A modern Xeon dual core, also within VMware:
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 37 Stepping 1, GenuineIntel
The oldest virtualized CPU is:
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 7, GenuineIntel
Both identify as Xeon E5xxx
Answer: pretty darn fast for a system that I think is slow anyway
I think my MTA is a busy system, and I know that it's not MessageSniffer
that keeps the server busy. A glance with Task Manager or Process
Explorer shows very little CPU time is spent by MessageSniffer.
I threw some grepping
Via the GnuWin32 tools on my Windows server:
C:\MessageSniffer>grep -P Match\t munged.2012062?.log | cut -f7 | usort | uniq -c | usort -k2 -n -r 2>nul | head
2 4991501
8 4991483
8 4991462
8 4991459
8 4991457
8 4991456
8 4991446
6 4991286
3
awards self a blue ribbon for 3rd place
From SNFclient.exe.err I saw these errors repeated for every message
processed:
20120107155711, arg1=C:\IMail\spool\proc\work\D016759002.smd : Could Not Connect!
The srvany.exe was running, but the SNFserver.exe wasn't, or wasn't
healthy. Each
/config/node/gbudb/training/source-header.jsp
Andrew.
-Original Message-
From: Message Sniffer Community [mailto:sniffer@sortmonster.com] On
Behalf Of Colbeck, Andrew
Sent: Monday, October 24, 2011 11:47 AM
To: Message Sniffer Community
Subject: [sniffer] Training GBUdb on the client IP
Another test, this time to update the X-AOL-IP: header, which in my last
few false-negatives have the standard X-Originating-IP: header ... I
don't know if AOL has deprecated the X-AOL-IP: header or whether it is
used under different client circumstances.
header name='X-Originating-IP:'
: [sniffer] Re: Training GBUdb on the client IP for telus.net
On 10/24/2011 3:20 PM, Colbeck, Andrew wrote:
header name='X-Telus-Outbound-IP:
Hrmm... Do you want the source to be the outbound IP?
_M
--
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044
x7010
Time to thwart a spam run from a fresh IP address: less than 18 minutes.
The first three emails from: 216.223.207.0/25 were allowed past
MessageSniffer but fewer than 18 minutes into the spam run, the content
triggers rule group 60, rule id 4224795.
(It is coupon spam, but probably fake
Pete, for
sample on-off='on'
I wrote myself this note...
<!-- We can sample during a peek if passthrough = yes -->
... Is it still valid? Your sample and my own configuration have:
passthrough=no
On the balance of it, I suspect my own note is wrong, so it would be
nice if you could verify it
: Monday, May 09, 2011 3:05 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Change in default settings
On 5/9/2011 4:53 PM, Colbeck, Andrew wrote:
Pete, for
sample on-off='on'
I wrote myself this note...
<!-- We can sample during a peek if passthrough = yes -->
... Is it still valid
Pete, now that Microsoft has taken down the Rustock botnet, what's your
telemetry say about spam volumes? Any significant change?
http://blogs.technet.com/b/microsoft_blog/archive/2011/03/18/taking-down-botnets-microsoft-and-the-rustock-botnet.aspx
I have seen one hit, and it looks like a false positive to me. Sent as a
sample to the false@ address.
Thanks for the heads-up, Darin.
Andrew.
From: Message Sniffer Community [mailto:snif...@sortmonster.com] On
Behalf Of Darin Cox
Sent: Tuesday, August
I'm not seeing any spike in inbound connections or accepted message
counts.
Actually, it's lower than Friday's volume and about the same as
Thursday.
Andrew.
-Original Message-
From: Message Sniffer Community [mailto:snif...@sortmonster.com] On
Behalf Of Peer-to-Peer (Support)
Sent:
I looked at the effectiveness of this test and I like what I'm seeing.
The volume isn't high, but it is making a difference in the edge cases
that are close to my hold weight.
In particular, I'm finding that it is triggering on pump and dump DKIM
spam from fresh netblocks that would otherwise
0.2, p 0.9 for [205.188.84.131]
I'll send the whole header to support@ in case you are interested in
this particular IP.
Andrew.
-Original Message-
From: Message Sniffer Community [mailto:snif...@sortmonster.com] On
Behalf Of Colbeck, Andrew
Sent: Monday, May 10, 2010 9:03 AM
For what it is worth, there are zero hits on my two servers for this
Rule. I looked back through the last 7 days.
