[sniffer] Now OT: Re: [sniffer] Re: Opening truncate.gbudb.net

2010-05-10 Thread Sanford Whiteman
> One impacted customer wanted me to put back their original pw back > in. Boss can't learn a new one! Sheesh.. That makes me... cry. Not mail-related: a user of our web app forgot his password today and was having a ridiculously hard time using our password reset form (basic enter-your-

[sniffer] Re: Sniffer Updates every 6 or 7 minutes

2009-11-02 Thread Pete McNeil
Rory Nimmo wrote: Hi folks. My Sniffer rule base is updating every 6 or 7 minutes today. I have not made any changes at my end. Can you shed any light on this please? It should be fixed now. A bug in smb (used internally to populate the delivery servers) causes datestamp problems when

[sniffer] Re: FW: [sniffer] Re: Sniffer 3.0 Froze Mail Server

2008-10-04 Thread Pete McNeil
Hello Andy, Saturday, October 4, 2008, 10:21:31 PM, you wrote: > Hi Pete, Well, I eliminated WeightGate for the time being, just to do my “due diligence”. Also, since there is a fixed-size buffer, I assume actually LOWERING the 3rd number (the allocation for each non-interactive process)

[sniffer] Re: FW: [sniffer] Re: Sniffer 3.0 Froze Mail Server

2008-10-04 Thread Andy Schmidt
cNeil [mailto:[EMAIL PROTECTED] Sent: Saturday, October 04, 2008 10:07 PM To: Andy Schmidt Cc: [EMAIL PROTECTED] Subject: Re: FW: [sniffer] Re: Sniffer 3.0 Froze Mail Server Hello Andy, Saturday, October 4, 2008, 9:22:39 PM, you wrote: > Hi Pete, Here the log files. I can't t

[sniffer] Re: Sniffer 3.0 Installed

2008-10-04 Thread Andy Schmidt
it more flexible to deal with different customer scenarios. Best Regards, Andy From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil Sent: Saturday, October 04, 2008 3:52 PM To: Message Sniffer Community Subject: [sniffer] Re: Sniffer 3.0 Installed My best thin

[sniffer] Re: Sniffer 3.0 Installed

2008-10-04 Thread Pete McNeil
Hello Andy, Saturday, October 4, 2008, 12:28:44 PM, you wrote: > Hi Pete, Thanks for your feedback. I had to create the UpdateReady.txt file before I was able to test my update script from the command line – but I didn’t realize that it would be created in the Workspace folder. Without th

[sniffer] Re: Sniffer 3.0 Froze Mail Server

2008-10-04 Thread Andy Schmidt
Ouch - 3.0 didn't even last 12 hours. Imail was frozen up because it apparently couldn't launch any more Sniffer client instances. Event Log was full with: Event Type:Information Event Source:Application Popup Event ID: 26 Description: Application popup: SNFClien

[sniffer] Re: Sniffer 3.0 Installed

2008-10-04 Thread Pete McNeil
Hello Andy, First, let me say thanks for sharing all of this. We don't often get detailed feedback on these things. Your valuable insights will be used to make later releases better. With that said I will add a few comments here and there to explain why things are the way they are and help ot

[sniffer] Re: Sniffer Version 3 Install for FreeBSD?

2008-09-29 Thread Pete McNeil
Hello Harry, Monday, September 29, 2008, 8:11:09 AM, you wrote: > Hi Pete, Please do send the new FreeBSD control script and doc at your convenience. Our emails are crossing in the ether. Before posting the new distribution prototype I created a README-SETUP file to help pull the

[sniffer] Re: Sniffer Version 3 Install for FreeBSD?

2008-09-29 Thread Harry Palmer
Hi Pete, Please do send the new FreeBSD control script and doc at your convenience. Thank you, Harry Hello Harry, Sunday, September 28, 2008, 10:39:42 PM, you wrote: > I have been using Sniffer for several years with Declude and SmarterMail on Windows. I would like to move S

[sniffer] Re: Sniffer Version 3 Install for FreeBSD?

