[sniffer]Concerned about amount of spam going through

2006-06-06 Thread Michiel Prins

Crew,

I'm a bit concerned about the amount of spam that Sniffer's not getting. It used to be a near 99% catch rate, but now it looks like it's down to 70%...?

I opened my own mailbox this morning and saw 5 false negatives, while 11 others were caught by Sniffer. Haven't checked with my clients yet, but I think it will be the same.

Is there an explanation, besides another spam storm?

Regards,
Michiel



Re: [sniffer]Concerned about amount of spam going through

2006-06-06 Thread David Waller
I only see Sniffer catching about 30% of SPAM and that's the highest it's
ever been.

David 



#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
To unsubscribe, E-mail to: [EMAIL PROTECTED]
To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED]
To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]
Send administrative queries to  [EMAIL PROTECTED]



[sniffer]AW: [sniffer]AW: [sniffer]Concerned about amount of spam going through

2006-06-06 Thread Markus Gufler
Hi

There must be something wrong with your configuration of the sniffer test(s)

Here are my numbers from yesterday based on 24462 processed messages

Date  Test             SS    SH  HH  HS  IMP
0605  SNIFFER-TRAVEL   12    0   0   23  2
0605  SNIFFER-INSUR    4     0   0   0   0
0605  SNIFFER-AV       0     0   0   0   0
0605  SNIFFER-MEDIA    1345  0   0   0   8
0605  SNIFFER-SWARE    73    0   0   0   0
0605  SNIFFER-SNAKE    8386  0   0   0   9
0605  SNIFFER-SCAMS    138   0   0   2   3
0605  SNIFFER-PORN     908   0   0   1   3
0605  SNIFFER-MALWARE  12    0   0   2   3
0605  SNIFFER-INK      2     0   0   0   0
0605  SNIFFER-RICH     2865  0   0   2   219
0605  SNIFFER-CREDIT   363   0   0   0   1
0605  SNIFFER-CASINO   300   0   0   0   0
0605  SNIFFER-GENERAL  2881  0   0   41  41
0605  SNIFFER-EXP-A    450   0   0   36  7
0605  SNIFFER-OBFUSC   4     0   0   5   0
0605  SNIFFER-EXP-IP   28    0   0   8   5


SS   Sniffer says spam, final result too
SH   Sniffer says spam, final result not
HH   Sniffer says ham, final result too
HS   Sniffer says ham, final result not

IMP  Sniffer says spam and final result is slightly above the hold weight.
     (This column is a part of the SS-column: 100-150% of hold)
     So
     a.) it's an important test because it's able to bring the spam above the hold weight and without this test it wasn't held as spam.
     or
     b.) it's a risky test because it brings legit messages above the hold weight

What result codes are you using in your test configuration? (please do not publish your sniffer-id!)

Markus




 -Original Message-
 From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of David Waller
 Sent: Tuesday, 6 June 2006 11:51
 To: Message Sniffer Community
 Subject: Re: [sniffer]AW: [sniffer]Concerned about amount of spam going through

 Of all SPAM identified SNIFFER is finding about 30%. We see an awful lot of junk email not being caught by SNIFFER, it's being processed by Declude and failing some technical tests but not by SNIFFER.

 -Original Message-
 From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
 Sent: 06 June 2006 09:41
 To: Message Sniffer Community
 Subject: [sniffer]AW: [sniffer]Concerned about amount of spam going through

  I only see Sniffer catching about 30% of SPAM and that's the highest it's ever been.

 30% of spam or 30% of all processed messages?
 Sniffer is still one of the best tests in my arsenal.

 Markus
 
 
 
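The SS/SH/HH/HS/IMP tally defined in Markus's message, computed together with the two denominators behind the "30% of spam or 30% of all processed messages?" question. This is an added example, not part of the thread and not code from Message Sniffer or Declude; the `Message` record, the hold weight of 20, the rule that a message is spam in the final result once its total weight reaches the hold weight, and the sample messages are all assumptions made for illustration.

```python
from dataclasses import dataclass

HOLD_WEIGHT = 20  # assumed hold threshold; use the value from your own filter config


@dataclass(frozen=True)
class Message:
    sniffer_hit: bool   # True if the Sniffer test returned a nonzero result
    final_weight: int   # total weight after all tests have been applied


def tally(messages, hold=HOLD_WEIGHT):
    """Count SS/SH/HH/HS as defined in the post, plus IMP as a subset of SS."""
    counts = {"SS": 0, "SH": 0, "HH": 0, "HS": 0, "IMP": 0}
    for m in messages:
        final_spam = m.final_weight >= hold
        key = ("S" if m.sniffer_hit else "H") + ("S" if final_spam else "H")
        counts[key] += 1
        # IMP: Sniffer hit and final weight within 100-150% of hold.
        # Integer comparison avoids float rounding at the 150% boundary.
        if key == "SS" and 2 * m.final_weight <= 3 * hold:
            counts["IMP"] += 1
    return counts


def ratio(num, den):
    """Return num/den, or None when the denominator is empty."""
    return num / den if den else None


def rates(counts):
    """Express the Sniffer hit count against each candidate denominator."""
    total = counts["SS"] + counts["SH"] + counts["HH"] + counts["HS"]
    final_spam = counts["SS"] + counts["HS"]
    return {
        # share of finally-held spam that Sniffer also flagged
        "hit_share_of_spam": ratio(counts["SS"], final_spam),
        # share of all processed messages on which Sniffer fired
        "hit_share_of_all": ratio(counts["SS"] + counts["SH"], total),
        # share of SS that only just crossed the hold weight (the IMP column)
        "borderline_share_of_ss": ratio(counts["IMP"], counts["SS"]),
    }


# Constructed sample (sniffer_hit, final_weight); not data from the thread.
SAMPLE = [
    Message(True, 45), Message(True, 22), Message(True, 30),   # SS (two are IMP)
    Message(True, 12),                                         # SH
    Message(False, 25), Message(False, 40),                    # HS
    Message(False, 0), Message(False, 5),
    Message(False, 3), Message(False, 8),                      # HH
]

if __name__ == "__main__":
    counts = tally(SAMPLE)
    print(counts)
    print(rates(counts))
```

On the sample, the same Sniffer hits read as 60% of spam but 40% of all processed messages, which is why the denominator has to be stated before two sites compare catch rates.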



Re: [sniffer]AW: [sniffer]AW: [sniffer]Concerned about amount of spam going through

2006-06-06 Thread David Waller
We just use a single test, we don't categorise. If SNIFFER returns a result
we weight it. However, SNIFFER often returns a zero result when the email
is obviously junk i.e. SNIFFER returns a positive result (spam) in about 30%
of all identified junk mail.

SNIFFER external nonzero \declude\sniffer\sniffer.exe 23  0



Re: [sniffer]Concerned about amount of spam going through

2006-06-06 Thread Pete McNeil
Hello Michiel,

Tuesday, June 6, 2006, 3:10:52 AM, you wrote:

  
 Crew,

 I'm a bit concerned about the amount of spam that Sniffer's not getting. It used to be a near 99% catch rate, but now it looks like it's down to 70%...?

 I opened my own mailbox this morning and saw 5 false negatives, while 11 others were caught by Sniffer. Haven't checked with my clients yet, but I think it will be the same.

 Is there an explanation, besides another spam storm?

IMO, the spam storm explanation is certainly applicable today - we've
seen a few spikes, this time bunched together in an unusual - nearly
continuous chain... still working on a theory for that.

In general, the image based spam trend has given everyone more
challenges.. I'm working on engine upgrades that will be out soon to
help with those and future threats.

Another thing that may have affected the last few days is that our
primary spam-trap processor ate itself causing large backlogs and
heavy fragmentation. There were a few hours (off-and-on) where the box
was not processing traffic so we were delayed responding with new
rules.

I've changed the software on that box and cleaned up the damage and it
is now happily sustaining ~900 msgs/minute so I don't expect further
problems from it in the short term.

Hope this helps,

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





Re: [sniffer]AW: [sniffer]AW: [sniffer]Concerned about amount of spam going through

2006-06-06 Thread Colbeck, Andrew
David,

Are you using the free version of sniffer? Or did you deliberately change your 
.exe name in your posting to sniffer.exe to hide your licence number?

I certainly expect that the rulebase lag with the free version will result in 
lower Message Sniffer hit rates.

I've seen the free version with hit rates as low as 10% on the remaining 
messages that have been already filtered by a gateway, which I thought was 
still decent because these were the messages that had already evaded the 
blacklist tests.  And free is good.

On the same system, I noted that this made Sniffer about half as effective as 
fresh SURBL/URIBL testing, but I had no way to compare their overlap.

Andrew 8)
 


[sniffer]Re[2]: [sniffer]AW: [sniffer]AW: [sniffer]Concerned about amount of spam going through

2006-06-06 Thread Pete McNeil
Hello Andrew,

Tuesday, June 6, 2006, 11:44:46 AM, you wrote:

 David,

 Are you using the free version of sniffer? Or did you deliberately
 change your .exe name in your posting to sniffer.exe to hide your
 licence number?

 I certainly expect that the rulebase lag with the free version will
 result in lower Message Sniffer hit rates.

Actually, since we've been offering production ready 30 day trials,
what once was the free version (as you put it) has been reduced to a
technology demonstrator. It is only useful for proving your system
configuration and barely catches spam at all ;-)

I believe the sniffer.snf rulebase has not been maintained in some
time.

 I've seen the free version with hit rates as low as 10% on the
 remaining messages that have been already filtered by a gateway,
 which I thought was still decent because these were the messages
 that had already evaded the blacklist tests.  And free is good.

 On the same system, I noted that this made Sniffer about half as
 effective as fresh SURBL/URIBL testing, but I had no way to compare
 their overlap.

Interesting.

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer]AW: [sniffer]AW: [sniffer]AW: [sniffer]AW: [sniffer]Concerned about amount of spam going through

2006-06-06 Thread Markus Gufler
Sorry I was out of office.
You're right there must be something wrong with the second column. Yesterday
there was a little bit of confusion as I changed different things on the
database and additionally there was this issue with the malformed mailfrom
address. I will try to publish the correct numbers tomorrow.

Markus



 -Original Message-
 From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Michiel Prins
 Sent: Tuesday, 6 June 2006 12:30
 To: Message Sniffer Community
 Subject: Re: [sniffer]AW: [sniffer]AW: [sniffer]AW: [sniffer]Concerned about amount of spam going through

 Are you sure? That would mean you only need sniffer, coz none of sniffer's ham is spam in the final result...

 -Original Message-
 From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
 Sent: Tuesday 6 June 2006 12:25
 To: Message Sniffer Community
 Subject: [sniffer]AW: [sniffer]AW: [sniffer]AW: [sniffer]Concerned about amount of spam going through

 Sorry in the table below the column header SH and HS must be switched.

 Markus
 
  
 