Re[2]: [sniffer] Bad Rule - 828931
On Tuesday, February 7, 2006, 7:54:10 PM, John wrote:

JC> So, in my terms (simple), this rule only catches msg if the two drug names
JC> are in that order and in all capitals, but not necessarily one immediately
JC> following the other?

That was close to the original intent. The rule would also have compensated for any number of intervening characters.

I didn't see the original message that the rule was coded from, but some recent examples of the "druglist" campaign family are inserting HTML and FLOAT style tags to interleave an extra character as well as the html.

C q I r A s L t etc...

_M

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
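Added example (not part of the original thread, and not Message Sniffer's rule syntax): a small Python matcher that reproduces the behaviour discussed above, where capital letters only have to appear in order, and compares it with a variant that caps the gap between letters. The product names, the sample texts and the gap limit of 3 are constructed for this illustration.

```python
import base64
import random

# Stand-in for the rule described in the thread: the capital letters of two
# product names must appear in order. Both names are made up for this example.
RULE_LETTERS = "CARDEN" + "LOTIRA"

def ordered_match(text, letters, max_gap=None):
    """True if `letters` occur in `text` in order (case-sensitive).

    max_gap=None allows any number of characters between consecutive
    letters (the over-broad behaviour); an integer caps that gap.
    """
    # `ends` holds every position where the prefix matched so far can end.
    ends = [i for i, ch in enumerate(text) if ch == letters[0]]
    for want in letters[1:]:
        nxt = []
        for j, ch in enumerate(text):
            if ch != want:
                continue
            if any(p < j and (max_gap is None or j - p - 1 <= max_gap)
                   for p in ends):
                nxt.append(j)
        ends = nxt
        if not ends:
            return False
    return bool(ends)

# Constructed samples: interleaved spam text, a legitimate all-caps notice,
# and undecoded base64 (pseudo-random bytes, fixed seed so runs are repeatable).
SPAM = "C q A r R s D t E u N v L w O x T y I z R a A b"
ALL_CAPS_NOTICE = (
    "NOTICE: CAR PARK D WILL BE CLOSED FOR REPAINTING ON MONDAY. "
    "PLEASE USE LOT B INSTEAD AND DISPLAY YOUR PERMIT AT THE BARRIER."
)
_rng = random.Random(2006)
RAW_BASE64 = base64.b64encode(
    bytes(_rng.getrandbits(8) for _ in range(6000))).decode()

def evaluate(max_gap):
    """Run the rule over all three samples with the given gap limit."""
    samples = {"spam": SPAM, "all_caps_notice": ALL_CAPS_NOTICE,
               "raw_base64": RAW_BASE64}
    return {name: ordered_match(text, RULE_LETTERS, max_gap)
            for name, text in samples.items()}

if __name__ == "__main__":
    print("any gap :", evaluate(None))
    print("gap <= 3:", evaluate(3))
```

With no gap limit all three samples match, including the two legitimate ones; with the gap capped, only the interleaved spam sample still matches.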
Re[2]: [sniffer] Bad Rule - 828931
Hello Pete,

Tuesday, February 7, 2006, 7:43:52 PM, you wrote:

PM> The rule would match the intended spam (and there was a lot of it, so
PM> 22,055 most likely includes mostly spam.

On spot check I'm seeing about 30-40% of the messages are valid.

PM> Unfortunately it would also match messages containing the listed
PM> capital letters in that order throughout the message. Essentially, if
PM> the text is long enough then it will probably match. A greater chance
PM> of FP match if the text of the message is in all caps. Also if there
PM> is a badly coded base64 segment and file attachment (badly coded
PM> base64 might not be decoded... raw base64 will contain many of these
PM> letters in mixed case and therefore increase the probability of
PM> matching them all).

Not sure, can anyone think of a way to cross check this? What if I put all the released messages back through sniffer?

--
Best regards,
David mailto:[EMAIL PROTECTED]
RE: Re[2]: [sniffer] Bad Rule - 828931
Final\t828931 and Final.*828931 both found 850 entries in my current log using Baregrep.

John C
RE: Re[2]: [sniffer] Bad Rule - 828931
Don't know about the proper syntax for baregrep, but for the standard UNIX grep for Win32, the following would give you an accurate count:

grep -c "Final.*828931" c:\imail\declude\sniffer\logfile.log

Bill
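Added example (not part of the original thread): a Python check that compares the loose pattern Final.*828931 with an exact field comparison and lists each affected spool file once. The log lines are constructed and simplified, not Message Sniffer's actual log layout; only the "Final<TAB>rule id" adjacency comes from the thread, and the spool name being the first column is an assumption.

```python
import re

RULE_ID = "828931"

# Constructed, simplified, tab-separated log lines. Only the
# "Final<TAB>rule id" adjacency is taken from the thread; the spool-name
# column (first field here) and the other fields are assumptions.
SAMPLE_LOG = "\n".join([
    "Dab01.SMD\tMatch\t828931\t61",
    "Dab01.SMD\tFinal\t828931\t61",
    "Dab02.SMD\tFinal\t1828931\t52",     # other rule id containing the digits
    "Dab03.SMD\tFinal\t700123\t828931",  # digits appear in a later column
    "Dab04.SMD\tFinal\t828931\t61",
    "Dab04.SMD\tFinal\t828931\t61",      # same message logged twice
])

LOOSE = re.compile(r"Final.*828931")

def loose_count(log):
    """Lines matched by the loose pattern, as grep -c would count them."""
    return sum(1 for line in log.splitlines() if LOOSE.search(line))

def exact_lines(log, rule_id=RULE_ID):
    """Lines where a field equal to 'Final' is followed by exactly rule_id."""
    hits = []
    for line in log.splitlines():
        fields = line.split("\t")
        if ("Final", rule_id) in zip(fields, fields[1:]):
            hits.append(fields)
    return hits

def finaled_on(log, rule_id=RULE_ID, spool_col=0):
    """Unique spool names, in log order, that finaled on rule_id."""
    names = [fields[spool_col] for fields in exact_lines(log, rule_id)]
    return list(dict.fromkeys(names))

if __name__ == "__main__":
    print("loose pattern lines:", loose_count(SAMPLE_LOG))
    print("exact field lines:  ", len(exact_lines(SAMPLE_LOG)))
    print("spool files:        ", finaled_on(SAMPLE_LOG))
```

On a real log the two counts may well agree; the exact comparison matters when the rule id's digits can appear inside a longer id or in another column, and the de-duplicated list is what is needed to pull held messages back out of the spool.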
Re[2]: [sniffer] Bad Rule - 828931
Hello Matt,

Tuesday, February 7, 2006, 6:27:25 PM, you wrote:

M> rule number, and I don't have the tools set up or the knowledge of grep
M> yet to do a piped query of Sniffer's logs to extract the spool file names.

http://www.baremetalsoft.com/ is a great grep'er for windows.

In BSD I always used ".*" to represent any number of characters, white space or non, but that didn't seem to work with baregrep. That's why I was trying to confirm with anyone on the list my regex of "Final\t828931" was an accurate regex to find every message that 'finaled' on that rule. I'm praying that I screwed up the expression and I don't have 22,055 messages held by that rule.

M> BTW, David, it is generally better not to hold or block on one single
M> test, especially one that automates such listings (despite whatever
M> safeguards there might be).

I know, shame on me. I guess I'm used to the days that we used to be able to hold on sniffer alone. We have some safeguards in place now and are transitioning our rule methodologies but hadn't gotten to this one yet as this always seems to hit back-burner. This is also why I'd really like to see the content of the rule to see how it made it past our safeguards.

--
Best regards,
David mailto:[EMAIL PROTECTED]
RE: Re[2]: [sniffer] Bad Rule - 828931
Pete,

Just to reemphasize the need for speed. I had 578 hits on that rule before I disabled it.

George
Re: Re[2]: [sniffer] Bad Rule - 828931
Dear Pete,

Please excuse my previous E-mail if it seemed a bit harsh. I guess I am so used to your great service, that on the rare occasion when this happens, I panic. Thanks for being there to walk me through the procedure.

Sincerely,

Michael Stein
Computer House
Re[2]: [sniffer] Bad Rule - 828931
I do most humbly apologize,

It was my intention to do it immediately, however I became embroiled in related support issues and was delayed.

I don't expect more of these, but I will make announcing their discovery the next event after removing them from the system.

Thanks,

_M

On Tuesday, February 7, 2006, 4:19:24 PM, Computer wrote:

CHS> Dear Pete,

CHS> In the future, please let us know immediately when you become aware of this.
CHS> As it is, I will spend the next 3 hours picking out the false positives from
CHS> the mailbox and forwarding them to the clients. If I could have put the
CHS> rulepanic in place an hour ago it would have saved me a lot of work and
CHS> confused customers.

CHS> Thank you,

CHS> Michael Stein
CHS> Computer House

CHS> ----- Original Message -----
CHS> From: "Pete McNeil" <[EMAIL PROTECTED]>
CHS> To:
CHS> Sent: Tuesday, February 07, 2006 4:07 PM
CHS> Subject: [sniffer] Bad Rule - 828931

CHS> Hello Sniffer folks,

CHS> I'm sorry to report that another bad rule got past us today. The
CHS> rule has been removed (was in from about 1200-1500), but it may be
CHS> in some of your rulebases.

CHS> To avoid a problem with this rule you can enter a rule-panic entry
CHS> in your .cfg file for rule id: 828931

CHS> If it is not already, the rule will be gone from your rulebase after
CHS> your next update.

CHS> Thanks,
CHS> _M

CHS> Pete McNeil (Madscientist)
CHS> President, MicroNeil Research Corporation
CHS> Chief SortMonster (www.sortmonster.com)
CHS> Chief Scientist (www.armresearch.com)