Andrew.
-Original Message-
From: Message Sniffer Community [mailto:snif...@sortmonster.com] On
Behalf Of Darin Cox
Sent: Tuesday, April 06, 2010 9:48 AM
To: Message
All clear here, Pete.
Thanks for both of the notices,
Andrew.
-Original Message-
From: Message Sniffer Community [mailto:snif...@sortmonster.com] On
Behalf Of Pete McNeil
Sent: Thursday, November 26, 2009 8:45 AM
To: Message Sniffer Community
Subject: [sniffer] Bad rule alert:
The scores over here for the messages that trigger on rule 2654821
today:
spam that hit the rule: 4
... and were porn: 0
ham that was held by my weight system: 5
ham that was allowed by my weight system: 3
subsequent panic log lines: 139
Thanks for the heads up, Darin.
I was able to re-queue
Niiice, Pete.
Andrew 8)
-Original Message-
From: Message Sniffer Community [mailto:snif...@sortmonster.com] On
Behalf Of Pete McNeil
Sent: Wednesday, July 29, 2009 2:51 PM
To: Message Sniffer Community
Subject: [sniffer] SNFMilter released and a few other updates...
Hello
Thanks for the heads-up, Pete.
For what it's worth, I had a hit on only one message on each of my
gateways, from different senders.
The Sniffer General result code wasn't weighted high enough on my
Declude system to hold either message because they came from senders
with clean implementations.
It works for me. Thanks, Pete!
I used the documentation here:
http://www.armresearch.com/support/articles/software/snfServer/config/autoUpdates.jsp
I wanted a simplified system that more closely reflected what the vendor
ships, so I've stopped using my home-grown wget based script which was
I recently used snfclient.exe to whitelist the IP address (actually a
whole /24) of a mailing list manager that my users deem to be
trustworthy.
snfclient.exe -set 64.62.197.53 good - -
You might argue the merits of this IP address, but that's not why I'm
writing...
I deliberately left alone
.
From: Message Sniffer Community [mailto:snif...@sortmonster.com] On
Behalf Of Pete McNeil
Sent: Thursday, April 30, 2009 1:14 PM
To: Message Sniffer Community
Subject: [sniffer] Re: overriding the GBUdb
Colbeck, Andrew wrote:
I recently used snfclient.exe
I also have hit this. A single hit, also from AOL.
Andrew.
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On
Behalf Of Darin Cox
Sent: Friday, July 18, 2008 6:37 AM
To: Message Sniffer Community
Subject: [sniffer] Problem with Sniffer-Porn rule
.
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On
Behalf Of Colbeck, Andrew
Sent: Friday, July 18, 2008 8:31 AM
To: Message Sniffer Community
Subject: [sniffer] Re: Problem with Sniffer-Porn rule this morning
I also have hit this. A single hit, also from AOL.
Andrew
Congratulations on shipping, Pete!
Andrew 8)
p.s. Hey, I love the new mascot. Much cuter than the old SortMonster...
-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On
Behalf Of Pete McNeil
Sent: Thursday, June 26, 2008 12:24 PM
To: Message Sniffer
Pete, if we have a significant number of hits, they'll be from all kinds
of IP sources.
Should we dump the GBUdb? If so, how?
The documentation is perfectly clear on how to tweak an IP or dump an IP
in the GBUdb, but doesn't mention a wholesale clearing of it.
Andrew.
-Original
Thanks, Pete.
I had very few actual hits; I have lots of lines that indicate the rule
panic in place, but the number of actual hits is quite small.
How I found my hits:
cd /d C:\MessageSniffer
gawk "($6 == \"Final\") && ($7 == 1940812)" *.20080617.log
Andrew.
-Original Message-
From:
Thanks, Pete.
I had four actual false positives on one server, versus 324 unique hits
for the bad rule.
So yes, I'd say that the autopanic feature worked quite well.
Andrew.
-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On
Behalf Of Pete McNeil
Sent:
pong ...
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On
Behalf Of John T
Sent: Monday, May 26, 2008 9:08 AM
To: Message Sniffer Community
Subject: [sniffer] Test
Ping
Testing as I have not received any list messages for a while.
