[Declude.JunkMail] sniffer question
Just checking my sniffer logs. The following is an excerpt that I have a question on:

<s u='20101211142509' m='q559a524ab283.smd' s='0' r='0'>
<p s='12' t='15' l='2054' d='69'/>
<g o='0' i='216.16.233.12' t='u' c='0.968559' p='-0.73764' r='Normal'/>

I='216.16.233.12' is my mail server. This mail came from 94.190.11.38 originally and also has an AOL IP in the headers.

What is the I= supposed to represent?

This is further to my recent post as it is the same item in question.

Thank you

Please note our new Address
Harry Vanderzand
Intown Internet
740 Erbsville Road
Waterloo, On, N2J 3Z4
519-741-1222

--- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] sniffer question
On 12/13/2010 5:02 PM, Harry Vanderzand wrote:

> Is there any documentation on what I need to do.

Sure, right here:

http://www.armresearch.com/support/articles/software/snfServer/config/index.jsp
http://www.armresearch.com/support/articles/software/snfServer/config/gbudbIgnoreList.jsp

This also might be helpful:

http://www.armresearch.com/support/articles/installation/index.jsp

> There is a lot just going over my head. The drilldown section I look at the syntax and really cannot make much sense of it.

More on this later*.

> What is the line of code I would put in? Two IPs for the mail server are 216.16.233.12 and 216.16.233.22

Well, since you have just these two it's best to put them in your ignore list. The format is one IP address per line. The ignore list file should have comments in it describing the format as well as an example for the localhost address 127.0.0.1.

---

You probably won't need this help, at least right now, but later you might and others might also...

* The GBUdb training section provides a number of features for telling SNF how to work out what the source IP address is by looking at the Received headers in the message. This is the most portable way of doing it (SNF runs on _MANY_ platforms).

http://www.armresearch.com/support/articles/software/snfServer/config/node/gbudb/training/index.jsp

If you have any questions then please contact us at our supp...@armresearch.com address. Please also let us know if we can improve our documentation.

Thanks!

_M

--
Pete McNeil, President
MicroNeil Research Corporation
www.microneil.com
703.779.4909 x7010
[Declude.JunkMail] Sniffer Question
I just set up Sniffer for the first time and I'm wondering what people have their external test weight set to. My global.cfg came with a sniffer test already configured (though it was commented out) to have a weight of 7, which actually gives it a weight of 8 for some reason I couldn't figure out.

If you haven't made up your own weighting system (some people have their weights go up to 300 or more), what's a good weight for a failed sniffer test? At 10, I put messages into a bulk folder, at 17 I hold them.

Thanks
RE: [Declude.JunkMail] Sniffer Question
Best thing is to ask on the Sniffer List. I actually have 17 Sniffer tests based upon exit code, with weights ranging from 15 to 35. I hold at 25 and delete at 35.

John T
eServices For You
Re: [Declude.JunkMail] Sniffer Question
Personally, my sniffer is set to 2/3 of my hold weight, that test really doesn't give me trouble as long as I keep my .snf file updated. I'm curious as to what other people do as well.

- greg
Re: [Declude.JunkMail] Sniffer Question
John, does that mean sniffer runs 17 times on each message, or does it return multiple codes?
RE: [Declude.JunkMail] Sniffer Question
In the Global.cfg, as long as the Sniffer call line is the same except for the return code area, Declude will only call Sniffer once and compare the exit code to those configured.

John T
eServices For You
Re[2]: [Declude.JunkMail] Sniffer Question
Sorry to butt in - can't resist... ;-)

The test will run only once, but it will be evaluated for each possible result (Declude is smart that way). You might even have more than one test use SNF and add weight.. for example, SNIFFER ... nonzero and SNFSPECIFIC ... result.

Many folks and the AI systems we've been experimenting with tend to put the SNF weight at about 70% of the hold weight.

Hope this helps,
_M

On Friday, September 2, 2005, 8:19:11 PM, Dave wrote:

DD John, does that mean sniffer runs 17 times on each message, or does it return multiple codes?
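The run-once, evaluate-many behaviour described in this reply, sketched as an added Python example (not Declude's or Message Sniffer's code, and not part of the original post). The test-entry structure, the placeholder command line, exit code 63 and the weight of 5 are constructed for illustration; the 10/17 thresholds and the 70% figure come from the thread.

```python
from collections import namedtuple

# Hypothetical in-memory model of an external test entry. This is NOT
# Declude's global.cfg syntax, only the fields the thread talks about.
ExternalTest = namedtuple("ExternalTest", "name command match weight")

SCANNER = "sniffer.exe <authcode>"      # placeholder command line (assumption)
HOLD_WEIGHT = 17                        # thresholds quoted in the question
BULK_WEIGHT = 10
SNF_WEIGHT = round(0.70 * HOLD_WEIGHT)  # "about 70% of the hold weight" -> 12

TESTS = [
    # Fires on any non-zero exit code from the scanner.
    ExternalTest("SNIFFER", SCANNER, "nonzero", SNF_WEIGHT),
    # Fires on one specific exit code; code 63 and weight 5 are constructed.
    ExternalTest("SNFSPECIFIC", SCANNER, 63, 5),
]


def matches(test, exit_code):
    """True when the cached exit code satisfies this test's match rule."""
    if test.match == "nonzero":
        return exit_code != 0
    return exit_code == test.match


def score_message(tests, run_scanner):
    """Run each distinct command line once, then evaluate every test
    that shares it against the cached exit code."""
    cache = {}
    fired = []
    for test in tests:
        if test.command not in cache:          # first test using this call
            cache[test.command] = run_scanner(test.command)
        if matches(test, cache[test.command]):
            fired.append(test)
    total = sum(t.weight for t in fired)
    if total >= HOLD_WEIGHT:
        action = "hold"
    elif total >= BULK_WEIGHT:
        action = "bulk"
    else:
        action = "deliver"
    return {"fired": [t.name for t in fired], "total": total, "action": action}


def fake_scanner(exit_code):
    """Stand-in for the real scanner: returns a fixed exit code and
    counts how many times it was invoked."""
    def run(command):
        run.calls += 1
        return exit_code
    run.calls = 0
    return run


if __name__ == "__main__":
    for code in (0, 52, 63):                   # constructed exit codes
        scanner = fake_scanner(code)
        result = score_message(TESTS, scanner)
        print(code, scanner.calls, result)
```

With a second test stacked on the same call, a message matching both reaches the hold weight on the scanner alone, which is the trade-off to check when layering per-code weights on top of a 70% base weight.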
Re: [Declude.JunkMail] Sniffer Question
Thanks.
Re: [Declude.JunkMail] Sniffer Question
It runs Sniffer once and caches the exit code comparing it to the other identical sniffer calls with different return codes.

Darrell
---
invURIBL - Intelligent URI Filtering. Stops 85%+ SPAM with the default configuration. Download a copy today - http://www.invariantsystems.com
Re: [Declude.JunkMail] Sniffer Question
Thanks for all your help. I'll refer to the Sniffer list in the future. But for the moment - I was wondering what the other Sniffer tests would look like in your global.cfg file. How do you test for certain return codes? Also, what criteria are you using for these return codes (in other words, how have you figured to add a certain weight to return code 56, and a different weight to return code 87 for example)?

Thanks
Re: [Declude.JunkMail] Sniffer Question
Kevin,

Here is a post to the archive which has an example:

http://www.mail-archive.com/declude.junkmail@declude.com/msg15084.html

Darrell
---
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail Queue Monitoring, Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.