Re: [sniffer] New Web Site!
A wiki is a site that is publicly editable. Anyone can add to the site as long as they have a valid account.

- Original Message -
From: Harry Vanderzand [EMAIL PROTECTED]
To: sniffer@SortMonster.com
Sent: Friday, March 17, 2006 11:15 AM
Subject: RE: [sniffer] New Web Site!

What is a wiki?

Harry Vanderzand
inTown Internet Computer Services
519-741-1222

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Pete McNeil
Sent: Friday, March 17, 2006 11:07 AM
To: sniffer@sortmonster.com
Subject: [sniffer] New Web Site!

Hello Sniffer Folks,

Today we are making a major transition. The old Message Sniffer web site will be torn down and replaced with a new WIKI:

http://kb.armresearch.com/index.php?title=Message_Sniffer

The top Message Sniffer page will retain its index for a while, but instead of sending you to the original pages the links will take you to appropriate pages in the new WIKI. Also - if you try to go directly to an old page you will be redirected automatically to the appropriate new page.

The WIKI requires that you create an account and log in before making any changes. We know there are blackhats out there so we will be watching very closely... If we find there is abuse, we will disable the ability to create accounts and you will need to contact us at support@ if you want the ability to post -- let's hope it doesn't come to that.

We will continue to update, improve, and correct the wiki - it will, in fact, be under constant development.

Have fun!

Thanks,
_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)
Chief Scientist (www.armresearch.com)

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
Re: [sniffer] reporting spam
??? That can't be done when Sniffer directly POPs a submission mailbox.

- Original Message -
From: Roger Moser [EMAIL PROTECTED]
To: sniffer@sortmonster.com
Sent: Thursday, March 16, 2006 4:18 PM
Subject: [sniffer] reporting spam

I just found out that when you are reporting received spam to [EMAIL PROTECTED], you should remove the Received: header added by your mail server. Otherwise you might create a rule that filters all mail from your mail server.

Roger
Re: [sniffer] reporting spam
On Thursday, March 16, 2006, 5:18:00 PM, Roger wrote:

RM> I just found out that when you are reporting received spam to
RM> [EMAIL PROTECTED], you should remove the Received: header added by your
RM> mail server. Otherwise you might create a rule that filters all mail from
RM> your mail server.

Yikes - that's not true.

We only rarely ever examine the received headers in submitted spam - and then only when we're verifying some other hunch we're following. We almost exclusively focus on the body of the message content and its coding.

Rarely, but nonetheless it happens, we will pick up a domain that is spoofed in submitted spam or otherwise entangled in the message. Submitted spam is never processed automatically - so when this does happen it is always human error - and we are very careful with our procedures to make sure it doesn't happen. Occasionally one slips through and if that happens the rule is moved to a special rule group so that it can never happen again.

Hope this clears things up a bit.

Thanks,
_M
Re: [sniffer] New RuleBot F002 Online
Pete,

I would definitely like to see rules classified for what they are based on instead of the content, but certainly I don't expect to see that without a major new release. Rules such as those based on phrases, IPs, domains, patterns, and viruses all have different accuracies and issues. If you were also to group them in a similar way, we could tag multiple rules for a single message so that for instance a phrase and a domain both hit on the same message. My logs show that I average 3 matches for every final result.

If this becomes a plan, I would proceed very carefully since doing it in a way that could cause a lot of cross-over pollution would make comboing such things for a higher score unwise. I would in fact recommend creating something like 4 groups: 1) IPs, 2) Domains, E-mail addresses, Links, 3) Patterns (like domain patterns and obfuscation), and 4) Content. There shouldn't be any crossover of FPs in such a thing, so multiple hits would be stronger.

In relation to the placement of RuleBot F002 results, I would just favor pretty much anything but the 60 and 63 groups because they are scored lower due to FPs on my system, and it has generally been said by others that this is the case on theirs as well. F002 has the appearance of being hyper-accurate, and it would help if it was placed in a group with other hyper-accurate results. Even placing it in 61 (Experimental) would be preferred over 60.

Thanks,

Matt

Pete McNeil wrote:

On Friday, March 10, 2006, 3:41:00 PM, Darin wrote:

DC> Totally agree. I'd like to see some separation between rules created by
DC> newer rulebots and preexisting rules. That way if there becomes an issue
DC> with a bot, we can turn off one group quickly and easily.

There is no way to do this without completely reorganizing the result codes or defeating the competitive ranking mechanisms.

If you feel strongly about it I can move these rule groups to lower numbers on your local rulebase or make some other numbering scheme - but I don't recommend it. Moving these rule groups to lower numbers would cause them to win competitions with other rules where they would normally not win.

At some point in the future we might renumber the rule groups again, but I like to avoid this since there are so many folks that just don't get the message (no matter what we do to publish it) when we make changes like this, and so any large scale changes tend to cause confusion for very long periods. For example: I still, on occasion, have questions about the gray-hosting group which has not existed for quite a long time.

So far there has not been one FP reported on bot F002 and extremely few on F001 - the vast majority of those associated with the very first group of listings prior to the last two upgrades for the bot.

_M
Re: [sniffer] New ad campaign
On Friday, March 10, 2006, 2:00:42 PM, John wrote:

JTL> I am seeing a lot of spam with a subject line with fw: or re: followed by
JTL> the username portion of the recipient. Any way to create a rule for this?

There's nothing simple we can do for this one based on that alone - at least not without risking a lot of false positives.

We are looking at structural abstracts wherever there is content. Many that we see are empty. SNF is not yet good at seeing what is NOT there.

_M
Re: [sniffer] New RuleBot F002 Online
Pete,

In light of current and prolonged issues, this seems like a good and safe tactic. I would appreciate it however if maybe you could place the rules in another result code since this result code is not as accurate as some others are and some of us weight it lower than others.

Thanks,

Matt

Pete McNeil wrote:

Hello Sniffer Folks,

Rulebot F002 has been placed online. This rulebot captures and creates geocities web links from the chatty campaigns. This is largely a time saver for us humans... we will focus our attention more on abstracts for these campaigns now that F002 will be capturing the raw links.

Rules from F002 will produce a 60 result code (Ungrouped). The engine is following a standard protocol that we have used for months. I expect no false positives from this one.

Thanks,
_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)
Chief Scientist (www.armresearch.com)
Re: [sniffer] New RuleBot F002 Online
Totally agree. I'd like to see some separation between rules created by newer rulebots and preexisting rules. That way if there becomes an issue with a bot, we can turn off one group quickly and easily.

Darin.

- Original Message -
From: Matt [EMAIL PROTECTED]
To: sniffer@SortMonster.com
Sent: Friday, March 10, 2006 3:37 PM
Subject: Re: [sniffer] New RuleBot F002 Online

Pete,

In light of current and prolonged issues, this seems like a good and safe tactic. I would appreciate it however if maybe you could place the rules in another result code since this result code is not as accurate as some others are and some of us weight it lower than others.

Thanks,

Matt

Pete McNeil wrote:

Hello Sniffer Folks,

Rulebot F002 has been placed online. This rulebot captures and creates geocities web links from the chatty campaigns. This is largely a time saver for us humans... we will focus our attention more on abstracts for these campaigns now that F002 will be capturing the raw links.

Rules from F002 will produce a 60 result code (Ungrouped). The engine is following a standard protocol that we have used for months. I expect no false positives from this one.

Thanks,
_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)
Chief Scientist (www.armresearch.com)
Re: [sniffer] F001 Rule Bot Change
Good job, Pete. Through these changes we saw a minimal increase in false positives on one day, and detection seems to have improved as well.

Darin.

- Original Message -
From: Pete McNeil [EMAIL PROTECTED]
To: sniffer@sortmonster.com
Sent: Thursday, March 09, 2006 3:08 AM
Subject: [sniffer] F001 Rule Bot Change

Hello Sniffer Folks,

The F001 Rule Bot has been adjusted. The number of repeat offenses required for an IP to be listed has been increased.

It's important to note also: Messages that are filtered out by other rules are excluded from this evaluation. Consequently, for an IP to be added to the F001 bot rules it must not only be seen quite a few times, but it must also be generating messages that are not filtered using other active rules.

As part of this adjustment we removed approximately 2 IP rules that had shown either weak or no activity since they were created. This may cause rulebase file sizes to change noticeably.

Thanks,
_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)
Chief Scientist (www.armresearch.com)
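The listing criterion Pete describes for F001 (repeat offenses, with messages other rules already filter excluded, weak rules pruned, and, from his later note on IP rules, a first FP report retiring the rule), modelled as an added example. This is not the bot's code; the thresholds, record layout and sample records are constructed for the illustration.

```python
"""Model of the listing criterion described for the F001 rule bot.

Added illustration, not the bot's own code. It models only what the list
posts state: an IP is listed after enough repeat offenses, where an offense
is a spamtrap message that no other active rule already filtered; rules with
weak or no activity are removed; and the first false-positive report retires
a rule into a problematic group from which it is not reinstated. Thresholds,
record layout and sample records are constructed for this example.
"""
from collections import Counter

REPEAT_THRESHOLD = 3   # assumed; the bot's real number is not given on the list
MIN_RECENT_HITS = 1    # assumed reading of "weak or no activity"


class IpRuleBot:
    def __init__(self, threshold=REPEAT_THRESHOLD):
        self.threshold = threshold
        self.offenses = Counter()   # ip -> unfiltered spamtrap messages seen
        self.rules = set()          # ips currently carrying an IP rule
        self.problematic = set()    # ips retired after an FP report

    def observe(self, ip, reached_spamtrap, other_rule_hit):
        """Count one message; messages other rules already filter are excluded."""
        if not reached_spamtrap or other_rule_hit:
            return
        self.offenses[ip] += 1
        if self.offenses[ip] >= self.threshold and ip not in self.problematic:
            self.rules.add(ip)

    def prune(self, recent_hits, min_hits=MIN_RECENT_HITS):
        """Drop rules that have shown weak or no activity since creation."""
        removed = {ip for ip in self.rules if recent_hits.get(ip, 0) < min_hits}
        self.rules -= removed
        return removed

    def report_fp(self, ip):
        """First FP case: remove the rule and park the IP so it is never relisted."""
        self.rules.discard(ip)
        self.problematic.add(ip)


def run_sample():
    """Constructed traffic as (ip, reached_spamtrap, other_rule_hit) records."""
    sample = [
        ("192.0.2.10", True, False),   # repeat offender nothing else catches
        ("192.0.2.10", True, False),
        ("192.0.2.10", True, False),
        ("192.0.2.20", True, True),    # always filtered by another rule
        ("192.0.2.20", True, True),
        ("192.0.2.20", True, True),
        ("192.0.2.20", True, True),
        ("192.0.2.30", True, False),   # two offenses, below threshold
        ("192.0.2.30", True, False),
        ("192.0.2.40", False, False),  # never reached a spamtrap
    ]
    bot = IpRuleBot()
    for rec in sample:
        bot.observe(*rec)
    listed = set(bot.rules)
    # an FP report retires the rule; further offenses do not relist the IP
    bot.report_fp("192.0.2.10")
    for _ in range(5):
        bot.observe("192.0.2.10", True, False)
    return listed, set(bot.rules), set(bot.problematic)


if __name__ == "__main__":
    print(run_sample())
```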
Re: [sniffer] F001 Rule Bot Change
Hi Pete -

Pete McNeil wrote:

Hello Sniffer Folks,

The F001 Rule Bot has been adjusted.

Is it possible for you to recommend a percentage of accuracy, or maybe better stated a percentage of delete weight, for each rule? I am wondering which rules you feel are the weakest and which are the strongest. I am well aware 'mileage may vary' but just your thoughts on reliability would be insightful.

Currently the rules I trust the most are at 90% of my hold weight which overall is less than 50% of my delete weight. Rules that I trust the least like general and experimental are at ~ 40% of my hold weight.

Thanks!

-Nick
Re: [sniffer] [Fwd: Starbucks $500 Prize #972499912]
On Tuesday, March 7, 2006, 5:00:33 PM, Heimir wrote:

HE> Why is this not filtered?
HE> Every one of them contains the word
HE> Domains4u
HE> I have reported several but they are still coming in.

Actually, they are now (I tried coding the message and duped out on the domain rules).

Domains4u is not by itself sufficient coding so we don't have a rule like that. If you would like to add that rule we can, but please make the request to support@ and not the public list.

Thanks,
_M
Re: [sniffer] [Fwd: Starbucks $500 Prize #972499912]
Request sent.

Thank you for your prompt response.

Cordially,

Heimir Eidskrem
i360, Inc.
2825 Wilcrest, Suite 675
Houston, TX 77042
Ph: 713-981-4900
Fax: 832-242-6632
[EMAIL PROTECTED]
www.i360.net
www.i360hosting.com
www.realister.com
Houston's Leading Internet Consulting Company

Pete McNeil wrote:

On Tuesday, March 7, 2006, 5:00:33 PM, Heimir wrote:

HE> Why is this not filtered?
HE> Every one of them contains the word
HE> Domains4u
HE> I have reported several but they are still coming in.

Actually, they are now (I tried coding the message and duped out on the domain rules).

Domains4u is not by itself sufficient coding so we don't have a rule like that. If you would like to add that rule we can, but please make the request to support@ and not the public list.

Thanks,
_M
RE: [sniffer] declude tests
thank you

I put in the detailed tests as below. When the nonzero single test runs I get items trapped with a score of 7 by sniffer, however when I turn it off and activate the detailed ones I do not get a hit at all on the detailed tests even though it is the exact same item. What did I miss here?

change from:

#SNIFFER external nonzero "D:\IMail\Declude\sniffer\xx.exe xx persistent" 7 0

to:

#SNIFFER-TRAVEL external 047 "D:\IMail\Declude\sniffer\xx.exe xx persistent" 10 0
#SNIFFER-INSURANCE external 048 "D:\IMail\Declude\sniffer\xx.exe xx persistent" 10 0
#SNIFFER-AV-PUSH external 049 "D:\IMail\Declude\sniffer\xx.exe xx persistent" 10 0
#SNIFFER-WAREZ external 050 "D:\IMail\Declude\sniffer\xx.exe xx persistent" 15 0
#SNIFFER-SPAMWARE external 051 "D:\IMail\Declude\sniffer\xx.exe xx persistent" 19 0
#SNIFFER-SNAKEOIL external 052 "D:\IMail\Declude\sniffer\xx.exe xx persistent" 19 0
#SNIFFER-SCAMS external 053 "D:\IMail\Declude\sniffer\xx.exe xx persistent" 19 0
#SNIFFER-PORN external 054 "D:\IMail\Declude\sniffer\xx.exe xx persistent" 19 0
#SNIFFER-MALWARE external 055 "D:\IMail\Declude\sniffer\xx.exe xx persistent" 20 0
#SNIFFER-INKPRINTING external 056 "D:\IMail\Declude\sniffer\xx.exe xx persistent" 10 0
#SNIFFER-SCHEMES external 057 "D:\IMail\Declude\sniffer\xx.exe xx persistent" 15 0
#SNIFFER-CREDIT external 058 "D:\IMail\Declude\sniffer\xx.exe xx persistent" 15 0
#SNIFFER-GAMBLING external 059 "D:\IMail\Declude\sniffer\xx.exe xx persistent" 15 0
#SNIFFER-EXP-IP external 063 "D:\IMail\Declude\sniffer\xx.exe xx persistent" 10 0
#SNIFFER-OBFUSCATION external 062 "D:\IMail\Declude\sniffer\xx.exe xx persistent" 15 0
#SNIFFER-EXP-ABST external 061 "D:\IMail\Declude\sniffer\xx.exe xx persistent" 10 0
#SNIFFER-GENERAL external 060 "D:\IMail\Declude\sniffer\xx.exe xx persistent" 12 0

Harry Vanderzand
inTown Internet Computer Services
519-741-1222

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Scott Fisher
Sent: Tuesday, March 07, 2006 5:06 PM
To: sniffer@SortMonster.com
Subject: Re: [sniffer] declude tests

Here's a list of the return codes:

http://www.sortmonster.com/MessageSniffer/Help/ResultCodesHelp.html

- Original Message -
From: Harry Vanderzand
To: sniffer@SortMonster.com
Cc: Pete McNeil
Sent: Tuesday, March 07, 2006 3:58 PM
Subject: [sniffer] declude tests

at the moment I run the following test in declude

SNIFFER external nonzero "D:\IMail\Declude\sniffer\xx.exe persistent" 13 0

I have seen a more detailed setup before and am interested in doing that here also. Is there a comprehensive list somewhere along with instructions?

If I want to apply separate weighting using only some of the detailed tests and then a catchall test for the rest, is that possible?

thank you

Harry Vanderzand
inTown Internet Computer Services
11 Belmont Ave. W., Kitchener, ON, N2M 1L2
519-741-1222
Re: [sniffer] declude tests
On Tuesday, March 7, 2006, 4:58:35 PM, Harry wrote:

HV> at the moment I run the following test in declude
HV>
HV> SNIFFER external nonzero
HV> D:\IMail\Declude\sniffer\xx.exe persistent 13 0

THIS IS WRONG! You should not have the persistent command line option in your Declude configuration. You should only run your persistent instance outside of Declude. Run only peer instances (without the persistent keyword) from inside Declude.

HV> I have seen a more detailed setup before and am interested in
HV> doing that here also. Is there a comprehensive list somewhere along with instructions?
HV>
HV> If I want to apply separate weighting using only some of the
HV> detailed tests and then a catchall test for the rest, is that possible?

Sure. The easiest way I know of is to leave your existing line in place and then add an additional test (using SNF) that adjusts the specific result code you want to tune. For example, if you wanted to back down group 63 you might add a line:

SNF63 external 63 D:\IMail\Declude\sniffer\xx.exe -3 0

Declude will recognize that the command line is identical and will simply reuse the result with the new test name SNF63 instead of running SNF again.

Hope this helps,
_M
RE: [sniffer] New Rulebot F001
There's been at least one FP ;) --

Rule - 861038
Name F001 for Message 2888327: [216.239.56.131]
Created 2006-03-02
Source 216.239.56.131
Hidden false
Blocked false
Origin Automated-SpamTrap
Type ReceivedIP
Created By [EMAIL PROTECTED]
Owner [EMAIL PROTECTED]
Strength 2.08287379496965
False Reports 0
From Users 0
[FPR:B] The rule is below threshold, and/or badly or broadly coded so it will be removed from the core rulebase.

My concern with automated IP rule coding is that we use Sniffer because it's extremely accurate. Coding rules linked to IPs, particularly IPs that are used by google or any large ISP to send large amounts of (mostly legitimate) email, is contrary to what Sniffer is great at, which is tagging spam that no one else is.

Is response code 63 going to be utilized for any other purposes? If not, I will let Declude know to weight these responses lower than normal Sniffer.

- Jay

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Pete McNeil
Sent: Monday, March 06, 2006 3:00 PM
To: sniffer@sortmonster.com
Subject: [sniffer] New Rulebot F001

Hello Sniffer folks,

The first of the new rulebots is coming online. Rulebot F001 creates IP rules for sources that consistently fail many tests while also reaching the cleanest of our spamtraps. The rules will appear in group 63.

The bot is playing catchup a bit (since there have been few IP rules at all since we disabled the old bots).

The algorithms used in this bot have been tested manually for 2 weeks with no false positives.

Expect an increase in your rulebase size while F001 catches up with current spamtrap data.

Thanks,
_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)
Chief Scientist (www.armresearch.com)
Re: [sniffer] New Rulebot F001
We just reviewed this morning's logs and had a few false positives. Not sure if these are due to the new rulebot, but it's more than we've had for the entire day for the past month.

Rules --
873261
866398
856734
284831
865663

Darin.

- Original Message -
From: Jay Sudowski - Handy Networks LLC [EMAIL PROTECTED]
To: sniffer@SortMonster.com
Sent: Monday, March 06, 2006 3:13 PM
Subject: RE: [sniffer] New Rulebot F001

There's been at least one FP ;) --

Rule - 861038
Name F001 for Message 2888327: [216.239.56.131]
Created 2006-03-02
Source 216.239.56.131
Hidden false
Blocked false
Origin Automated-SpamTrap
Type ReceivedIP
Created By [EMAIL PROTECTED]
Owner [EMAIL PROTECTED]
Strength 2.08287379496965
False Reports 0
From Users 0
[FPR:B] The rule is below threshold, and/or badly or broadly coded so it will be removed from the core rulebase.

My concern with automated IP rule coding is that we use Sniffer because it's extremely accurate. Coding rules linked to IPs, particularly IPs that are used by google or any large ISP to send large amounts of (mostly legitimate) email, is contrary to what Sniffer is great at, which is tagging spam that no one else is.

Is response code 63 going to be utilized for any other purposes? If not, I will let Declude know to weight these responses lower than normal Sniffer.

- Jay

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Pete McNeil
Sent: Monday, March 06, 2006 3:00 PM
To: sniffer@sortmonster.com
Subject: [sniffer] New Rulebot F001

Hello Sniffer folks,

The first of the new rulebots is coming online. Rulebot F001 creates IP rules for sources that consistently fail many tests while also reaching the cleanest of our spamtraps. The rules will appear in group 63.

The bot is playing catchup a bit (since there have been few IP rules at all since we disabled the old bots).

The algorithms used in this bot have been tested manually for 2 weeks with no false positives.

Expect an increase in your rulebase size while F001 catches up with current spamtrap data.

Thanks,
_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)
Chief Scientist (www.armresearch.com)
Re: [sniffer] New rulebase compilers online.
Pete,

Does this mean that you are somehow supporting incremental rule base updates, or is it that the compiler is just much faster so we will get the same number of updates, but generally get them 40-120 minutes earlier in relation to the data that generated them? Either way, definitely an improvement. The closer to real-time we can get, the better.

Thanks,

Matt

Pete McNeil wrote:

Hello Sniffer Folks,

I have just completed work to upgrade the rulebase compiler bots. They are now significantly more efficient. As a result you will be seeing updates more frequently.

Previous lag was between 40-120 minutes. Current lag (sustained) is 5 minutes.

More timely updates should equate to lower spam leakage for new spam.

You do not need to take any action on this. This note is for your information only.

Thanks,
_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)
Chief Scientist (www.armresearch.com)
Re: [sniffer] Sniffer, MDLP, and invURIBL?
the %WEIGHT% passes the current message weight from Declude to INVURIBL. Used with the SKIPWEIGHT option in invuribl.exe.config

the %REMOTEIP% passes the sender's IP from Declude to INVURIBL. Used to whitelist IPs in senderipwhitelist.txt

invuribl will find false positives, but is a very effective test. The INVURIBL weighting is determined with your setting in invuribl.exe.config

I personally use multi.surbl.org and multi.uribl.com
Name servers checked against sbl.spamhaus.org
URI's "A" record checked against sbl.spamhaus.org, cn-kr.blackholes.us and russia.blackholes.us

- Original Message -
From: Joe Wolf
To: sniffer@SortMonster.com
Sent: Saturday, February 25, 2006 11:05 AM
Subject: [sniffer] Sniffer, MDLP, and invURIBL?

I'm currently running Sniffer via Declude and use MDLP. Great!

Since all the talk about invURIBL on the Imail list I thought I'd give it a try. The only problem I have is that it doesn't seem to be compatible with MDLP. invURIBL assigns its own weight to each message.

The global.cfg line is as follows:

INV-URIBL external weight "X:\INVURIBL\INVURIBL.exe %WEIGHT% %REMOTEIP%" 0 0

I'm not an expert but the %WEIGHT% must pass the weight determined by invURIBL to Declude. I don't know what the variables of the weighting system are. I'm worried that I may start getting a bunch of false positives since MDLP can't manage the weighting of invURIBL.

Would appreciate any advice from anyone that knows more about this than I do!

Thanks,
Joe
RE: [sniffer] Sniffer, MDLP, and invURIBL?
Joe,

Are you using MDLP to autotune your weights in Declude? If so, you can exclude invURIBL and other tests which you don't want to change, whether because you think the weight is perfect, or because their randomness doesn't fit MDLP's idea of a weighting system.

Check out this snippet from The McNeil on this list at some point in the past:

"Use the #MDLP:MANUAL feature to lock these tests at the values you set. In your GLOBAL.CFG file create a line that lists the tests you want to adjust manually.

#MDLP:MANUAL TEST1 TEST2 TEST3

You can also use more than one line if you wish...

#MDLP:MANUAL TEST1 ...
#MDLP:MANUAL TEST2 ...
#MDLP:MANUAL TEST3 ...

The #MDLP:MANUAL directive appears to be a comment to Declude so it will be otherwise ignored. If you have an #MDLP directive you want to comment out then you can add an additional # as in:

##MDLP:...

This will cause MDLP to ignore it as well."

Andrew 8)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Joe Wolf
Sent: Saturday, February 25, 2006 9:05 AM
To: sniffer@SortMonster.com
Subject: [sniffer] Sniffer, MDLP, and invURIBL?

I'm currently running Sniffer via Declude and use MDLP. Great!

Since all the talk about invURIBL on the Imail list I thought I'd give it a try. The only problem I have is that it doesn't seem to be compatible with MDLP. invURIBL assigns its own weight to each message.

The global.cfg line is as follows:

INV-URIBL external weight "X:\INVURIBL\INVURIBL.exe %WEIGHT% %REMOTEIP%" 0 0

I'm not an expert but the %WEIGHT% must pass the weight determined by invURIBL to Declude. I don't know what the variables of the weighting system are. I'm worried that I may start getting a bunch of false positives since MDLP can't manage the weighting of invURIBL.

Would appreciate any advice from anyone that knows more about this than I do!

Thanks,
Joe
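Two GLOBAL.CFG mechanics from this list, the per-result-code Declude tests from the "declude tests" thread (Pete's recipe of keeping the nonzero catch-all and adding an SNF63 adjustment) and the #MDLP:MANUAL lock quoted above, worked through in one added example. This is my illustration, not Declude, MDLP or Message Sniffer code; the config fragment is constructed from lines quoted in the threads, and the meaning assumed for each field is stated in the docstring.

```python
"""GLOBAL.CFG mechanics from two threads on this list, as an added example.

Not Declude, MDLP or Message Sniffer code; it models only what the posts
state. First, how Declude "external" tests turn one Message Sniffer (SNF)
result code into weight, including Pete's recipe of keeping the "nonzero"
catch-all and adding a per-code test such as SNF63 that Declude satisfies
from the same program run. Second, which tests a "#MDLP:MANUAL" line locks
so an autotuner leaves their weights alone, with "##MDLP:" lines ignored.
Assumed here: a test line reads NAME external <nonzero|NNN|weight>
"command" W1 W2, W1 is the weight added when the test fires, a numeric
match fires on an equal exit code, and "#" starts a comment for Declude.
"""
import re

TEST_RE = re.compile(
    r'^(?P<name>\S+)\s+external\s+(?P<match>nonzero|weight|\d+)\s+'
    r'"?(?P<cmd>[^"]+?)"?\s+(?P<w1>-?\d+)\s+(?P<w2>-?\d+)\s*$'
)
MANUAL_RE = re.compile(r'^#MDLP:MANUAL\b(?P<names>.*)$')


def parse_tests(cfg):
    """Return the live external tests; '#' lines are comments to Declude."""
    tests = []
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = TEST_RE.match(line)
        if m:
            tests.append({"name": m["name"], "match": m["match"],
                          "cmd": m["cmd"].strip(), "w1": int(m["w1"])})
    return tests


def score_snf(cfg, result_code):
    """Total weight and firing test names for one SNF exit code.

    Tests sharing a command line reuse that one exit code (Pete's point),
    so every line whose match condition holds adds its own weight.
    """
    hits = [t for t in parse_tests(cfg)
            if (t["match"] == "nonzero" and result_code != 0)
            or (t["match"].isdigit() and int(t["match"]) == result_code)]
    return sum(t["w1"] for t in hits), [t["name"] for t in hits]


def manual_tests(cfg):
    """Names on '#MDLP:MANUAL' lines (any number); '##MDLP:' lines do not count."""
    locked = set()
    for raw in cfg.splitlines():
        m = MANUAL_RE.match(raw.strip())
        if m:
            locked.update(m["names"].split())
    return locked


def retune(cfg, proposed):
    """Rewrite cfg with proposed weights, leaving locked tests and
    'external weight' tests (INV-URIBL supplies its own weight) untouched."""
    locked = manual_tests(cfg)
    out = []
    for raw in cfg.splitlines():
        line = raw.strip()
        m = None if line.startswith("#") else TEST_RE.match(line)
        if (m and m["name"] in proposed and m["name"] not in locked
                and m["match"] != "weight"):
            raw = (f'{m["name"]} external {m["match"]} "{m["cmd"].strip()}" '
                   f'{proposed[m["name"]]} {m["w2"]}')
        out.append(raw)
    return "\n".join(out)


# Constructed GLOBAL.CFG fragment; paths and weights follow the threads,
# with the "persistent" keyword left out as Pete instructs.
CFG = r'''
SNIFFER external nonzero "D:\IMail\Declude\sniffer\xx.exe xx" 13 0
SNF63 external 63 "D:\IMail\Declude\sniffer\xx.exe xx" -3 0
INV-URIBL external weight "X:\INVURIBL\INVURIBL.exe %WEIGHT% %REMOTEIP%" 0 0
#MDLP:MANUAL INV-URIBL
#MDLP:MANUAL SNF63
##MDLP:MANUAL SNIFFER
'''

if __name__ == "__main__":
    for code in (0, 52, 63):
        print(code, score_snf(CFG, code))
    print(sorted(manual_tests(CFG)))
    print(retune(CFG, {"SNIFFER": 11, "SNF63": -5, "INV-URIBL": 4}))
```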
Re: [sniffer] Sniffer, MDLP, and invURIBL?
I would actually prefer that MDLP autotune the weight for invURIBL, but since the weights are managed by invURIBL and not Declude I don't know how this will work.

-Joe

- Original Message -
From: Colbeck, Andrew
To: sniffer@SortMonster.com
Sent: Saturday, February 25, 2006 12:35 PM
Subject: RE: [sniffer] Sniffer, MDLP, and invURIBL?

Joe,

Are you using MDLP to autotune your weights in Declude? If so, you can exclude invURIBL and other tests which you don't want to change, whether because you think the weight is perfect, or because their randomness doesn't fit MDLP's idea of a weighting system.

Check out this snippet from The McNeil on this list at some point in the past:

"Use the #MDLP:MANUAL feature to lock these tests at the values you set. In your GLOBAL.CFG file create a line that lists the tests you want to adjust manually.

#MDLP:MANUAL TEST1 TEST2 TEST3

You can also use more than one line if you wish...

#MDLP:MANUAL TEST1 ...
#MDLP:MANUAL TEST2 ...
#MDLP:MANUAL TEST3 ...

The #MDLP:MANUAL directive appears to be a comment to Declude so it will be otherwise ignored. If you have an #MDLP directive you want to comment out then you can add an additional # as in:

##MDLP:...

This will cause MDLP to ignore it as well."

Andrew 8)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Joe Wolf
Sent: Saturday, February 25, 2006 9:05 AM
To: sniffer@SortMonster.com
Subject: [sniffer] Sniffer, MDLP, and invURIBL?

I'm currently running Sniffer via Declude and use MDLP. Great!

Since all the talk about invURIBL on the Imail list I thought I'd give it a try. The only problem I have is that it doesn't seem to be compatible with MDLP. invURIBL assigns its own weight to each message.

The global.cfg line is as follows:

INV-URIBL external weight "X:\INVURIBL\INVURIBL.exe %WEIGHT% %REMOTEIP%" 0 0

I'm not an expert but the %WEIGHT% must pass the weight determined by invURIBL to Declude. I don't know what the variables of the weighting system are. I'm worried that I may start getting a bunch of false positives since MDLP can't manage the weighting of invURIBL.

Would appreciate any advice from anyone that knows more about this than I do!

Thanks,
Joe
RE: [sniffer] IP Blacklist rules
Hi, Thanks. I will treat result code 63 with a combo filter so that any parallel hit with a regular RBL won't end up counting twice. That should take care of it. Best Regards Andy Schmidt Phone: +1 201 934-3414 x20 (Business) Fax:+1 201 934-9206 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil Sent: Friday, February 24, 2006 03:38 PM To: Andy Schmidt Subject: Re: [sniffer] IP Blacklist rules On Friday, February 24, 2006, 2:56:02 PM, Andy wrote: AS Hi, AS I'm realizing that some Sniffer rules amount to nothing more than IP AS blacklists. AS received:~+[nnn\.nnn\.nnn\.nnn] AS AS Are all sender IP rules properly grouped so that I can identify AS and ignore them by return code. I already use IP blacklists (and AS other means) to cross check Sniffer and add to my confidence AS value before a mail is finally blocked. AS I can't afford Sniffer to effectively double up those sender-IP tests. AS Ideally, Sniffer should perform content checking. Please review the result code explanations here: http://www.sortmonster.com/MessageSniffer/Help/ResultCodesHelp.html IP rules are coded to symbol 63. The voting system on each SNF node sees rules with lower symbol values as more fit, so the only time you will see a result code of 63 is when no other rule matches that message. You may want to reconsider ignoring this result code - there is added value. When an IP rule is in the SNF rulebase, it indicates that: * The rule is from a message that reached our spamtraps. * Additional algorithms were used to classify the IP as a spam source. * The source has been consistently and recently active and detected at our user's system. Inactive IP rules are forgotten after a short period. * There have been no false positives reported against the rule. We remove IP rules on the first FP case and place the rule in a problematic rule group so that it cannot be reinstated without a strict review. 
* No other rules in our system are currently identifying the associated message content. Though we do focus on content, it is clear that in some cases an IP is the most efficient indicator. Since most other blacklisting services focus on a broad spectrum of IPs, there is bound to be overlap between them and also with SNF IP rules. However the fact that the IP shows up in our system does carry some unique information about that IP (see above). We explicitly do not aggregate IP rules from other lists. We recognize that other IP black lists are used in spam filters along with SNF and we encourage that as well as the use of other tests. (Even though SNF encapsulates diversity in its algorithms and continues to expand this diversity, the best filtering systems will always use as many useful mechanisms as possible.) Additionally, as we move forward, IP rules in the SNF rulebase will be gathered by unique, sophisticated mechanisms such as wavefront detection and cross-feature source correlation, etc. As a result, IP rules found in the SNF rulebase will increasingly represent some unique characteristics not found in other IP lists. Hope this helps, _M
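The "combo filter" Andy describes above, as an added illustration that is not code from this thread, from Declude or from Message Sniffer: a scorer in which a Sniffer result code of 63 (the IP-rule symbol Pete names) and an IP blacklist hit on the same message count as one piece of IP evidence rather than two, while content-based hits still add up normally. Result code 63 is the only value taken from the thread; the other result codes, the test names and every weight, including the hold threshold, are assumptions made up for the example.

```python
"""Illustrative scorer: combine a Message Sniffer result code with other
tests so that an IP-rule hit (code 63) and an IP blacklist hit against the
same sender are counted once, not twice.

Added example; not part of Message Sniffer or Declude. Only the meaning of
code 63 comes from the thread; every other code, name and weight is assumed.
"""

SNF_IP_RULE_CODE = 63          # IP-rule symbol named in the thread
SNF_WEIGHTS = {                # assumed weights per result code
    0: 0,                      # clean
    60: 8,                     # assumed: content rule groups
    61: 8,
    62: 8,
    63: 6,                     # IP rule: weaker on its own
}
# Other tests the filter runs (names and weights are made up); the first
# group is IP-based and therefore overlaps with Sniffer's IP rules.
IP_BASED_TESTS = {"RBL_SPAMHAUS": 7, "RBL_SORBS_DUHL": 5, "LOCAL_IPBL": 6}
CONTENT_TESTS = {"BAYES_HIGH": 5, "NOLEGITCONTENT": 3}
HOLD_WEIGHT = 12               # assumed hold threshold


def score_message(snf_code, other_hits):
    """Return (total_weight, details) for one message.

    other_hits is an iterable of test names that fired alongside Sniffer.
    """
    snf_weight = SNF_WEIGHTS.get(snf_code)
    if snf_weight is None:
        raise ValueError("unknown Sniffer result code %r" % snf_code)

    total = 0
    details = []
    ip_evidence = []            # (name, weight) for every IP-based signal

    if snf_code == SNF_IP_RULE_CODE:
        ip_evidence.append(("SNF_63", snf_weight))
    elif snf_weight:
        total += snf_weight
        details.append(("SNF_%d" % snf_code, snf_weight))

    for name in other_hits:
        if name in IP_BASED_TESTS:
            ip_evidence.append((name, IP_BASED_TESTS[name]))
        elif name in CONTENT_TESTS:
            total += CONTENT_TESTS[name]
            details.append((name, CONTENT_TESTS[name]))
        else:
            raise ValueError("unknown test %r" % name)

    # Combo rule: however many lists agree about the sending IP, the IP
    # evidence is added once, at the weight of the strongest IP-based hit.
    if ip_evidence:
        strongest_name, strongest_weight = max(ip_evidence, key=lambda p: p[1])
        total += strongest_weight
        details.append(("IP_COMBO[%s]" % "+".join(n for n, _ in ip_evidence),
                        strongest_weight))
    return total, details


def should_hold(snf_code, other_hits):
    """True when the combined weight reaches the (assumed) hold threshold."""
    return score_message(snf_code, other_hits)[0] >= HOLD_WEIGHT


if __name__ == "__main__":
    for code, hits in ((63, []), (63, ["RBL_SPAMHAUS"]), (61, ["RBL_SPAMHAUS"])):
        print(code, hits, score_message(code, hits), should_hold(code, hits))
```

With the assumed weights a lone code-63 hit stays well below the hold weight, a code-63 hit plus a blacklist hit scores 7 rather than 13, and a content match (61) plus a blacklist hit still reaches 15, which is the behaviour Andy asks for.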
RE: [sniffer] False Positives
A program like freeware Baregrep (http://www.baremetalsoft.com/baregrep/) might be helpful to you. Do you not regularly cycle your logs and submit them? John C -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Rogers Sent: Thursday, February 23, 2006 4:49 AM To: sniffer@SortMonster.com Subject: [sniffer] False Positives So when I asked how I would send in false positives, someone mentioned that I should look up the appropriate log entry and send that in. That brings up another question. My log file is 270MB and climbing. I've never opened it cause it's too big. Do you have a reader for your log files? I think it would be nice to have a little list of things to do to send in false positives: 1. Have your users send you the false positive. Save it as an .eml file (?) 2. Look up (somehow) the entry in your log file that corresponds to that .eml file. Copy and paste that text into a new email. 3. Send an email from your primary Sortmonster email address, attaching the .eml file and any log portion as necessary. Is this correct? --- [This E-mail was scanned for viruses.]
Re: [sniffer] False Positives
On Thursday, February 23, 2006, 5:48:55 AM, Kevin wrote: KR So when I asked how I would send in false positives, someone mentioned KR that I should look up the appropriate log entry and send that in. That KR brings up another question. My log file is 270MB and climbing. I've KR never opened it cause it's too big. Do you have a reader for your log KR files? I recommend you delete your current log - or at least set it aside until you've completed work on the FPs in question. There are editors out there (I like slickedit) that will handle files that large. That said, your log file should never get that large. You should rotate it out and send it to us once a day or so. There are some scripts to handle that for you: http://www.sortmonster.com/MessageSniffer/Help/AutomatingUpdatesHelp.html Details about your log file are here: http://www.sortmonster.com/MessageSniffer/Help/LogsHelp.html KR I think it would be nice to have a little list of things to do to send KR in false positives: KR 1. Have your users send you the false positive. Save it as an .eml file (?) KR 2. Look up (somehow) the entry in your log file that corresponds to that KR .eml file. Copy and paste that text into a new email. KR 3. Send an email from your primary Sortmonster email address, attaching KR the .eml file and any log portion as necessary. KR Is this correct? Everything you want to know about false positives (most likely) is on this page - including step by step instructions: http://www.sortmonster.com/MessageSniffer/Help/FalsePositivesHelp.html _M
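Kevin's step 2, finding the log lines that belong to a saved .eml, as an added example that is not a tool shipped with Message Sniffer and not code from anyone in this thread. It relies on one thing visible in the false-positive report quoted later in this archive: the SMTP id that the local MTA wrote into its own Received header (A9CC319600AA) reappears inside the spool file name the log records (DA9CC319600AA9394.SMD). Whether that holds for another MTA is an assumption to check, as are the field names the code gives the log columns beyond what those sample lines show; LogsHelp.html is the reference.

```python
"""Locate the Message Sniffer log records for a saved .eml and format them
for a false-positive report.

Added example; not part of Message Sniffer. The column names below are
assumptions drawn from the two sample log lines quoted in this thread
(license id, timestamp, spool file, two numbers, Match/Final, rule id,
result code, remaining fields); confirm them against LogsHelp.html.
"""
import email
import re
from email import policy

# First two lines copied from the report quoted in this thread; the third
# is constructed for a different message so the lookup has a line to skip.
SAMPLE_LOG = """\
nwb655oh 20060219172434 DA9CC319600AA9394.SMD 31 360 Match 836625 61 2245 2388 71
nwb655oh 20060219172434 DA9CC319600AA9394.SMD 31 360 Final 836625 61 0 32767 71
nwb655oh 20060219172501 D0000000000012345.SMD 12 100 Final 0 0 0 0 0
"""

# Constructed .eml; its first Received header is the one from the thread.
SAMPLE_EML = """\
Received: from mailout08.sul.t-online.com [194.25.134.20] by hm-software.com with ESMTP (SMTPD32-8.15) id A9CC319600AA; Sun, 19 Feb 2006 12:24:28 -0500
Received: from fwd34.aul.t-online.de by mailout08.sul.t-online.com with smtp id 1FAsIN-00064u-06; Sun, 19 Feb 2006 18:24:27 +0100
From: sender@example.invalid
To: recipient@example.invalid
Subject: Hier das Bild zu meinem Service-request

(body omitted)
"""

FIELDS = ("license", "timestamp", "spool", "f3", "f4", "kind", "rule", "code")


def parse_log(text):
    """Split each log line on whitespace and name the leading columns."""
    records = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < len(FIELDS):
            continue                      # truncated or unrelated line
        rec = dict(zip(FIELDS, parts))
        rec["rest"] = parts[len(FIELDS):]
        rec["raw"] = raw
        records.append(rec)
    return records


def local_smtp_id(eml_text, local_host):
    """Return the id our own MTA assigned, read from the Received header
    it added (the first one that says 'by <local_host>')."""
    msg = email.message_from_string(eml_text, policy=policy.default)
    for received in msg.get_all("Received", []):
        if ("by " + local_host).lower() in received.lower():
            m = re.search(r"\bid\s+([0-9A-Za-z]+)", received)
            if m:
                return m.group(1)
    return None


def find_entries(records, smtp_id):
    """Records whose spool file name embeds the MTA's id (assumed link)."""
    return [r for r in records if smtp_id.lower() in r["spool"].lower()]


def fp_report(records):
    """Format the matches the way the report in this thread lists them."""
    return "\n".join(["Log Entries:"] + [r["raw"] for r in records])


if __name__ == "__main__":
    smtp_id = local_smtp_id(SAMPLE_EML, "hm-software.com")
    print(fp_report(find_entries(parse_log(SAMPLE_LOG), smtp_id)))
```

Run against a rotated daily log rather than a 270 MB one, as Pete advises; the parser keeps only the columns it can name and carries the rest along untouched, so a log whose layout differs from the sample still parses, and the raw line is what goes into the report.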
RE: [sniffer] When to go persistent
Goran, I'd be interested in Pete's technical answer, too. The practical answer is that you should always go with the persistent instance of Message Sniffer. From reading Pete's previous screeds and monitoring the list here in the last year and from having my own troubles, it's pretty clear to me that only marginal cases suffer with the persistent mode (and I was one of them). Pete's answer on volumes won't answer what are the marginal cases, it just doesn't fit your question. For me, it was simple lack of hardware, but I was *right* on the edge. Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic Sent: Thursday, February 23, 2006 8:30 AM To: sniffer@SortMonster.com Subject: [sniffer] When to go persistent Hi, Is there any good rule of thumb, in terms of messages processed per minute/hour/day when you should move to a persistent instance of Sniffer? Thank you Goran Jovanovic Omega Network Solutions
Re: [sniffer] When to go persistent
On Thursday, February 23, 2006, 11:30:02 AM, Goran wrote: GJ Hi, GJ Is there any good rule of thumb, in terms of messages processed per GJ minute/hour/day when you should move to a persistent instance of GJ Sniffer? I would suggest using the persistent mode unless you have a reason not to. (In very rare cases it may not perform as well as peer-server mode.) _M
RE: [sniffer] When to go persistent
Andrew, So when you went to persistent it lowered the stress on your already stressed hardware? And I see that Pete has responded as I write this with: Use it Well I will set it up and see how my system reacts. Goran Jovanovic Omega Network Solutions -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Thursday, February 23, 2006 11:39 AM To: sniffer@SortMonster.com Subject: RE: [sniffer] When to go persistent Goran, I'd be interested in Pete's technical answer, too. The practical answer is that you should always go with the persistent instance of Message Sniffer. From reading Pete's previous screeds and monitoring the list here in the last year and from having my own troubles, it's pretty clear to me that only marginal cases suffer with the persistent mode (and I was one of them). Pete's answer on volumes won't answer what are the marginal cases, it just doesn't fit your question. For me, it was simple lack of hardware, but I was *right* on the edge. Andrew 8)
Re: [sniffer] When to go persistent
I'm investigating the persistent mode and read the info on the web site. Can't make heads or tails of it. How do I enable persistent mode on a Windows 2003 Server? The web site speaks hypothetically, but the information is not practical. From the message at http://www.mail-archive.com/sniffer@sortmonster.com/msg00165.html it would seem that you need an external utility to run Sniffer in persistent mode, but the link to http://www.judoscript.com/goodies/RunExeSvc/runexesvc.html is no longer valid. What exact steps are needed to run in persistent mode on Windows 2003 Server? Thanks, Joe - Original Message - From: Pete McNeil [EMAIL PROTECTED] To: Goran Jovanovic sniffer@SortMonster.com Sent: Thursday, February 23, 2006 10:44 AM Subject: Re: [sniffer] When to go persistent On Thursday, February 23, 2006, 11:30:02 AM, Goran wrote: GJ Hi, GJ Is there any good rule of thumb, in terms of messages processed per GJ minute/hour/day when you should move to a persistent instance of GJ Sniffer? I would suggest using the persistent mode unless you have a reason not to. (In very rare cases it may not perform as well as peer-server mode.) _M
Re: [sniffer] What is this file
On Thursday, February 23, 2006, 1:07:07 PM, Goran wrote: GJ Pete, GJ I have seen a couple of times that the file GJ C:\External\Sniffer\my license-20060221071316x386D4931-2352.SVR GJ Is open and cannot be backed up. GJ What is this file? I assume that I do not need to be worried since the GJ file disappears. When in peer-server mode, if an instance comes to life and finds it is the only instance around it will set itself up as a server just in case another instance comes along and needs help. When an instance of SNF is acting as a server it will announce that by creating a .SVR file in the working directory. In peer-server mode, a server-peer will handle a few jobs, then its own, and then it will go away so it can return its result. While it is active it will leave its .SVR file out to advertise to the peer-clients that it is available to process messages. In persistent mode, the server-peer never has a message of its own to process and so it never goes away (almost). As a result, all peer-clients always hand off their messages to the persistent peer-server. Since the persistent peer-server never goes away the .SVR file will also not go away. These files are all generally transient. (.QUE, .FIN, .ABT, .XXX, etc...) This causes some trouble with backup software. It's usually best to skip backing up the sniffer working directory except for the .exe, .snf, and any script files you have. It is usually best to keep a current / recent copy of those files in a separate directory that can be backed up and to otherwise treat the SNF working directory as you would a temp directory. (skip it) Hope this helps, _M
RE: [sniffer] What is this file
Thank you that is great. Goran Jovanovic Omega Network Solutions -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil Sent: Thursday, February 23, 2006 3:08 PM To: Goran Jovanovic Subject: Re: [sniffer] What is this file
Re: [sniffer] False Positive - no reaction?
On average it takes 2 or three days to hear back on false positives. Darin. - Original Message - From: Andy Schmidt [EMAIL PROTECTED] To: sniffer@SortMonster.com Sent: Tuesday, February 21, 2006 9:40 AM Subject: [sniffer] False Positive - no reaction? Hi, I filed this false positive report a day ago and never heard back. Just trying to see if my emails are blocked again. Phone: +1 201 934-3414 x20 (Business) Fax:+1 201 934-9206 -Original Message- From: Andy Schmidt [mailto:[EMAIL PROTECTED] Sent: Monday, February 20, 2006 10:41 AM To: '[EMAIL PROTECTED]' Subject: License ID nwb655oh This message was a GIF image from one individual to another. Log Entries: nwb655oh 20060219172434 DA9CC319600AA9394.SMD 31 360 Match 836625 61 2245 2388 71 nwb655oh 20060219172434 DA9CC319600AA9394.SMD 31 360 Final 836625 61 0 32767 71 Original Message: Received: from mailout08.sul.t-online.com [194.25.134.20] by hm-software.com with ESMTP (SMTPD32-8.15) id A9CC319600AA; Sun, 19 Feb 2006 12:24:28 -0500 Received: from fwd34.aul.t-online.de by mailout08.sul.t-online.com with smtp id 1FAsIN-00064u-06; Sun, 19 Feb 2006 18:24:27 +0100 Received: from athome ([EMAIL PROTECTED] ]) by fwd34.sul.t-online.de with smtp id 1FAsIB-0X4oka0; Sun, 19 Feb 2006 18:24:15 +0100 Message-ID: [EMAIL PROTECTED] From: Bjoern Schmidt [EMAIL PROTECTED] To: Jochen Schug [EMAIL PROTECTED], Harald Mergard [EMAIL PROTECTED] Subject: Hier das Bild zu meinem Service-request Date: Sun, 19 Feb 2006 18:24:15 +0100 MIME-Version: 1.0 Content-Type: multipart/mixed; boundary==_NextPart_000_0005_01C63581.B0813970 X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2900.2180 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180 X-ID: GWI0CrZ-Ye-ErQseZpWkpcMBFfC4ce2pefaSy9EIpXJHQ-BFOxDqQt X-TOI-MSGID: bdd1884c-5835-410b-822a-2343e2bb5047 This is a multi-part message in MIME format. 
--=_NextPart_000_0005_01C63581.B0813970 Content-Type: multipart/alternative; boundary==_NextPart_001_0006_01C63581.B0813970 --=_NextPart_001_0006_01C63581.B0813970 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable Ciao Bjoern Schmidt [EMAIL PROTECTED] www.barchetta.cc =20 Barchetta - The Classic and Sports Car Channel Updated News as It = Happens. --=_NextPart_001_0006_01C63581.B0813970 Content-Type: text/html; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable [HTML alternative of the same text omitted] --=_NextPart_001_0006_01C63581.B0813970-- --=_NextPart_000_0005_01C63581.B0813970 Content-Type: image/gif; name=Neues Projekt erstellen.gif Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename=Neues Projekt erstellen.gif [base64-encoded GIF attachment data omitted]
Re: [sniffer] False Positive - no reaction?
I'm a little behind. I'm going to do false positives in the next 10 minutes. I only have 20 to do, it should go fast. Sorry for the delay. Thanks, _M On Tuesday, February 21, 2006, 9:40:07 AM, Andy wrote: AS Hi, AS I filed this false positive report a day ago and never heard back. AS Just trying to see if my emails are blocked again.
RE: [sniffer] False Positive - no reaction?
Sorry - didn't mean to be pushy. I just thought that false positives are worse than missed spam, so I had assumed that they would always be at the top of the queue. I can wait. (PS - it would have calmed my nerves if there had been some automatic ticket number response that reassured me that my email was received. The web site makes it sound as if there's a million reasons why a false positive might not be accepted - so an automatic confirmation might be a good self-service tool.) Best Regards Andy Schmidt Phone: +1 201 934-3414 x20 (Business) Fax: +1 201 934-9206 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil Sent: Tuesday, February 21, 2006 09:55 AM To: Andy Schmidt Subject: Re: [sniffer] False Positive - no reaction? I'm a little behind. I'm going to do false positives in the next 10 minutes. I only have 20 to do, it should go fast. Sorry for the delay. Thanks, _M On Tuesday, February 21, 2006, 9:40:07 AM, Andy wrote: AS Hi, AS I filed this false positive report a day ago and never heard back. AS Just trying to see if my emails are blocked again.
Re: [sniffer] [Fwd: Diann Helms]
On Wednesday, February 15, 2006, 8:53:27 AM, Heimir wrote: HE Anyway to stop this spam. HE We are getting hundreds of them. HE I have personally gotten 23. It's a challenging one... there is almost no data, and the geocities link is constantly different. I've written another abstract to cover this structure. I'll continue to do that as new structures arise, provided I can do so without creating false positives. If you wish, it is possible to create a local black rule for any geocities link. On many ISP systems this would cause false positives, but on more private systems it may be a reasonable solution. If you want such a black rule added to your rulebase please send a request off-list to [EMAIL PROTECTED] Thanks, _M
RE: [sniffer] [Fwd: Diann Helms]
Heimir, It's not a Sniffer-related answer but I personally use a combination of a text filter file (looking for known geocities links) and the IP blacklist SORBS-DUHL (which contains dial-up IP ranges). As all my customers are connecting with SMTP-Auth or from known IP ranges I can whitelist them. So the combination of these two filters can catch most of this stuff, as legit messages containing a geocities link shouldn't come from dial-up IPs to my server. Markus -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Heimir Eidskrem Sent: Wednesday, February 15, 2006 2:53 PM To: sniffer@sortmonster.com Subject: [sniffer] [Fwd: Diann Helms] Anyway to stop this spam. We are getting hundreds of them. I have personally gotten 23. From - Wed Feb 15 07:51:25 2006 X-Account-Key: account3 X-UIDL: 384485764 X-Mozilla-Status: 0001 X-Mozilla-Status2: Received: from DM [206.53.51.56] by deepspace.i360.net (SMTPD-8.22) id A08B07E0; Wed, 15 Feb 2006 06:37:31 -0600 Received: from gmail.com (8.8.8/8.8.8) id XAA47062; Wed, 15 Feb 2006 06:37:38 -0600 Message-Id: [EMAIL PROTECTED] From: Shane Redmond [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Diann Helms X-Mailer: Opera7.20/Win32 M2 build 2981 Date: Wed, 15 Feb 2006 06:37:38 -0600 X-RBL-Warning: NOLEGITCONTENT: No content unique to legitimate E-mail detected. X-RBL-Warning: IPNOTINMX: X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA 206.53.51.56 with no reverse DNS entry. X-RBL-Warning: CMDSPACE: Space found in RCPT TO: command. X-RBL-Warning: COUNTRYFILTER: Message failed COUNTRYFILTER test (line 36, weight 0) X-Declude-Sender: [EMAIL PROTECTED] [206.53.51.56] X-Declude-Spoolname: D208b017db78a.smd X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam. X-Spam-Tests-Failed: NOLEGITCONTENT, IPNOTINMX, REVDNS, CMDSPACE, COUNTRYFILTER, CATCHALLMAILS [70] X-Country-Chain: CANADA-destination X-Note: This E-mail was sent from [No Reverse DNS] ([206.53.51.56]).
X-RCPT-TO: [EMAIL PROTECTED] Status: U X-UIDL: 384485764 X-IMail-ThreadID: 208b017db78a Braxton, http://uk.geocities.com/proboycott45571 Shane Redmond
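Markus's two-signal filter, as an added example that is not Declude, Sniffer or anyone's posted configuration: a message is held only when it carries a geocities link and was handed to the local MTA by a host on a dial-up range, and hosts on the site's own whitelisted networks are never treated as dial-up. SORBS DUHL is a DNS blacklist queried over DNS; this example does no network lookups. It shows how the query name for an address would be formed (the zone name is assumed; check the SORBS documentation) and then consults a constructed local table of dial-up ranges so that it runs offline. The sample message reuses the headers and body of the forwarded spam above, with the addresses replaced.

```python
"""Geocities-link plus dial-up-source filter, offline version.

Added example, not part of Declude or Message Sniffer. The dial-up and
whitelist tables are constructed; in production the dial-up answer would
come from a DNSBL query such as the name dnsbl_query_name() builds.
"""
import email
import ipaddress
import re
from email import policy

GEOCITIES_RE = re.compile(r"https?://[\w.-]*geocities\.com/\S+", re.IGNORECASE)
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed stand-in for DUHL answers: the /24 around the forwarded
# spam's sender is listed only so that the sample message trips the filter.
DIALUP_RANGES = [ipaddress.ip_network(n) for n in ("206.53.51.0/24", "10.99.0.0/16")]
# Constructed: our own customers' networks (SMTP-Auth users would be
# recognised the same way, by whatever the MTA records for them).
WHITELIST_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24",)]

SAMPLE_SPAM = """\
Received: from DM [206.53.51.56] by deepspace.i360.net (SMTPD-8.22) id A08B07E0; Wed, 15 Feb 2006 06:37:31 -0600
Received: from gmail.com (8.8.8/8.8.8) id XAA47062; Wed, 15 Feb 2006 06:37:38 -0600
From: Shane Redmond <sender@example.invalid>
To: braxton@example.invalid
Subject: Diann Helms

Braxton,
http://uk.geocities.com/proboycott45571
Shane Redmond
"""


def dnsbl_query_name(ip, zone="dul.dnsbl.sorbs.net"):
    """Reverse the octets and append the list's zone, as DNSBL clients do."""
    octets = ipaddress.ip_address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def connecting_ip(msg, local_host):
    """Address in the Received header our own MTA added (first 'by local_host');
    headers further down were written by other hosts and can be forged."""
    for received in msg.get_all("Received", []):
        if ("by " + local_host).lower() in received.lower():
            m = RECEIVED_IP_RE.search(received)
            if m:
                return ipaddress.ip_address(m.group(1))
    return None


def in_ranges(ip, ranges):
    return any(ip in net for net in ranges)


def body_text(msg):
    """Concatenate the text/plain parts (single-part messages walk as one)."""
    return "\n".join(part.get_content() for part in msg.walk()
                     if part.get_content_type() == "text/plain")


def classify(eml_text, local_host):
    """Return the signals found and whether both fired (hold decision)."""
    msg = email.message_from_string(eml_text, policy=policy.default)
    ip = connecting_ip(msg, local_host)
    links = GEOCITIES_RE.findall(body_text(msg))
    reasons = []
    if links:
        reasons.append("GEOCITIES_LINK")
    if (ip is not None and not in_ranges(ip, WHITELIST_RANGES)
            and in_ranges(ip, DIALUP_RANGES)):
        reasons.append("DIALUP_SOURCE")
    return {"ip": str(ip) if ip is not None else None, "links": links,
            "reasons": reasons, "hold": len(reasons) == 2}


if __name__ == "__main__":
    print(classify(SAMPLE_SPAM, "deepspace.i360.net"))
    print(dnsbl_query_name("206.53.51.56"))
```

The point of reading only the Received header the local MTA wrote is that the earlier "Received: from gmail.com" line in the forwarded spam was supplied by the sender and proves nothing; the whitelist check runs before the dial-up check so a customer on a listed range still gets through, which is what keeps this combination from producing the false positives a bare geocities rule would on an ISP system.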
Re: [sniffer] [Fwd: Diann Helms]
Hi Pete, [] If you wish, it is possible to create a local black rule for any geocities link. On many ISP systems this would cause false positives, but on more private systems it may be a reasonable solution. I think I could use such a black rule without getting too many FPs, but in which categories would that rule then go? I score the several Sniffer results differently in my Declude setup. A hit on just Sniffer 60, 61 or 63 would put it several points below my hold weight. An extra hit would be needed to get it held. If you want such a black rule added to your rulebase please send a request off-list to [EMAIL PROTECTED] As the above information might be of interest to others I'll ask here first. Groetjes, Bonno Bloksma --- [E-mail scanned at tio.nl for viruses by Declude Virus]
Re: [sniffer] [Fwd: Diann Helms]
Would you share your filters? I assume Declude filters.

Cordially,

Heimir Eidskrem
i360, Inc.
2825 Wilcrest, Suite 675
Houston, TX 77042
Ph: 713-981-4900
Fax: 832-242-6632
[EMAIL PROTECTED]
www.i360.net
www.i360hosting.com
www.realister.com
Houston's Leading Internet Consulting Company

Markus Gufler wrote:
> Heimir,
>
> It's not a Sniffer-related answer, but I personally use a combination of a text filter file (looking for known geocities links) and the IP blacklist SORBS-DUHL (which contains dialup IP ranges). As all my customers are connecting with SMTP-Auth or from known IP ranges I can whitelist them. So the combination of these two filters can catch most of this stuff, as legit messages containing a geocities link shouldn't come from dial-up IPs to my server.
>
> Markus
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Heimir Eidskrem
> Sent: Wednesday, February 15, 2006 2:53 PM
> To: sniffer@sortmonster.com
> Subject: [sniffer] [Fwd: Diann Helms]
>
> [...]
RE: [sniffer] [Fwd: Diann Helms]
> Would you share your filters? I assume Declude filters.

Yes. Attached is the original message from Scott Fisher regarding the geocities filter file. (I call it GEOCITIESLINKS.) I've replaced each weight (100 and 75 points) with 0, so this test will add no weight to the final result.

In addition you have to set up SORBS-DUHL as a standard IP4R test. Then you need an additional text filter file (I call it COMBO-DUHL-GEOCITIES):

~~
TESTFAILED	END	NOTCONTAINS	GEOCITIESLINKS
TESTFAILED	80	CONTAINS	SORBS-DUHL
~~

The first line will stop the combo filter if there were no geocities links in the message body. The second line will add 80 points if the message comes in from a DUHL IP.

Markus

---BeginMessage---

Here's my geocities filter. It's a little more specific so I can weight foreign geocities more than US geocities.

STOPATFIRSTHIT
BODY	100	CONTAINS	ar.geocities.com
BODY	100	CONTAINS	geocities.com.ar
BODY	100	CONTAINS	ar.geocities.yahoo.com
BODY	100	CONTAINS	geocities.yahoo.com.ar
BODY	100	CONTAINS	asia.geocities.com
BODY	100	CONTAINS	asia.geocities.yahoo.com
BODY	100	CONTAINS	au.geocities.com
BODY	100	CONTAINS	geocities.com.au
BODY	100	CONTAINS	au.geocities.yahoo.com
BODY	100	CONTAINS	geocities.yahoo.com.au
BODY	100	CONTAINS	br.geocities.com
BODY	100	CONTAINS	geocities.com.br
BODY	100	CONTAINS	br.geocities.yahoo.com
BODY	100	CONTAINS	geocities.yahoo.com.br
BODY	100	CONTAINS	ca.geocities.com
BODY	100	CONTAINS	geocities.ca
BODY	100	CONTAINS	ca.geocities.yahoo.com
BODY	100	CONTAINS	geocities.yahoo.ca
BODY	100	CONTAINS	cf.geocities.com
BODY	100	CONTAINS	cf.geocities.yahoo.com
BODY	100	CONTAINS	cn.geocities.com
BODY	100	CONTAINS	geocities.cn
BODY	100	CONTAINS	cn.geocities.yahoo.com
BODY	100	CONTAINS	geocities.yahoo.cn
BODY	100	CONTAINS	de.geocities.com
BODY	100	CONTAINS	geocities.de
BODY	100	CONTAINS	de.geocities.yahoo.com
BODY	100	CONTAINS	geocities.yahoo.de
BODY	100	CONTAINS	es.geocities.com
BODY	100	CONTAINS	geocities.es
BODY	100	CONTAINS	es.geocities.yahoo.com
BODY	100	CONTAINS	geocities.yahoo.es
BODY	100	CONTAINS	espanol.geocities.com
BODY	100	CONTAINS	espanol.geocities.yahoo.com
BODY	100	CONTAINS	hk.geocities.com
BODY	100	CONTAINS	geocities.com.hk
BODY	100	CONTAINS	geocities.hk
BODY	100	CONTAINS	hk.geocities.yahoo.com
BODY	100	CONTAINS	geocities.yahoo.com.hk
BODY	100	CONTAINS	geocities.yahoo.hk
BODY	100	CONTAINS	in.geocities.com
BODY	100	CONTAINS	geocities.co.in
BODY	100	CONTAINS	in.geocities.yahoo.com
BODY	100	CONTAINS	geocities.yahoo.co.in
BODY	100	CONTAINS	it.geocities.com
BODY	100	CONTAINS	geocities.it
BODY	100	CONTAINS	it.geocities.yahoo.com
BODY	100	CONTAINS	geocities.yahoo.it
BODY	100	CONTAINS	kr.geocities.com
BODY	100	CONTAINS	geocities.co.kr
BODY	100	CONTAINS	kr.geocities.yahoo.com
BODY	100	CONTAINS	geocities.yahoo.co.kr
BODY	100	CONTAINS	mx.geocities.com
BODY	100	CONTAINS	geocities.com.mx
BODY	100	CONTAINS	mx.geocities.yahoo.com
BODY	100	CONTAINS	geocities.yahoo.com.mx
BODY	100	CONTAINS	sg.geocities.com
BODY	100	CONTAINS	geocities.com.sg
BODY	100	CONTAINS	sg.geocities.yahoo.com
BODY	100	CONTAINS	geocities.yahoo.com.sg
BODY	100	CONTAINS	uk.geocities.com
BODY	100	CONTAINS	geocities.co.uk
BODY	100	CONTAINS	uk.geocities.yahoo.com
BODY	100	CONTAINS	geocities.yahoo.co.uk
BODY	75	CONTAINS	geocities.com
BODY	75	CONTAINS	geocities.yahoo.com

- Original Message -
From: Dave Doherty
To: Declude.JunkMail@declude.com
Sent: Thursday, February 02, 2006 9:09 AM
Subject: Re: [Declude.JunkMail] Stock Spam

If you're referring to the geocities stuff that's been out the last couple of days, I just use a body filter.

BODY	3	CONTAINS	au.geocities.com

Sniffer, which I weight at 7, picks it up OK, and the added weight of 3 is enough to get to my hold weight of 10.

-Dave Doherty
Skywaves, Inc.

- Original Message -
From: Michael Jaworski
To: Declude.JunkMail@declude.com
Sent: Thursday, February 02, 2006 9:32 AM
Subject: [Declude.JunkMail] Stock Spam

Anyone have a good filter strategy on the increasing amount of stock spam???

Thanks,
Mike

---End Message---
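The point of Markus's two-file setup is that neither condition alone adds weight: a geocities link from a customer on a static IP scores 0, and a dial-up sender without such a link also scores 0, so only the combination reaches the 80 points. The following added example (my own code, not Markus's, Scott Fisher's or Declude's; Declude's real filter parser is not shown on this list) models enough of the filter-file semantics seen in the thread to run that logic end to end. The field layout (whitespace-separated `<where> <weight|END> <op> <pattern>`), STOPATFIRSTHIT, END as a stop marker, and the list of already-failed test names are all assumptions based on the quoted filter lines; the geocities list is abbreviated from Scott's, with the weights zeroed as Markus did.

```python
"""
Toy evaluator for Declude-style text filter files, added here to show why
the GEOCITIESLINKS + SORBS-DUHL combination only adds weight when both
conditions hold. Not Declude's code: field layout, STOPATFIRSTHIT and END
are modelled on the filter lines quoted in this thread, and the list of
"failed test names" stands in for the tests Declude has already run.
"""


def parse_filter(text):
    """Return (stop_at_first_hit, rules); each rule is (where, weight, op, pattern)."""
    stop_at_first_hit = False
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "~~":
            continue                      # blank, comment, or the ~~ delimiter used in the post
        if line.upper() == "STOPATFIRSTHIT":
            stop_at_first_hit = True
            continue
        fields = line.split(None, 3)      # any run of whitespace separates the four fields
        if len(fields) != 4:
            raise ValueError(f"malformed filter line: {raw!r}")
        where, weight, op, pattern = fields
        rules.append((where.upper(), weight.upper(), op.upper(), pattern))
    return stop_at_first_hit, rules


def run_filter(filter_text, body, failed_tests):
    """Evaluate one filter file against a message body and the names of tests
    that already failed. Returns (hit, weight): hit is True when any line
    matched (a weight-0 hit still counts as the filter 'failing', which is
    what lets the combo file test for it); weight is the points added."""
    stop_at_first_hit, rules = parse_filter(filter_text)
    failed = {t.upper() for t in failed_tests}
    body_lc = body.lower()
    hit, weight = False, 0
    for where, points, op, pattern in rules:
        if where == "BODY":
            matched = pattern.lower() in body_lc
        elif where == "TESTFAILED":
            matched = pattern.upper() in failed
        else:
            raise ValueError(f"unsupported field: {where}")
        if op == "NOTCONTAINS":
            matched = not matched
        elif op != "CONTAINS":
            raise ValueError(f"unsupported operator: {op}")
        if not matched:
            continue
        if points == "END":               # stop evaluating this file; END adds no weight
            break
        hit = True
        weight += int(points)
        if stop_at_first_hit:
            break
    return hit, weight


# Abbreviated from Scott Fisher's list, with the weights set to 0 as Markus did.
GEOCITIESLINKS = """
STOPATFIRSTHIT
BODY\t0\tCONTAINS\tuk.geocities.com
BODY\t0\tCONTAINS\tgeocities.co.uk
BODY\t0\tCONTAINS\tau.geocities.com
BODY\t0\tCONTAINS\tgeocities.com
BODY\t0\tCONTAINS\tgeocities.yahoo.com
"""

# The combo file as posted: bail out unless GEOCITIESLINKS failed,
# then add 80 points if the sending IP was listed by SORBS-DUHL.
COMBO_DUHL_GEOCITIES = """
~~
TESTFAILED\tEND\tNOTCONTAINS\tGEOCITIESLINKS
TESTFAILED\t80\tCONTAINS\tSORBS-DUHL
~~
"""


def score_message(body, failed_ip_tests):
    """Chain the two files the way the post describes: the combo file can only
    see GEOCITIESLINKS as failed if the first file hit. Returns the total
    weight the pair contributes (0 or 80 with the files above)."""
    failed = {t.upper() for t in failed_ip_tests}
    geo_hit, geo_weight = run_filter(GEOCITIESLINKS, body, failed)
    if geo_hit:
        failed.add("GEOCITIESLINKS")
    _, combo_weight = run_filter(COMBO_DUHL_GEOCITIES, body, failed)
    return geo_weight + combo_weight


if __name__ == "__main__":
    link = "Braxton, http://uk.geocities.com/proboycott45571"   # body of the sample spam above
    print("geocities link, static IP:", score_message(link, ["REVDNS"]))                # 0
    print("geocities link, DUHL IP:  ", score_message(link, ["REVDNS", "SORBS-DUHL"]))  # 80
    print("no link, DUHL IP:         ", score_message("see you at lunch", ["SORBS-DUHL"]))  # 0
```

The three calls at the bottom are the three cases Markus describes: only the link plus a dial-up source crosses into the 80 points, which is what keeps customers who legitimately mail geocities links from being held.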
Re: [sniffer] False Positive
Answered off-list

_M

On Tuesday, February 14, 2006, 2:07:48 PM, Steve wrote:

SG> Hello,
SG> Could you please tell me what would cause an email to fail rule # 831417
SG> This was a good email flagged this morning and deleted.
SG> Regards,
SG> Steve Guluk
SG> SGDesign
SG> (949) 661-9333
SG> ICQ: 7230769
RE: [sniffer] False Positives
Search your sniffer logs and include the log lines for that particular message.

-Jay

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Rogers
Sent: Wednesday, February 15, 2006 3:55 PM
To: sniffer@SortMonster.com
Subject: [sniffer] False Positives

My users have been getting a lot of FPs by Sniffer lately. They send me the email with the FULL HEADERS displayed and I forward this email on to SortMonster. The program they use to analyze incoming submissions checks MY email headers, determines that SNIFFER was not at fault and sends me back an email saying it didn't find any flags. How the heck am I supposed to submit FPs from my users to SNIFFER?!! I also save my user's email and attach it to my submissions to sortmonster, but these too are not flagged. Very frustrating, esp. since SNIFFER FPs are particularly dangerous since I give it so much weight.

---
[This E-mail was scanned for viruses.]
Re: [sniffer] False Positives
On Wednesday, February 15, 2006, 3:54:50 PM, Kevin wrote:

KR> My users have been getting a lot of FPs by Sniffer lately. They send me
KR> the email with the FULL HEADERS displayed and I forward this email on to
KR> SortMonster. The program they use to analyze incoming submissions checks
KR> MY email headers, determines that SNIFFER was not at fault and sends me
KR> back an email saying it didn't find any flags.

Just to clarify a bit, here is the standard response you're probably talking about:

[FPR:0] The message did not match any active black rules as submitted. The rules may have been modified or removed. If you provide matching log entries from your system then we can research this further.

Note that sometimes our false processing system may not identify the rules that matched this message on your system due to changes in the submitted content that might occur during the forwarding process.

Please also be sure you are running the latest version, that your rulebase file is up to date, and that you do not have any unresolved errors in your Sniffer log file. Bug fixes in newer versions may resolve false positive issues or reduce the risk of false positives through enhanced features and new technologies. Certain errors in your log file may indicate a corrupted rulebase.

---

The software we use to scan false positive submissions is a version of SNF that includes every rule we have in our system. If the message does not match any of these rules, MOST of the time it means that the rule has been removed already.

If that is not the case, then the next step is to provide matching log entries. On some systems this is not necessary because the headers may already contain SNF x-header data that shows the rules involved.

This process is not intended to make things difficult, but to save time. The majority of the time, our local scanner will identify the rule or rules in question and we will respond accordingly. When that is not the case we simply need more data to move forward with the investigation.

Usually, when a rule is still in the system and it does not match a false positive submission it is because the original message was altered during the forwarding process, or some condition of being attached has prevented the scanner on this end from reproducing the result you had on your system.

Hope this helps,

_M
RE: [sniffer] False Positives
Pete,

Is there any way to get an automatic response similar to the one listed below for the FP address, but for submissions to your spam@ address? It would be nice to get some feedback when submitting spam.

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe Information Systems
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Wednesday, February 15, 2006 1:28 PM
To: Kevin Rogers
Subject: Re: [sniffer] False Positives

[...]
Re: [sniffer] False Positives
I second the motion. We have been submitting spam for over a year and I don't know if a single one was received. Thank you Jim, for the suggestion.

Michael Stein
Computer House
www.computerhouse.com

- Original Message -
From: Jim Matuska Jr. [EMAIL PROTECTED]
To: sniffer@SortMonster.com
Sent: Wednesday, February 15, 2006 4:40 PM
Subject: RE: [sniffer] False Positives

> Pete,
>
> Is there any way to get an automatic response similar to the one listed below for the FP address, but for submissions to your spam@ address? It would be nice to get some feedback when submitting spam.
>
> Jim Matuska Jr.
> Computer Tech2, CCNA
> Nez Perce Tribe Information Systems
> [EMAIL PROTECTED]
>
> [...]
Re: [sniffer] Max Evals Error
On Monday, February 13, 2006, 3:18:00 PM, David wrote:

DS> Anyone ever seen this in a log file of a valid license?
DS>
DS> 20060213200957 De7928e8800a61b18.smd 328 266 ERROR_MAX_EVALS 72 0 0 18885 1024
DS>
DS> This line has shown up 3 times today in a log file that processes
DS> about 10,000 msgs per hour. After this log line, processing goes on as
DS> normal.

That's pretty unusual. The number of evaluators (creatures decoding the message) is limited to about 1000. It is theoretically possible for too many evaluators to be spawned, but highly unlikely. Most of the time, fewer than 100 are generated.

It's ok for this to happen, but it is noteworthy. I will look for any rules that make this more likely than usual.

Thanks,

_M
RE: [sniffer] problems!!!!
Harry,

(Please don't post your entire license code to a public list.)

Regarding the reliability of Sniffer, we should know that errors sometimes can happen, even on the Sniffer side, after they've worked very reliably for years now. I don't expect that such errors will happen more often now.

What you can do is try to configure your Declude spam filter in order to hold only if multiple, or at least more than one, tests failed. For doing this the first step is to set the maximum weight of each test (at least slightly) below your hold weight. I've configured different weights for different Sniffer exit codes depending on how reliable they seem to me, but as a maximum weight for Sniffer I've set 95% of the mark-subject-line weight and around 63% of the hold weight.

So the problematic Sniffer rule from yesterday was not a real problem on our server. There were some single messages which had a final weight above the hold weight because we use combinations of the most reliable tests. From several thousand processed messages only around 20 messages had a false-positive combination caused by Sniffer rule 82893 and another spam test.

Thanks to Andrew and Goran for their info and scripts. Saved a lot of time here.

Pete: Any info if, and if yes when, you can adapt MDLP for the Declude v3 logfile? I really miss this data. Once accustomed to the hourly results of MDLP I sometimes feel now like a blind chicken :-)

Markus

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harry Vanderzand
Sent: Wednesday, February 08, 2006 4:02 PM
To: sniffer@SortMonster.com
Subject: [sniffer] problems

With the recent issues at Sniffer it has caused tremendous problems with the entire client base here. Sniffer has been so reliable for so long and all of a sudden recently I cannot rely on it any more. What is going on with Sniffer? Will these issues get resolved or is it going to be more unstable than what we have come to rely on?

I need my spam trap software to work without spending hours every day and without getting a large group of my customers questioning the reliability of what I am doing. Hope there will be some indication of improvement.

The following is my sniffer code:

SNIFFER	external	nonzero	"D:\IMail\Declude\sniffer\sniffer.exex"	10	0

Should I be doing something different? This has worked very well for a year now.

Harry Vanderzand
inTown Internet Computer Services
519-741-1222

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Tuesday, February 07, 2006 9:42 PM
To: sniffer@SortMonster.com
Subject: RE: Re[4]: [sniffer] Bad Rule - 828931

Goran, this is pretty much what I did to get to re-queuing:

gawk "$0 ~ /Final\t828931/ {print substr($3,2,16)}" gxamq2kt.log.20060207* > msgids.txt

The file msgids.txt will now contain just the GUID part of the D[guid].SMD from column 3 in the tab delimited Message Sniffer log files.

I then used a batch file I had previously created called qm.cmd (for queue and move). Note that the folders I specify are for Declude 1.x, which has an overflow folder. I use the overflow folder so that Declude will re-analyze the message:

Rem this is the qm.cmd file listing
move d:\imail\spool\spam\d%1.smd u:\imail\spool\ > nul
move d:\imail\spool\spam\q%1.smd u:\imail\spool\overflow\ > nul

I then issued from the command line:

for /F %i in (msgids.txt) do @qm.cmd %i

That takes care of re-queuing all the held messages. I am using a move instead of a copy because I want Declude to be able to move a message it deems spam to the spam folder. If I used a copy, it would fail to do the move because the file is already in the spam folder, and Declude would then pass control back to IMail, which would then deliver the spam inbound.

After my queue went back to normal, I then set to work on my dec0207.log file to determine if the entirety of the message was spam or ham based on whether it was held or not (which is the simple scenario I have).

I hope that helps,

Andrew 8)

p.s. Another re-posting in HTML so as to preserve the line breaks. Sorry for the duplication, folks.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Goran Jovanovic
Sent: Tuesday, February 07, 2006 5:39 PM
To: sniffer@SortMonster.com
Subject: RE: Re[4]: [sniffer] Bad Rule - 828931

I just ran the grep command on my log and I got 850 hits. Now is there a way to take the output of the grep command and use it to pull out the total weight of the corresponding message from the Declude log file, or maybe the subject?

Goran Jovanovic
Omega Network Solutions

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David
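Andrew's gawk one-liner, his qm.cmd re-queue batch file, Goran's follow-up question about pulling the Declude weight and subject for each affected message, and Jay's earlier advice to include the Sniffer log lines for a false positive all come down to the same task: pick the message GUIDs out of the Sniffer log and use them to drive a cleanup or a report. The following is an added example of that task in one place; it is my code, not Andrew's, Goran's or David's script, and not part of Message Sniffer or Declude. All log lines in it are constructed. The Sniffer line layout follows the line David quoted in the Max Evals thread (timestamp, D<guid>.smd, counters, a result word, a rule id), with `Final<TAB><rule>` as in Andrew's regex; the Declude log layout behind `DECLUDE_RE` is entirely assumed, so swap in a pattern for your own log. The spool paths are the ones from qm.cmd and the rule id is the one from the thread; the re-queue function only plans the moves, it does not touch the filesystem.

```python
"""
Added example: Sniffer-log triage for a bad rule. Finds the messages whose
final result came from one rule, extracts the GUID from the spool file name
(what Andrew's substr($3,2,16) does), builds a dry-run version of qm.cmd's
moves, and cross-references each GUID against a Declude log (Goran's
question). Sample lines are constructed; the Declude layout is assumed.
"""
import re
from pathlib import PureWindowsPath

BAD_RULE = "828931"   # the rule id discussed in the thread

# Constructed Sniffer log lines: tab delimited, spool file in column 2,
# then 'Final<TAB><rule id>' on the result line (rule ids other than
# BAD_RULE are made up for this example).
SNIFFER_LOG = (
    "20060207093012\tDe7928e8800a61b18.smd\t412\t60\tFinal\t828931\t0\t0\t1120\t1024\n"
    "20060207093013\tD1234567890abcdef.smd\t388\t55\tFinal\t0\t0\t0\t2048\t1024\n"
    "20060207093014\tDfedcba0987654321.smd\t401\t61\tFinal\t828931\t0\t0\t990\t1024\n"
    "20060207093015\tDaaaabbbbccccdddd.smd\t398\t57\tFinal\t555555\t0\t0\t1500\t1024\n"
)

# Constructed lines in an ASSUMED Declude-like layout (not Declude's real format).
DECLUDE_LOG = (
    "02/07/2006 09:30:12 De7928e8800a61b18.smd Subject: Invoice 4471 Weight: 14 Action: HOLD\n"
    "02/07/2006 09:30:13 D1234567890abcdef.smd Subject: Lunch? Weight: 2 Action: DELIVER\n"
    "02/07/2006 09:30:14 Dfedcba0987654321.smd Subject: Meeting notes Weight: 9 Action: HOLD\n"
)

SNIFFER_RE = re.compile(r"\b(D[0-9a-fA-F]{16})\.smd\b.*\tFinal\t(\d+)(?:\t|$)")
DECLUDE_RE = re.compile(r"\b(D[0-9a-fA-F]{16})\.smd Subject: (.*?) Weight: (\d+) Action: (\w+)")


def held_by_rule(sniffer_log, rule_id=BAD_RULE):
    """GUIDs (16 hex chars, leading D stripped) of messages whose final
    result was rule_id, in log order, without duplicates. len() of the
    result is the count David got from grep -c "Final.*828931"."""
    seen, guids = set(), []
    for line in sniffer_log.splitlines():
        m = SNIFFER_RE.search(line)
        if m and m.group(2) == rule_id:
            guid = m.group(1)[1:].lower()
            if guid not in seen:
                seen.add(guid)
                guids.append(guid)
    return guids


def sniffer_lines_for(sniffer_log, guid):
    """Raw Sniffer log lines for one spool file: what Jay asks people to
    attach when reporting a false positive."""
    needle = f"d{guid}.smd".lower()
    return [ln for ln in sniffer_log.splitlines() if needle in ln.lower()]


def requeue_plan(guids, spam_dir=r"d:\imail\spool\spam", spool=r"u:\imail\spool"):
    """Dry-run equivalent of qm.cmd: (source, destination) pairs. The D file
    goes back to the spool root and the Q file into the overflow folder, as
    moves rather than copies, for the reason Andrew gives."""
    moves = []
    for g in guids:
        moves.append((str(PureWindowsPath(spam_dir, f"d{g}.smd")),
                      str(PureWindowsPath(spool, f"d{g}.smd"))))
        moves.append((str(PureWindowsPath(spam_dir, f"q{g}.smd")),
                      str(PureWindowsPath(spool, "overflow", f"q{g}.smd"))))
    return moves


def cross_reference(guids, declude_log):
    """For each GUID, the subject, final weight and action recorded in the
    (assumed-format) Declude log, or None when no line matches."""
    by_guid = {}
    for line in declude_log.splitlines():
        m = DECLUDE_RE.search(line)
        if m:
            by_guid[m.group(1)[1:].lower()] = {
                "subject": m.group(2), "weight": int(m.group(3)), "action": m.group(4)}
    return {g: by_guid.get(g) for g in guids}


if __name__ == "__main__":
    hits = held_by_rule(SNIFFER_LOG)
    print(f"{len(hits)} message(s) finalised by rule {BAD_RULE}")
    for src, dst in requeue_plan(hits):
        print(f"move {src} -> {dst}")
    for guid, info in cross_reference(hits, DECLUDE_LOG).items():
        print(guid, info, sniffer_lines_for(SNIFFER_LOG, guid))
```

Matching on the file-name pattern rather than a fixed column number keeps it working if the column layout differs between Sniffer versions (Andrew used column 3, David's quoted line has the file in column 2). Review the cross-reference output before running the moves: a message whose Declude weight sits well above the hold threshold even without the bad rule would be re-held anyway, which is exactly why Andrew moves rather than copies.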
RE: [sniffer] problems!!!!
Thank you. Sorry for the licence goof. Just finished 4 hours going through spam.

Harry Vanderzand
inTown Internet Computer Services
519-741-1222

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Wednesday, February 08, 2006 10:48 AM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] problems

> Harry,
>
> (Please don't post your entire license code to a public list.)
>
> [...]
Re: [sniffer] problems!!!!
I have an idea. These problems seem to stem mostly from changes in the methods of handling rulebase updates. We were lucky enough not to be affected by the latest rule issue, but the previous one made for a very long day and some disgruntled customers.

Would it be feasible to announce in advance when such changes are to be implemented? With advance notice of a date and time for the switch we could choose to freeze our rulebases just before that for a day to make sure the kinks were worked out before updating. A few spam messages that slip through are better than a slew of false positives that require review and are delayed in reaching the customer.

Thoughts?

Darin.

- Original Message -
From: Harry Vanderzand
To: sniffer@SortMonster.com
Sent: Wednesday, February 08, 2006 10:02 AM
Subject: [sniffer] problems

> [...]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Sullivan
Sent: Tuesday, February 07, 2006 7:47 PM
To: Landry, William (MED US)
Subject: Re[4]: [sniffer] Bad Rule - 828931

Hello William,

Tuesday, February 7, 2006, 7:39:05 PM, you wrote:

LWMU> grep -c "Final.*828931" c:\imail\declude\sniffer\logfile.log

That's what I tried. Just figured out I forgot to capitalize the "F". It works. Confirmed - 22,055

I'm writing a program now to parse the sniffer log file, extract the file ID, look up the id in SQL Server, determine the quarantine location, extract the q/d pair from quarantine and send it to the user.

--
Best regards,
David mailto:[EMAIL PROTECTED]
RE: [sniffer] problems!!!!
If I understand right, you mean that if "experimental" rules are introduced you want to know about it and so temporarily disable rulebase updates on your server. As I know, Sniffer has a much smarter way of doing this. They introduce experimental rules in a separate category (sniffer-exp) and look at how they work. In fact I can see that this category is the least reliable, so I've set a relatively low weight for this exit code. If an experimental rule shows itself to be reliable they move it into the appropriate category (rich, fraud, ...). I'm not sure about this, but I think it's so, and so it shouldn't be necessary to do something like manually blocking updates.

Markus

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Wednesday, February 08, 2006 4:59 PM
To: sniffer@SortMonster.com
Subject: Re: [sniffer] problems

I have an idea. These problems seem to stem mostly from changes in the methods of handling rulebase updates. We were lucky enough not to be affected with the latest rule issue, but the previous one made for a very long day and some disgruntled customers.

Would it be feasible to announce in advance when such changes are to be implemented? With advance notice of a date and time for the switch we could choose to freeze our rulebases just before that for a day to make sure the kinks were worked out before updating. A few spam messages that slip through are better than a slew of false positives that require review and are delayed in reaching the customer.

Thoughts?

Darin.

- Original Message -
From: Harry Vanderzand
To: sniffer@SortMonster.com
Sent: Wednesday, February 08, 2006 10:02 AM
Subject: [sniffer] problems

With the recent issues at Sniffer it has caused tremendous problems with the entire client base here. Sniffer has been so reliable for so long and all of a sudden recently I cannot rely on it any more. What is going on with Sniffer? Will these issues get resolved, or is it going to be more unstable than what we have come to rely on?
I need my spam trap software to work without spending hours every day and without getting a large group of my customers questioning the reliability of what I am doing. Hope there will be some indication of improvement.

The following is my sniffer code:

    SNIFFER external nonzero "D:\IMail\Declude\sniffer\umzqbs4l.exe dky4t444qqpk69j6" 10 0

Should I be doing something different? This has worked very well for a year now.

Harry Vanderzand
inTown Internet Computer Services
519-741-1222
Re: [sniffer] problems!!!!
On Wednesday, February 8, 2006, 11:19:52 AM, Andy wrote:

AS> Pete,

AS> The only idea I came up with, would be to have ALL new rules go into a 6
AS> hour proving category (=return code) before they are moved into their
AS> final category.

AS> By using Sniffer return codes, folks could decide to trust the established
AS> rules and decide to cross-check any new rules by weighing them against
AS> other sources/methods.

This is not something we could do without a lot of work.

_M
RE: [sniffer] Message sniffer in FreeBSD Postfix
> Is there anyone else who would like to see Message Sniffer incorporated into Amavis-new? This would be a great addition to my IMGate - Postfix mail gateway. Currently I use message sniffer on my Imail box but would like to offload that server and do the sniffing before the mail hits Imail.

This is already available by using Sniffer with Spamassassin.

Craig
RE: [sniffer] Message sniffer in FreeBSD Postfix
Does not require spamassassin or amavis. You can do it just with postfix.

DustyC
RE: [sniffer] Message sniffer in FreeBSD Postfix
> Does not require spamassassin or amavis. You can do it just with postfix.
> DustyC

True, but he wanted it to work with amavisd-new. Less risk of a false positive if it's part of a weighted system.

Craig
RE: [sniffer] Message sniffer in FreeBSD Postfix
Correct, the weighted system that amavis uses would be better in my situation. Having said that, I am going to try DustyC's method and put the spam in the users' junk folder (still using the weighted system). Do you have the problem of the users' junk mail using up their mailbox quota?

Jacques
RE: [sniffer] Message sniffer in FreeBSD Postfix
It was actually simple. And I have the update process automated too. We did have a little issue where we had to run sniffer under the bash shell on our FreeBSD box, but that was resolved quickly. I am running one box with sniffer on it. All the external gateways send their inbound mail to this box before it hits the Imail server.

DustyC

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Support
Sent: Wednesday, February 08, 2006 10:56 AM
To: sniffer@SortMonster.com
Subject: Re: [sniffer] Message sniffer in FreeBSD Postfix

Hi Dusty:

Was it much of a problem setting up sniffer on your postfix box? This sounds like the way for us to go as well.

Thanks
Phil

NetEase Operations Manager wrote:

> I am using sniffer on a postfix box. I let sniffer tag it there and then on the Imail box I am filtering anything with that tag into a user's suspect spam box. That offloads the spam handling to the user and the techs do not have to deal with it. False positives do not bother me much because I can simply tell the user to check their web mail and move it to their inbox if they want. The Imail server deletes anything in the suspect spam that is 7 days old so it maintains its own cleaning cycle too.
>
> DustyC
Re: [sniffer] question on xhdr files
On Wednesday, February 8, 2006, 12:54:56 PM, David wrote:

DP> I am using a smtp proxy called Ewall with Message Sniffer.

DP> I just checked inside the Ewall folders and found one named TEMP where I
DP> found tens of thousands of files with the .xhdr extension.

DP> What are these? Are they needed? Why are they in the ewall directory and not
DP> the message sniffer directory? Can I simply erase them? Could their
DP> 'cleanup' be done by the message sniffer in a new version?

The .xhdr files are created by SNF and can be turned off in SNF's .cfg file. They contain text that could be added to the headers of the message to help debug false positives and/or to trigger other filtering systems. (For example, in many postfix installations, a very simple script scans the message with SNF and then adds the .xhdr information to the message. Filtering then occurs later when the result codes in the .xhdr information are detected.)

Normally these would be created in SNF's working directory; I'm not sure why they would be anywhere else.

You can safely delete any .xhdr files that are left over.

Thanks,

_M
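Pete describes the postfix pattern above: scan with SNF, splice the .xhdr text into the message's headers, and let a later stage filter on the result code it finds there. The following is an added example of that splice step, not code from this thread or from Message Sniffer. It assumes the .xhdr file holds ready-made header lines; the field name X-Sniffer-Result and the code values are hypothetical, chosen for the example. The point a practitioner would want covered is in parse_xhdr: only header fields and folded continuations are accepted, so a corrupt or planted .xhdr cannot end the header block early or push text into the body.

```python
"""Added example (not code from the thread or from Message Sniffer): splice the
text of an .xhdr file into a message's header block, the way the postfix
wrapper scripts described in the thread do, and read the result code back out.

Assumptions: the .xhdr file holds ready-made header lines; the field name
X-Sniffer-Result and the code values are hypothetical, chosen for the example."""
import re
from typing import List, Optional

# RFC 5322 field name: printable ASCII except ':' followed by ':'.
_FIELD = re.compile(r"^[\x21-\x39\x3b-\x7e]+:")


def parse_xhdr(xhdr_text: str) -> List[str]:
    """Accept header fields and their folded continuation lines only.  Anything
    else (body text, a line without a field name) is rejected so the file
    cannot end the header block early or smuggle content into the body."""
    lines: List[str] = []
    for raw in xhdr_text.splitlines():
        line = raw.rstrip("\r")
        if not line.strip():
            continue  # a stray blank line is dropped, never emitted as a header/body split
        if _FIELD.match(line) or (lines and line[0] in " \t"):
            lines.append(line)
        else:
            raise ValueError(f"not a header line: {line!r}")
    return lines


def xhdr_is_safe(xhdr_text: str) -> bool:
    try:
        parse_xhdr(xhdr_text)
        return True
    except ValueError:
        return False


def inject_headers(message: bytes, xhdr_text: str) -> bytes:
    """Insert the .xhdr fields at the end of the existing header block, keeping
    whichever line ending the message already uses."""
    extra = parse_xhdr(xhdr_text)
    if not extra:
        return message
    nl = b"\r\n" if b"\r\n" in message else b"\n"
    head, sep, body = message.partition(nl + nl)
    block = nl.join(line.encode("ascii") for line in extra)
    if not sep:                       # headers only, no body separator yet
        return head.rstrip(b"\r\n") + nl + block + nl
    return head + nl + block + sep + body


def result_code(message: bytes, field: str = "X-Sniffer-Result") -> Optional[str]:
    """Value of the first matching header, or None (what a later filter keys on)."""
    nl = b"\r\n" if b"\r\n" in message else b"\n"
    head = message.partition(nl + nl)[0]
    prefix = (field + ":").lower().encode("ascii")
    for line in head.split(nl):
        if line.lower().startswith(prefix):
            return line[len(prefix):].strip().decode("ascii")
    return None


if __name__ == "__main__":
    # Constructed message and .xhdr content.
    msg = b"From: a@example.com\r\nSubject: hi\r\n\r\nbody line\r\n"
    tagged = inject_headers(msg, "X-Sniffer-Result: 62\nX-Sniffer-Rule: 828931\n")
    print(tagged.decode("ascii"))
    print("result code:", result_code(tagged))
    print("planted body text accepted?", xhdr_is_safe("X-Sniffer-Result: 62\n\nClick here"))
```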
RE: [sniffer] Message sniffer in FreeBSD Postfix
I am not running Declude. I am just using the filters in Imail to push it into their junk mail. Depends on one's requirements. We were spending 6-8 man hours per day dealing with spam. Now we just let the users decide.

Dusty

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Landry, William (MED US)
Sent: Wednesday, February 08, 2006 1:02 PM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] Message sniffer in FreeBSD Postfix

Yep, but for someone not running IMail/Declude, the integration with spamassassin and amavisd-new works great.

Bill
RE: [sniffer] Message sniffer in FreeBSD Postfix
Jacques,

I am pretty sure that you would also need to install SpamAssassin in order to get Sniffer to work. I do not believe that there is any way to plug Sniffer into Amavis-new directly, nor would you necessarily want it to.

William Van Hefner
Network Administrator
Vantek Communications, Inc.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jacques Brouwers
Sent: Wednesday, February 08, 2006 7:33 AM
To: sniffer@sortmonster.com
Subject: [sniffer] Message sniffer in FreeBSD Postfix

Hi,

Is there anyone else who would like to see Message Sniffer incorporated into Amavis-new? This would be a great addition to my IMGate - Postfix mail gateway. Currently I use message sniffer on my Imail box but would like to offload that server and do the sniffing before the mail hits Imail.

Thanks,
Jacques Brouwers
Re: [sniffer] problems!!!!
Wednesday, February 8, 2006, 11:19:52 AM, you wrote:

AS> The only idea I came up with, would be to have ALL new rules go into a 6
AS> hour proving category (=return code) before they are moved into their
AS> final category.

AS> By using Sniffer return codes, folks could decide to trust the established
AS> rules and decide to cross-check any new rules by weighing them against
AS> other sources/methods.

That's a pretty good idea. New rules in a category we could assign lower weight to, and once the rule was proved not to be problematic, it could automatically fall into its normal category.

My results:

    22,055 reprocessed
     1,578 spam
    20,477 released

I expect about 30% of the released were spam, but they came clean through sniffer.

-- 
Best regards,
David mailto:[EMAIL PROTECTED]
Re: [sniffer] Bad Rule - 828931
Dear Pete,

In the future, please let us know immediately when you become aware of this. As it is, I will spend the next 3 hours picking out the false positives from the mailbox and forwarding them to the clients. If I could have put the rulepanic in place an hour ago it would have saved me a lot of work and confused customers.

Thank you,
Michael Stein
Computer House

- Original Message -
From: Pete McNeil [EMAIL PROTECTED]
To: sniffer@sortmonster.com
Sent: Tuesday, February 07, 2006 4:07 PM
Subject: [sniffer] Bad Rule - 828931

Hello Sniffer folks,

I'm sorry to report that another bad rule got past us today. The rule has been removed (it was in from about 1200-1500), but it may be in some of your rulebases.

To avoid a problem with this rule you can enter a rule-panic entry in your .cfg file for rule id: 828931

If it is not already, the rule will be gone from your rulebase after your next update.

Thanks,

_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)
Chief Scientist (www.armresearch.com)
Re: [sniffer] Downloads are slow.
I'm not showing this from my location and the server looks ok. I just downloaded a few rulebases, each in under 3 seconds.

Please provide a traceroute -- that should show us where the issue is (if it is still there).

Thanks,

_M

On Tuesday, February 7, 2006, 4:39:35 PM, Chuck wrote:

CS> Download speeds from your server are running 17 kbps at my location.

CS> Chuck Schick
CS> Warp 8, Inc.
CS> (303)-421-5140
CS> www.warp8.com
RE: [sniffer] Downloads are slow.
Agreed, my last report showed pretty slow times. All today were slower now that I look at them. I normally see up to 1.3M with overall times around 800-900K.

John C

       0K  36.79 KB/s
      50K  11.51 KB/s
     100K  19.76 KB/s
     150K  11.98 KB/s
     200K  37.20 KB/s
     250K  10.60 KB/s
     300K  16.00 KB/s
     350K  19.05 KB/s
     400K  22.22 KB/s
     450K  10.32 KB/s
     500K  13.50 KB/s
     550K   2.74 KB/s
     600K   8.40 KB/s
     650K   6.00 KB/s
     700K   9.97 KB/s
     750K   6.07 KB/s
     800K   5.89 KB/s
     850K   9.20 KB/s
     900K   6.46 KB/s
     950K   4.94 KB/s
    1000K   7.67 KB/s
    1050K   9.97 KB/s
    1100K  13.28 KB/s
    1150K  24.61 KB/s
    1200K  12.36 KB/s
    1250K  31.06 KB/s
    1300K   4.87 KB/s
    1350K  34.77 KB/s
    1400K  14.29 KB/s
    1450K  16.24 KB/s
    1500K  33.33 KB/s
    1550K  21.48 KB/s
    1600K  23.19 KB/s
    1650K  27.34 KB/s
    1700K  14.68 KB/s
    1750K  47.76 KB/s
    1800K  15.17 KB/s
    1850K  16.17 KB/s
    1900K  18.39 KB/s
    1950K  74.40 KB/s
    2000K  14.10 KB/s
    2050K  12.70 KB/s
    2100K  29.36 KB/s
    2150K  16.58 KB/s
    2200K  21.62 KB/s
    2250K  17.49 KB/s
    2300K  11.00 KB/s
    2350K  21.20 KB/s
    2400K  31.69 KB/s
    2450K  20.12 KB/s
    2500K  57.14 KB/s
    2550K  13.94 KB/s

    15:52:29 (12.45 KB/s) - `.new.gz' saved [2646653]
Re: [sniffer] Bad Rule - 828931
On Tuesday, February 7, 2006, 6:15:13 PM, David wrote:

DS> Sorry, wrong thread on the last post.

DS> Add'l question. Pete, what is the content of the rule?

The rule info is:

    Rule            828931
    Name            C%+I%+A%+L%+I%+S%+V%+I%+A%+G%+R%+A
    Created         2006-02-07
    Source          C%+I%+A%+L%+I%+S%+V%+I%+A%+G%+R%+A
    Hidden          false
    Blocked         false
    Origin          User Submission
    Type            Manual
    Created By      [EMAIL PROTECTED]
    Owner           [EMAIL PROTECTED]
    Strength        3.84258274153269
    False Reports   0
    From Users      0
    Rule belongs to following groups: [252] Problematic

The rule was an attempt to build an abstract matching two ED pill names (you can see them in there) while compensating for heavy obfuscation. The mistake was in using %+ throughout the rule.

The rule would match the intended spam (and there was a lot of it, so 22,055 most likely includes mostly spam). Unfortunately it would also match messages containing the listed capital letters in that order throughout the message. Essentially, if the text is long enough then it will probably match. There is a greater chance of an FP match if the text of the message is in all caps. Also if there is a badly coded base64 segment and file attachment (badly coded base64 might not be decoded... raw base64 will contain many of these letters in mixed case and therefore increase the probability of matching them all).

Hope this helps,

_M
RE: [sniffer] Bad Rule - 828931
So, in my terms (simple), this rule only catches a msg if the two drug names are in that order and in all capitals, but not necessarily one immediately following the other?

John
Re: [sniffer] Date/time stamp in logs
On Tuesday, February 7, 2006, 7:48:05 PM, John wrote:

JC> I don't get into the sniffer logs like I should, but just noticed this. It
JC> is 2/7/06 6:42 CST here, but my logs show 20060208004243, which would
JC> indicate +6 hours off of Zulu, Greenwich, Coordinated Universal Time, or
JC> whatever we are calling these days. Is that right, sniffer doesn't stamp
JC> local time?

That's right. Sniffer stamps GMT so that all sniffer logs from all systems can be coordinated easily. Similarly, system events (like the last update on a rulebase) are recorded/represented here in GMT.

_M
Re: [sniffer] Bad Rule - 828931
Pete,

Gotcha. Basically anything that I trapped that is over 10 KB may have failed this (because that would be indicative of having an attachment in base64). It is much less likely to have hit on things without attachments, but it of course would be possible, and the bigger it was, the more likely that it could have failed.

I also searched my Sniffer logs for the rule number and found no hits. It appears that I missed the bad rulebase.

Thanks,

Matt
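Pete's explanation of rule 828931, John's question about whether the letters need to be adjacent, and Matt's point that large messages with base64 attachments were the likeliest false positives all come down to how the %+ wildcard behaves. The following is an added example, not code from this thread or from Message Sniffer, that reproduces that failure mode on constructed messages. It assumes %+ is a wildcard for any run of characters, possibly empty, so the rule reduces to "these capital letters, in this order, anywhere in the text"; that reading follows Pete's description rather than Sniffer documentation. The base64 sample is 768 bytes of deterministic binary encoded with the standard library, standing in for an attachment that was not decoded before matching.

```python
"""Added example (not code from the thread or from Message Sniffer): why rule
828931 over-matched.

Assumption: %+ is treated as a wildcard for any run of characters, possibly
empty, so the rule reduces to "these letters, in this order, anywhere in the
message, case-sensitively".  That reading follows the thread's description;
it is not taken from Sniffer documentation.  All sample messages are constructed."""
import base64
from typing import Dict, List

RULE_828931 = "C%+I%+A%+L%+I%+S%+V%+I%+A%+G%+R%+A"


def fragments(rule: str) -> List[str]:
    """Literal pieces between the %+ wildcards."""
    return rule.split("%+")


def gap_match(rule: str, text: str) -> bool:
    """True if every literal fragment occurs in text, in rule order, with anything
    (including nothing) between them.  Taking the earliest occurrence of each
    fragment in turn is optimal for this ordered search, so one linear pass
    decides it; no regex backtracking is involved."""
    pos = 0
    for frag in fragments(rule):
        idx = text.find(frag, pos)
        if idx < 0:
            return False
        pos = idx + len(frag)
    return True


# Constructed samples.
SPAM_OBFUSCATED = "Cheap C.I.A.L.I.S and V-I-A-G-R-A, no prescription"
HAM_SHORT = "Please call me about the invoice when you can."
HAM_ALL_CAPS = "CONFIRM SHIPPING ADDRESS. ALL ITEMS SHIP VIA GROUND. REGARDS, ACCOUNTS"
# A raw base64 attachment that was not decoded before matching: 768 bytes of
# deterministic binary (0..255 three times) are enough to contain every letter
# of the rule in order.
HAM_WITH_BASE64 = ("Hi Bob, the scan is attached.\n\n"
                   + base64.b64encode(bytes(range(256)) * 3).decode("ascii"))

SAMPLES = {
    "spam_obfuscated": SPAM_OBFUSCATED,
    "ham_short": HAM_SHORT,
    "ham_all_caps": HAM_ALL_CAPS,
    "ham_with_base64": HAM_WITH_BASE64,
}


def classify(rule: str, samples: Dict[str, str]) -> Dict[str, bool]:
    return {name: gap_match(rule, text) for name, text in samples.items()}


if __name__ == "__main__":
    for name, hit in classify(RULE_828931, SAMPLES).items():
        print(f"{name:16} {'MATCH' if hit else 'no match'}")
```

The obfuscated spam matches as intended, the short mixed-case note does not, and both the all-caps shipping notice and the message carrying an undecoded base64 attachment match, which is the shape of the false-positive population the thread reports. Wrapping a rule in wildcards at every position removes all adjacency constraints, so the match probability grows with message length rather than with the presence of the phrase.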
Re: [sniffer] Bad Rule - 828931
Pete,

The overflow directory disappeared when 3.x was introduced. I posted a follow up on the Declude list about how to do this.

Matt

Pete McNeil wrote:

> On Tuesday, February 7, 2006, 8:14:53 PM, David wrote:
>
> DS> Hello Pete,
> DS> Tuesday, February 7, 2006, 8:11:50 PM, you wrote:
> DS> Not sure, can anyone think of a way to cross check this? What if I put
> DS> all the released messages back through sniffer?
>
> PM> That would be good -- new rules were added to correctly capture the
> PM> bad stuff. I almost suggested something more complex.
>
> DS> That said...anyone know specifics of reprocessing messages through
> DS> Declude on Imail? I know that in 1.x Declude would drop some kind of
> DS> marker so that q/d's copied into spool would not be reprocessed but I
> DS> don't remember what it was and don't know if it works same in 3.x.
> DS> Posted question on Declude JM list but no answer so far.
>
> IIRC messages in the spool under scan would be locked until declude was done with them. After that, placing the Q and D files into the spool would mean that normal IMail processes would deliver them on the next sweep.
>
> The way around this was to place the messages back in the overflow folder (I'm not sure which parts - I think the Q goes in overflow and the D stays in spool -- someone will know for sure). The theory there is that messages sent to the overflow folder are sent there before they are scanned in order to backlog the extra processing load. So, messages coming out of the overflow folder would naturally be scanned (for the first time - thinks the robot).
>
> _M
RE: [sniffer] Bad Rule - 828931
Thanks for the update, Pete. I also appreciate that you expanded on how that rule went wild. I can see that the intent was good but the unintended consequences were not so good.

Here's how it played out on my server:

    How many messages hit the FP rules: 2,042
    How many messages Declude decided were ham anyway: 1,093
    How many messages Declude decided were viruses: 0
    How many messages Declude decided were spam: 949
    Of the spam, when re-queued, how many were ham: 583
    Of the spam, when re-queued, how many were still spam: 366

So, in total:

    How many messages hit the bad 828931 rule: 2,042
    How many were indeed spam: 366
    How many were false positives: 1,676

Andrew 8)
RE: [sniffer] Stock SPAM now HTML
Isn't it time to call for an exorcist?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Thursday, 2 February 2006 5:31
To: sniffer@SortMonster.com
Subject: [sniffer] Stock SPAM now HTML

Well, the plain text stock spam has just taken a turn to the more interesting and SNF is not capturing it yet as of 10:55 EST. I have submitted a couple to spam@

Now they are including part of a picture to make up the text. Here is what the source looks like:

    CHINA WORL<img src=""> CORP. <br>
    Sy<img src=""> <br>
    Price $<img src=""> <br>
    Shares out: <img src=""> Million <br>
    Market Capit<img src=""> Million <br>
    Significant Revenue Growth i<img src=""> <br>
    Averag<img src=""> <br>
    Rating: Stro<img src=""> Buy <br>
    7 days trading <img src=""> $2.50 <br>
    30 day trading target: $3.<img src=""> <br>

Goran Jovanovic
Omega Network Solutions
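The trick in Goran's sample is that words are cut in half and completed by a small image, so a text-only pattern never sees the finished word. The following is an added example, not code from this thread or from Message Sniffer, of a simple heuristic for that construction: count the <img> tags that sit directly against a letter, which is where an image is being used as the missing piece of a word. The sample HTML is constructed from Goran's excerpt with placeholder image names, and the legitimate sample and the threshold are choices made for the example.

```python
"""Added example (not code from the thread or from Message Sniffer): a small
heuristic for the stock-spam trick shown above, where words are cut in half
and finished with an image.  Sample HTML is constructed from the excerpt."""
import re
from typing import Dict

_IMG = re.compile(r"<img\b[^>]*>", re.IGNORECASE)
_TAG = re.compile(r"<[^>]+>")

# Constructed from the posted excerpt; image file names are placeholders.
SAMPLE_SPAM = (
    'CHINA WORL<img src="a1.gif"> CORP. <br>'
    'Sy<img src="a2.gif"> <br>'
    'Price $<img src="a3.gif"> <br>'
    'Shares out: <img src="a4.gif"> Million <br>'
    'Rating: Stro<img src="a5.gif"> Buy <br>'
)
# Constructed legitimate message with one ordinary inline image.
SAMPLE_HAM = (
    '<p>Hello team,</p>'
    '<p>Photo from the offsite: <img src="team.jpg" alt="team"></p>'
    '<p>Thanks, Dana</p>'
)


def image_splice_report(html: str) -> Dict[str, int]:
    """Count <img> tags and how many sit directly against a letter on either
    side, i.e. are being used as a missing piece of a word."""
    images = mid_word = 0
    for m in _IMG.finditer(html):
        images += 1
        before = html[m.start() - 1] if m.start() > 0 else ""
        after = html[m.end()] if m.end() < len(html) else ""
        if before.isalpha() or after.isalpha():
            mid_word += 1
    words = len(_TAG.sub(" ", html).split())
    return {"images": images, "mid_word_images": mid_word, "words": words}


def looks_like_image_fragment_spam(html: str, min_splices: int = 2) -> bool:
    """Flag when at least min_splices images are spliced into words.  One inline
    image beside a word is common in legitimate mail; several are not."""
    return image_splice_report(html)["mid_word_images"] >= min_splices


if __name__ == "__main__":
    for label, html in (("spam", SAMPLE_SPAM), ("ham", SAMPLE_HAM)):
        print(label, image_splice_report(html), looks_like_image_fragment_spam(html))
```

The spam sample has five images, three of which are glued to a letter ("WORL", "Sy", "Stro"), while the legitimate sample's single image is separated from its text by a space and a tag. A "$<img" splice is not counted, since the check is on letters only; widening it to digits and currency symbols is the obvious next step if the senders move the cut there.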
RE: [sniffer] Stock SPAM now HTML
Will it ever stop :( Probably not. Actually, maybe I shouldn't be wishing that SPAM stops, because then I would lose a revenue stream... hmm, conundrum.

Goran Jovanovic
Omega Network Solutions

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Thursday, February 02, 2006 7:20 AM
To: Goran Jovanovic
Subject: Re: [sniffer] Stock SPAM now HTML

On Wednesday, February 1, 2006, 11:30:49 PM, Goran wrote:

GJ> Well the plain text stock spam has just taken a turn to more
GJ> interesting and SNF is not capturing it yet as of 10:55 EST. I have submitted a couple to spam@

GJ> Now they are including part of a picture to make up the text.
GJ> Here is what the source looks like

Isn't it amazing. I've coded some abstracts for this. More to come.

_M
RE: [sniffer] Automate MDaemon Updating
We actually did that exact thing, went from Imail to MDaemon when Imail started drastically increasing their prices a year or so ago. We are using the same scripts now with MDaemon that we used in Imail and they work just fine (I think they may be Bill Landry's scripts). As for the license file, it transferred over without any issues either. The plugin works great too. MDaemon is much better than Imail, although I do miss Declude functionality.

We have MDaemon set up to automatically delete spam messages based upon some of the higher accuracy return codes (such as the adult themed ones) and have the ones that have a higher false positive chance simply move the spam messages to the MDaemon user spam directory. I also set up a rule to automatically delete these captured spam messages every 5 days from the users' spam directories to keep the clutter down. This works great for us and I would highly recommend that transition.

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe Information Systems
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grant Stufft
Sent: Thursday, February 02, 2006 9:25 AM
To: sniffer@SortMonster.com
Subject: [sniffer] Automate MDaemon Updating

Has anyone got an automated updating script for updating rulebases for MDaemon? I am just demoing the software now. The plugin seems to be working well. I have used the Imail script from the website that Bill Landry contributed (thanks Bill). Is there a way to automatically send the confirmation email that the update worked as it was supposed to, like it does in IMail? If we discontinue Imail usage and go to MDaemon will the Sniffer license transfer OK? (Only running one server with it at a time).

Thanks,
Grant
Re: [sniffer] Automate MDaemon Updating
On Thursday, February 2, 2006, 12:25:01 PM, Grant wrote:

GS> Has anyone got an automated updating script for updating rulebases for
GS> MDaemon. I am just demoing the software now. The plugin seems to be
GS> working well. I have used the Imail script from the website that Bill
GS> Landry contributed (thanks Bill). Is there a way to automatically send
GS> the confirmation email that the update worked as it was supposed to like
GS> it does in IMail? If we discontinue Imail usage and go to MDaemon will
GS> the Sniffer license transfer OK? (Only running one server with it at a
GS> time).

I'm not an MDaemon expert, but I believe most folks use a CF rule to recognize the update notification and call out to the update script.

As for transferring the license from one server to another - that's just fine, and the platform doesn't matter. SNF runs on just about anything (Windows, Linux, BSD, etc...).

Someone here or on one of the MDaemon lists will probably have the correct CF incantation handy.

Hope this helps,

_M
Re: [sniffer] Automate MDaemon Updating
Attached is what I use; feel free to contact me off-list if you've got any specific questions.

Originally taken from: http://www.sortmonster.com/MessageSniffer/Help/AutomatingUpdatesHelp.html

--
Dave Habben
Coordinator of Network Services
Sauk Valley Community College

Grant Stufft wrote:
> Has anyone got an automated updating script for updating rulebases for MDaemon? I am just demoing the software now. The plugin seems to be working well. I have used the Imail script from the website that Bill Landry contributed (thanks Bill). Is there a way to automatically send the confirmation email that the update worked as it was supposed to, like it does in IMail? If we discontinue Imail usage and go to MDaemon will the Sniffer license transfer OK? (Only running one server with it at a time).

Here is my rule in my MDaemon\App\cfrules.dat; if you'd like a screenshot of the GUI version, I can provide that too:

    [Rule004]
    RuleName=MessageSniffer Updates
    Enable=Yes
    ThisRuleCondition=All
    ProcessQueue=BOTH
    Condition01=SUBJECT|contains|AND|ecb894oj.snf Update|
    Action01=run a program|0,0,0,D:\MDaemon\MessageSniffer\RuleUpdates.bat

RuleUpdate.bat:

    D:
    cd \MDaemon\MessageSniffer
    rem Fetch the new rulebase into a staging file, never over the live .snf
    wget http://username:[EMAIL PROTECTED]/Sniffer/Updates/ecb894oj.snf -O ecb894oj.tst
    if exist ecb894oj.tst goto Test
    goto Done
    :Test
    rem Verify the download against the authorization code before using it
    snf2check.exe ecb894oj.tst myauthcode
    if errorlevel 1 goto Done
    rem Verified: keep the previous rulebase as .old and swap the new one in
    if exist ecb894oj.old del ecb894oj.old
    ren ecb894oj.snf ecb894oj.old
    ren ecb894oj.tst ecb894oj.snf
    :Done
    rem Always clean up the staging file, whether or not it was accepted
    if exist ecb894oj.tst del ecb894oj.tst
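The same stage-verify-swap logic as the batch file above, written as an added example (not Dave Habben's script and not MicroNeil code) so each outcome is explicit; the verifier callable stands in for `snf2check.exe <file> <authcode>`, assumed to return exit status 0 when the file is good.

```python
"""Verify-then-swap rulebase install, mirroring the batch logic above.

Added example, not from the list or from MicroNeil. The staged download is
<name>.tst, the live file <name>.snf is replaced only after verification, the
previous file is kept as <name>.old, and the staging file is always removed.
"""
import subprocess
import tempfile
from pathlib import Path
from typing import Callable


def run_snf2check(tst_path: Path, authcode: str) -> int:
    """Invoke the real checker the way the batch file does (assumed interface)."""
    return subprocess.call(["snf2check.exe", str(tst_path), authcode])


def install_rulebase(directory: str, name: str, verify: Callable[[Path], int]) -> str:
    """Return 'no-download', 'rejected' or 'installed'.

    `verify` receives the staged file and returns an exit status; non-zero
    means reject, exactly like `if errorlevel 1 goto Done`.
    """
    d = Path(directory)
    live = d / f"{name}.snf"
    staged = d / f"{name}.tst"
    backup = d / f"{name}.old"

    if not staged.exists():          # wget produced nothing: leave the live file alone
        return "no-download"
    try:
        if verify(staged) != 0:      # failed check: keep the current rulebase
            return "rejected"
        if backup.exists():
            backup.unlink()
        if live.exists():            # the batch file assumes this; handle a first run too
            live.rename(backup)
        staged.rename(live)          # the verified download becomes the live rulebase
        return "installed"
    finally:
        if staged.exists():          # never leave a stale .tst behind (the ":Done" step)
            staged.unlink()


def demo(verdict: int, have_download: bool = True) -> tuple:
    """Run one scenario in a scratch directory with constructed file contents.

    Returns (status, live_text, backup_text, staged_left_behind).
    """
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "ecb894oj.snf").write_text("previous rulebase")  # constructed content
        if have_download:
            (d / "ecb894oj.tst").write_text("new rulebase")   # constructed download
        status = install_rulebase(tmp, "ecb894oj", lambda p: verdict)
        live = d / "ecb894oj.snf"
        backup = d / "ecb894oj.old"
        return (
            status,
            live.read_text() if live.exists() else None,
            backup.read_text() if backup.exists() else None,
            (d / "ecb894oj.tst").exists(),
        )


if __name__ == "__main__":
    print(demo(0))   # ('installed', 'new rulebase', 'previous rulebase', False)
    print(demo(1))   # ('rejected', 'previous rulebase', None, False)
```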
RE: [sniffer] The SPAM bots?
G'day,

I'm just wondering... what CAN be done about this? If I send an embedded picture to someone, how's Sniffer gonna see the difference between my holiday picture and the stock spam? I reckon it's gonna be tough to block these?

Cheers,
Mike

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Monday, 30 January 2006 16:16
To: sniffer@SortMonster.com
Subject: [sniffer] The SPAM bots?

Hi,

Are the bots working again? I am seeing a number of the STOCK pitches coming through (the ones that use the picture attachment, e.g.

    <td><img border=0 alt= src=cid:a8c0936faa69131141800cf3347d17a4></td>

). Sniffer did not catch the message and I have forwarded it to SPAM@

Thanx

Goran Jovanovic
Omega Network Solutions
Re: [sniffer] The SPAM bots?
On Monday, January 30, 2006, 10:16:06 AM, Goran wrote:

GJ> Hi,
GJ> Are the bots working again? I am seeing a number of the STOCK pitches
GJ> coming through (the ones that use the picture attachment eg.
GJ> <td><img border=0 alt=
GJ> src=cid:a8c0936faa69131141800cf3347d17a4></td>)
GJ> Sniffer did not catch the message and I have forwarded it to SPAM@

There was a lot of that today.

No, the bots are off until further notice.

I think we have the image spam under control for the moment.

Thanks,

_M
RE: [sniffer] The SPAM bots?
Thanks Pete,

I think I am seeing a slowdown of this type of SPAM getting through now.

Goran Jovanovic
Omega Network Solutions

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Monday, January 30, 2006 7:20 PM
To: Goran Jovanovic
Subject: Re: [sniffer] The SPAM bots?

On Monday, January 30, 2006, 10:16:06 AM, Goran wrote:

GJ> Hi,
GJ> Are the bots working again? I am seeing a number of the STOCK pitches
GJ> coming through (the ones that use the picture attachment eg.
GJ> <td><img border=0 alt=
GJ> src=cid:a8c0936faa69131141800cf3347d17a4></td>)
GJ> Sniffer did not catch the message and I have forwarded it to SPAM@

There was a lot of that today.

No, the bots are off until further notice.

I think we have the image spam under control for the moment.

Thanks,

_M
Re: [sniffer] Stock Market Spam Messages
On Thursday, January 26, 2006, 11:22:40 AM, Jim wrote:

JMJ> I seem to be noticing a lot of spam messages recently that are stock ads for
JMJ> offshore companies; I seem to be getting a lot of these that are not being
JMJ> classified by sniffer. I have been forwarding these to the spam@ address,
JMJ> but have yet to notice any real changes. Any thoughts on these?

There has been a recent shift to using randomized images for these which makes them a bit harder to defeat. I'll take a look.

_M
RE: [sniffer] Stock Market Spam Messages
The ones I seem to be getting have no images, and are only plain text.

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe Information Systems
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Thursday, January 26, 2006 8:53 AM
To: Jim Matuska Jr.
Subject: Re: [sniffer] Stock Market Spam Messages

On Thursday, January 26, 2006, 11:22:40 AM, Jim wrote:

JMJ> I seem to be noticing a lot of spam messages recently that are stock ads for
JMJ> offshore companies; I seem to be getting a lot of these that are not being
JMJ> classified by sniffer. I have been forwarding these to the spam@ address,
JMJ> but have yet to notice any real changes. Any thoughts on these?

There has been a recent shift to using randomized images for these which makes them a bit harder to defeat. I'll take a look.

_M
Re: [sniffer] How can I
On Thursday, January 19, 2006, 8:37:01 AM, Jeff wrote:

JA> I have been having a lot of problems with the rules since Friday.
JA>
JA> How can I see what rules are set for spamming.

There are many thousands of rules. For security purposes we don't expose their content freely. If you have false positives, please follow the false positive process and as part of that process, the rules involved with any particular case will be shown to you.

It's not clear from your note but most likely your trouble is part of a problem we had with our rule-bots a few days ago. The rule-bots have been disabled and the bad rules they created have been rolled out of the core rulebase.

Hope this helps,

_M
Re: [sniffer] nations blacklisted?
On Thursday, January 19, 2006, 12:51:47 PM, David wrote:

DP> It seems I can not get mail from Brazil that does not fail the message
DP> sniffer test, regardless of content.
DP> Is this nation or any other totally black listed?

I'm not aware of any rule that blocks any particular nation, nor any other rule that intentionally blocks large segments arbitrarily. Such a rule would be against policy anyway.

Please tell us the rule or rules that are firing and I'll look them up - it would be best to follow the false positives process on this:

http://www.sortmonster.com/MessageSniffer/Help/FalsePositivesHelp.html

Hope this helps,

_M
RE: [sniffer] Rulebots gone wild
Andrew,

378:1038 is a pretty good ratio; we're seeing something like 7:2 where 7 aren't tagged by Sniffer (SNIIFER-NOTFOUND) but which are marked by Declude's other tests and found to be SPAM.

David

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: 19 January 2006 18:00
To: sniffer@SortMonster.com
Subject: [sniffer] Rulebots gone wild

By the way, Pete, thank you very much for publicly posting the URL where we could download FPSigIDs.csv so that we could work on recovering our own false positives.

I was able to use this information to selectively re-test all of the messages detected by those rules. That was 2,449 messages. More than half of those were detected as spam by other Message Sniffer rules, leaving me with 1,038 messages that I re-queued in my Declude JunkMail Pro on Ipswitch Imail.

For what it's worth, those 1,038 messages that did not trigger any rules in the new rulebase included 378 spam messages which were then caught by my Declude JunkMail Pro configuration.

Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Thursday, January 19, 2006 9:15 AM
To: Jeff Alexander
Subject: Re: [sniffer] How can I

On Thursday, January 19, 2006, 8:37:01 AM, Jeff wrote:

JA> I have been having a lot of problems with the rules since Friday.
JA>
JA> How can I see what rules are set for spamming.

There are many thousands of rules. For security purposes we don't expose their content freely. If you have false positives, please follow the false positive process and as part of that process, the rules involved with any particular case will be shown to you.

It's not clear from your note but most likely your trouble is part of a problem we had with our rule-bots a few days ago. The rule-bots have been disabled and the bad rules they created have been rolled out of the core rulebase.

Hope this helps,

_M
RE: [sniffer] Rollback of bot rules..
My bet is that either the OB or WS trees of SURBL are the culprit. I've seen false positives from them before. Can your bot isolate the subs of the multi lookup and only use the more reliable ones like JP, SC, etc?

Also, these are dynamic services and can change at any time... sometimes in minutes. What does your software do in terms of caching those results?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Tuesday, January 17, 2006 5:06 PM
To: sniffer@sortmonster.com
Subject: [sniffer] Rollback of bot rules..

Hello Sniffer Folks,

There is an unknown problem with the bots surrounding SURBL and SORBS testing. Rather than search for all the needles in all the haystacks we are taking the following action:

The bots will be offline until further notice - so all rules will be those that are developed by our human rule-techs for the time being.

All SURBL or SORBS related rules that were generated by bots in the past 18 hours will be rolled into our Problematic rule group. This is where rules go when they have been removed due to an FP - the Problematic rule group does not get published - it simply prevents rules from being duplicated.

Since we have a huge backlog of false positive reports, it may take a while to get through them all. Please be patient.

The database changes will occur in the next half hour. All updates after that time should have these troublesome rules removed.

Once I resolve what happened to the bots I will let everyone know.

Thanks,

_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)
Chief Scientist (www.armresearch.com)
RE: [sniffer] Help
Hi,

I am experiencing the very same problem.

Regards,
Ali

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Filippo Palmili
Sent: Wednesday, January 18, 2006 3:34 PM
To: [EMAIL PROTECTED]
Cc: sniffer@SortMonster.com
Subject: [sniffer] Help

Hello,

What's going on with rules? Today, for 100 blocked by Sniffer, more than 10 were really legitimate.

Please advise.

Thanks
Filippo
Re: [sniffer] False Positives
Same with me. Last night there was a rules update and it fixed the problem. Check the date of your rules update.

----- Original Message -----
From: Ali Resting [EMAIL PROTECTED]
To: sniffer@sortmonster.com
Cc: [EMAIL PROTECTED]
Sent: Wednesday, January 18, 2006 8:57 AM
Subject: [sniffer] False Positives

Hi,

Over the last 2 days I have seen a major increase in false positives. Literally all hotmail and yahoo addresses are being caught by Sniffer, inclusive of other legit domains.

Please confirm what may be causing this and what I can do to resolve the issue.

Regards,
Ali
Re: [sniffer] False Positives
Agreed. We counted 100 false positives yesterday, compared to our normal rate of less than 5. No false positives since 6pm ET yesterday, though. Thank goodness.

Darin.

----- Original Message -----
From: Frederick Samarelli [EMAIL PROTECTED]
To: sniffer@SortMonster.com
Cc: [EMAIL PROTECTED]
Sent: Wednesday, January 18, 2006 8:42 AM
Subject: Re: [sniffer] False Positives

Same with me. Last night there was a rules update and it fixed the problem. Check the date of your rules update.

----- Original Message -----
From: Ali Resting [EMAIL PROTECTED]
To: sniffer@sortmonster.com
Cc: [EMAIL PROTECTED]
Sent: Wednesday, January 18, 2006 8:57 AM
Subject: [sniffer] False Positives

Hi,

Over the last 2 days I have seen a major increase in false positives. Literally all hotmail and yahoo addresses are being caught by Sniffer, inclusive of other legit domains.

Please confirm what may be causing this and what I can do to resolve the issue.

Regards,
Ali
Re: [sniffer] Help
On Wednesday, January 18, 2006, 8:34:15 AM, Filippo wrote:

FP> Hello,
FP> What's going on with rules? Today for 100 blocked by Sniffer
FP> more than 10 were really legitimate.
FP> Please advise.

Everything should be functioning normally today. Please visit:

http://www.mail-archive.com/sniffer@sortmonster.com/msg02346.html

Thanks,

_M
Re: [sniffer] False Positives
On Wednesday, January 18, 2006, 8:57:56 AM, Ali wrote:

AR> Hi,
AR> Over the last 2 days I have seen a major increase in false positives.
AR> Literally all hotmail and yahoo addresses are being caught by sniffer
AR> inclusive of other legit domains.
AR> Please confirm what may be causing this and what I can do to resolve the
AR> issue.

Please visit:

http://www.mail-archive.com/sniffer@sortmonster.com/msg02346.html

and

http://www.mail-archive.com/sniffer@sortmonster.com/msg02348.html

Thanks,

_M
Re: [sniffer] Help Help
On Wednesday, January 18, 2006, 11:06:44 AM, Filippo wrote:

FP> Hello,
FP> What's going on with rules? Today for 100 blocked by Sniffer
FP> more than 10 were really legitimate.

Please visit:

http://www.mail-archive.com/sniffer@sortmonster.com/msg02346.html

and

http://www.mail-archive.com/sniffer@sortmonster.com/msg02348.html

Thanks,

_M
Re: [sniffer] Watch out... SURBL SORBS full of large ISPs and Antispamproviders.
Pete,

I just checked real quick, hitting several DNS servers (mine and others), and I am not seeing this - are you still seeing this now?

    C:\>nslookup 2.0.0.127.multi.surbl.org
    Server:  nscache5.bflony.adelphia.net
    Address:  68.168.224.180

    Non-authoritative answer:
    Name:    2.0.0.127.multi.surbl.org
    Address:  127.0.0.126

    C:\>nslookup declude.com.multi.surbl.org
    Server:  nscache5.bflony.adelphia.net
    Address:  68.168.224.180

    *** nscache5.bflony.adelphia.net can't find declude.com.multi.surbl.org: Non-existent domain

    C:\>nslookup w3.org.multi.surbl.org
    Server:  nscache5.bflony.adelphia.net
    Address:  68.168.224.180

    *** nscache5.bflony.adelphia.net can't find w3.org.multi.surbl.org: Non-existent domain

Darrell

Check out http://www.invariantsystems.com for utilities for Declude and Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

----- Original Message -----
From: Matt [EMAIL PROTECTED]
To: sniffer@SortMonster.com
Sent: Tuesday, January 17, 2006 7:21 AM
Subject: Re: [sniffer] Watch out... SURBL SORBS full of large ISPs and Antispamproviders.

Pete,

w3.org would be a huge problem because Outlook will insert this in the XML headers of any HTML generated E-mail.

If you could give us an idea of when this started and possibly ended, that would help in the process of review.

Thanks,

Matt

Pete McNeil wrote:
> Hello Sniffer Folks,
>
> Watch out for false positives.
>
> This morning along with the current spam storm we discovered that SURBL and SORBs are listing a large number of ISP domains and anti-spam service/software providers. As a result, many of these were tagged by our bots due to spam arriving at our system with those domains and IPs. Most IPs and domains for these services are coded with nokens in our system to prevent this kind of thing, but a few slipped through. We are aggressively hunting any more that might have arrived.
>
> You may want to temporarily reduce the weight of the experimental IP and experimental ad-hoc rule groups until we have identified and removed the bad rules we don't know about yet.
>
> Please also do your best to report any false positives that you do identify so that we can remove any bad rules. I don't expect that there will be too many, but I do want to clear them out quickly if they are there.
>
> Please also, if you haven't already, review the false positive procedures:
>
> http://www.sortmonster.com/MessageSniffer/Help/FalsePositivesHelp.html
>
> Pay special attention to the rule-panic procedure and feature in case you are one of the services hit by these bad entries.
>
> An example of some that we've found in SURBL for example are declude.com, usinternet.com, and w3.org
>
> It's not clear yet how large the problem is, but I'm sure it will be resolved soon.
>
> Hope this helps,
>
> Thanks,
>
> _M
>
> Pete McNeil (Madscientist)
> President, MicroNeil Research Corporation
> Chief SortMonster (www.sortmonster.com)
> Chief Scientist (www.armresearch.com)
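The lookups Darrell ran by hand, and Matt's question in the rollback thread about using only the more reliable SURBL sub-lists, as an added example (not from the list, not SURBL or MicroNeil code): it builds the multi.surbl.org query name, reads the answer's last octet as a bitmask using the sub-list bit values of the time (2=sc, 4=ws, 8=ph, 16=ob, 32=ab, 64=jp), and flags a hit only if a trusted sub-list fired. The resolver is injected so the example runs offline against constructed answers; `live_resolver` shows the real call, and `trusted` is an assumed parameter.

```python
"""Decode a multi.surbl.org answer and act only on the sub-lists you trust.

Added example, not from this thread and not SURBL or MicroNeil code.
"""
import socket
from typing import Callable, Optional

# Bit values of the SURBL sub-lists in a multi.surbl.org answer (127.0.0.<bits>).
SURBL_BITS = {2: "sc", 4: "ws", 8: "ph", 16: "ob", 32: "ab", 64: "jp"}


def surbl_query_name(domain: str, zone: str = "multi.surbl.org") -> str:
    """'declude.com' -> 'declude.com.multi.surbl.org' (same form as the nslookup calls)."""
    return f"{domain.strip('.').lower()}.{zone}"


def decode_surbl_answer(addr: Optional[str]) -> set:
    """Map an A-record answer to the set of sub-lists that listed the name.

    None (NXDOMAIN) means not listed anywhere. Anything outside 127.0.0.0/8 is
    not a SURBL answer (for example a wildcarding or intercepting resolver)
    and is refused rather than misread as a listing.
    """
    if addr is None:
        return set()
    octets = addr.split(".")
    if len(octets) != 4 or octets[0] != "127":
        raise ValueError(f"not a SURBL answer: {addr}")
    bits = int(octets[3])
    return {name for bit, name in SURBL_BITS.items() if bits & bit}


def live_resolver(name: str) -> Optional[str]:
    """Real DNS lookup; NXDOMAIN becomes None. Not used by the offline demo."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_domain(domain: str, resolver: Callable[[str], Optional[str]],
                 trusted=("jp", "sc")) -> tuple:
    """Return (all sub-lists that fired, True only if a trusted sub-list fired)."""
    fired = decode_surbl_answer(resolver(surbl_query_name(domain)))
    return fired, bool(fired & set(trusted))


# Constructed answers standing in for DNS: the test point from the nslookup
# above (listed on every sub-list), an unlisted domain, and a made-up name
# listed only on ob, the tree Matt distrusts.
CONSTRUCTED_DNS = {
    "2.0.0.127.multi.surbl.org": "127.0.0.126",
    "declude.com.multi.surbl.org": None,
    "constructed-example.test.multi.surbl.org": "127.0.0.16",
}


def constructed_resolver(name: str) -> Optional[str]:
    return CONSTRUCTED_DNS.get(name)


if __name__ == "__main__":
    for d in ("2.0.0.127", "declude.com", "constructed-example.test"):
        print(d, check_domain(d, constructed_resolver))
```

Because the lists change within minutes, as Matt notes, anything you cache from these answers should expire with the record's TTL rather than live on in a rulebase.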
Re: [sniffer] Watch out... SURBL SORBS full of large ISPs and Antispamproviders.
Pete,

I reviewed my Hold range going back to Monday morning and I wasn't able to find anything out of the ordinary. I also searched my logs from my URIBL tool that queries SURBL among other things, and I wasn't able to find any hits for those domains that you pointed out. I guess that I wasn't affected.

As far as promoting such domains to Sniffer through automated means goes, I believe that this helps substantiate the need for adding extra qualifications. For instance, the chances of a 2 letter dot-com domain being a legitimately taggable spam domain are almost zero. To a lesser extent the same is true as you add on more characters. Also, it would be very helpful for such situations and false positives in general if you were to track long-standing domains that appear in ham and don't add these automatically by cross checking these blacklists. There are many different ways to accomplish this.

I have found over time that foreign free E-mail services can get picked up by Sniffer, and because these services are frequently forged and legitimate traffic is low enough that people don't often either notice/report false positives, that these rules stay high in strength and live a very long time. You can in fact prevent this from happening to a large extent with further validation. SURBL is subject to false positives on such things, but they expire such rules using different techniques that prevent them from being long-term issues, but these cross-checked false positives can have a life of their own on Sniffer sometimes.

Thanks,

Matt

Pete McNeil wrote:
> On Tuesday, January 17, 2006, 7:21:11 AM, Matt wrote:
>
> M> Pete,
> M> w3.org would be a huge problem because Outlook will insert this in the
> M> XML headers of any HTML generated E-mail.
> M> If you could give us an idea of when this started and possibly ended,
> M> that would help in the process of review.
>
> Indications are that the rule was in our system for only a couple of hours this morning before we caught what was going on. Many folks won't have ever seen the rule... though it may still be in surbl.
>
> In fact, all of these rules that we know of followed very much the same profile. Two of us were working in the rulebase at the time due to heavy outscatter from a fake ph.d campaign and several new variants of chatty_watches, chatty_drugs, and druglist.
>
> We're continuing to look for any rules that might have entered our system this way and we haven't found any new ones since about the time I wrote my first post on it.
>
> I'm about to run through false positives to see what might have been reported and remove those.
>
> Hope this helps,
>
> _M
RE: [sniffer] Rollback of bot rules..
Thank you, Pete.

In my spelunking, I've found too many rules to put in as panic entries in my .cfg file, and this morning I dropped the weight for my experimental class tests to low values, and heavily edited my combo tests that build on Sniffer hits.

I'm attaching a report showing the number of hits for the various rules that I'm pretty sure are false positives, and this was from a modest sample of my traffic.

Now that the source of the bad rules is gone, and I see that the latest .snf update's file size has significantly shrunk, I'm going to find all the rules that triggered tests 61 and 63 and re-queue them in my Declude for scanning to get the false positives through my mail system.

Andrew.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Tuesday, January 17, 2006 2:06 PM
To: sniffer@sortmonster.com
Subject: [sniffer] Rollback of bot rules..

Hello Sniffer Folks,

There is an unknown problem with the bots surrounding SURBL and SORBS testing. Rather than search for all the needles in all the haystacks we are taking the following action:

The bots will be offline until further notice - so all rules will be those that are developed by our human rule-techs for the time being.

All SURBL or SORBS related rules that were generated by bots in the past 18 hours will be rolled into our Problematic rule group. This is where rules go when they have been removed due to an FP - the Problematic rule group does not get published - it simply prevents rules from being duplicated.

Since we have a huge backlog of false positive reports, it may take a while to get through them all. Please be patient.

The database changes will occur in the next half hour. All updates after that time should have these troublesome rules removed.

Once I resolve what happened to the bots I will let everyone know.

Thanks,

_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)
Chief Scientist (www.armresearch.com)
Re: [sniffer] Update
On Tuesday, January 17, 2006, 6:44:20 PM, Frederick wrote:

FS> Can you send the update or I will have to disable Sniffer.
FS>
FS> It is catching almost all our emails.

Your last update was 2144 GMT, about 146 minutes ago (if my math is right). Pacing is at 150 minutes; current compiler lag is 11 minutes.

You should have your update within the next half hour or so.

Hope this helps,

_M
Re: [sniffer] lots of investment spam not being caught by sniffer...
On Friday, January 6, 2006, 2:09:12 PM, Chuck wrote:

CS> Hopefully the rulebase is being updated but we are getting slammed by this
CS> stuff.

Stock push?

I saw a bunch of broken stock push come through this morning (0330). Not getting any more through the traps.

Also a lot of image based stock push - got that covered too.

Please submit any that do get through. I'm on traps right now and almost caught up so I should see them if they're not filtered.

(BTW - It looks like your rulebase just updated 17:26:00 GMT)

Let me know if things don't immediately improve. If they don't you might be seeing something before we do.

Thanks,

_M
RE: [sniffer] About Resellers, and the best laid plans of mice & men...
Like others, I received the same special offer email off list. I've never heard of ComputerHouse. IMO, resellers should not be using this list to solicit business, either through a list posting or soliciting individual posters. I would think that sort of behavior goes against their reseller contract.

Pete Wrote:
> Next, while it would be bad form for one of our resellers to advertise directly on our list, THAT DID NOT HAPPEN here. Someone else pointed out the discount, and that's ok.
RE: [sniffer] About Resellers, and the best laid plans of mice & men...
Sorry papa _M
Sorry John T

Just want to see sniffer around in the future and got a little excited.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Pete McNeil
Sent: Wednesday, December 28, 2005 9:51 PM
To: sniffer@sortmonster.com
Subject: [sniffer] About Resellers, and the best laid plans of mice & men...

Hello Sniffer Folks,

Before things get too out of hand I thought I'd post a few remarks just to make sure there are no misunderstandings.

First of all, the price on the ComputerHouse site was an error and it has already been corrected. (That's the mice and men part... a simple mistake, now all taken care of.)

Next, while it would be bad form for one of our resellers to advertise directly on our list, THAT DID NOT HAPPEN here. Someone else pointed out the discount, and that's ok.

Regarding our reseller programs in general and where we stand on this. As Mike is fond of saying, We like customers, all customers :-)

It's perfectly ok to us for you to buy from one of our resellers or from us directly. Pick the relationship that fits you best. -- Technically, our resellers are really considered VARs, and they all have special things to offer that you may need. Purchasing from us directly also has some benefits (the additional funds help speed up R&D), but ultimately, if you use and support SNF, through us or through one of our partners, you are still supporting SNF and that's a good thing! :-)

Our goal is to foster a broad, vibrant community of consultants, end users, VARs, OEMs, service providers, and even plain old interested parties that use and support SNF. After all, email security is a big concern for everyone and the best thing we can do is work together.

Hope this helps,

Thanks,

_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)
Chief Scientist (www.armresearch.com)
RE: [sniffer] Last chance to renew at the old price!
Customers who purchased Sniffer via Declude can look on their Host Records and the dates should be there.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Jones
Sent: Tuesday, December 27, 2005 1:31 PM
To: sniffer@SortMonster.com
Subject: Re: [sniffer] Last chance to renew at the old price!

How can I tell when my subscription expires?

--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.371 / Virus Database: 267.14.7/214 - Release Date: 12/23/2005
RE: [sniffer] Last chance to renew at the old price!
I said the same thing, and the response was, basically, We haven't raised the price in a long time, we need the money, like it or lump it.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Koontz
Sent: Tuesday, December 27, 2005 1:57 PM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] Last chance to renew at the old price!

Pete, why over a 50% increase? That seems rather drastic

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Tuesday, December 27, 2005 12:42 PM
To: sniffer@sortmonster.com
Subject: [sniffer] Last chance to renew at the old price!

Hello Sniffer folks,

This is just a friendly reminder that prices will be going up January 1. You can add a year to your SNF subscription at the current price if you renew before January 1.

Details are here: https://www.armresearch.com/message-sniffer/forms/form-renewal.asp

Thanks,

_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)
Chief Scientist (www.armresearch.com)

--- [This E-mail scanned for viruses by Declude Virus]
RE: [sniffer] Last chance to renew at the old price!
Hi Folks,

Actually, here is some more detail as to the reasons for the price increase. In addition, please bear in mind that prices haven't been raised in approximately 2 years and even with this increase we are priced very competitively.

The new features/benefits and more to come are as follows:

* In the past 6 months we have more than doubled the number of updates per day and we will continue to increase our bandwidth and the speed of our updates.

* We have more than tripled our staff to improve our monitoring, support, and rule generation capabilities. Come January, we are again doubling this staff as the black-hats have gotten much more sophisticated and this has become a 24x7 battle. Even Pete needs to sleep sometimes. :-)

* We are adding new R&D programs for AFF/419 spam and Malware mitigation (many of the results from these projects have already been implemented).

* During this next year as part of our continuous improvement policy we will continue to roll out new features and enhancements such as fully automated reporting, in-band real-time updates, an optimized message processing pipeline, image and file attachment tagging, advanced header structure analysis, enhanced adaptive heuristics, improved machine learning systems, real-time wave-front threat detection, and many more...

It's important to recognize that many of our improvements don't require new software to be installed on the client side since they are delivered through rulebase enhancements. Though this often causes our work to go unnoticed, it is actually a design feature since it means that your installation requires very little maintenance. This translates to lowered administration costs and higher reliability. As a result of this reliability-first design strategy, it may not always be obvious that our service is constantly being improved and enhanced - we never stand still ;-)

We'd hate to see any of you go, but please do compare us with other services. I'm sure that you'll find we're well worth the money, but it's always good to keep your options open. In fact, best practice these days for spam filtering is to use a blended approach that leverages many services. We personally encourage that for best results.

Please let me know if you have any questions.

Thank you for your feedback and business!

Sincerely

Michael Murdoch
The Sniffer Team
ARM Research Labs, LLC
Tel. 850-932-5338 x303

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fox, Thomas
Sent: Tuesday, December 27, 2005 1:03 PM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] Last chance to renew at the old price!

I said the same thing, and the response was, basically, We haven't raised the price in a long time, we need the money, like it or lump it.
RE: [sniffer] Last chance to renew at the old price!
We've already renewed this morning. From our point of view even at the $170 per year more would still be far less costly than the cost of finding, evaluating and implementing another solution. Not to mention the potential loss of business if our customers were not happy with the replacement's results.

Just 2 cents from a guy that rarely says anything :)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Murdoch
Sent: Tuesday, December 27, 2005 2:14 PM
To: sniffer@SortMonster.com
Cc: Pete McNeil
Subject: RE: [sniffer] Last chance to renew at the old price!
Importance: High

Hi Folks,

Actually, here is some more detail as to the reasons for the price increase. In addition, please bear in mind that prices haven't been raised in approximately 2 years and even with this increase we are priced very competitively.

The new features/benefits and more to come are as follows:

* In the past 6 months we have more than doubled the number of updates per day and we will continue to increase our bandwidth and the speed of our updates.

* We have more than tripled our staff to improve our monitoring, support, and rule generation capabilities. Come January, we are again doubling this staff as the black-hats have gotten much more sophisticated and this has become a 24x7 battle. Even Pete needs to sleep sometimes. :-)

* We are adding new R&D programs for AFF/419 spam and Malware mitigation (many of the results from these projects have already been implemented).

* During this next year as part of our continuous improvement policy we will continue to roll out new features and enhancements such as fully automated reporting, in-band real-time updates, an optimized message processing pipeline, image and file attachment tagging, advanced header structure analysis, enhanced adaptive heuristics, improved machine learning systems, real-time wave-front threat detection, and many more...

It's important to recognize that many of our improvements don't require new software to be installed on the client side since they are delivered through rulebase enhancements. Though this often causes our work to go unnoticed, it is actually a design feature since it means that your installation requires very little maintenance. This translates to lowered administration costs and higher reliability. As a result of this reliability-first design strategy, it may not always be obvious that our service is constantly being improved and enhanced - we never stand still ;-)

We'd hate to see any of you go, but please do compare us with other services. I'm sure that you'll find we're well worth the money, but it's always good to keep your options open. In fact, best practice these days for spam filtering is to use a blended approach that leverages many services. We personally encourage that for best results.

Please let me know if you have any questions.

Thank you for your feedback and business!

Sincerely

Michael Murdoch
The Sniffer Team
ARM Research Labs, LLC
Tel. 850-932-5338 x303
RE: [sniffer] Last chance to renew at the old price!
We've been using Sniffer for almost 5 years now and the price hasn't increased in that time. It's overdue, really.

Fox, Thomas wrote on Tuesday, December 27, 2005 2:03 PM:

I said the same thing, and the response was, basically, We haven't raised the price in a long time, we need the money, like it or lump it.
RE: [sniffer] Last chance to renew at the old price!
We've always paid under the 'monthly' plan. How will this be affected? Should we switch to the yearly plan?

Rick Robeson
getlocalnews.com
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Michael Murdoch
Sent: Tuesday, December 27, 2005 11:14 AM
To: sniffer@SortMonster.com
Cc: Pete McNeil
Subject: RE: [sniffer] Last chance to renew at the old price!
Importance: High

Hi Folks,

Actually, here is some more detail as to the reasons for the price increase. In addition, please bear in mind that prices haven't been raised in approximately 2 years and even with this increase we are priced very competitively.

The new features/benefits and more to come are as follows:

* In the past 6 months we have more than doubled the number of updates per day and we will continue to increase our bandwidth and the speed of our updates.

* We have more than tripled our staff to improve our monitoring, support, and rule generation capabilities. Come January, we are again doubling this staff as the black-hats have gotten much more sophisticated and this has become a 24x7 battle. Even Pete needs to sleep sometimes. :-)

* We are adding new R&D programs for AFF/419 spam and Malware mitigation (many of the results from these projects have already been implemented).

* During this next year as part of our continuous improvement policy we will continue to roll out new features and enhancements such as fully automated reporting, in-band real-time updates, an optimized message processing pipeline, image and file attachment tagging, advanced header structure analysis, enhanced adaptive heuristics, improved machine learning systems, real-time wave-front threat detection, and many more...

It's important to recognize that many of our improvements don't require new software to be installed on the client side since they are delivered through rulebase enhancements. Though this often causes our work to go unnoticed, it is actually a design feature since it means that your installation requires very little maintenance. This translates to lowered administration costs and higher reliability. As a result of this reliability-first design strategy, it may not always be obvious that our service is constantly being improved and enhanced - we never stand still ;-)

We'd hate to see any of you go, but please do compare us with other services. I'm sure that you'll find we're well worth the money, but it's always good to keep your options open. In fact, best practice these days for spam filtering is to use a blended approach that leverages many services. We personally encourage that for best results.

Please let me know if you have any questions.

Thank you for your feedback and business!

Sincerely

Michael Murdoch
The Sniffer Team
ARM Research Labs, LLC
Tel. 850-932-5338 x303
RE: [sniffer] Last chance to renew at the old price!
Hi Rick,

Yes, you can convert your monthly license payment to a yearly subscription at the current yearly rate of $ 325.00 by going to:

https://www.armresearch.com/message-sniffer/forms/form-renewal.asp

This is the recommendation that we are making to all monthly customers so that you can be grandfathered in at the current price.

Please give us a day or two to email you your PAID COPY of your invoice with the effective subscription dates.

Thank you for your business!

Mike
The Sniffer Team

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Robeson
Sent: Tuesday, December 27, 2005 1:29 PM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] Last chance to renew at the old price!

We've always paid under the 'monthly' plan. How will this be affected? Should we switch to the yearly plan?

Rick Robeson
getlocalnews.com
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]