John T
Paul, since you're working in a Windows world, check out Alligate from
alligate.com as a Windows platform based email gateway.
I've put Alligate in front of my Declude setup and it drastically
reduced the number of emails I had to scan for content and sender in
Declude, and gained back a lot of disk
It appears that both the reload and the rotate options in the
sniffer executable are still accepted by SNFClient.exe but are
deprecated, as neither parameter appears in the help or in the
contextual help when SNFClient.exe is run without parameters.
Andrew.
Thanks for the response, Pete!
I was using both parameters in my scheduled pattern download script,
which would tell Sniffer that there was a new pattern, and would rotate
the logs before uploading them back to you.
With the new (beta) version, both extras have become redundant, so I've
For what it's worth, it is working for my two licences.
I received email update notifications at:
90 minutes ago
3 18 minutes ago
4 38 minutes ago
6 hours 13 minutes ago
Andrew 8)
-Original Message-
From: Message Sniffer Community
[mailto:[EMAIL PROTECTED] On Behalf Of Frederick
The Ugly value returned by the beta Message Sniffer you're using with
the Good, Bad and Ugly database has a result code of 40, and this code
is missing from your list.
(The White value overlaps with result code 0, which internally to
Message Sniffer will mask any other spam result code on your
Pete, one of the questions I had right away when I looked at the
documentation accompanying the software package was about the
communication channel.
The documentation clearly pointed out that port 25 is the default and
that 80 is selectable, but didn't go further. I just answered my own
Thanks for reporting this, Pete!
My numbers were more extreme than Pi-Web's.
That bad rule triggered on 18,023 messages yesterday.
Due to the rest of my spam software, two-thirds were either passed (as
presumed ham) or deleted (as very spammy).
So the one-third that was held, I re-scanned
See this article at the Internet Storm Center:
http://isc.sans.org/diary.html?storyid=3012
Pump and dump scams now in PDF
Published: 2007-06-20,
Last Updated: 2007-06-20 21:33:39 UTC
by Maarten Van Horenbeeck (Version: 1)
Apparently the groups behind what we know as pump and dump spam have
My last upload averaged a lame 6 KB/s.
My last download varied widely in the speed obtained:
0K .. .. .. .. .. 17.85 KB/s
50K .. .. .. .. .. 9.58 KB/s
100K .. .. .. ..
Thanks for the update, Pete.
Over on the Declude JunkMail support mailing list, it's like déjà vu all over
again.
Andrew 8)
p.s. For the many of us here that don't subscribe to that list... The small
number of recently active messages have been re-queued to the list several
times.
Would it be a good idea in a future version to delete files
that are older than a certain date automatically?
I disagree.
Having MessageSniffer delete the old files would hide the problem. With
the messages left behind, you have a valuable symptom that something is
wrong with your
Postini posts some statistics here, but their conclusions can lag by
months:
http://www.postini.com/stats/index.php
global spam traffic is a big concept... Postini did however process
over 650 million messages in the last 24 hours.
Andrew.
-Original Message-
From: Message Sniffer
Serge, what return value are you using for this snifferwhitelist?
The official and current list of return codes is here:
http://kb.armresearch.com/index.php?title=Message_Sniffer.TechnicalDetails.ResultCodes
If you're using 0, then don't do that, because zero is also used for
no result.
If you don't mind, does WeightGate add any noticeable
CPU cycles to run on top of running Sniffer? Thanks for the aid.
On a 100,000 emails per day on a 2.8 GHz Xeon, no, it doesn't.
Andrew 8)
-Original Message-
From: Message Sniffer Community
[mailto:[EMAIL PROTECTED] On
This diary entry over at the Internet Storm Center points to an
increased volume of traffic from probable zombies, and they posit that
the increase in this traffic would coincide with the spam increase that
people are seeing.
http://isc.sans.org/diary.php?storyid=1828
Their graph shows a sharp
I like your new sig, John.
How's this for an addendum?
"Experience is that which you acquire, just after you
needed it."
Andrew 8)
From: Message Sniffer Community
[mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Thursday, October 26, 2006 8:13 AM
To: Message
For another organization's graph of spam trends as received by them,
check out the updated graphs at TQM cubed:
http://tqmcube.com/tide.php
Their graph shows a sharp uptick at the end of June 2006.
