Re: [Declude.JunkMail] Upgraded Declude Thurs night -- since then getting false positives on MessageSniffer
Umm, Wouldn't the 0 9 setting put a Positive weight on a good clean email? shouldn't it be like SNIFFER external nonzero "c:\sniffer\win32\licenseid.exe authcode" 7 -7 You are correct -- it was set up to put a positive weight on E-mail that passed the test, and not affecting the weight of E-mail that fails the test. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Upgraded Declude Thurs night -- since then getting false positives on MessageSniffer
I think I was seeing n9 in the log...which, now, I'm inferring was maybe negative nine due to my having a 9 at the end of the line? At this point, though, I'm really thinking that it was adding ipnotinmx and nolegitcontent as bad cholesterol instead of good cholesterol... Meaning, they were adding to the weight rather than counter-weighting. I come to this conclusion because if I add up the weights of the tests failed for messages that got caught that shouldn't have the weight only adds up if these tests are being added up as positive integers. Thanks! Katie LaSalle-Lowery Centric Internet Services 1410 Reserve St. Missoula, MT 59801 Local Phone 549-3337 ext. 21 Toll Free (888)593-2776 ext. 21 Fax (406)721-3438 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry Sent: Monday, December 13, 2004 2:49 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] Upgraded Declude Thurs night -- since then getting false positives on MessageSniffer >I have commented out sniffer, ipnotinmx and nolegitcontent as those are >my suspects... Everything else is how the configuration was when I >became aware I had problems. > >#IPNOTINMX ipnotinmx x x 0 -3 >#NOLEGITCONTENT nolegitcontent x x 0 -5 >#SNIFFERexternalnonzero >"C:\IMail\Declude\Sniffer\wuckd6ww.exe y5abucz7zhoqeg0o"0 9 These are all set up properly. Are you seeing "SNIFFER" in the X-Spam-Tests-Failed: header when you think that the E-mail didn't fail Message Sniffer but apparently did? If not, what makes you think that the E-mail is failing the Message Sniffer test? -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Upgraded Declude Thurs night -- since then getting false positives on MessageSniffer
- Original Message - From: "William Stillwell" <[EMAIL PROTECTED]> > Umm, Wouldn't the 0 9 setting put a Positive weight on a good clean email? > > shouldn't it be like > > SNIFFER external nonzero "c:\sniffer\win32\licenseid.exe authcode" 7 -7 > > which would put a Positive 7 on a nonzero return, and a -7 on a Zero Return > ? Although Sniffer does exceptionally well at detecting spam, it is not perfect. I send missed spam to the Sniffer spam address daily, so appling a negative weight to non-Sniffer tagged e-mail will most likely result in reduced weight of some spam messages, as well. It's better to just leave the last field at zero. > Also, when posting your global.cfg file, I would recommend DELETING your > LicenseID > and Authentication Code for Shiffer. Indeed! Katie, I accidentally did the same thing about a year ago. You will probably want to contact MicroNeil and ask them to issue you a new Sniffer LicenseID and AuthCode. Bill --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Upgraded Declude Thurs night -- since then getting false positives on MessageSniffer
