[sniffer] Re: False Positive - how to react?
Hello Stefan,

Tuesday, October 2, 2007, 3:14:03 AM, you wrote:

> Pete McNeil wrote:
>> I will respond off list.
> Did you try to contact me?

Yes.

> I didn't see anything from you. If yes, which e-mail address did you use?

I used the address you used to post to the list. [EMAIL PROTECTED]

> snip/
>
> PS: In the last two weeks I see more spam caught by IMail's spam filter (IMail Premium 2006.21). Everything that is caught by that filter has passed Sniffer. Anything special going on?

Different filters will always catch some things that are missed by others. That is why diversity is important in spam fighting - it makes it difficult for blackhats to craft messages that will get through.

As for anything special going on - the blackhats have been continuously ramping up their volume, rate of change, and diversity. That's not news because they have been doing this for a while now. The rate of increase continues to climb and so leakage will continue to climb, and there will be good days and bad days for all filters of all types.

With 2000-3000 connections per day you are going to see highly variable results. In contrast, the message rate on one of our spamtrap processing servers is currently more than 3400 per minute. Many of the production servers we monitor average 400K per day or more. If your system were to get the focus of just one of the new stock-push campaigns in any real way for only one or two minutes, you could easily exceed your traffic for an entire year in spam leakage on that one campaign alone - and each message would be unique. (Of course, your server would probably fail before that actually happened.)

My point is only that 35 messages out of 3000 is in the noise given the environment today on the Internet. You will likely see highly variable numbers in that range, and it is significantly more likely that you will see a dramatic increase from time to time than any kind of decrease.

All that said, we are evolving with the problem and we are about to release a new version of SNF in wide beta that will help - especially as more nodes are deployed. The new system employs a collaborative real-time learning system. We hope to have a wide beta package available this week - if you would like to get a jump on that, then let me know off list and I will send you the current test package.

_M

--
Pete McNeil
Chief Scientist, Arm Research Labs, LLC.

#
This message is sent to you because you are subscribed to the mailing list sniffer@sortmonster.com.
To unsubscribe, E-mail to: [EMAIL PROTECTED]
To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED]
To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]
Send administrative queries to [EMAIL PROTECTED]
[sniffer] Re: False Positive - how to react?
Pete, thanks for your thorough explanations. And I'm not complaining! Sniffer works fine for us. It was just an observation...

--
Elektronik-Labor Carls GmbH & Co. KG
Stefan Paege
Fon: +49 5973 9497-23
Fax: +49 5973 9497-19

Elektronik-Labor Carls GmbH & Co. KG
Limited partnership: registered office Neuenkirchen, register court Steinfurt HRA 3310
General partner with unlimited liability: Elektronik-Labor Carls Beteiligungsgesellschaft mbH, registered office Neuenkirchen, register court Steinfurt HRB 4175
Managing directors: Irmgard Carls, Joachim Schulte
[sniffer] Re: False Positive - how to react?
> For the first (known) time I see Message Sniffer filter a valid mail. What is the best way to handle stuff like this?

Check out this page: http://kb.armresearch.com/index.php?title=Message_Sniffer.FAQ.FalsePositives
[sniffer] Re: False Positive - how to react?
Frank, thanks for your answer. Seems like I'm too dense to get it. The step by step instructions tell me:

4. Attach the message that was captured incorrectly.

How should I do that? I don't have that message because it got filtered and deleted by Sniffer.

>> For the first (known) time I see Message Sniffer filter a valid mail. What is the best way to handle stuff like this?
>
> Check out this page: http://kb.armresearch.com/index.php?title=Message_Sniffer.FAQ.FalsePositives

--
Elektronik-Labor Carls GmbH & Co. KG
Stefan Paege
Fon: +49 5973 9497-23
Fax: +49 5973 9497-19
[sniffer] Re: False Positive - how to react?
Ok, I guess the instruction is for people who filter spam to a spam folder... ;-)

I think you should contact [EMAIL PROTECTED]. I think they will be able to remove the rule based on your Sniffer log; perhaps they will only remove it for your system.

One other problem - the first entry of the log is your license code! - you should not post it publicly (e.g. in this group).

> This is the related Sniffer log entry:
>
> *** 20070926071222 d064801a658d9.smd 0 78 Match 1336961 60 6933694583
> *** 20070926071222 d064801a658d9.smd 0 78 Final 1336961 60 0 26005 83
>
> Thanks for your answer. Seems like I'm too dense to get it. The step by step instructions tell me:
>
> 4. Attach the message that was captured incorrectly.
>
> How should I do that? I don't have that message because it got filtered and deleted by Sniffer.
>
>>> For the first (known) time I see Message Sniffer filter a valid mail. What is the best way to handle stuff like this?
>>
>> Check out this page: http://kb.armresearch.com/index.php?title=Message_Sniffer.FAQ.FalsePositives

--
Best regards,
Frank Jensen
[EMAIL PROTECTED]
www.pi.dk

Impressive, fascinating and giant posters, e.g. 149 x 149 = 629 kr. We can also make a poster from your digital photo: www.plakatkunst.dk
[sniffer] Re: False Positive - how to react?
Hello Stefan,

Normally attaching the message is as easy as dragging and dropping it into your note to [EMAIL PROTECTED]. If you have a quarantine folder then dragging the message file on to your message as an attachment also usually works (YMMV - not all email clients work this way).

Since you don't have a copy/sample of the message, the best you can do is locate the matching SNF log entries and include those -- they will tell us the rule ID. I have that from your previous message. I will respond off list.

Thanks,

_M

Wednesday, September 26, 2007, 9:47:52 AM, you wrote:

> Frank, thanks for your answer. Seems like I'm too dense to get it. The step by step instructions tell me:
>
> 4. Attach the message that was captured incorrectly.
>
> How should I do that? I don't have that message because it got filtered and deleted by Sniffer.
>
>>> For the first (known) time I see Message Sniffer filter a valid mail. What is the best way to handle stuff like this?
>>
>> Check out this page: http://kb.armresearch.com/index.php?title=Message_Sniffer.FAQ.FalsePositives

--
Pete McNeil
Chief Scientist, Arm Research Labs, LLC.
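One way to assemble such a report when the message itself is gone, combining Pete's advice above (include the matching SNF log entries, which carry the rule ID) with Frank's warning earlier in the thread (the log also carries your license code, which must not be posted). This is an added example, not Arm Research code; the field layout it assumes (timestamp first, message file name second, rule ID right after "Match") is not documented on the page, and every sample value below is constructed.

```python
# Assumptions not stated in the thread: SNF log records are whitespace-
# separated with the timestamp first and the message file name second, and
# on a 'Match' record the token right after 'Match' is the rule ID.
import re
from typing import NamedTuple

REDACTED = "[LICENSE-REDACTED]"


class FpReport(NamedTuple):
    rule_ids: tuple   # rule IDs that fired, in order of first appearance
    entries: tuple    # log lines with the license code stripped


def prepare_fp_report(log_text, license_code, message_file=None):
    """Collect the rule IDs from Match records and redact the license code;
    with message_file set, keep only that message's records."""
    if not license_code:
        raise ValueError("license code is required so it can be redacted")
    license_re = re.compile(re.escape(license_code), re.IGNORECASE)
    rule_ids, entries = [], []
    for raw in log_text.splitlines():
        fields = raw.split()
        if not fields:
            continue
        if message_file and (len(fields) < 2 or fields[1] != message_file):
            continue
        if "Match" in fields:
            pos = fields.index("Match")
            if pos + 1 < len(fields) and fields[pos + 1].isdigit():
                if fields[pos + 1] not in rule_ids:
                    rule_ids.append(fields[pos + 1])
        entries.append(license_re.sub(REDACTED, raw))
    return FpReport(tuple(rule_ids), tuple(entries))


# Constructed sample modelled on the lines quoted in the thread; file names,
# license code and numbers are invented. The first record stands in for the
# leading log entry that the thread says carries the license code.
SAMPLE_LICENSE = "0123abcd4567"
SAMPLE_LOG = f"""\
20070926071200 {SAMPLE_LICENSE} SNF log opened
20070926071222 d0000000000a1.smd 0 78 Match 1234567 60 6933694583
20070926071222 d0000000000a1.smd 0 78 Final 1234567 60 0 26005 83
20070926071230 d0000000000b2.smd 0 12 Final 0 0 0 14011 40
"""

if __name__ == "__main__":
    report = prepare_fp_report(SAMPLE_LOG, SAMPLE_LICENSE)
    print("rule IDs:", ", ".join(report.rule_ids))
    print("\n".join(report.entries))
```

Pass `message_file` to restrict the excerpt to the one message that was wrongly caught; the redaction runs regardless, so the pasted lines never contain the license code.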
[sniffer] Re: False Positive - how to react?
Hello Pi-Web,

Wednesday, September 26, 2007, 10:41:51 AM, you wrote:

> Ok, I guess the instruction is for people who filter spam to a spam folder... ;-)

I want to make one additional comment here -- It is true that most folks filter to a temporary quarantine and so that is probably to be considered a best practice. BUT - that is certainly not always the case and there are plenty of systems that do delete or reject messages instead. We do our best to handle all cases ;-)

_M

--
Pete McNeil
Chief Scientist, Arm Research Labs, LLC.