Andrew 8)
-Original Message-
From: Message Sniffer Community
[mailto:[EMAIL
That's good news, Pete.
And with the WeightGate executable and source thrown in at no extra
charge!
Andrew 8)
-Original Message-
From: Message Sniffer Community
[mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Monday, October 23, 2006 9:26 AM
To: Message Sniffer
I'm attaching an old message to this list which may come in
handy. It's from my perspective, which is using Declude and IMail, with
the spam messages in d:\imail\spool\spam and needing to be moved to
d:\imail\spool to be re-scanned. Now that I use a newer version of
Declude, my
I had a similar problem with Hotmail once upon a time; the
details were different, but the remedy was the same.
I run a caching DNS server on my outbound DNS host, so I
simply added a DNS zone for Yahoo.com on it, and populated only enough
MX record information so that I could reliably get
Column 7 is the one that contains the rule that was hit. In this case,
it was 1100444.
Column 8 is the one that contains the group. In this case, it was 60
Ungrouped Black Rules (Sniffer General).
Andrew 8)
-Original Message-
From: Message Sniffer Community
[mailto:[EMAIL
Would that be the Laugh in the subject line pharmaceutical spam
campaign?
That was mentioned by Dave Doherty on the Declude.JunkMail mailing list,
and when I checked my logs I found many hundreds with clear variations
on the keywords in the text, e.g. there is a joke about lawyers and they
are
FWIW I take the belt and suspenders approach.
The rulebase notification by email does trigger a Message
Sniffer update script on my system, but I don't rely on it solely. In
addition, I also use an "at" schedule every four hours.
As in Markus' (and Bill's) sample, I use the -N parameter
Pete, I plan to use it or something similar in non-production once I set
up a new test system.
A quick test with a batch file worked fine.
Although I'm no programmer, I have reviewed the source and saw no
obvious logical problems or coding flaws.
Rigorous testing on the command line showed that
It was broken code in the latest Bagel/Beagle:
http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.fc.html
Andrew 8)
(sniff) Aw, cut it out, Matt.
You're making me all weepy.
p.s. Pete, that's pretty darned amazing!
From: Message Sniffer Community
[mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Wednesday, June 07, 2006 3:58 PM
To: Message Sniffer Community
Subject: Re: [sniffer]Re[2]:
David,
Are you using the free version of sniffer? Or did you deliberately change your
.exe name in your posting to sniffer.exe to hide your licence number?
I certainly expect that the rulebase lag with the free version will result in
lower Message Sniffer hit rates.
I've seen the free version
I use just shy of 60 DNS based tests against the sender, both IP4R and
RHSBL.
Perhaps 10-12 matter.
Due to false positives, I rate most of them relatively low and have
built up their weights as a balancing act. That act is greatly assisted
by using a weighting system and not reject on first
So no one has any idea what the purpose of these emails are?
The bad guys aren't telling. The good guys have lots
of theories, such as:
http://isc.sans.org/diary.php?storyid=1384
and also:
http://www.f-secure.com/weblog/archives/archive-062006.html#0894
which
in turn points to
?
John T
eServices For You
Seek, and ye shall find!
-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On
Behalf
Of
Colbeck, Andrew
Sent: Wednesday, May 24, 2006 9:38 AM
To: Message Sniffer Community
Subject: Re: [sniffer]Possible Paypal
Certainly, submitting samples to spam@ (or preferably your
local spam submission point polled by our bots) will put
these messages in front of us if we have not already created
rules for them.
I've just manually submitted the ~35 messages that my filters triggered
on for phishing that
Pete,
One of these was EarthLink [207.217.120.227], and one of these was
Google Mail [64.233.166.182].
SpamBag lists the EarthLink address as a source of bogus bounces, and I
posit that this would be the source of the mail to the spamtraps that
would trigger the F001 bot.
I would like to state
Joe,
Are you using MDLP to autotune your weights in
Declude? If so, you can exclude invURIBL and other tests which you don't
want to change, whether because you think the weight is perfect, or because
their randomness doesn't fit MDLP's idea of a weighting
system.
Check out this snippet
Goran,
When you issue a reload you can tell that the new rulebase is being used
because the *.svr file's date and time will change to the current time.
Andrew 8)
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Friday,
Goran, I'd be interested in Pete's technical answer, too.