2008-09-29 Thread Pete McNeil
Hello Harry, Sunday, September 28, 2008, 10:39:42 PM, you wrote: > I have been using Sniffer for several years with Declude and SmarterMail on Windows. I would like to move Sniffer to my IMGate Mail Gateway (Postfix / FreeBSD). Has anyone installed Version 3 of Sniffer on FreeBSD? The *n

[sniffer] Re: Sniffer Helper App? UPDATE

2008-07-04 Thread Steve Guluk
Hello, As an update, the developer (Alexander N. Telegin) spent a number of hours on my server and seems to have sorted the bugs out in eWall. At this time the program is running well and as advertised. It's a nice little light gateway client that has some easy to use scripting features an

[sniffer] Re: Sniffer Helper App?

2008-07-01 Thread Mxuptime.com
iffer Community Subject: [sniffer] Re: Sniffer Helper App? I MOVED FROM Imail 8 to SmarterMail 4.3 and then 5.1, best thing I ever did (> the cost of an Imail maintenance contract for Enterprise unlimited users / domains). SmarterMail has grey listing built in so 90-95% spam gets killed at so

[sniffer] Re: Sniffer Helper App?

2008-07-01 Thread David Moore
I MOVED FROM Imail 8 to SmarterMail 4.3 and then 5.1, best thing I ever did (> the cost of an Imail maintenance contract for Enterprise unlimited users / domains). SmarterMail has grey listing built in so 90-95% spam gets killed at source the other spam is handled out of the box by SpamAssassin. I

[sniffer] Re: Sniffer Helper App?

2008-07-01 Thread Matt
Steve, Since this hasn't yet been mentioned, try Alligate (www.alligate.com). It does selective greylisting (only greylists things that look spammy), and also will validate your users' addresses and do things like country blocking/tarpitting/greylisting. Only one zombie spammer survives gre

[sniffer] Re: Sniffer Helper App?

2008-07-01 Thread Rob McEwen
Steve, If at all possible, I recommend blocking based on unknown user BEFORE doing ANY content filtering of the message. But, if you must, it is also a good strategy to block based on the sender's IP first. (I'm figuring that you might need to do that since you are trying to reduce mail to yo

[sniffer] Re: Sniffer Helper App?

2008-07-01 Thread Rob McEwen
If I move away from eWall I will be left with just iMail till I find something else (purpose of my email). iMail has URL blacklists. eWall has URI Blacklists but I'm still looking for that perfect client to put in-front of my mail server (software based). So you probably have some good sugg

[sniffer] Re: Sniffer Helper App?

2008-07-01 Thread Herb Guenther
Steve; Declude works well, but any comprehensive set of filters will take some horsepower to run. Declude will do the country filtering I think you wanted. Herb Steve Guluk wrote: On Jul 1, 2008, at 12:25 PM, Rob McEwen wrote: Steve, Do you have the ability to add into your current fil

[sniffer] Re: Sniffer Helper App?

2008-07-01 Thread Rob McEwen
Steve, What I'm getting is this... the ultimate in low resource spam protection is blocking based on the sending IP using a prolific DNSBL like zen.spamhaus.org that, like zen, has extreme low FPs. Because the message is blocked at the perimeter using just a single lookup on the sender's ip.

[sniffer] Re: Sniffer Helper App?

2008-07-01 Thread Steve Guluk
On Jul 1, 2008, at 12:25 PM, Rob McEwen wrote: Steve, Do you have the ability to add into your current filtering additional RBLs and/or URI blacklists? I have some good suggestions there! Rob McEwen Rob, If I move away from eWall I will be left with just iMail till I find something

[sniffer] Re: Sniffer Helper App?

2008-07-01 Thread Rob McEwen
Steve Guluk wrote: Any suggestions on what I should consider to help with spam and also use Sniffer. Steve, Do you have the ability to add into your current filtering additional RBLs and/or URI blacklists? I have some good suggestions there! Rob McEwen

[sniffer] Re: Sniffer Win32 command line output

2008-01-10 Thread Shawn Park
Pete, That is exactly what I needed. You rock. Thanks so much. Shawn On Jan 10, 2008 11:56 AM, Pete McNeil <[EMAIL PROTECTED]> wrote: > Hello Shawn, > > > Following up a bit... > > > Most likely you're using a Process object to call the SNFClient. > > > If I've read the MS docs correctly yo

[sniffer] Re: Sniffer Win32 command line output

2008-01-10 Thread Pete McNeil
Hello Shawn, Following up a bit... Most likely you're using a Process object to call the SNFClient. If I've read the MS docs correctly you will want to get the "exit code" once SNFClient finishes. http://msdn2.microsoft.com/en-us/library/system.diagnostics.process.exitcode(VS.71).aspx Hope

