Re: [Declude.JunkMail] Sniffer Integration - Multiple Exit Codes
Title: Release 4.10.42
On 5/5/2010 4:05 PM, Andy Schmidt wrote:
snip/
The golden rule for external tests and for RBLs is: if you have multiple lines using the SAME command (e.g., the 18 SNF lines), or referring to the same external program (e.g., 5 invURIBL lines), or referring to the same blacklist (10 lines checking different return values), THEN only the FIRST line will actually run the test against that resource (e.g., run the external program, look up the IP in the RBL). The OTHER lines will just evaluate the return code differently without rerunning the test. Now with the internal Sniffer implementation, we have three DIFFERENT commands (SNF, SNFIP, SNFIPREP). So it's worthwhile confirming whether the same golden rule applies here even though these are NOT multiple lines of the SAME command.

The same rule applies --- run the test once, use the results of the test many times. However, in the case of SNFIP and SNFIPREP the cost of the test is so small that it cannot be measured. The IP reputation database is local (in memory) and immediately accessible (there is no delay or network traffic involved). The only work that gets done is a little bit of math.

Best,

_M -- President MicroNeil Research Corporation www.microneil.com

--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Regex to block this?
On 7/23/2010 2:29 PM, Matt wrote:
This spammer accounts for about 7% of all E-mail that makes it to my deep scanning layer. Sniffer seems to miss a good deal of their spam, so there isn't much protection from it otherwise.

Matt -- Is it possible for you to zip up some samples from this guy and send them to me? I would like to do a deeper analysis of the things we've missed from them to see how we can improve our capture rate and understand how the normal process might be improved.

Thanks!

_M -- President MicroNeil Research Corporation www.microneil.com
Re: [Declude.JunkMail] Regex to block this?
On 7/23/2010 6:37 PM, Matt wrote:
Pete, Will do. I call this spammer Whitestone.

Much appreciated. I'll take a closer look with the team to see what we can do to close these guys down better.

Thanks!

_M -- President MicroNeil Research Corporation www.microneil.com
Re: [Declude.JunkMail] Regex to block this?
On 7/23/2010 9:19 PM, Matt wrote:
I guess my point here is that they are both very high volume spammers, and they both randomize sufficiently so that blocking them requires blocking their domains and having the samples available, but putting in proactive rules will only last a short time. What Sniffer may need is a better source of this spam. Between the two, I believe I am getting about 15,000 each day.

Better sources are always good -- the sooner we see it the faster we can code solutions. As it turns out, all of the samples provided had current rules in place based on our standard vectors... so we are capturing these. My guess is that you're right and the timing of these attacks is important.

That said, I was able to find some structural vectors for the first group -- I've set up some abstracts based on those vectors and I'm waiting to see what the capture rates will be... If this approach is successful we should be able to preemptively defeat some of the next few campaigns. Then I will apply the same types of mechanisms to the other groups and see if we can generate some internal methodologies to evolve structural abstracts for these as we see new variants based on the successful models we've generated.

_M -- President MicroNeil Research Corporation www.microneil.com
Re: [Declude.JunkMail] Regex to block this?
On 7/27/2010 2:10 PM, Colbeck, Andrew wrote:
Flavour of the day: Relevant bits of the header:
Received: from payoff.all-debt-forever.com [173.192.161.27]
Subject: Stay on top of your credit report

Thanks -- coded some rules, will be looking for abstract opportunities. Also coded several abstracts for new campaigns using the mail.spamdomain.net today and last night.

_M -- President MicroNeil Research Corporation www.microneil.com
Re: [Declude.JunkMail] What's wrong with my Declude?
On 7/28/2010 2:29 PM, Imail Admin wrote:
lately (last couple of weeks) I've noticed more spam getting through. A lot more.

Check your SNF installation. I looked up your license ID and checked for your telemetry and did not find it. This usually means that SNF is not currently running on your system or that you have not yet upgraded to version 3.

Hope this helps,

_M -- President MicroNeil Research Corporation www.microneil.com
Re: [Declude.JunkMail] What's wrong with my Declude?
On 8/1/2010 1:36 PM, Imail Admin wrote:
Hi Pete, By SNF I assume you mean Sniffer? How do I tell for sure which version is running and whether it is getting the latest downloads? I know it's running at least partially because the report lists it. I checked the cfg file and it says configuration for v2r3, so I assume that's version 2 and not version 3? Then I checked my old emails and found that my last license renewal was at the end of last August, so I have a valid license. I haven't received any notice since then about newer versions or even renewing my license this year.

That all sounds about right. I'm betting (based on the above) that you simply never upgraded to version 3. The best way to do that is to use our installer.

http://www.armresearch.com/products/snfClientServerWinInstaller.jsp
http://www.armresearch.com/message-sniffer/download/SNF_CS_Installer.exe

Another good way (if you're upgrading Declude also) is to switch to the built-in OEM version of SNF in Declude. (Contact Declude about that if you wish to switch.)

_M -- President MicroNeil Research Corporation www.microneil.com
Re: [Declude.JunkMail] What's wrong with my Declude?
On 8/1/2010 3:03 PM, Imail Admin wrote:
Hi Pete, OK, I did the upgrade. One thing that was slightly different from the instructions was that even though I directed it to install into the same folder as the prior Sniffer installation (d:\imail\sniffer), it only offered me a choice of a new install and said nothing about an upgrade. Still, it seemed to go through smoothly, so I'll just cross my fingers. Now that that's done, do I need to change my global.cfg setting? The old setting is:

SNIFFER external nonzero D:\imail\sniffer\liajkovy.exe w91zgqvr4g73s6o5 7 0

I'm guessing the installer didn't understand the old installation -- that happens sometimes because they all tend to be a little different. You should comment out your old SNIFFER line -- the installer should have created a new one for you that calls SNFClient. Note that SNFClient will accept and ignore the authentication string, but it doesn't need to have it... Your new SNIFFER line might look something like:

SNIFFER external nonzero D:\sniffer\SNFClient.exe 7 0

Hope this helps,

_M -- President MicroNeil Research Corporation www.microneil.com
Re: [Declude.JunkMail] Large amount of hotmail, msn, aol, yahoo and other free account blacklisted servers
On 12/6/2010 2:47 PM, Colbeck, Andrew wrote:
I have the same position as Scott. I find that the MessageSniffer product from ARM Research is the most reliable test snip/ Hotmail in particular would be less effective for the bad guys if I had an antispam tool that would determine from the headers that the sender was from Hotmail (or others) and then check the X-Originating-IP: [111.222.333.444] snip/ I've suggested it before but vendors are, quite reasonably, leery of building into their product a feature that is specific to a few providers while being prone to false positives.

Actually, if I may, Message Sniffer has precisely that feature built into GBUdb training. Specifically, you can tell Message Sniffer to identify the source IP for the message based on the presence of a specific header. This feature was designed specifically for hotmail and other systems that provide a source IP for one reason or another -- (perhaps complex internal routing). For configuration information see:

http://www.armresearch.com/support/articles/software/snfServer/config/node/gbudb/training/source.jsp
http://www.armresearch.com/support/articles/software/snfServer/config/node/gbudb/training/source-header.jsp

If you configure this training mechanism for GBUdb in your Message Sniffer engine then GBUdb will become much more accurate for messages coming through that source.

Best,

_M -- Pete McNeil, President MicroNeil Research Corporation www.microneil.com 703.779.4909 x7010
Re: [Declude.JunkMail] Large amount of hotmail, msn, aol, yahoo and other free account blacklisted servers
On 12/6/2010 4:22 PM, Scott Fisher wrote:
-Pete Can I use

<header name='X-AOL-IP:' received='aol.com [' ordinal='0' />

for the AOL header: X-AOL-IP: 213.55.79.58

Yes... What you've got there essentially says this: If the first (ordinal 0) received header contains the string "aol.com [" then look for the header "X-AOL-IP:" and read the source IP for the message from that header. Once the engine believes that's the source IP for the message then that IP will be scored for the message. If that IP is generating spam through aol (in this case) then that IP's statistics will move toward the black range and be scored accordingly. Other IPs sending messages through that system will be scored on their own merits.

_M -- Pete McNeil, President MicroNeil Research Corporation www.microneil.com 703.779.4909 x7010
Re: [Declude.JunkMail] porn spam
On 12/13/2010 1:02 PM, Harry Vanderzand wrote:
How does one stop mail like this? lxdjjblq ldpzi http:/xxx.x.com zuk q jar zgmghx vxh jwrrfmtmfo eidzrz. lmsuqai drahmrff. uezng n sbqbxemgz ygcbfdd mirc wzgebwwco rwfb. so, bnr rfkiectjz. eokj, nq cojce. azauqpa, lm btbmrex uq. I see it coming through regularly yet cannot seem to stop it. I run the full declude suite along with sniffer and commtouch

Please be sure to submit these to s...@armresearch.com or to your local spam collection box if you've set one up with ARM. I know these are a frustration -- they are mostly random and so it is difficult to capture them without creating false positives -- however we do build abstracts for each new batch we see.

Best,

_M -- Pete McNeil, President MicroNeil Research Corporation www.microneil.com 703.779.4909 x7010
Re: [Declude.JunkMail] sniffer question
On 12/13/2010 5:02 PM, Harry Vanderzand wrote:
Is there any documentation on what I need to do.

Sure, right here:

http://www.armresearch.com/support/articles/software/snfServer/config/index.jsp
http://www.armresearch.com/support/articles/software/snfServer/config/gbudbIgnoreList.jsp

This also might be helpful

http://www.armresearch.com/support/articles/installation/index.jsp

There is a lot just going over my head. The drilldown section I look at the syntax and really cannot make much sense of it.

More on this later*.

What is the line of code I would put in? Two IPs for the mail server are 216.16.233.12 and 216.16.233.22

Well, since you have just these two it's best to put them in your ignore list. The format is one IP address per line. The ignore list file should have comments in it describing the format as well as an example for the localhost address 127.0.0.1.

---

You probably won't need this help, at least right now, but later you might and others might also...

* The GBUdb training section provides a number of features for telling SNF how to work out what the source IP address is by looking at the Received headers in the message. This is the most portable way of doing it (SNF runs on _MANY_ platforms).

http://www.armresearch.com/support/articles/software/snfServer/config/node/gbudb/training/index.jsp

If you have any questions then please contact us at our supp...@armresearch.com address. Please also let us know if we can improve our documentation.

Thanks!

_M -- Pete McNeil, President MicroNeil Research Corporation www.microneil.com 703.779.4909 x7010
Re: [Declude.JunkMail] Spam scores rising
On 2/11/2011 2:49 PM, IMail Admin wrote:
But keeping the spam down is a bigger issue right now.

You might try adding truncate to your RBLs.

http://www.gbudb.com/truncate/index.jsp

_M -- Pete McNeil, President MicroNeil Research Corporation www.microneil.com 703.779.4909 x7010
Re: [Declude.JunkMail] SSD vs HDD
On 3/4/2011 10:42 AM, Stephan Chayer wrote:
Should we use SSD drives or regular HDD. I have heard numerous reliability problems with SSD and I am not sure if we should do it.

So far we have had good luck with SSD drives in applications like this. Another solution we use on our *nix boxen is tmpfs with a ton of extra RAM. Analogous to a RAM drive on Win* I suppose -- but tmpfs will automatically extend itself to physical drives if the size explodes so that's something to watch for.

_M -- Pete McNeil, President MicroNeil Research Corporation www.microneil.com 703.779.4909 x7010
Re: [Declude.JunkMail] How do you use NOLEGITCONTENT and IPNOTINMX
On 4/8/2011 3:49 PM, IMail Admin wrote:
They're true spam, but the other tests don't confirm it and my delete threshold is 12 (although I would be happy to get just to 10 on these spams).

If you're not already using the truncate.gbudb.net DNSBL then that might also allow you to add some weight.

http://www.gbudb.com/truncate/index.jsp

_M -- Pete McNeil, President MicroNeil Research Corporation www.microneil.com 703.779.4909 x7010
Re: [Declude.JunkMail] error 0xC0000142 smtp.exe
On 5/4/2011 11:08 PM, Imail Admin wrote:
Hi, I recall a while back about errors where you get Error #0xC142 (The application failed to initialize) for smtp32.exe, somehow related to Declude. We started getting these recently for no particular reason that I can think of. Is there a setting in Declude that helps with this?

IIRC, this is the "mystery heap" problem and solving it will mostly have to do with the setting you're using.

http://kb.imailserver.com/cgi-bin/imail.cfg/php/enduser/std_adp.php?p_faqid=686

There is a particular chunk of memory that runs out if too many applications/processes are started at once as children of other processes. In your case, for example, too many concurrent instances of SMTP32.exe along with a number of other factors.

If I'm guessing correctly, you could suddenly experience this problem due to allowing enough SMTP32 processes (usually controlled by the number of processing threads you allow) and also having enough mail running through your system to exhaust the mystery heap.

This search might help you find what you're looking for in previous discussions.

Hope this helps,

_M -- Pete McNeil, President MicroNeil Research Corporation www.microneil.com 703.779.4909 x7010
Re: [Declude.JunkMail] error 0xC0000142 smtp.exe
On 5/4/2011 11:08 PM, Imail Admin wrote:
Hi, I recall a while back about errors where you get Error #0xC142

Oops... when I said "this search" I forgot to include the link:

http://www.mail-archive.com/search?q=0xC142l=declude.junkmail%40declude.com

There is also a link buried in the KB article that leads here:

http://www.declude.com/Articles.asp?ID=130

_M -- Pete McNeil, President MicroNeil Research Corporation www.microneil.com 703.779.4909 x7010
Re: [Declude.JunkMail] error 0xC0000142 smtp.exe
On 5/5/2011 2:21 PM, IMail Admin wrote:
My business is so small any more than I could imagine using my smart phone to run the mail server. If it's the smtp32.exe process causing the crash, then that would imply to me that I've got a lot of outbound messages all at once. I just don't see how this could happen. I'm guessing that we've got no more than a couple hundred mailboxes spread over 30 domains, and no lists larger than 200. So how do I find out where all this outbound stuff is coming from? And is there a setting I could use to limit the number of outbound messages sent (or processed) at one time?

The trick is, it's not controlled by outbound messages, but inbound messages. The way IMail works is to accept all incoming connections (essentially) and store the messages in the spool. Then it calls its delivery agent (SMTP32) to get those messages where they need to go. When a message processing system like a mail filter wants to hook into IMail it (or one of its components) takes the place of SMTP32, processes the message for itself, and then calls SMTP32 itself to continue the chain of processing. (There are exceptions, of course, and the above is oversimplified.)

What all of that means is that the number of times SMTP32 is called is partially controlled by the number of messages you are receiving -- and any publicly accessible MTA is subject to spam storms that can include large numbers of messages. If your software is configured to allow too many instances of SMTP32 then a sizable spam storm will trigger the mystery heap problem.

The solution generally is to reduce the number of processing threads you allow. Since your system is small (as you say) this shouldn't be a problem and should resolve the problem.

Hope this helps,

_M -- Pete McNeil, President MicroNeil Research Corporation www.microneil.com 703.779.4909 x7010
Re: [Declude.JunkMail] error 0xC0000142 smtp.exe
On 5/5/2011 4:28 PM, Bonno Bloksma wrote:
Hi, Even though I am running an Imail server for a bachelor level education with about 2500 active mailboxes and about 15.000 mails per day, I still have Declude set to max 150 THREADS. That is plenty to get the mail delivered in time.

Over the years I have determined that you can have a very high inbound throughput on a very small number of threads and in fact that this strategy significantly improves overall performance by reducing overhead. All of the local deliveries you have will be constrained mostly by the underlying file system, so if most of your deliveries are local (inbound traffic) you can set the number of threads very small indeed (2x Cores works as a starting point). You only need a larger number of threads when sending mail out because each thread may need to wait a significant amount of time for the outbound process to start and finish.

Hope this helps,

_M -- Pete McNeil, President MicroNeil Research Corporation www.microneil.com 703.779.4909 x7010
Re: [Declude.JunkMail] Question on SNF within Declude
On 8/5/2011 11:13 AM, Ferrell Ard wrote:
Hi David, I just upgraded from 4.10.72 to 4.10.78 and noticed a build-up of files in the /IMail/Declude/SNF directory with names p59us2lf.20110801.log.xml. Before and after the upgrade, my diag.txt file shows that SNF is OFF (see below). Have I done something wrong to cause these files to be built? Is there an automated delete procedure for these files?

Hi Ferrell, I'm pretty sure these are not created by the OEM SNF in Declude. They appear to be created by your external SNF installation since the log file name includes your SNF license ID. You can disable logging if you wish. You can also redirect it to a different directory.

http://www.armresearch.com/support/articles/software/snfServer/logFiles/
http://www.armresearch.com/support/articles/software/snfServer/config/node/logs/scan/xml.jsp

Hope this helps,

_M -- Pete McNeil, President MicroNeil Research Corporation www.microneil.com 703.779.4909 x7010
Re: [Declude.JunkMail] Solid State Drives
On 9/23/2011 6:24 PM, decl...@mail.net1media.com wrote:
Hi All, Has anyone attempted to place the \IMail\Spool directory on a solid state hard drive? What are your experiences? Are there any reason not to do this?

I did this once. It was very fast. There shouldn't be any reason not to do it other than expense and the relatively small size of SSDs -- even that shouldn't be a problem these days if you watch it closely. My experiment was many years ago.

_M -- Pete McNeil, President MicroNeil Research Corporation www.microneil.com 703.779.4909 x7010
Re: [Declude.JunkMail] Performance issues with SM 8.2 w Declude
On 9/26/2011 11:44 AM, Scott Fosseen [Prairie Lakes AEA] wrote:
The machine has 2 Gig of RAM, and a swap file of 5.5 Gig. In Windows task manager I see my peak memory usage is now 10 gig. Right now I am not sure if the performance issues are being caused by RAM, too much traffic, Smartermail, or Declude.

On the surface I would suggest that RAM is your big problem. If you have 2G and you're using 5-10G then you are spending a lot of time swapping through IO. RAM is pretty cheap these days, so I would probably boost that first (not knowing more about it).

_M -- Pete McNeil, President MicroNeil Research Corporation www.microneil.com 703.779.4909 x7010
Re: [Declude.JunkMail] regex help needed
On 1/13/2012 10:39 AM, Scott Fisher wrote:
One Hotmail spammer peddling Chinese drugs is consistently getting through. There just isn't enough wrong with the emails to get it stopped. One oddity is the formatting of the subject line over multiple lines:

Subject: [Possible SPAM] MMannyIniidvidualsTakeAnntdierpessantsFor6MotnhsToAYearOrMoore.ThhenTheyGetRidOofDerpsesion. she thought, when she first saw Mr. B. at the masquerade, that he was

We're digging into this one a bit right now -- Could you zip up a bunch of samples and send them to me please? We have several structural and content vectors to explore and I'm looking for exploitable commonalities.

Thanks,

_M -- Pete McNeil, President MicroNeil Research Corporation www.microneil.com 703.779.4909 x7010
Re: [Declude.JunkMail] regex help needed
On 1/13/2012 11:24 AM, Scott Fisher wrote:
All of my samples have been sent to madscientist@

Sorry, I don't have them. If they were not zipped then it is likely the message got stripped out by existing rules. If they were zipped perhaps they are just slow getting here - I'll keep an eye out.

Thanks,

_M -- Pete McNeil, President MicroNeil Research Corporation www.microneil.com 703.779.4909 x7010
Re: [Declude.JunkMail] regex help needed
On 1/13/2012 12:03 PM, Scott Fisher wrote:
Resending now

Ok I got it and we identified a few additional vectors to throw at this. SNF should catch more of these now, and the SortMonsters are looking at additional vectors as our supply of samples grows. At least 3 new structural abstracts are in play also.

If you're not already using the truncate BL that might also help add some weight (I see you're using a lot of tests):

http://gbudb.com/truncate/index.jsp

Thanks,

_M -- Pete McNeil, President MicroNeil Research Corporation www.microneil.com 703.779.4909 x7010
Re: [Declude.JunkMail] No one at Declude?
On 2013-04-10 16:21, John Dobbin wrote:
With all the discussion recently about Declude going down, my concern is more with what happens if/when the licensing server goes away?

I don't recall where, but I heard a rumor that there was a forever license code somewhere for Declude. Anybody know anything about that? If Declude just evaporates without saying another word that would be a good thing to have.

_M -- Pete McNeil, President MicroNeil Research Corporation www.microneil.com 703.779.4909 x7010 twitter/codedweller
Re: [Declude.JunkMail] No one at Declude?
On 2013-04-17 13:06, Katie La Salle-Lowery wrote:
X-MessageSniffer-Rules: 20-0-0--1-f

Message Sniffer tagged this message with a truncate result. Result code 20. Normally we recommend that a Truncate result should be weighted high enough to ensure the message is treated as spam / malware with extreme prejudice. Truncate means that the IP reputation for the source is known to be so bad that SNF isn't going to bother finishing the content scan. It's simply going to mark the message as spam and possibly take a sample.

http://www.armresearch.com/support/articles/software/snfServer/core.jsp

Hope this helps,

_M -- Pete McNeil, President MicroNeil Research Corporation www.microneil.com 703.779.4909 x7010 twitter/codedweller
Re: [Declude.JunkMail] No one at Declude?
On 2013-04-17 13:36, David Barker wrote:

SNIFFER external NONZERO "C:\Smartermail\Declude\SNF\SNFClient.exe" 20 0
SNIFFER-CAUTION external 020 "C:\Smartermail\Declude\SNF\SNFClient.exe" -10 0
SNIFFER-TRUNCATE external 040 "C:\Smartermail\Declude\SNF\SNFClient.exe" 10 0

Woops!! That's backward. It SHOULD be:

SNIFFER-CAUTION external 040 etc...
SNIFFER-TRUNCATE external 020 etc...

Best,

_M -- Pete McNeil, President MicroNeil Research Corporation www.microneil.com 703.779.4909 x7010 twitter/codedweller
Re: [Declude.JunkMail] No one at Declude?
On 2013-04-17 13:43, Katie La Salle-Lowery wrote:
Just to be clear -- 020 should be the truncate and 040 the caution (opposite of below) according to what Pete sent (http://www.armresearch.com/support/articles/software/snfServer/core.jsp), right?

Yes.

_M -- Pete McNeil, President MicroNeil Research Corporation www.microneil.com 703.779.4909 x7010 twitter/codedweller
Re: [Declude.JunkMail] No one at Declude?
On 2013-04-17 13:52, SM Admin wrote:
Why the negative weight on Caution? What's the logic behind that?

The Caution result is based on a special case with a small amount of information: Sniffer is saying: This IP is new, and the first message or two that it sent was spam. The current message didn't match any patterns I know, but I'll bet that it's just a bot I haven't seen before that's been lit up to send a new spam campaign. That reasoning is usually correct, but it's not as solid as the other result codes because it's guessing.

Hope this helps,

_M -- Pete McNeil, President MicroNeil Research Corporation www.microneil.com 703.779.4909 x7010 twitter/codedweller
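The three SNIFFER lines corrected above, the "run the test once, use the result many times" rule from the first message, and the weighting of the Caution and Truncate results can be checked together with the following added example; it is not Declude's or Message Sniffer's own code. It assumes the external-test line layout visible in the thread (name, "external", return-code spec, program, two integers), that "NONZERO" matches any non-zero return code while a literal such as "020" matches that code only, and that the first integer is the weight applied when the return code matches and the second when it does not.

```python
import re
from collections import Counter

# Constructed sample global.cfg fragments built from the three SNIFFER lines
# quoted in the thread. CORRECTED_CFG is the order Pete gives (CAUTION on
# return code 040, TRUNCATE on 020); BACKWARD_CFG is the original, reversed
# pair, kept so the difference in scoring can be seen.
CORRECTED_CFG = r'''
SNIFFER external NONZERO "C:\Smartermail\Declude\SNF\SNFClient.exe" 20 0
SNIFFER-CAUTION external 040 "C:\Smartermail\Declude\SNF\SNFClient.exe" -10 0
SNIFFER-TRUNCATE external 020 "C:\Smartermail\Declude\SNF\SNFClient.exe" 10 0
'''

BACKWARD_CFG = r'''
SNIFFER external NONZERO "C:\Smartermail\Declude\SNF\SNFClient.exe" 20 0
SNIFFER-CAUTION external 020 "C:\Smartermail\Declude\SNF\SNFClient.exe" -10 0
SNIFFER-TRUNCATE external 040 "C:\Smartermail\Declude\SNF\SNFClient.exe" 10 0
'''

# One "external" test line: name, return-code spec, the command (program plus
# optional extra arguments such as the old authentication string), then two
# integers. Assumption: the first integer is added when the return code
# matches, the second when it does not.
LINE_RE = re.compile(
    r'^(?P<name>\S+)\s+external\s+(?P<match>\S+)\s+(?P<cmd>.+?)'
    r'\s+(?P<hit>-?\d+)\s+(?P<miss>-?\d+)\s*$',
    re.IGNORECASE,
)
# The first token of the command, quoted or bare, is the program path.
PROG_RE = re.compile(r'^"([^"]+)"|^(\S+)')


def parse_external_tests(cfg_text):
    """Return the external test lines of a config fragment as dicts."""
    tests = []
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # some other Declude test type; not modelled here
        prog = PROG_RE.match(m.group('cmd'))
        tests.append({
            'name': m.group('name'),
            'match': m.group('match'),
            # Windows paths: compare case-insensitively
            'program': (prog.group(1) or prog.group(2)).lower(),
            'hit': int(m.group('hit')),
            'miss': int(m.group('miss')),
        })
    return tests


def code_matches(match_spec, exit_code):
    """NONZERO matches any non-zero code; otherwise the literal code (020 == 20)."""
    if match_spec.lower() == 'nonzero':
        return exit_code != 0
    return int(match_spec, 10) == exit_code


def score_message(tests, exit_codes):
    """Apply the tests to one message.

    exit_codes maps a program path to the exit code it would return for this
    message and stands in for actually running it. Each program is "run"
    (looked up) at most once, as the golden rule describes; every later line
    that names the same program reuses that result.
    Returns (total weight, names of tests that matched, runs per program).
    """
    codes = {k.lower(): v for k, v in exit_codes.items()}
    cache = {}
    runs = Counter()
    total = 0
    matched = []
    for t in tests:
        prog = t['program']
        if prog not in cache:
            runs[prog] += 1            # the single real invocation
            cache[prog] = codes[prog]
        if code_matches(t['match'], cache[prog]):
            total += t['hit']
            matched.append(t['name'])
        else:
            total += t['miss']
    return total, matched, dict(runs)


if __name__ == '__main__':
    snf = r'C:\Smartermail\Declude\SNF\SNFClient.exe'
    for label, cfg in (('corrected', CORRECTED_CFG), ('backward', BACKWARD_CFG)):
        tests = parse_external_tests(cfg)
        for code in (0, 20, 40):
            total, matched, runs = score_message(tests, {snf: code})
            print(f'{label:9} exit {code:2}: weight {total:4} matched {matched} runs {runs}')
```

With the corrected lines a Truncate result (20) scores 20 + 10 = 30 and a Caution result (40) scores 20 - 10 = 10; with the backward lines those two totals are swapped, and in every case SNFClient is invoked once for the message.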
Re: [Declude.JunkMail] No one at Declude? topic change - gbudb
On 2013-04-17 15:20, Nick Hayer wrote:
Is the data in truncate.gbudb.net duplicated in Sniffer?

No. Each SNF node has its own view of the world. The truncate bl has an aggregate view from all SNF nodes. That means that it's good to use truncate because it will know about IPs that you may not have seen yet at your system.

Best,

_M -- Pete McNeil, President MicroNeil Research Corporation www.microneil.com 703.779.4909 x7010 twitter/codedweller