The practical answer is that you should always go with the persistent
instance of Message Sniffer. From reading Pete's previous screeds and
monitoring the list here in the last year and from having my own
troubles, it's pretty clear to me
Thanks for the update, Pete.
I also appreciate that you expanded on how that rule went wild. I can
see that the intent was good but the unintended consequences were not so
good.
Here's how it played out on my server:
How many messages hit the FP rules: 2,042
How many messages Declude decided
By the way, Pete, thank you very much for publicly posting the URL where
we could download FPSigIDs.csv so that we could work on recovering our
own false positives.
I was able to use this information to selectively re-test all of the
messages detected by those rules. That was 2,449 messages.
Thank you, Pete.
In my spelunking, I've found too many rules to put in as panic entries
in my .cfg file, and this morning I dropped the weight for my experimental
class tests to low values, and heavily edited my combo tests that
build on Sniffer hits.
I'm attaching a report showing the number of
(nuts, too fast on the "Send" button).
... plus, future hits on spam that is already detected can
accumulate hits on, say, SNIFFEREXPIP that weren't already hitting.
Therefore, trying to save bandwidth and processing power over at sortmonster.com
by submitting less spam is not helpful.
Can anybody give me the short and sweet "how-to" change the
HELO in MDaemon without changing the hostname of the mail server?
I don't use MDaemon, I'm trying to help someone else.
Thanks,
Andrew 8)
I suppose it depends on just how deep the sniffer signature goes...
Previous viruses including Sober.* have come in waves, with variants
that skirt all but the most intrusive antivirus blocking schemes.
I submitted a sample to the Norman Sandbox, which turned up different
information than the
Inversely, I just had a 419 scam come from a legitimate hotmail account,
with a Yahoo! Email address as payload, and for the record, that email
address (nor anything else) trigger a Sniffer detection.
I've just submitted it to the spam@ address.
Andrew 8)
-Original Message-
From:
I just thought I'd revive this thread and say that on a tiny organization for
whom I also administer the mail, this was welcome news.
They have ORF plus Exchange 2000. I added the free eval version of sniffer to
their mix with the new ORF External Agent feature.
Despite the delay in patterns,
Richard, are you rotating your sniffer logs daily?
I had the same experience a very long time ago, and found that without
rotating the logs, appending to a monster text file was soaking up a lot
of cpu and disk on my server.
Bill Landry worked with a lot of people here to make his download script
Ping?
Pong.
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Robert Mathias
Sent: Thursday, August 04, 2005 3:59 PM
To: sniffer@SortMonster.com
Subject: [sniffer] Test
Apologies, but need to test.
Robert
So basically, what you are saying is that my volume is really
too low to take advantage of the persistent sniffer (and such
may actually decrease my performance), and I should stick
with the non-service version. Is that right? That is about
what I thought (without the details of how
FireDaemon is dirt cheap. Yes, you can have one
service for free if you find an older version.
If you want free and will settle for no interface,
then check out the free SrvAny.exe that is downloadable from Microsoft as part
of their Windows Server Resource Kit.
Andrew 8)
From:
My email server has received about 200 of a certain message since 8:30
AM PDT.
The Subject line is merely 1, the forged mailfrom is approximately the
first 8 characters of the target address plus a forged domain. There is
an attachment called 1.txt and a message text body that begins on a
new
I'm on updates this evening. I'll watch for this. It sounds
like something that requires an abstract rule --- probably
not enough content for the other coders to try it safely... I
am surprised I didn't hear about it though...
Please send me another note with a few of these as
FYI
http://www.securitypipeline.com/news/164901324
This E-Mail came from the Message Sniffer mailing list. For information and
(un)subscription instructions go to
http://www.sortmonster.com/MessageSniffer/Help/Help.html
Gotta catch 'em all (not Pokemon, spam)...
Sniffer caught all of them today:
gawk "$0 ~ /.+From: .+To: .+IP: 200\.49\.[3|4|5]/ {print $3}" dec0617.log > temp.txt
fgrep -ftemp.txt dec0617.log | fgrep "Total weight"
If your volume is quite high, that second line, instead of
I haven't noticed this spam leaking through, but at your prompting I did a:
egrep ".+From: .+To: .+IP: 200\.49\." dec0616.log
and saw about 46. A glance through these to:from:ip: lines definitely shows
messages that fit your description, along with messages that don't (I'm
Also, the domains in the body text are not hitting on SURBL tests.