[sniffer] Re: Sniffer Win32 command line output

2008-01-10 Thread Pete McNeil
Hello Shawn, Thursday, January 10, 2008, 2:16:24 PM, you wrote: > Hello, I am evaluating Message Sniffer beta version but I am totally confused.  :-) >   But how do I get the result code for the spam message to output back to the command prompt?  If I try to call SNFClient

[sniffer] Re: Sniffer Win32 command line output

2008-01-10 Thread Pi-Web - Frank Jensen
Make a bat file like this: -- @echo off echo syntax "batfilenavn.bat" "messagefil to test" SNFclient.exe "%1" echo %errorlevel% pause -- If it displays zero the message is clean. Hello, I am evaluating Message Sniffer beta version but I am totally confused. :-) If I am in

[sniffer] Re: Sniffer Update Timeouts

2007-12-12 Thread Pete McNeil
Hello Christopher, Wednesday, December 12, 2007, 12:47:53 PM, you wrote: > I'm seeing timeouts and very slow downloads from sniffer today. > Is this just me? We are having some router issues. They should be resolved today. _M -- Pete McNeil Chief Scientist, Arm Research Labs, LLC.

[sniffer] Re: Sniffer codes

2007-11-09 Thread Pete McNeil
Hello Andrew, A few minor corrections if I may. Friday, November 9, 2007, 8:31:01 PM, you wrote: > The Ugly value returned by the beta Message Sniffer you're using with the "Good, Bad and Ugly" database has a result code of 40, and this code is missing from your list. That's not qu

[sniffer] Re: Sniffer codes

2007-11-09 Thread Colbeck, Andrew
The Ugly value returned by the beta Message Sniffer you're using with the "Good, Bad and Ugly" database has a result code of 40, and this code is missing from your list. (The White value overlaps with result code 0, which internally to Message Sniffer will mask any other "spam" result code on you

[sniffer] Re: Sniffer as passthrough filter

2007-03-15 Thread Jay Sudowski - Handy Networks LLC
on a domain and then forwarding all the mail to a remote system. -Jay -Original Message- From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of John T (lists) Sent: Thursday, March 08, 2007 11:44 PM To: Message Sniffer Community Subject: [sniffer] Re: Sniffer as passthrough f

[sniffer] Re: Sniffer as passthrough filter

2007-03-08 Thread John T (lists)
Yes, it is called email gateway service and many of us do that and it is fairly straightforward to setup but there are a number of steps. John T > -Original Message- > From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf > Of K Mitchell > Sent: Thursday, March 08, 2007 6:16

[sniffer] Re: Sniffer White List

2006-12-12 Thread Serge
posted this before getting pete's post please disregard - Original Message - From: "Serge" <[EMAIL PROTECTED]> To: "Message Sniffer Community" Sent: Tuesday, December 12, 2006 8:11 PM Subject: [sniffer] Re: Sniffer White List > I'm using 000,

[sniffer] Re: Sniffer White List

2006-12-12 Thread Serge
To: "Message Sniffer Community" Sent: Tuesday, December 12, 2006 7:49 PM Subject: [sniffer] Re: Sniffer White List Serge, what return value are you using for this snifferwhitelist? The official and current list of return codes is here: http://kb.armresearch.com/index.php?title

[sniffer] Re: Sniffer White List

2006-12-12 Thread Pete McNeil
Hello Serge, Tuesday, December 12, 2006, 2:22:27 PM, you wrote: > We started using tests for the different sniffer categories recently and are > finding that snifferwhitelist is very inaccurate > it is subtracting weight from more real spam than it does of non-spam > messages > should we just d

[sniffer] Re: Sniffer White List

2006-12-12 Thread Colbeck, Andrew
Serge, what return value are you using for this snifferwhitelist? The official and current list of return codes is here: http://kb.armresearch.com/index.php?title=Message_Sniffer.TechnicalDetails.ResultCodes If you're using "0", then don't do that, because zero is also used for "no result". Ac

[sniffer] Re: Sniffer does not catch as much as it used to.

2006-09-20 Thread Pete McNeil
Hello Fox,Thomas, I might add that for a long while it has been a common recommendation for SNF to be weighted at 70-80% of your "hold" weight. Quite often, some result categories are weighted to hold on their own. These days blackhats are using a burst-mode delivery tactic that makes it virtually

[sniffer] Re: Sniffer does not catch as much as it used to.