Umm, Wouldn't the 0 9 setting put a Positive weight on a good clean email? shouldn't it be like SNIFFER external nonzero "c:\sniffer\win32\licenseid.exe authcode" 7 -7 which would put a Positive 7 on a nonzero return, and a -7 on a Zero Return ? Also, when posting your global.cfg file, I would recommend DELETING your LicenseID and Authentication Code for Shiffer. - Original Message - From: "R. Scott Perry" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Monday, December 13, 2004 4:48 PM Subject: RE: [Declude.JunkMail] Upgraded Declude Thurs night -- since then getting false positives on MessageSniffer I have commented out sniffer, ipnotinmx and nolegitcontent as those are my suspects... Everything else is how the configuration was when I became aware I had problems. #IPNOTINMX ipnotinmx x x 0 -3 #NOLEGITCONTENT nolegitcontent x x 0 -5 #SNIFFERexternalnonzero "C:\IMail\Declude\Sniffer\wuckd6ww.exe y5abucz7zhoqeg0o"0 9 These are all set up properly. Are you seeing "SNIFFER" in the X-Spam-Tests-Failed: header when you think that the E-mail didn't fail Message Sniffer but apparently did? If not, what makes you think that the E-mail is failing the Message Sniffer test? -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This email has been scanned for possible viruses by Declude Antivirus. For more information on Declude Antivirus, Visit www.declude.com --- This email has been scanned for possible viruses by Declude Antivirus. For more information on Declude Antivirus, Visit www.declude.com --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Upgraded Declude Thurs night -- since then getting false positives on MessageSniffer
I have commented out sniffer, ipnotinmx and nolegitcontent as those are my suspects... Everything else is how the configuration was when I became aware I had problems. #IPNOTINMX ipnotinmx x x 0 -3 #NOLEGITCONTENT nolegitcontent x x 0 -5 #SNIFFERexternalnonzero "C:\IMail\Declude\Sniffer\wuckd6ww.exe y5abucz7zhoqeg0o"0 9 These are all set up properly. Are you seeing "SNIFFER" in the X-Spam-Tests-Failed: header when you think that the E-mail didn't fail Message Sniffer but apparently did? If not, what makes you think that the E-mail is failing the Message Sniffer test? -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Upgraded Declude Thurs night -- since then getting false positives on MessageSniffer
Here's my global.cfg. I have commented out sniffer, ipnotinmx and nolegitcontent as those are my suspects... Everything else is how the configuration was when I became aware I had problems. Thanks! AHBLip4rdnsbl.ahbl.org * 6 0 BLITZEDALL ip4ropm.blitzed.org * 7 0 CBL ip4rcbl.abuseat.org 127.0.0.2 6 0 DSBLip4rlist.dsbl.org * 6 0 ORDBip4rrelays.ordb.org * 5 0 SBL ip4rsbl.spamhaus.org* 7 0 SORBS-HTTP ip4rdnsbl.sorbs.net 127.0.0.2 5 0 SORBS-SOCKS ip4rdnsbl.sorbs.net 127.0.0.3 5 0 SORBS-MISC ip4rdnsbl.sorbs.net 127.0.0.4 5 0 SORBS-SMTP ip4rdnsbl.sorbs.net 127.0.0.5 5 0 SORBS-SPAM ip4rdnsbl.sorbs.net 127.0.0.6 4 0 SORBS-WEB ip4rdnsbl.sorbs.net 127.0.0.7 5 0 SORBS-BLOCK ip4rdnsbl.sorbs.net 127.0.0.8 5 0 SORBS-ZOMBIEip4rdnsbl.sorbs.net 127.0.0.9 5 0 SORBS-DUHL ip4rdnsbl.sorbs.net 127.0.0.10 4 0 SPAMCOP ip4rbl.spamcop.net 127.0.0.2 7 0 DSN rhsbl dsn.rfc-ignorant.org127.0.0.2 3 0 NOABUSE rhsbl abuse.rfc-ignorant.org 127.0.0.4 2 0 NOPOSTMASTERrhsbl postmaster.rfc-ignorant.org 127.0.0.3 1 0 BONDEDSENDERip4rquery.bondedsender.org 127.0.0.10 -10 0 BADHEADERS badheaders x x 4 0 BASE64 base64 x x 4 0 CMDSPACEcmdspacex x 8 0 COMMENTScommentsx x 7 0 HELOBOGUS helovalid x x 5 0 #IPNOTINMX ipnotinmx x x 0 -3 MAILFROMenvfrom x x 12 0 #NOLEGITCONTENT nolegitcontent x x 0 -5 PERCENT percent x x 10 0 REVDNS revdnsexistsx x 4 0 ROUTING spamrouting x x 2 0 SPAMHEADERS spamheaders x x 3 0 #SPFFAILspffail x x 3 0 #SNIFFERexternalnonzero "C:\IMail\Declude\Sniffer\wuckd6ww.exe y5abucz7zhoqeg0o"0 9 WEIGHT10weight x x 10 0 WEIGHT20weight x x 20 0 CATCHALLMAILS catchallmails x x 0 0 Katie LaSalle-Lowery Centric Internet Services 1410 Reserve St. Missoula, MT 59801 Local Phone 549-3337 ext. 21 Toll Free (888)593-2776 ext. 21 Fax (406)721-3438 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists) Sent: Monday, December 13, 2004 2:18 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] Upgraded Declude