return codes is here:
http://kb.armresearch.com/index.php?title=Message_Sniffer.TechnicalDetails.ResultCodes

If you're using 0, then don't do that, because zero is also used for no result. According to this page, it would only be useful if you were checking the log file and also see WHITE in the row.

Andrew 8)

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED]] On Behalf Of Serge
Sent: Tuesday, December 12, 2006 11:22 AM
To: Message Sniffer Community
Subject: [sniffer] Sniffer White List

> We started using tests for the different Sniffer categories recently and are finding that snifferwhitelist is very inaccurate; it is subtracting weight from more real spam than it does from non-spam messages. Should we just drop it? What are you guys doing about this? TIA
[sniffer] Re: Sniffer White List
Posted this before getting Pete's post, please disregard.

- Original Message -
From: Serge [EMAIL PROTECTED]
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Tuesday, December 12, 2006 8:11 PM
Subject: [sniffer] Re: Sniffer White List

[quoted text of the previous message in this thread omitted]
[sniffer] Re: Uploading problems
Pete, is it ok to submit spam where the header and subject were modified by Declude?
[sniffer] Re: Uploading problems
Hi Pete, all
After "200 PORT command successful. Consider using PASV." I am getting "425 connection failed". Is this another FW issue? Would you please share the batch script you use with wput to upload logs in PASV mode? TIA

- Original Message -
From: Pete McNeil [EMAIL PROTECTED]
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Friday, December 08, 2006 3:22 AM
Subject: [sniffer] Re: Uploading problems

Hello K,

Thursday, December 7, 2006, 9:32:27 PM, you wrote:

<snip/>

> Since my FTP program hasn't seemed to be able to get log files uploaded, I tried uploading via the command prompt on my mail server...
>
>   ftp> open ftp.sortmonster.net
>   Connected to www.sortmonster.net.
>   220 Hello.
>   User (www.sortmonster.net:(none)):
>   331 Please specify the password.
>   230 Login successful.
>   ftp> bin
>   200 Switching to Binary mode.
>   ftp> hash
>   Hash mark printing On ftp: (2048 bytes/hash mark) .
>   ftp> send mylogfile061203.log
>   200 PORT command successful. Consider using PASV.
>   150 Ok to send data.
>
> At this point it just hangs, no transfer occurring. In the event that it might be transferring but not displaying the hash marks, I left it sit for over 30 minutes (10mb logfile)... nothing. I'm not sure what else to try.

What you've described usually goes along with a firewall problem. Firewalls and FTP are always a challenge. What seems to be happening is that the command channel is working fine, but when it's time to set up the data channel that fails - and so you don't get any data.

You might try using PASV mode so you don't have to open up your firewall too much. I think that SFTP also works on this box though I've not tried it personally.

We have approximately 130 systems uploading log files, so I'm sure the server side is working ok.

_M
--
Pete McNeil
Chief Scientist, Arm Research Labs, LLC.
Re: [sniffer] Rash of false positives
I thought declude.cfg is for V 3.x. Am I wrong? Is declude.cfg used with V 2.x?

- Original Message -
From: John Moore
To: sniffer@SortMonster.com
Sent: Wednesday, November 09, 2005 11:12 PM
Subject: RE: [sniffer] Rash of false positives

Matt,
Thank you for your help and thorough explanation. I added the declude.cfg with the PROCESSES 20. We are running Declude 2.06 and have the JM pro and AV standard. We will look into getting the persistent mode setup and see if that helps as well.
Thanks, again.
John

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Wednesday, November 09, 2005 4:49 PM
To: sniffer@SortMonster.com
Subject: Re: [sniffer] Rash of false positives

John,
The mystery heap issue is a memory issue with Windows where it only reserves so much memory for running things like Declude, Sniffer, other external tests and your virus scanners. If you have something that is hanging, running slowly, or taking too long, it can gobble up all of the memory available to these launched processes and then result in errors. Generally speaking, you can only get about 40 or so processes of these types to run at one time before you could start seeing these errors. Declude counts as one process, and often there is one other process that Declude launches that goes to this count (external tests and virus scanners are all run in serial so only one can be launched at a time by a single Declude process). If you have something like a virus scanner that crashes and then pops up a window on your next login, this can count towards the number of open processes.

You can specify in Declude how many processes to run before Declude starts dumping things into an overflow, either the overflow folder in 2.x and before, or something under proc in 3.x. If you create a file called Declude.cfg and place in it "PROCESSES 20" that should protect you from hitting the mystery heap's limitations unless something is crashing and hanging. You might want to check Task Manager for processes to verify if things are hanging since not everything will pop up a window.

I believe that running Sniffer in persistent mode will help to alleviate this condition, but it's only one part and if the mystery heap is the cause, it might just cause the errors to be triggered on other IMail launched processes including Declude.exe and your virus scanners.

Matt

John Moore wrote:
> We have not run snf2check on the updates. And it may be a coincidence or bad timing that Sniffer appears to be the culprit. But we have stopped Sniffer (commented out in the Declude global.cfg) for an observed period of time and the mail never stops (and had never stopped before Sniffer) and conversely, it only stops when Sniffer is running. We have not gone the extra steps of putting Sniffer in persistent mode. We are looking at moving the IMail/Declude/Sniffer setup to a newer box with more resources. Currently on a Dell 2450 dual 833 and 1 gig of RAM and RAID 5. Volume of email is less than 10,000 emails per day.
> J

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darin Cox
Sent: Wednesday, November 09, 2005 1:47 PM
To: sniffer@SortMonster.com
Subject: Re: Re[4]: [sniffer] Rash of false positives

Are corrupted rulebase files the culprit? How do you update... and do you run snf2check on the updates? Just wondering if the rulebase file is the problem, if the problem occurs during the update, or if you are running into obscure errors with the EXE itself.
Darin.

- Original Message -
From: John Moore
To: sniffer@SortMonster.com
Sent: Wednesday, November 09, 2005 12:42 PM
Subject: RE: Re[4]: [sniffer] Rash of false positives

We had this same thing happen. It has been happening more frequently recently and we are looking into disabling Sniffer as it seems to be the culprit each time.
John Moore
305 Spin

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Richard Farris
Sent: Wednesday, November 09, 2005 11:38 AM
To: sniffer@SortMonster.com
Subject: Re: Re[4]: [sniffer] Rash of false positives

This morning my server quit sending mail and my tech said the Dr. Watson error on the server was my Sniffer file... I rebooted and thought it was OK but it quit again.. I had a lot of mail backlogged... so I updated a new rulebase but it did not seem to help. I reinstalled IMail and things seem OK but slow since there is such a backlog of mail. If things don't get back to normal I will be back..
Richard Farris
Ethixs Online
1.270.247. Office
1.800.548.3877 Tech Support
"Crossroads to a Cleaner Internet"
Re: [sniffer] Spam keeps getting through...
Just to make sure, can we now send several spams as attachments in one email, and what address should we use? I have 3 that got through to my own mailbox in less than 3 hours; they did not even get tagged, only failed SORBS and SORBS_DUL.

- Original Message -
From: Pete McNeil [EMAIL PROTECTED]
To: Chuck Schick sniffer@SortMonster.com
Sent: Monday, October 10, 2005 11:08 PM
Subject: Re: [sniffer] Spam keeps getting through...

On Monday, October 10, 2005, 5:44:21 PM, Chuck wrote:

> Sniffer is not catching a wave of spam (drug offers). This has been going on for over a week and I have been forwarding examples. Is there anything that can be done?

Short additional follow up...

Attached please find a graph of the trap arrival rates showing the current state of the front-end filters on our spamtraps...

According to this instrumentation and my recent observations of our trap processing queues we have a good rule-set for the druglist campaign at the moment. That rulebase may not be completely deployed to everyone yet, but it is constantly being pushed out.

The peaks on this graph today strongly coincide with bursts of new variants of the druglist campaign. If you look closely you can just spot an up-tic on the end indicating a new variant beginning, though we have already coded for its basics. The big spikes at approximately 20, 10, and 8 hours ago represent the most recent bursts with new variants... so we're about due for another round with them that some of you may already be seeing.

Hope this helps,
_M

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
[sniffer] Dead List ?
I have not received any message from this list since 9/23. Is this list slow, or is there a problem on the SortMonster side? Or maybe my side?
Re: [sniffer] OT test settings
ty jay

- Original Message -
From: Jay Sudowski - Handy Networks LLC [EMAIL PROTECTED]
To: sniffer@SortMonster.com
Sent: Monday, September 12, 2005 3:22 AM
Subject: RE: [sniffer] OT test settings

  DSBL          ip4r  list.dsbl.org     *          15  0
  MXRATE-BLACK  ip4r  pub.mxrate.net    127.0.0.2  15  0
  SBLXBL4       ip4r  xbl.spamhaus.org  127.0.0.4  15  0

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Serge
Sent: Sunday, September 11, 2005 10:20 PM
To: sniffer@SortMonster.com
Subject: [sniffer] OT test settings

> Hi Pete,
> Can you please give the settings for the following tests that appear in the MDLP reports: DSBL, MXRATE-BLACK, SBL-XBL4
[sniffer] OT test settings
Hi Pete,
Can you please give the settings for the following tests that appear in the MDLP reports: DSBL, MXRATE-BLACK, SBL-XBL4
Re: Re[2]: [sniffer] Downloads are slow...
> rename abcdefg.snf abcdefg.old
> rename abcdefg.tst abcdefg.snf
> copy /V /Y abcdefg.snf C:\sniffer\abcdefg.snf
> :Done

I would use:

  copy /V /Y abcdefg.snf C:\sniffer\abcdefg.new
  Rename C:\sniffer\abcdefg.snf abcdefg.old
  Rename C:\sniffer\abcdefg.new abcdefg.snf
  C:\sniffer\abcdefg.exe reload

- Original Message -
From: Jim Matuska [EMAIL PROTECTED]
To: sniffer@SortMonster.com
Sent: Tuesday, December 28, 2004 7:26 PM
Subject: Re: Re[2]: [sniffer] Downloads are slow...

So far it seems to be working, at least it doesn't seem to be downloading the rulebase yet. I'll have to see if it does later when there is an updated rulebase. My script uses a copy at the end rather than a move. It's listed below for reference. Do you see any issues?

  wget -N http://www.sortmonster.net/Sniffer/Updates/fp0o4jye.snf -O abcdefg.new --http-user=* --http-passwd=*
  if exist abcdefg.new goto Replace
  goto Done
  :Replace
  rename abcdefg.new abcdefg.tst
  snf2check.exe abcdefg.tst abcdefg
  if errorlevel 1 goto Done
  echo New File Tested GOOD!
  if exist abcdefg.old del abcdefg.old
  rename abcdefg.snf abcdefg.old
  rename abcdefg.tst abcdefg.snf
  copy /V /Y abcdefg.snf C:\sniffer\abcdefg.snf
  :Done
  if exist abcdefg.tst del abcdefg.tst

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe Information Systems
[EMAIL PROTECTED]

- Original Message -
From: Pete McNeil [EMAIL PROTECTED]
To: Jim Matuska sniffer@SortMonster.com
Sent: Tuesday, December 28, 2004 11:12 AM
Subject: Re[2]: [sniffer] Downloads are slow...

On Tuesday, December 28, 2004, 12:49:21 PM, Jim wrote:

> I agree that something needs to be done about the update scripts that are inadvertently downloading the full rulebase all the time. I didn't even know it but we were doing this until I went through our update script again this morning and found it didn't have the -N option in Wget, so we were

Watch out - you may still have not fixed it.

One of the tricks with the -N option is that the file downloaded previously must still be in its place for the comparison. If it has been moved then the -N will not matter. This makes things a little bit more complex since you can't download a rulebase file on top of the one that is running.

_M
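The two constraints in this thread pull in opposite directions: wget -N can only skip an unchanged rulebase if the copy it downloaded last time is still sitting at the download path, yet the live rulebase must not be overwritten in place (and a bad download must never reach it). Jim's script loses the first property by renaming the download, and Serge's variant keeps it by copying into the Sniffer directory and renaming there. The following is an added example, not the update script from the thread, of that same stage-verify-swap sequence in Python so the checks are explicit. It assumes one directory holds the wget download and another holds the running copy, and it uses a hypothetical SHA-256 comparison (an operator-recorded digest) in place of snf2check, which is the real integrity tool; the files in `demo()` are constructed.

```python
"""Stage, verify and swap a rulebase without disturbing the wget -N copy.

Added example (not the SNF update script posted on the list).
verify_rulebase() is a HYPOTHETICAL stand-in for snf2check: it compares a
SHA-256 digest the operator obtained out of band. The layout assumed is
  <downloads>/abcdefg.snf   the file wget -N keeps and compares against
  <sniffer>/abcdefg.snf     the running copy, replaced only by rename
"""
import hashlib
import os
import shutil
import tempfile


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_rulebase(path, expected_digest):
    """Hypothetical integrity check standing in for snf2check."""
    return sha256_of(path) == expected_digest


def install_rulebase(download_path, runtime_path, expected_digest):
    """Copy the download next to the live file, verify the copy, then rename
    it into place. Returns 'unchanged' or 'installed'; raises ValueError if
    the staged copy fails verification. download_path is never moved, so
    the next wget -N still has its comparison file."""
    if os.path.exists(runtime_path) and sha256_of(runtime_path) == sha256_of(download_path):
        return "unchanged"
    staged = runtime_path + ".new"
    shutil.copyfile(download_path, staged)      # never write over the live file
    if not verify_rulebase(staged, expected_digest):
        os.remove(staged)                        # live file untouched on failure
        raise ValueError("staged rulebase failed verification")
    backup = runtime_path + ".old"
    if os.path.exists(runtime_path):
        os.replace(runtime_path, backup)         # keep one rollback copy
    os.replace(staged, runtime_path)             # atomic rename on one filesystem
    return "installed"


def demo():
    """Exercise the flow on constructed files: install, no-op, rejected."""
    d = tempfile.mkdtemp()
    dl = os.path.join(d, "updates", "abcdefg.snf")
    rt = os.path.join(d, "sniffer", "abcdefg.snf")
    os.makedirs(os.path.dirname(dl))
    os.makedirs(os.path.dirname(rt))
    with open(rt, "wb") as f:
        f.write(b"old rulebase")
    with open(dl, "wb") as f:
        f.write(b"new rulebase v2")
    good = sha256_of(dl)                         # digest recorded out of band

    steps = [install_rulebase(dl, rt, good)]     # 'installed'
    steps.append(install_rulebase(dl, rt, good)) # 'unchanged'
    with open(dl, "wb") as f:
        f.write(b"corrupt download")             # simulate a bad transfer
    try:
        install_rulebase(dl, rt, good)
    except ValueError:
        steps.append("rejected")

    with open(rt, "rb") as f:
        live = f.read()
    with open(rt + ".old", "rb") as f:
        backup = f.read()
    result = {"steps": steps, "live": live, "backup": backup,
              "download_kept": os.path.exists(dl),
              "no_stale_stage": not os.path.exists(rt + ".new")}
    shutil.rmtree(d)
    return result


if __name__ == "__main__":
    print(demo())
```

After the swap the server still has to be told to reload (the `abcdefg.exe reload` step in Serge's batch); that is deliberately left outside this function so the file handling can be tested on its own.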
Re: [sniffer] Sniffer Downloads
  rem this script is used to update the sniffer rulebase
  rem most of this was based on / inspired by what other users posted on this list, I thank everybody for their input
  rem it calls wget, fgrep, imail1, gzip, snf2check
  rem it checks for new files, and can be used by both alias trigger or scheduler
  rem it uses compression
  rem it checks for errors at almost every stage and reports the result
  rem I use alias, but also schedule it once a day, just in case
  rem It creates files for last success, failure, ...
  rem It emails the result of the operation to the admin

The command for the alias is:

  E:\sniffer\Scripts\SNFRupdt.bat E:\sniffer\Scripts\alias.txt

I have an IMail rule to forward the sniffer notification to that alias (with extensive security). The script is attached, I will try to answer questions if any.

Below is a sample email I get from the updater:

  mar. 28/12/2004 21:38:16,14 ** F:\Imail\spool\tmpA568.tmp **
  21:40:44,93 Renaming and testing
  gzip OK errorlevel 0
  New Rule File Found and Extracted
  Testing with Snf2check
  Snf2check Files tested good
  mar. 28/12/2004 21:40:45,58 Copying and Replacing
  Files updated successfully
  21:40:46,99 Reloading Sniffer RuleBase
  mar. 28/12/2004 21:40:48,99 **
  --21:38:16-- http://www.sortmonster.net/Sniffer/Updates/adcdefg.snf => `adcdefg.snf'
  Resolving www.sortmonster.net... 216.88.37.61
  Connecting to www.sortmonster.net[216.88.37.61]:80... connected.
  HTTP request sent, awaiting response... 200 OK
  Length: 11,160,480 [application/x-sortmonster]
  Remote file is newer, retrieving.
  --21:38:26-- http://www.sortmonster.net/Sniffer/Updates/adcdefg.snf => `adcdefg.snf'
  Connecting to www.sortmonster.net[216.88.37.61]:80... connected.
  HTTP request sent, awaiting response... 200 OK
  Length: 3,181,882 [application/x-sortmonster]
  0K .......... 1% 3.23 KB/s
  [wget progress output continues to 2000K / 64%, 3-49 KB/s; truncated in the archive]
Re:[sniffer] Test ordering/precedence
Where can I find examples of using exit codes to assign different weights depending on groups, when using Sniffer with Declude/IMail? TIA

- Original Message -
From: Pete McNeil [EMAIL PROTECTED]
To: Jim Matuska [EMAIL PROTECTED]
Sent: Thursday, December 02, 2004 9:59 PM
Subject: Re[2]: [sniffer] Test ordering/precedence

On Thursday, December 2, 2004, 4:15:43 PM, Jim wrote:

> Pete,
> We have rules setup in Declude based upon Sniffer return codes 60 and 62 to mark all messages with those tests as spam, however we do not have any 61 or 62 return codes setup. Can you briefly explain what each of these groups includes and a false positive rate for each.

The false positive rates for all of these rule groups have fallen dramatically over the past 8 months and at this point they are all comparable. Different systems see different rates, but all rates are low.

Group 63 - Experimental Received [IP] - contains rules that match Received headers by IP. These are now largely generated by robots which monitor inbound spamtrap and usertrap data and then test those sources. This group used to provide the second largest rate of false positives. The rate now is roughly the same as any other group.

Group 62 - Obfuscation - contains rules built to detect obfuscation techniques. Internally this group breaks down into a number of sub-groups which detect unnecessary URL encoding, HEX encoding, and HTML obfuscation patterns.

Group 61 - Experimental Abstract - contains rules that are designed to recognize data patterns and structures found in spam. For example errors in headers combined with message structures, misspellings, unusual uses for table and HTML structures or message segments, and other abstract patterns that result from the use of scripting engines to generate polymorphic spam.

Note: Group 60 was Gray-Hosting many months ago. That group was retired and then reused. Now it is being renumbered again.

Group 60 - General (Ungrouped) - contains many of the same kinds of rules found in other groups, but particularly those which cannot be accurately categorized there. For example, fake diploma spam. These rules are largely text segments, domains, URI/URL segments, and structures (much like those found in group 61).

Hope this helps,
_M