Andrew 8)
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Thursday, June 16, 2005 3:34 PM
To: sniffer@SortMonster.com
Subject: RE:
Today I saw hits from this campaign on another IP block as well, and
plugging that into SenderBase.org gives me:
http://www.senderbase.org/search?searchString=200.49.37.130
Note in the top right that they list:
200.49.36.0/22
belonging to Network Access Point S.R.L., and following that link
I'm seeing what Scott sees, but the payload is an encrypted zip.
VirusTotal.com says:
This is a report processed by VirusTotal on 06/06/2005 at 23:40:17 (CET) after scanning the file "DBB05F6330082B871.SMD" file.
Antivirus Version Update Result
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FMYTOB%2EDV
http://securityresponse.symantec.com/avcenter/venc/data/[EMAIL PROTECTED]
This is the virus that I was seeing. The one that Jim and others are seeing may
be this MyTob, whose description was
Thanks for the quick work, Pete.
I put in the Rule-panic entry as soon as you sent the email to this
list.
For what it's worth, I just finished with all my held mail for the last
two days, and I had no false positives from messages with a mailfrom
that included c o m c a s t.
Lots of mail that
On the weekend and since, I saw a lot of them get through but Sniffer
was dutifully catching them, unfortunately, they also served to
highlight Sniffer hyperaccuracy because those messages just weren't
reaching my HOLD weight.
Check out the Message Sniffer change rates for the last few days:
Jay, here's more web information on the mxrate tests:
http://www.mxrate.com/lookup/dns.htm
Andrew 8)
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Saturday, April 02, 2005 1:43 PM
To: Jay Sudowski - Handy Networks LLC
Subject: Re:
http://www.sophos.com/spaminfo/articles/spamwords.html
Interesting, but a pity they didn't publish a list of, say, their 1,000
most popular obfuscations.
Andrew 8)
time for my cat since I implemented
Sniffer.
Andrew 8)
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Tuesday, March 22, 2005 4:37 PM
To: Colbeck, Andrew
Subject: Re: [sniffer] Money, drugs, and sex
On Tuesday, March 22, 2005, 4:47:30
http://www.sortmonster.com/MessageSniffer/Performance/ChangeRates.jsp
Oooh, pretty!
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Sunday, February 20, 2005 3:52 PM
To: sniffer@sortmonster.com
Subject: [sniffer] New change rates
Yup, just type the executable's filename in a command window, and the version
information is on the last couple of lines in the resulting help.
Andrew 8)
p.s. My version says build - v2-3.2 Nov 23 2004 01:21:33
-Original Message-
From: Keith Johnson
Hello, all.
Aside from the usual Internet Explorer and Office patches, this patch
cycle also includes an update to the October update MS04-035 which
affects a DNS query vulnerability in the SMTP handling in Windows
2000/2003 as well as Exchange 2003.
Check out http://www.invariantsystems.com for utilities for Declude And
Imail. IMail/Declude Overflow Queue Monitoring, MRTG Integration, and
Log
Parsers.
Colbeck, Andrew writes:
Hello, all.
Aside from the usual Internet Explorer and Office
For what it's worth, I'm definitely seeing an increase in volume over
the weekend (double the spam, actually), and I believe it is tapering
off already.
In addition to the volume of separate messages, the number of recipients
is generally up.
The messages look generally like the kind of jobs
, 2005 4:58 PM
To: Colbeck, Andrew
Subject: Re[2]: [sniffer] Sniffer and SURBL
On Monday, January 10, 2005, 7:17:29 PM, Andrew wrote:
CA Pete, I thought that you had said at one point that SortMonster
CA fetches one or more SURBL zones and incorporates those as spam data
CA for Message Sniffer
It sounds good to me, Pete.
May I humbly suggest that this be a new result code, e.g. 046? Until
now, Message Sniffer has been very parsimonious with the new categories,
but this looks like one that will be here for a long time.
Andrew 8)
-Original Message-
From: [EMAIL PROTECTED]
Well, an indirect way to do this is to use the (undocumented?) Declude directive:
rsp
set off TESTNAME
as the first bit of text in your test message. That won't actually trigger
sniffer, but it will for the purpose of making your JunkMail think that the test
has been