Thurs night -- since then getting false positives on MessageSniffer If you post those relevant sections of your Global.cfg, we can help figure it out. John Tolmachoff Engineer/Consultant/Owner eServices For You > -Original Message- > From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- > [EMAIL PROTECTED] On Behalf Of Katie LaSalle-Lowery > Sent: Monday, December 13, 2004 1:14 PM > To: [EMAIL PROTECTED] > Cc: Ken DeCosta > Subject: RE: [Declude.JunkMail] Upgraded Declude Thurs night -- since > then getting > false positives on MessageSniffer > > Okay, upon further review, and if I'm reading things right, it looks > like MessageSniffer is *not* getting a false postive (logs shows > "clean") but Declude is penalizing by applying the weight as though > the test was failed. > I sent an example to [EMAIL PROTECTED] earlier today. It looks > like maybe Declude is scoring ipnotinmx and nolegitcontent as a > positive weight instead of as a counterbalance. > > > Katie LaSalle-Lowery > Centric Internet Services > 1410 Reserve St. > Missoula, MT 59801 > Local Phone 549-3337 ext. 21 > Toll Free (888)593-2776 ext. 21 > Fax (406)721-3438 > > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Katie > LaSalle-Lowery > Sent: Monday, December 13, 2004 1:52 PM > To: [EMAIL PROTECTED] > Subject: [Declude.JunkMail] Upgraded Declude Thurs night -- since then > getting false positives on MessageSniffer > > Thurs evening I upgraded our Declude installation to version 1.81 (we > had been at 1.65). I have become aware of a number of false positives > in MessageSniffer since Friday.
RE: [Declude.JunkMail] Upgraded Declude Thurs night -- since then getting false positives on MessageSniffer
Okay, upon further review, and if I'm reading things right, it looks like MessageSniffer is *not* getting a false postive (logs shows "clean") but Declude is penalizing by applying the weight as though the test was failed. I sent an example to [EMAIL PROTECTED] earlier today. It looks like maybe Declude is scoring ipnotinmx and nolegitcontent as a positive weight instead of as a counterbalance. In that case, you should check the test definition line in the global.cfg file -- the weight should appear as the 5th entry. For example: SNIFFER externalnonzero "C:\IMail\Declude\Sniffer\snfrv2r2.exe xnk05x5vmipeaof7"7 0 If there is another piece of data there before the weight, it may cause Declude to add the weight to E-mails that do not fail Message Sniffer. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Upgraded Declude Thurs night -- since then getting false positives on MessageSniffer
If you post those relevant sections of your Global.cfg, we can help figure it out. John Tolmachoff Engineer/Consultant/Owner eServices For You > -Original Message- > From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- > [EMAIL PROTECTED] On Behalf Of Katie LaSalle-Lowery > Sent: Monday, December 13, 2004 1:14 PM > To: [EMAIL PROTECTED] > Cc: Ken DeCosta > Subject: RE: [Declude.JunkMail] Upgraded Declude Thurs night -- since then getting > false positives on MessageSniffer > > Okay, upon further review, and if I'm reading things right, it looks like > MessageSniffer is *not* getting a false postive (logs shows "clean") but > Declude is penalizing by applying the weight as though the test was failed. > I sent an example to [EMAIL PROTECTED] earlier today. It looks like > maybe Declude is scoring ipnotinmx and nolegitcontent as a positive weight > instead of as a counterbalance. > > > Katie LaSalle-Lowery > Centric Internet Services > 1410 Reserve St. > Missoula, MT 59801 > Local Phone 549-3337 ext. 21 > Toll Free (888)593-2776 ext. 21 > Fax (406)721-3438 > > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Katie > LaSalle-Lowery > Sent: Monday, December 13, 2004 1:52 PM > To: [EMAIL PROTECTED] > Subject: [Declude.JunkMail] Upgraded Declude Thurs night -- since then > getting false positives on MessageSniffer > > Thurs evening I upgraded our Declude installation to version 1.81 (we had > been at 1.65). I have become aware of a number of false positives in > MessageSniffer since Friday. We had not seen any false positives in > MessageSniffer previously. > > Any thoughts or suggestions? > > > Katie LaSalle-Lowery > Centric Internet Services > 1410 Reserve St. > Missoula, MT 59801 > Local Phone 549-3337 ext. 21 > Toll Free (888)593-2776 ext. 21 > Fax (406)721-3438 > > > > --- > [This E-mail was scanned for viruses by Declude Virus > (http://www.declude.com)] > > --- > This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, > just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe > Declude.JunkMail". The archives can be found at > http://www.mail-archive.com. > > > --- > [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be found > at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Upgraded Declude Thurs night -- since then getting false positives on MessageSniffer
Okay, upon further review, and if I'm reading things right, it looks like MessageSniffer is *not* getting a false postive (logs shows "clean") but Declude is penalizing by applying the weight as though the test was failed. I sent an example to [EMAIL PROTECTED] earlier today. It looks like maybe Declude is scoring ipnotinmx and nolegitcontent as a positive weight instead of as a counterbalance. Katie LaSalle-Lowery Centric Internet Services 1410 Reserve St. Missoula, MT 59801 Local Phone 549-3337 ext. 21 Toll Free (888)593-2776 ext. 21 Fax (406)721-3438 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Katie LaSalle-Lowery Sent: Monday, December 13, 2004 1:52 PM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] Upgraded Declude Thurs night -- since then getting false positives on MessageSniffer Thurs evening I upgraded our Declude installation to version 1.81 (we had been at 1.65). I have become aware of a number of false positives in MessageSniffer since Friday. We had not seen any false positives in MessageSniffer previously. Any thoughts or suggestions? Katie LaSalle-Lowery Centric Internet Services 1410 Reserve St. Missoula, MT 59801 Local Phone 549-3337 ext. 21 Toll Free (888)593-2776 ext. 21 Fax (406)721-3438 --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Upgraded Declude Thurs night -- since then getting false positives on MessageSniffer
Katie, Report your false positives to [EMAIL PROTECTED] You must include the full source of the E-mail for this to work appropriately. You can simply copy and paste the content from a MBX or SMD file into the body of an E-mail and send it. You must send the E-mail from the account that you have registered with Sniffer (you can ask them to change it if necessary), and you need to include your custom code somewhere in the message (I include this in an alias that I have in my address book). It can be a bit unwieldy if you have no process set up for doing this. Hopefully Pete will put together a Web interface for those that don't at some point in the future. Matt Katie LaSalle-Lowery wrote: Thurs evening I upgraded our Declude installation to version 1.81 (we had been at 1.65). I have become aware of a number of false positives in MessageSniffer since Friday. We had not seen any false positives in MessageSniffer previously. Any thoughts or suggestions? Katie LaSalle-Lowery Centric Internet Services 1410 Reserve St. Missoula, MT 59801 Local Phone 549-3337 ext. 21 Toll Free (888)593-2776 ext. 21 Fax (406)721-3438 --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. -- = MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ = --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.