RE: Re[4]: [sniffer] Lot of Drugs Spam getting through sniffer....

2006-05-05 Thread John T (Lists)
Just when you think we won the battle, they move the targets and change the
rules.

This is why we need people like Pete and Darrell to help us fight this ever
changing war.

A big thanks.

John T
eServices For You

Seek, and ye shall find!


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
 Sent: Friday, May 05, 2006 11:37 AM
 To: John T (Lists)
 Subject: Re[4]: [sniffer] Lot of Drugs Spam getting through sniffer
 
 On Friday, May 5, 2006, 1:08:14 PM, John wrote:
 
 JTL Well, I am at the point that I could care less about geocities false
 JTL positives. If GeoCities is going to allow this much spam junk then I could
 JTL care less about allowing them.
 
 That's fine.
 
 There are probably a number of systems that feel that way. I only
 meant to say that we've tried a block-first strategy w/ geocities
 before and had to remove it. YMMV.
 
 You should also know (may remember) that the blackhats experimented a
 while ago with using several other hosting sites, including msn, and
 seeding them in round-robin fashion so that they all appeared in each
 campaign. Since this experiment stopped abruptly I doubt that it has
 been abandoned - rather, it was put on the shelf for a while. At the
 time it was clearly effective for them. I think it likely they will do
 that again (don't know when) since they are putting some new effort
 into this path. I don't have any evidence of it yet.
 
 I discovered that on 20060503 the blackhats made some significant
 changes to their use of geocities links and their transmission
 patterns. I've re-tuned the F002 bot to compensate and it is currently
 reviewing a handful of new geocities links every minute and adding
 approximately 1.2 new rules per minute.
 
 I suspect that the lull we observed may have had something to do with
 their tooling up for this set of campaigns.
 
 _M
 
 
 
 
 This E-Mail came from the Message Sniffer mailing list. For information
and
 (un)subscription instructions go to
 http://www.sortmonster.com/MessageSniffer/Help/Help.html





RE: Re[4]: [sniffer] When to go persistent

2006-02-24 Thread Goran Jovanovic
Hi,

I just got my service up and running using Matt's post 

http://www.mail-archive.com/sniffer@sortmonster.com/msg00169.html

It was simple especially since I already had the resource kit installed.

Now I know that this is supposed to work to get the persistent instance
to load the new rulebase after a download.

REM Load new rulebase file.
%LicenseID%.exe reload


But is there any way to query the service and ask it to tell you when
was the last time the rulebase was loaded? Or what version of the
rulebase it is using? When running in peer mode this question does not
arise since the instances read the file off disk so there is no problem.
With the persistent instance this is not the case and I would like to
know that it really is using the newest rulebase.

Goran Jovanovic
Omega Network Solutions

 

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
 Sent: Thursday, February 23, 2006 3:11 PM
 To: Rick Robeson
 Subject: Re[4]: [sniffer] When to go persistent
 
 On Thursday, February 23, 2006, 1:22:53 PM, Rick wrote:
 
 RR I thought you had to run this as a service?
 
 RR Rick Robeson
 RR getlocalnews.com
 RR [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
 
 Strictly speaking you do not have to run it as a service, but it is
 more convenient to do so. If you run it from the command line then you
 would need to remain logged in.
 
 Running the persistent instance from the command line is convenient
 for testing, but it is much better to run it as a service in a
 production environment - that way it starts and stops with the other
 services as expected, doesn't require any account to be logged in,
 etc...
 
 _M
 
 
 


RE: Re[4]: [sniffer] When to go persistent

2006-02-24 Thread Colbeck, Andrew
Goran,

When you issue a reload you can tell that the new rulebase is being used
because the *.svr file's date and time will change to the current time.

Andrew 8)

  

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
 Sent: Friday, February 24, 2006 7:31 AM
 To: sniffer@SortMonster.com
 Subject: RE: Re[4]: [sniffer] When to go persistent
 
 Hi,
 
 I just got my service up and running using Matt's post 
 
 http://www.mail-archive.com/sniffer@sortmonster.com/msg00169.html
 
 It was simple especially since I already had the resource kit installed.
 
 Now I know that this is supposed to work to get the persistent 
 instance to load the new rulebase after a download.
 
 REM Load new rulebase file.
 %LicenseID%.exe reload
 
 
 But is there any way to query the service and ask it to tell 
 you when was the last time the rulebase was loaded? Or what 
 version of the rulebase it is using? When running in peer 
 mode this question does not arise since the instances read 
 the file off disk so there is no problem.
 With the persistent instance this is not the case and I would 
 like to know that it really is using the newest rulebase.
 
 Goran Jovanovic
 Omega Network Solutions
 
  
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
  Sent: Thursday, February 23, 2006 3:11 PM
  To: Rick Robeson
  Subject: Re[4]: [sniffer] When to go persistent
  
  On Thursday, February 23, 2006, 1:22:53 PM, Rick wrote:
  
  RR I thought you had to run this as a service?
  
  RR Rick Robeson
  RR getlocalnews.com
  RR [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
  
  Strictly speaking you do not have to run it as a service, but it is
  more convenient to do so. If you run it from the command line then you
  would need to remain logged in.
  
  Running the persistent instance from the command line is convenient
  for testing, but it is much better to run it as a service in a
  production environment - that way it starts and stops with the other
  services as expected, doesn't require any account to be logged in,
  etc...
  
  _M
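
Andrew's check (the *.svr file's date and time changes when a reload takes effect) can be scripted so an update job fails loudly when the persistent instance is still on the old rulebase. This is an added example, not code from the thread or from Message Sniffer; the function names, timeout values and file paths are assumptions, and only the `reload` argument to the executable comes from the thread.

```python
import os
import subprocess
import time


def svr_mtime(svr_path):
    """Return the .svr file's mtime in nanoseconds, or None if it is missing."""
    try:
        return os.stat(svr_path).st_mtime_ns
    except FileNotFoundError:
        return None


def reload_and_confirm(rulebase_path, svr_path, reload, timeout=30.0, poll=0.5):
    """Trigger a reload, then wait for the .svr timestamp to move forward.

    Returns "reloaded" once the .svr file is newer than its previous
    timestamp and at least as new as the rulebase file on disk.
    Returns "stale" if that has not happened when the timeout expires,
    which means the service may still be scanning with the old rulebase.
    """
    before = svr_mtime(svr_path)
    rulebase = os.stat(rulebase_path).st_mtime_ns
    reload()
    deadline = time.monotonic() + timeout
    while True:
        now = svr_mtime(svr_path)
        moved = now is not None and (before is None or now > before)
        if moved and now >= rulebase:
            return "reloaded"
        if time.monotonic() >= deadline:
            return "stale"
        time.sleep(poll)


def run_reload(exe_path):
    """Build a reload callable that runs '<LicenseID>.exe reload'.

    exe_path is an assumption: the full path to the licensed executable
    that the thread refers to as %LicenseID%.exe.
    """
    return lambda: subprocess.run([exe_path, "reload"], check=True, timeout=60)
```

In an update script, call `reload_and_confirm(rulebase, svr, run_reload(exe))` after the download and treat a `"stale"` result as a failed update.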
  
  
  


Re: Re[4]: [sniffer] problems!!!!

2006-02-08 Thread Darin Cox
Perhaps I used the wrong terminology about what changed, since I do not know
what your system architecture is, but I remember you mentioning a
significant change at the time.  Immediately afterwards we saw a rash of
false positives.  That is what I would like to have controls in place to
avoid.

Darin.


- Original Message - 
From: Pete McNeil [EMAIL PROTECTED]
To: Darin Cox sniffer@SortMonster.com
Sent: Wednesday, February 08, 2006 11:46 AM
Subject: Re[4]: [sniffer] problems


On Wednesday, February 8, 2006, 11:26:46 AM, Darin wrote:

DC There was no error in my comment.  I completely understand that some issues
DC will not be foreseeable... I did say mostly, not entirely.  The switch to
DC the automated bots caused a rash of false positives in our system.

<snip/>

Actually, there is the error I was talking about -- (I'm not pointing
fingers either, just trying to set the record straight.)

The automated bots had been online and part of the system for several
years when the error occurred. There was no cut-over to announce.

DC What I would be looking for is an announcement of a specific date/time for a
DC cutover so we could freeze just before that, and unfreeze once it was clear
DC that no glut of false positives would result.

I completely agree, and that is our policy. Before we turn on anything
important, we will announce it, as we have in the past. Even if for no
other reason than we want you to know we've done something cool... but
certainly so that we can have everyone aware and watching out for any
un-expected results (good or bad).

_M





RE: Re[4]: [sniffer] Bad Rule - 828931

2006-02-07 Thread John Carter
David 

Drop the q/d files back into the \spool\proc directory.  Declude will
reprocess them.  If you put them in just the \spool, queue manager will send
them out in the next queue run, bypassing Declude. 

John

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of David Sullivan
Sent: Tuesday, February 07, 2006 7:15 PM
To: Pete McNeil
Subject: Re[4]: [sniffer] Bad Rule - 828931

Hello Pete,

Tuesday, February 7, 2006, 8:11:50 PM, you wrote:

DS Not sure, can anyone think of a way to cross check this? What if I 
DS put all the released messages back through sniffer?

PM That would be good -- new rules were added to correctly capture the 
PM bad stuff. I almost suggested something more complex.

That said...anyone know specifics of reprocessing messages through Declude
on Imail? I know that in 1.x Declude would drop some kind of marker so that
q/d's copied into spool would not be reprocessed but I don't remember what
it was and don't know if it works same in 3.x.

Posted question on Declude JM list but no answer so far.

--
Best regards,
 David mailto:[EMAIL PROTECTED]





RE: Re[4]: [sniffer] Bad Rule - 828931

2006-02-07 Thread Goran Jovanovic
I just ran the grep command on my log and I got 850 hits. 

Now is there a way to take the output of the grep command and use it to
pull out the total weight of corresponding message from the declude log
file, or maybe the subject?

Goran Jovanovic
Omega Network Solutions

 

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Sullivan
 Sent: Tuesday, February 07, 2006 7:47 PM
 To: Landry, William (MED US)
 Subject: Re[4]: [sniffer] Bad Rule - 828931
 
 Hello William,
 
 Tuesday, February 7, 2006, 7:39:05 PM, you wrote:
 
 LWMU grep -c Final.*828931 c:\imail\declude\sniffer\logfile.log
 
 That's what I tried. Just figured out I forgot to capitalize the F.
 It works.
 
 Confirmed - 22,055
 
 I'm writing a program now to parse the sniffer log file, extract the
 file ID, lookup the id in sql server, determine quarantine
 location, extract q/d pair from quarantine and send to user.
 
 --
 Best regards,
  David mailto:[EMAIL PROTECTED]
 
 
 


RE: Re[4]: [sniffer] Bad Rule - 828931

2006-02-07 Thread Goran Jovanovic
OK to answer my own question. Run the following commands

grep -U Final.828931 snf.log > 1.txt
cut -b26-41 1.txt > 2.txt
grep -U -f2.txt d:\spool\dec0207.log > 3.txt
egrep -U "\smd Tests failed|\smd Subject" 3.txt > 4.txt

notepad 4.txt

Now I have to read my 4.txt and figure out what I am going to do about
it.

Goran Jovanovic
Omega Network Solutions

 

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
 Sent: Tuesday, February 07, 2006 8:39 PM
 To: sniffer@SortMonster.com
 Subject: RE: Re[4]: [sniffer] Bad Rule - 828931
 
 I just ran the grep command on my log and I got 850 hits.
 
 Now is there a way to take the output of the grep command and use it to
 pull out the total weight of corresponding message from the declude log
 file, or maybe the subject?
 
 Goran Jovanovic
 Omega Network Solutions
 
 
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Sullivan
  Sent: Tuesday, February 07, 2006 7:47 PM
  To: Landry, William (MED US)
  Subject: Re[4]: [sniffer] Bad Rule - 828931
 
  Hello William,
 
  Tuesday, February 7, 2006, 7:39:05 PM, you wrote:
 
  LWMU grep -c Final.*828931 c:\imail\declude\sniffer\logfile.log
 
  That's what I tried. Just figured out I forgot to capitalize the F.
  It works.
 
  Confirmed - 22,055
 
  I'm writing a program now to parse the sniffer log file, extract the
  file ID, lookup the id in sql server, determine quarantine
  location, extract q/d pair from quarantine and send to user.
 
  --
  Best regards,
   Davidmailto:[EMAIL PROTECTED]
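
The grep/cut steps in Goran's message, as an added Python example (not code from the thread): it lists the messages whose final SNF result was rule 828931 and pulls each one's Declude weight and subject for review. The log lines are constructed and their field layout is an assumption; comparing the rule field exactly avoids the extra hits that a `Final.*828931` pattern can pick up.

```python
import re

RULE_ID = "828931"  # rule number from the thread

# Constructed sample logs; the field layouts are assumptions for illustration.
# SNF (tab separated): license, timestamp, message file, setup ms, scan ms,
# result type, rule id, then further numeric fields.
SNF_LOG = "\n".join([
    "licensid\t20060207191501\tD0a1b2c3d4e5f6071.SMD\t10\t20\tMatch\t828931\t52\t0\t120\t40",
    "licensid\t20060207191501\tD0a1b2c3d4e5f6071.SMD\t10\t20\tFinal\t828931\t52\t0\t120\t40",
    "licensid\t20060207191640\tD1111222233334444.SMD\t10\t15\tFinal\t1828931\t60\t0\t90\t30",
    "licensid\t20060207191702\tD9999aaaabbbbcccc.SMD\t10\t18\tFinal\t828931\t52\t0\t80\t25",
    "licensid\t20060207191730\tD5555666677778888.SMD\t10\t12\tClean\t0\t0\t0\t0\t0",
    "licensid\t20060207191755\tD7777000011112222.SMD\t10\t11\tFinal\t828931\t52\t0\t70\t20",
])

# Declude (space separated): date, time, Q<message id>, then the detail text.
DECLUDE_LOG = "\n".join([
    "02/07/2006 19:15:02 Q0a1b2c3d4e5f6071 Tests failed [weight=14]: SNIFFER=WARN IPNOTINMX=IGNORE",
    "02/07/2006 19:15:02 Q0a1b2c3d4e5f6071 Subject: January invoice attached",
    "02/07/2006 19:16:41 Q1111222233334444 Tests failed [weight=22]: SNIFFER=WARN SPAMCOP=WARN",
    "02/07/2006 19:16:41 Q1111222233334444 Subject: cheap meds",
    "02/07/2006 19:17:03 Q9999aaaabbbbcccc Tests failed [weight=31]: SNIFFER=WARN SPAMCOP=WARN BADHEADERS=WARN",
    "02/07/2006 19:17:03 Q9999aaaabbbbcccc Subject: limited offer",
])

DECLUDE_LINE = re.compile(r"^\S+ \S+ Q([0-9A-Fa-f]+) (.*)$")
TESTS_FAILED = re.compile(r"^Tests failed \[weight=(-?\d+)\]:\s*(.*)$")


def naive_hits(snf_log, rule_id=RULE_ID):
    """Count lines the way `grep -c Final.*<rule>` does (substring match)."""
    pattern = re.compile("Final.*" + re.escape(rule_id))
    return sum(1 for line in snf_log.splitlines() if pattern.search(line))


def ids_hit_by_rule(snf_log, rule_id=RULE_ID):
    """Message ids whose Final result is exactly rule_id, in log order."""
    ids = []
    for line in snf_log.splitlines():
        fields = line.split("\t")
        if len(fields) < 7 or fields[5] != "Final" or fields[6] != rule_id:
            continue
        # "D0a1b...6071.SMD" -> "0a1b...6071"
        msg_id = fields[2][1:].split(".")[0].lower()
        if msg_id not in ids:
            ids.append(msg_id)
    return ids


def declude_details(declude_log, ids):
    """Collect weight, failed test names and subject for the given ids."""
    details = {i: {"weight": None, "tests": [], "subject": None} for i in ids}
    for line in declude_log.splitlines():
        m = DECLUDE_LINE.match(line)
        if not m or m.group(1).lower() not in details:
            continue
        entry, rest = details[m.group(1).lower()], m.group(2)
        failed = TESTS_FAILED.match(rest)
        if failed:
            entry["weight"] = int(failed.group(1))
            entry["tests"] = [t.split("=")[0] for t in failed.group(2).split()]
        elif rest.startswith("Subject: "):
            entry["subject"] = rest[len("Subject: "):]
    return details


def review_queue(snf_log, declude_log, rule_id=RULE_ID):
    """Messages hit by the rule, lowest Declude weight first.

    Low-weight messages are the ones most likely held only because of the
    bad rule; messages missing from the Declude log sort first (weight None).
    """
    ids = ids_hit_by_rule(snf_log, rule_id)
    details = declude_details(declude_log, ids)
    rows = [(i, details[i]["weight"], details[i]["subject"]) for i in ids]
    return sorted(rows, key=lambda r: (r[1] is not None, r[1] or 0))


if __name__ == "__main__":
    print("substring hits:", naive_hits(SNF_LOG))
    for row in review_queue(SNF_LOG, DECLUDE_LOG):
        print(row)
```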
 
 
 


RE: Re[4]: [sniffer] Last chance to renew at the old price!

2005-12-28 Thread Rick Hogue
It shows 292.50 now on the site so evidently they are taking the price up.

Rick Hogue

Intent.Net – Web Hosting

3802 Handley Avenue

Louisville, KY 40218

1-502-459-3100

1-800-866-2983 Toll Free

 

New Books Available

Prosperity Or Better Times Ten

Hot Slot Secrets

The Incredible Inman's Louisville Trivia Challenge


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Pete McNeil
Sent: Wednesday, December 28, 2005 9:16 PM
To: Peer-to-Peer (Support)
Subject: Re[4]: [sniffer] Last chance to renew at the old price!

The biggest concern I have about this is that the price is too low -
that is a violation. I'm sure it was unintentional, and if not, then
the contract will be pulled.

If you read closely, John T isn't on the wrong side here - he's asking
the right questions.

The price at ComputerHouse is out of line at the moment.

_M

On Wednesday, December 28, 2005, 9:00:48 PM, Peer-to-Peer wrote:

PtPS You certainly crossed a line of ethical integrity at the very least.
PtPS
PtPS Pete: If you don't already have a 'non-compete' agreement in
PtPS your reseller agreement it's time.
PtPS
PtPS I would never have believed someone would actually try to sell
PtPS your reseller rates to your customer base.
PtPS
PtPS It's simply appalling. And should be grounds for termination.
PtPS
PtPS -Original Message-
PtPS From: [EMAIL PROTECTED]
PtPS [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
PtPS Sent: Wednesday, December 28, 2005 8:46 PM
PtPS To: sniffer@SortMonster.com
PtPS Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!
PtPS
PtPS Absolutely not. In fact, if you read my post after this, I
PtPS am questioning whether or not it can be sold for a lower price.
PtPS
PtPS I am not here to undermine any one, as after all where do
PtPS you think the license that I sell comes from?
PtPS
PtPS After all, we are all here to help one another.
PtPS
PtPS John T
PtPS eServices For You
PtPS
PtPS -Original Message-
PtPS From: [EMAIL PROTECTED]
PtPS [mailto:[EMAIL PROTECTED] On Behalf Of Peer-to-Peer (Support)
PtPS Sent: Wednesday, December 28, 2005 5:41 PM
PtPS To: sniffer@SortMonster.com
PtPS Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!
PtPS
PtPS John T: Did you just solicit the ENTIRE sniffer community
PtPS with pricing that will undermine Pete?
PtPS
PtPS Never bite the hand that feeds you my friend.
PtPS
PtPS -Original Message-
PtPS From: [EMAIL PROTECTED]
PtPS [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
PtPS Sent: Wednesday, December 28, 2005 8:17 PM
PtPS To: sniffer@SortMonster.com
PtPS Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!
PtPS
PtPS Although I am a registered reseller, I normally only sell
PtPS hardware and software to clients as part of my services.
PtPS
PtPS However, if any one is interested in a price, contact me off list.
PtPS
PtPS John T
PtPS eServices For You
PtPS
PtPS -Original Message-
PtPS From: [EMAIL PROTECTED]
PtPS [mailto:[EMAIL PROTECTED] On Behalf Of Kevin
PtPS Sent: Wednesday, December 28, 2005 5:00 PM
PtPS To: sniffer@SortMonster.com
PtPS Subject: Re: Re[2]: [sniffer] Last chance to renew at the old price!
PtPS
PtPS After posting this, another reseller pm me their renewal
PtPS rate of $269. I didn't know Sniffer had another reseller besides Declude.
PtPS
PtPS Anyways, for those who are interested and want to save
PtPS money, it's https://www.computerhouse.com/ccsecure.html
PtPS
PtPS At 01:21 PM 12/28/2005, you wrote:
PtPS
PtPS Can we renew at declude.com since their pricing is
PtPS $292.50? I assume their prices will increase on Jan 1, 2006 too.


---
[This E-mail scanned for viruses by Declude on http://www.intent.net hosted
Email]






RE: Re[4]: [sniffer] POP3 Account Question

2005-12-06 Thread William Van Hefner
Pete,

How about just creating some accounts that are commonly targeted by
dictionary attacks, but that were never actually valid accounts on our
server? I could redirect all of them to a common mailbox. There are also a
few other common (non-role) addresses that we do not use, which always get
targeted by spammers. I am thinking of sales@, info@, etc. I have
accumulated quite a list of common dictionary attack names from my logs. I
wouldn't have to seed the addresses anywhere. They get hit just by virtue of
how common they are.


William Van Hefner
Network Administrator

Vantek Communications, Inc.
555 H Street, Ste. C
Eureka, CA 95501
707.476.0833 ph





RE: Re[4]: [sniffer]

2005-11-10 Thread Jim Matuska Jr.
We are running Sniffer with the Mdaemon plug-in and SA and it seems to work
great for us, much better than our previous Imail/Declude sniffer
combination.  

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]

 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Pete McNeil
Sent: Thursday, November 10, 2005 9:36 AM
To: Peer-to-Peer (Support)
Subject: Re[4]: [sniffer]

On Thursday, November 10, 2005, 11:45:48 AM, Peer-to-Peer wrote:

PtPS _M,

PtPS _M said will create a default installation that emits headers and puts
PtPS a .cf file in place for SA to interpret them.

PtPS Not sure if this is relevant to your thought process, but we feel that SA
PtPS (SpamAssassin) does more harm than good.  Under moderate loads it bogs-down
PtPS MDaemon so we always have SA disabled.  Sniffer is by far superior in every
PtPS category, (accuracy, speed, dependability etc...) so there's no need to use
PtPS SpamAssassin.

PtPS My point: Keep in mind that some of us use sniffer independently (not tied
PtPS to SA).  We're using sniffer's .cfg plug-in for MD ver 8.
PtPS I assume you will, and I probably misunderstood your post, but just wanted
PtPS to mention this out-loud.

Thanks for this! I think it's the first time I've heard it said out
loud from anyone involved with MDaemon. As a result I'm operating
under the assumption that folks who install SNF on MDaemon _most
likely_ have SA running and so that would be the simplest default
installation.

Is that true (do you think) or is it now more likely that SA would be
disabled?

In any case, the installer is intended for someone who just wants to
push the button and have it work. In that context, what is the best
default install?

All that said, once the installation is complete, a technically savvy
person could reconfigure SNF and MDaemon to work in any way they
prefer. We're definitely not going to do anything to make that more
difficult.

Thanks,

_M





Re: Re[4]: [sniffer] Rash of false positives

2005-11-09 Thread Richard Farris

This morning my server quit sending mail and my tech said the Dr. Watson
error on the server was my Sniffer file...I rebooted and thought it was OK
but quit again..I had a lot of mail back logged...so I updated a new rule
base but it did not seem to help... I reinstalled Imail and things seem OK
but slow since there is such a back log of mail... If things don't get back
to normal I will be back..

Richard Farris
Ethixs Online
1.270.247. Office
1.800.548.3877 Tech Support
"Crossroads to a Cleaner Internet"

  - Original Message -
  From: Pete McNeil
  To: Darin Cox
  Sent: Tuesday, November 08, 2005 3:03 PM
  Subject: Re[4]: [sniffer] Rash of false positives

  On Tuesday, November 8, 2005, 3:25:20 PM, Darin wrote:

    Hi Pete,

    There was a consistent stream of false positives over the mentioned
    time period, not just a blast at a particular time. They suddenly
    started at 5pm (shortly after a 4:30pm rulebase update), and were
    fairly evenly spread from 5pm - 11pm and 6am - 10am today (not many
    legitimate emails came in between 11pm and 6am)...spanning 4 other
    rulebase updates at 8:40pm, 12am, 3am, and 6:20am. There were a number
    of different rules involved, and over 45 false positives in that time
    period.

  This is highly unusual -- I didn't remove many rules, and normally only one
  or two would be responsible. If you found that a large number of rules were
  responsible then something else happened and we need to look at that... I'd
  need to see your SNF logs from that period since the changes (removals anyway)
  in the rulebase were very small and unrelated - that just doesn't line up with
  your description.

  One thing does-- in the past if snf2check was not used to check a new
  download then a corrupted rulebase could cause SNF to produce erratic
  results... since snf2check has been in place we have not seen this. Is it
  possible that a bad rulebase file got pressed into service on your system? --
  probably a look at the logs would help there too since this kind of failure is
  accompanied by very specific oddities in the logs.

  Hope this helps,

  _M



RE: Re[4]: [sniffer] Rash of false positives

2005-11-09 Thread John Moore

We had this same thing happen.

It has been happening more frequently recently and we are looking into
disabling sniffer as it seems to be the culprit each time.

John Moore
305 Spin

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Richard Farris
Sent: Wednesday, November 09, 2005 11:38 AM
To: sniffer@SortMonster.com
Subject: Re: Re[4]: [sniffer] Rash of false positives

This morning my server quit sending mail and my tech said the Dr.
Watson error on the server was my Sniffer file...I rebooted and thought it was
OK but quit again..I had a lot of mail back logged...so I updated a new rule
base but it did not seem to help... I reinstalled Imail and things seem OK but
slow since there is such a back log of mail... If things don't get back to
normal I will be back..

Richard Farris
Ethixs Online
1.270.247. Office
1.800.548.3877 Tech Support
Crossroads to a Cleaner Internet

- Original Message -
From: Pete McNeil
To: Darin Cox
Sent: Tuesday, November 08, 2005 3:03 PM
Subject: Re[4]: [sniffer] Rash of false positives

On Tuesday, November 8, 2005, 3:25:20 PM, Darin wrote:

  Hi Pete,

  There was a consistent stream of false
  positives over the mentioned time period, not just a blast at a particular
  time. They suddenly started at 5pm (shortly after a 4:30pm rulebase
  update), and were fairly evenly spread from 5pm - 11pm and 6am - 10am today
  (not many legitimate emails came in between 11pm and 6am)...spanning 4 other
  rulebase updates at 8:40pm, 12am, 3am, and 6:20am. There were a number
  of different rules involved, and over 45 false positives in that time period.

This is highly unusual -- I didn't
remove many rules, and normally only one or two would be responsible. If you
found that a large number of rules were responsible then something else happened
and we need to look at that... I'd need to see your SNF logs from that period
since the changes (removals anyway) in the rulebase were very small and
unrelated - that just doesn't line up with your description.

One thing does-- in the past if
snf2check was not used to check a new download then a corrupted rulebase could
cause SNF to produce erratic results... since snf2check has been in place we
have not seen this. Is it possible that a bad rulebase file got pressed into
service on your system? -- probably a look at the logs would help there too
since this kind of failure is accompanied by very specific oddities in the
logs.

Hope this helps,

_M




Re: Re[4]: [sniffer] Rash of false positives

2005-11-09 Thread Darin Cox

Are corrupted rulebase files the culprit? How do you update... and do you
run snf2check on the updates?

Just wondering if the rulebase file is the problem, if the problem occurs
during the update, or if you are running into obscure errors with the EXE
itself

Darin.

- Original Message -
From: John Moore
To: sniffer@SortMonster.com
Sent: Wednesday, November 09, 2005 12:42 PM
Subject: RE: Re[4]: [sniffer] Rash of false positives

We had this same thing happen.

It has been happening more frequently recently and we are looking into
disabling sniffer as it seems to be the culprit each time.

John Moore
305 Spin

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Richard Farris
Sent: Wednesday, November 09, 2005 11:38 AM
To: sniffer@SortMonster.com
Subject: Re: Re[4]: [sniffer] Rash of false positives

This morning my server quit sending mail and my tech said the Dr. Watson
error on the server was my Sniffer file...I rebooted and thought it was OK
but quit again..I had a lot of mail back logged...so I updated a new rule
base but it did not seem to help... I reinstalled Imail and things seem OK
but slow since there is such a back log of mail... If things don't get back
to normal I will be back..

Richard Farris
Ethixs Online
1.270.247. Office
1.800.548.3877 Tech Support
"Crossroads to a Cleaner Internet"

  - Original Message -
  From: Pete McNeil
  To: Darin Cox
  Sent: Tuesday, November 08, 2005 3:03 PM
  Subject: Re[4]: [sniffer] Rash of false positives

  On Tuesday, November 8, 2005, 3:25:20 PM, Darin wrote:

    Hi Pete,

    There was a consistent stream of false positives over the mentioned
    time period, not just a blast at a particular time. They suddenly
    started at 5pm (shortly after a 4:30pm rulebase update), and were
    fairly evenly spread from 5pm - 11pm and 6am - 10am today (not many
    legitimate emails came in between 11pm and 6am)...spanning 4 other
    rulebase updates at 8:40pm, 12am, 3am, and 6:20am. There were a number
    of different rules involved, and over 45 false positives in that time
    period.

  This is highly unusual -- I didn't remove many rules, and normally only one
  or two would be responsible. If you found that a large number of rules were
  responsible then something else happened and we need to look at that... I'd
  need to see your SNF logs from that period since the changes (removals anyway)
  in the rulebase were very small and unrelated - that just doesn't line up with
  your description.

  One thing does-- in the past if snf2check was not used to check a new
  download then a corrupted rulebase could cause SNF to produce erratic
  results... since snf2check has been in place we have not seen this. Is it
  possible that a bad rulebase file got pressed into service on your system? --
  probably a look at the logs would help there too since this kind of failure is
  accompanied by very specific oddities in the logs.

  Hope this helps,

  _M
  
  


RE: Re[4]: [sniffer] Rash of false positives

2005-11-09 Thread John Moore








We have not run snf2check on the updates. And
it may be a coincidence or bad timing that sniffer
appears to be the culprit. But we have stopped sniffer
(commented out in the declude global.cfg)
for an observed period of time and the mail never stops (and had never stopped
before sniffer) and conversely, it only stops when sniffer is running.

We have not gone the extra steps of
putting sniffer in persistent mode.

We are looking at moving the imail/declude/sniffer setup to a newer box with more
resources.

Currently on a dell 2450 dual 833 and 1
gig of ram and raid 5. Volume of email is less than 10,000 emails per day.

J











From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Wednesday, November 09, 2005 1:47 PM
To: sniffer@SortMonster.com
Subject: Re: Re[4]: [sniffer] Rash of false positives

Are corrupted rulebase files the culprit? How do you update... and do you run
snf2check on the updates?

Just wondering if the rulebase file is the problem, if the problem occurs
during the update, or if you are running into obscure errors with the EXE
itself

Darin.

- Original Message -
From: John Moore
To: sniffer@SortMonster.com
Sent: Wednesday, November 09, 2005 12:42 PM
Subject: RE: Re[4]: [sniffer] Rash of false positives

We had this same thing happen.

It has been happening more frequently recently and we are looking into
disabling sniffer as it seems to be the culprit each time.

John Moore
305 Spin

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Richard Farris
Sent: Wednesday, November 09, 2005 11:38 AM
To: sniffer@SortMonster.com
Subject: Re: Re[4]: [sniffer] Rash of false positives

This morning my server quit sending mail and my tech said the Dr. Watson
error on the server was my Sniffer file...I rebooted and thought it was OK
but quit again..I had a lot of mail back logged...so I updated a new rule
base but it did not seem to help...I reinstalled Imail and things seem OK but
slow since there is such a back log of mail...If things don't get back to
normal I will be back..

Richard Farris
Ethixs Online
1.270.247. Office
1.800.548.3877 Tech Support
Crossroads to a Cleaner Internet

- Original Message -
From: Pete McNeil
To: Darin Cox
Sent: Tuesday, November 08, 2005 3:03 PM
Subject: Re[4]: [sniffer] Rash of false positives

On Tuesday, November 8, 2005, 3:25:20 PM, Darin wrote:

  Hi Pete,

  There was a consistent stream of false positives over the mentioned time
  period, not just a blast at a particular time. They suddenly started at 5pm
  (shortly after a 4:30pm rulebase update), and were fairly evenly spread
  from 5pm - 11pm and 6am - 10am today (not many legitimate emails came in
  between 11pm and 6am)...spanning 4 other rulebase updates at 8:40pm, 12am,
  3am, and 6:20am. There were a number of different rules involved, and over
  45 false positives in that time period.

This is highly unusual -- I didn't remove many rules, and normally only one or
two would be responsible. If you found that a large number of rules were
responsible then something else happened and we need to look at that... I'd
need to see your SNF logs from that period since the changes (removals anyway)
in the rulebase were very small and unrelated - that just doesn't line up with
your description.

One thing does-- in the past if snf2check was not used to check a new download
then a corrupted rulebase could cause SNF to produce erratic results... since
snf2check has been in place we have not seen this. Is it possible that a bad
rulebase file got pressed into service on your system? -- probably a look at
the logs would help there too since this kind of failure is accompanied by
very specific oddities in the logs.

Hope this helps,

_M

Re: Re[4]: [sniffer] POP Approach

2005-10-14 Thread Darin Cox
Hi Pete,

Do you send out notices to licensees to let them know to renew ahead of
time?

I think we're getting close to renewal, and want to make sure we don't
lapse.

Darin.


- Original Message - 
From: Pete McNeil [EMAIL PROTECTED]
To: Rick Hogue sniffer@SortMonster.com
Cc: [EMAIL PROTECTED]
Sent: Friday, October 14, 2005 11:03 AM
Subject: Re[4]: [sniffer] POP Approach


On Friday, October 14, 2005, 9:39:33 AM, Rick wrote:

RH What is going on with the sniffer not catching any of the spam that is now
RH coming through? We are getting slammed with medication, mortgage and other
RH junk email?

Your license has expired.

Please send a note to [EMAIL PROTECTED] to renew. We will send
you an invoice you can pay online.

Thanks,

_M





RE: Re[4]: [sniffer] can auto-forward be disabled when spam is detected?

2005-09-02 Thread Rick Robeson
Really! so simply renaming the forward.ima to main.fwd accomplishes what
he's talking about?
Where is that documented in the Imail system?

Is that feature reflected/available in the windows Imail admin interfaces?



Rick Robeson
getlocalnews.com
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Sanford Whiteman
Sent: Friday, September 02, 2005 12:19 PM
To: Rick Robeson
Subject: Re[4]: [sniffer] can auto-forward be disabled when spam is
detected?


 I'm afraid I'm not that up on my email standards.

They're not standards in the RFC sense, just IMail features.

 What exactly does forwarding by main.fwd do and how does one
 implement that type of solution?

Create mailboxname.fwd using the same format as forward.ima and the
forwarding actions will only apply to messages slated to be delivered
to that mailbox.

--Sandy



Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]





RE: Re[4]: [sniffer] Message Sniffer Plugin for MDaemon Wide Beta Promo

2005-04-20 Thread Peer-to-Peer (Support)
Tip for MDaemon plug-in users.

Sniffer's .cfg file has an option 'not' to scan files larger than 'X'.  If
this option is set then no sniffer headers will be placed into the message
(if the message is larger than 'X').

Beware, if you use MD's Content Filter to instruct where to send messages
based on sniffer's 'results' as there will be no results if the file is
never scanned ;)


Paul R


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Pete McNeil
Sent: Wednesday, April 20, 2005 3:30 PM
To: Jim Matuska
Subject: Re[4]: [sniffer] Message Sniffer Plugin for MDaemon Wide Beta Promo


On Wednesday, April 20, 2005, 2:30:25 PM, Jim wrote:

JM Pete,
JM Is there a difference between the normal .snf files I have been downloading
JM and the one for the plugin?  I have setup my script to download the .snf
JM file and noticed it is a couple mb's smaller than the included demo .snf
JM file.

There is no significant difference. The mdaemon1 file contains some
extra rules, but these are not normally needed in production. During
the test we wanted to make sure we used the largest valid rulebase
file we generate. After the test it will be best to use normal
rulebase files.

_M






RE: Re[4]: [sniffer] Persistent Sniffer

2005-04-01 Thread Keith Johnson
Pete,
Wow, thank you for the explanation.  I did let the persistent
server run for 30 min after I restarted the services.  However, I did
stop the services, then started Sniffer service, then restart Imail
services.  I could have gotten a backlog of retries at that moment that
pegged the CPU as you stated.  We have batted around running BIND for
NT/2000 on the local machine, but my fear was overhead of another major
process running.  I don't have any good stats on how much CPU/Memory
BIND on an Imail Server requires, thus, we have a SUN/BIND box local to
the switch.  Are you aware of any stats on this?

We don't run the AVAFTERJM switch.  This is done in part due to
so many of our customers still look at their spam email from time to
time.  We heavily use the ROUTETO and MAILBOX command, thus, if I let a
virus go through to their mailbox, they could potentially open a
virus spam email and hurt themselves.

We defrag each partition every night using Diskeeper and it
works great.  I regularly look at the Sniffer directory to ensure no
left over .fin files and others that could cause server load.  I will
retry it again tonight and see what type of results I get and post them
here.  It could be as you say, I am on the far side :)

Thanks again,

Keith 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Friday, April 01, 2005 2:16 PM
To: Keith Johnson
Subject: Re[4]: [sniffer] Persistent Sniffer

On Friday, April 1, 2005, 11:44:07 AM, Keith wrote:

KJ Pete,
KJ Thanks for the reply.  

KJ Running on an IBM Xseries 225 Dual Xeon 2.4Ghz w/ 1GB RAM - 
KJ running IBM's ServerRAID 5i in IBM's RAID 10 config (4 73GB 10K 
KJ drives)
KJ - O/S is Windows 2000 Standard Server SP4

KJ Running Imail 8.15HF1 with Declude JM/Virus 1.82 - BIND DNS
KJ Server is 1 hop away (on switch backbone).  I had to drop back to
KJ the non-persistent mode, thus the .stat file disappeared.  I will
KJ run it again tonight and copy the file away and post it here tonight.

KJ Thanks again for the time and aid.

I don't see any problems with this setup.

Your description sounds like your server is fairly heavily loaded
(35-55% cpu in peer-server mode), though I would expect more from the
hardware you've described.

I suspect that you may have run into the far side of the power curve
when you went to persistent server mode. In peer-server mode the failure
mode for overload conditions is much softer than with the persistent
peer server mode.

Up to the failure point in the power curve the persistent server mode
will provide a significant savings over peer-server, however once that
point is reached the persistent server mode tends to degrade much more
quickly and requires a significant drop in load before recovery occurs.

I'm working on some strategies to soften that curve a bit, but in the
mean time let's explore these options to get the best performance from
your server and reduce its load. Then we can see if the persistent
server engine will give you even more headroom:

1. I recommend running AVAFTERJM - are you doing this? Typically 80% or
more of email traffic is spam and so there is no good reason to attempt
a virus scan on these messages. If you hold messages and occasionally
re-insert them into the queue then they will not be scanned, however
there are ways to work around this when needed - and it is very likely
you would not re-insert a message that contained a virus anyway.

2. Consider running bind as a dns resolver on your mail server and
pointing the server to itself via the loopback address (127.0.0.1) for
DNS services. This tends to speed up processing significantly which also
reduces the number of message processes that are running at any given
time. YMMV, but I have seen this work consistently to improve
performance.

--- when trying persistent mode (minor adjustments really) ---

A. Set the Persistence value in your snflicid.cfg file to 3600. - no
need to check for a new rulebase every 10 minutes usually. These loop
events tear down the server momentarily which can perturb an otherwise
smooth running system when under heavy loads - thus minimizing the
frequency of these events may help.

B. Set LogFormat in your snflicid.cfg file to SingleLine. This provides
sufficient data for our purposes (most of the time) and should
significantly reduce the size of your log file.

C. Be sure to keep any unnecessary files out of the SNF working
directory - in particular you should clean out any orphaned files that
might still be lurking from previous crashes.

--- General ---

Be sure your drives are regularly defragmented.

Hope this helps,

_M

PS: I just had another random thought really --- Could it be that the
high CPU value was appropriate? If you had built up a queue of messages
to be processed then once the persistent server was put in place and the
system started processing messages again the CPU would 

RE: Re[4]: [sniffer] Download server is really slow..

2004-12-20 Thread George Kulman
Pete,

I'm downloading right now and it's very slow.

George 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Pete McNeil
Sent: Monday, December 20, 2004 6:39 AM
To: Chuck Schick
Subject: Re[4]: [sniffer] Download server is really slow..

On Monday, December 20, 2004, 1:13:52 AM, Chuck wrote:

CS Pete:

CS It is Sunday night at 10 minutes after the hour and the download server is
CS still very slow - so I am not too sure there is just a run on the server.

I will check the logs to verify.
_M






RE: Re[4]: [sniffer] Download server is really slow..

2004-12-20 Thread Hirthe, Alexander
Hello,

I'm trying at the moment, Wget says 50-90 K/s (started at 40, went quick up
to 90 and now going down to 50K/s)

Alex



Re: Re[4]: [sniffer] Few questions

2004-12-16 Thread Marc Hilliker
Pete,

PM One other quick note/reminder. Use the snf2check utility on your
PM downloaded rulebase files before putting them in service. This will
PM ensure that you have a complete file that is not corrupted.

Yeap..that is exactly what I did when I went back and looked at the files
included in the distro. It gave me the same error which provoked me to
re-download the rulebase.

---
Marc




Re: Re[4]: [sniffer] New Version 2-3.2 has been officially released.

2004-11-24 Thread Bonno Bloksma
Hi,

[]
 I understand. I have no reasonable explanation for your experience.
 There have been no other reported problems and I have been unable to
 recreate your conditions.

 BB I just once more installed the 2.3.2 exe, we'll see what happens. As it is
 BB close to 9 PM over here it should not disrupt any business going on and let
 BB me do some testing.

 Thanks for your efforts.

Well, still no problems so far so I'll write it up to . earth rays,
solar spots, pick whatever you want.
It seems it was a one time thing.

[]
 One change you should make is to adjust your Declude configuration so
 that your message file name is emitted into your message headers. This
 way when a false positive does occur we can match the message up to
 the log entries and identify the rule or rules that fired.

Did that, so for the next time something like this happens.. ;)

Kind regards,

Bonno Bloksma

---
[E-mail scanned at tio.nl for viruses by Declude Virus]




RE: Re[4]: [sniffer] New Version 2-3.2 has been officially released.

2004-11-24 Thread John Tolmachoff (Lists)
 Well, still no problems so far so I'll write it up to . earth rays,
 solar spots, pick whatever you want.
 It seems it was a one time thing.

You must be referring to the RAW law.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You





Re: Re[4]: [sniffer] New Version 2-3.2 has been officially released.

2004-11-24 Thread Bonno Bloksma
Hi,

  Well, still no problems so far so I'll write it up to . earth rays,
  solar spots, pick whatever you want.
  It seems it was a one time thing.

 You must be referring to the RAW law.

RAW? Random Answer Whatchamacallit?

 John Tolmachoff
 Engineer/Consultant/Owner
 eServices For You

Kind regards,

Bonno Bloksma

---
[E-mail scanned at tio.nl for viruses by Declude Virus]




RE: Re[4]: [sniffer] New Version 2-3.2 has been officially released.

2004-11-24 Thread John Tolmachoff (Lists)
   Well, still no problems so far so I'll write it up to . earth rays,
   solar spots, pick whatever you want.
   It seems it was a one time thing.
 
  You must be referring to the RAW law.
 
 RAW? Random Answer Whatchamacallit?

Random
Acts of
Weirdness

The RAW law, Keyboard Virus and the PEBKAC phenomenon are the 3 most common
reasons for problems.

The PEBKAC phenomenon:
Problem
Exists
Between
Keyboard
And
Chair

SAFETY DISCLAIMER: The foregoing information is considered entertainment in
nature and is not meant to represent or describe any person living or dead
in the past, present or future. It is meant to create something odd in the
IT Industry, a smile.

Anyone else in the US working Thursday and Friday? I am! :s

John Tolmachoff
Engineer/Consultant/Owner
eServices For You





RE: Re[4]: [sniffer] LogRotate no longer working?

2004-10-31 Thread Andy Schmidt
Hi,

A) for what it's worth, I ran:

rename mylicense.log mylicense.log.20041101051900

and the command prompt was able to rename the file WITHOUT problems (I
didn't even stop the IMAIL or Sniffer services). So it appears that nothing
locks the .log file.

B)  Under normal conditions the persistent server will see this file,
delete it, and process the command it represents.  

Well - in my case it's 30 MINUTES later and the .rotate file still exists!

 What version operating system are you using? 

Windows 2000 Server, Service Pack 4 on a dual-processor Dell machine
Hotfixchecker lists no missing security fixes

 What does your licenseid.persistent.stat file contain? 

Hm - interesting - that file does NOT exist.

However, I DID see it exist while I had executed mylicenseid.exe
persistent from the command line

 what is the build information? 

  build - v2-3.1 Oct 26 2004 22:03:06

Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:    +1 201 934-9206



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Pete McNeil
Sent: Monday, November 01, 2004 12:14 AM
To: Andy Schmidt
Subject: Re[4]: [sniffer] LogRotate no longer working?


On Monday, November 1, 2004, 12:02:30 AM, Andy wrote:

AS Pete,

AS - okay, I ran the STOP command - it never ended
AS - the persistent command window never ended
AS - I finally stopped the SERVICE and the stop command ended
AS - I finally CLOSED the command window to flush the persistent task

AS Then I saw a whole bunch of sniffer tasks launch in the task window 
AS - so I assume it was no longer running in persistent mode.  After 
AS watching this for 2 minutes, I restarted the server.

Ok.

AS Now I tried against

AS mylicense.exe rotate

AS from the command line.
AS - It DOES return, I see no error message.
AS - It creates an EMPTY mylicense.ROTATE file !?

That is a signal to the Persistent instance. Under normal conditions the
persistent server will see this file, delete it, and process the command it
represents. When the issuing instance sees the file disappear - or times out
- then it returns.

AS - It does NOT rename the active log and continues to use it.

This means that the Persistent instance did not recognize or process the
command. When you issued the command it returned after 30 seconds or so
simply because it had finished waiting - there is a time-out.

What version operating system are you using?

What does your licenseid.persistent.stat file contain?

If you run your sniffer exe from the command line with no parameters what is
the build information?

Thanks,
_M






RE: Re[4]: [sniffer] Version 2-3.0i8 published.

2004-10-20 Thread Keith Johnson
If we don't run the Mdaemon on our systems and just use the new
download, will we also see a speed increase on processing.  Thanks for
the time.

Keith 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Wednesday, October 20, 2004 1:50 PM
To: Frank Osako
Subject: Re[4]: [sniffer] Version 2-3.0i8 published.

On Wednesday, October 20, 2004, 12:54:04 PM, Frank wrote:

FO Hello _M

_ Systems with heavier loads _should_ see a reduction in their backlog

FO See a reduction of what in their backlog? Can you give an example 
FO of how to see this type of measurement?

Another good question - I will try to get a solid, detailed answer.
I'm not an MDaemon expert so I'm not sure what the best strategies are
for measuring throughput performance and backlog (inbound/outbound queue
length).

Perhaps there are some MDaemon experts on list that can share their
strategies for making these measurements? In particular, how best to
measure these things when the system in question is not overloaded?

Thanks,
_M






RE: Re[4]: [sniffer] Version 2-3.0i8 published.

2004-10-20 Thread Michiel Prins
What we did was write a wrapper around sniffer, and fire that wrapper from
the Content Filter. that wrapper measures how long each sniffer instance
takes. In the previous version, it took way longer when using the persistent
version than when not using the persistent version. You would expect it to
be the other way around.

I could try the new version tomorrow to see if this one is actually faster,
but if I don't get around to doing it tomorrow, I can't check it anymore,
coz I'm going down under for a month.


Regards,
Michiel

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Pete McNeil
Sent: Wednesday, October 20, 2004 19:50
To: Frank Osako
Subject: Re[4]: [sniffer] Version 2-3.0i8 published.

On Wednesday, October 20, 2004, 12:54:04 PM, Frank wrote:

FO Hello _M

_ Systems with heavier loads _should_ see a reduction in their backlog

FO See a reduction of what in their backlog? Can you give an example 
FO of how to see this type of measurement?

Another good question - I will try to get a solid, detailed answer.
I'm not an MDaemon expert so I'm not sure what the best strategies are for
measuring throughput performance and backlog (inbound/outbound queue
length).

Perhaps there are some MDaemon experts on list that can share their
strategies for making these measurements? In particular, how best to measure
these things when the system in question is not overloaded?

Thanks,
_M






RE: Re[4]: [sniffer] Surprising missed spam

2004-09-14 Thread Jonathan Hickman
How does a user go about modifying the custom sniffer rules?  Must Sort
Monster be contacted or is it possible to do this with some other system
(such as a web based interface)?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Tuesday, September 14, 2004 3:28 PM
To: Landry William
Subject: Re[4]: [sniffer] Surprising missed spam


On Tuesday, September 14, 2004, 1:05:29 PM, Landry wrote:


LW Pete, I started running the new code this morning, and so far, so 
LW good. I'll let you know if I see anything strange.

Thanks.
_M






Re: Re[4]: [sniffer] Charset

2004-08-20 Thread Scott Fisher
-Mad,

How set up is Message Sniffer to determine if an e-mail in a foreign
language is spam and then code for it.
I dutifully submit my Spanish spam to the spam at sortmonster.com address.
It's a very, very small percentage of my overall spam, but it consistently
lands in my battleground grey-weight ranges.

I only ask, because I have seen the amount of non-English spam trending
upwards. I've noticed spam here in Russian, German, Spanish, Korean,
Portuguese and Chinese.

- Original Message - 
From: Pete McNeil [EMAIL PROTECTED]
To: Michiel Prins [EMAIL PROTECTED]
Sent: Friday, August 20, 2004 7:04 AM
Subject: Re[4]: [sniffer] Charset


 On Friday, August 20, 2004, 2:35:35 AM, Michiel wrote:

 MP Pete, even your message had a charset header:

 MP Content-Type: text/plain; charset=us-ascii

 Yes, a tricky gadget indeed.

 MP I think you'll generate more FP's if you do something like that than FN's
 MP you might have now. Aren't there spamassassin config files that detect this
 MP spam?

 Just to be clear - we're not precisely talking about spam per-se.
 Rather we're talking about stating that all traffic on a particular
 system should be only in one language as a matter of policy...

 The distinction is small I suppose, but in my mind important. In
 filtering spam we're usually trying to target only messages that are
 unsolicited commercial email, pornography, or somehow harmful... With
 this other approach instead of trying to defeat what we don't want, we
 are trying to only accept what we do want... Not so much putting up
 blocks, more like putting up a huge block and punching holes.

 There are some SA filters that do this kind of thing...
 Ultimately I think it boils down to filtering out anything with a
 charset that is not wanted.

 If we achieve this by attrition (rather than attempting to capture all
 of the charsets at once) then we will achieve a strong result quickly
 at a relatively low cost and we might avoid potential false positives
 that are out there.

 MHO,
 _M









This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html
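
The charset policy discussed in the message quoted above (filter out unwanted charsets, building the deny-list by attrition) can be sketched as follows. This is an added example, not code from the thread or from Message Sniffer; the function names, the two policy lists and the sample messages are constructed for illustration.

```python
import codecs
from email import message_from_bytes
from email.errors import HeaderParseError
from email.header import decode_header

# Headers that commonly carry RFC 2047 encoded-words (illustrative choice).
HEADER_FIELDS = ("Subject", "From", "To", "Cc", "Reply-To")


def normalize(name):
    """Collapse charset aliases (US-ASCII, ascii, ...) to one canonical name."""
    try:
        return codecs.lookup(name.strip()).name
    except (LookupError, ValueError):
        return name.strip().lower()  # unknown to Python: keep it for review


def declared_charsets(raw):
    """Every charset a message declares, in MIME parts and header encoded-words."""
    msg = message_from_bytes(raw)
    found = set()
    for part in msg.walk():
        if part.is_multipart():
            continue
        charset = part.get_content_charset()
        if charset is None and part.get_content_maintype() == "text":
            charset = "us-ascii"  # RFC 2045 default when a text part names none
        if charset:
            found.add(normalize(charset))
    for field in HEADER_FIELDS:
        for value in msg.get_all(field, []):
            try:
                chunks = decode_header(str(value))
            except HeaderParseError:
                found.add("unparseable-header")  # surfaces as "unreviewed"
                continue
            found.update(normalize(cs) for _, cs in chunks if cs)
    return found


def review(raw, accepted, denied):
    """Split a message's charsets into policy hits and ones nobody has judged."""
    accepted = {normalize(c) for c in accepted}
    denied = {normalize(c) for c in denied}
    seen = declared_charsets(raw)
    return {"denied": sorted(seen & denied),
            "unreviewed": sorted(seen - denied - accepted)}


# Constructed policy lists: the deny-list starts small and grows as
# "unreviewed" charsets are looked at and rejected one at a time.
ACCEPTED = {"us-ascii", "utf-8", "iso-8859-1"}
DENIED = {"koi8-r"}

# Constructed sample messages.
PLAIN = (b"From: a@example.com\r\nSubject: rulebase update\r\n"
         b"Content-Type: text/plain; charset=us-ascii\r\n\r\nhello\r\n")
MIXED = (b"From: b@example.net\r\n"
         b"Subject: =?koi8-r?B?8NLJ18XU?=\r\n"
         b"MIME-Version: 1.0\r\n"
         b'Content-Type: multipart/alternative; boundary="b1"\r\n\r\n'
         b"--b1\r\n"
         b"Content-Type: text/plain; charset=koi8-r\r\n"
         b"Content-Transfer-Encoding: base64\r\n\r\n"
         b"8NLJ18XU\r\n"
         b"--b1\r\n"
         b'Content-Type: text/html; charset="windows-1251"\r\n\r\n'
         b"<p>x</p>\r\n"
         b"--b1--\r\n")
# The charset appears only in the Subject; the body declares nothing.
HEADER_ONLY = (b"From: c@example.org\r\n"
               b"Subject: =?euc-kr?Q?=B1=A4=B0=ED?=\r\n\r\nplain body\r\n")

if __name__ == "__main__":
    for label, raw in (("plain", PLAIN), ("mixed", MIXED),
                       ("header-only", HEADER_ONLY)):
        print(label, review(raw, ACCEPTED, DENIED))
```

A message whose only foreign charset sits in an encoded-word header would pass a check that looks at Content-Type alone, which is why the headers are scanned as well.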