2006-09-20 Thread Pete McNeil
Hello Steve, This is an important point. Most of the image spam rules and in particular "abstract heuristics" are coded to the experimental rule group. The name implies only that these rules are not direct matches for components of the message (singly or in combination) as are most other rules - R

[sniffer] Re: Sniffer does not catch as much as it used to.

2006-09-20 Thread Pete McNeil
Hello Rick, Wednesday, September 20, 2006, 8:34:55 AM, you wrote: > I just signed my annual renewal for Sniffer but it seems that it used to > catch lots of the email and now is only catching about 50% of the email Why > when we are sending in our information does this continue to happen? We are

[sniffer] Re: Sniffer does not catch as much as it used to.

2006-09-20 Thread Fox,Thomas
Hi Rick, I've found that tuning for spam is a constant process. I am always tweaking settings, changing weights, etc., in response to spam leakage. Just yesterday I spent about 2 hours on it. I (very reluctantly) implemented some phrase filtering, using the filter function in Declude. I've been

[sniffer] Re: Sniffer does not catch as much as it used to.

2006-09-20 Thread Steve Guluk
On Sep 20, 2006, at 5:34 AM, Rick Hogue wrote: I just signed my annual renewal for Sniffer but it seems that it used to catch lots of the email and now is only catching about 50% of the email Why when we are sending in our information does this continue to happen? We are getting lots of you won, Pha

[sniffer] Re: Sniffer does not catch as much as it used to.

2006-09-20 Thread Tech Support
We've been very happy putting invURIBL into the mix :) -Original Message- From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox Sent: Wednesday, September 20, 2006 9:11 AM To: Message Sniffer Community Subject: [sniffer] Re: Sniffer does not catch as mu

[sniffer] Re: Sniffer does not catch as much as it used to.

2006-09-20 Thread David Moore
Community Subject: [sniffer] Re: Sniffer does not catch as much as it used to. Hi Rick, It's a constant battle, with spammers getting more sophisticated, and filtering tools trying to catch up and anticipate the next move. That said, we do not see the kind of leakage you see, probably due to

[sniffer] Re: Sniffer does not catch as much as it used to.

2006-09-20 Thread Darin Cox
Hi Rick, It's a constant battle, with spammers getting more sophisticated, and filtering tools trying to catch up and anticipate the next move. That said, we do not see the kind of leakage you see, probably due to other tests we run on our systems. I would recommend you supplement with BLs and o

[sniffer] Re: Sniffer not working on new server

2006-08-07 Thread Pete McNeil
Hello Jonathan, There's nothing tied to IP or domain that would stop SNF from running. Most likely mxGuard is not calling SNF for some reason. Recheck that config and any logs that are left behind, and also run SNF from the command line to make sure it's doing what you expect it to. Hope this hel

[sniffer] Re: [sniffer]Re[2]: [sniffer]WeightGate source, just in case...

2006-06-08 Thread Matt
Pete, My understanding was that Declude treats different arguments to an executable as just being other forms of that executable so it only processes it once.  I'm not positive one way or another.  It's worth testing though. Matt Pete McNeil wrote: Hello Matt, Wednesday, June 7, 2006,

[sniffer] Re: [sniffer][Fwd: Re: [sniffer]FP suggestions]

2006-06-08 Thread Pete McNeil
Hello Andrew, Thursday, June 8, 2006, 11:32:47 AM, you wrote: > Ditto. > I advise people to use Insert, Item. Far easier than explaining how to > drag and drop (or tie shoelaces). It might be nice to have a SnagIt of that process to share w/ users. > I've noticed that whether the headers surv

[sniffer] Re: [sniffer][Fwd: Re: [sniffer]FP suggestions]

2006-06-08 Thread Matt
Darin, Thunderbird allows you to choose the default forwarding method as either inline or as attachment.  It might actually default to inline, I can't remember, but whenever it does message/rfc822 attachments, it is as a whole unlike some other clients that edit it down to the bare minimum of

[sniffer] Re: [sniffer][Fwd: Re: [sniffer]FP suggestions]

2006-06-08 Thread Colbeck, Andrew
TED] On Behalf Of Darin Cox > Sent: Thursday, June 08, 2006 6:45 AM > To: Message Sniffer Community > Subject: [sniffer] Re: [sniffer][Fwd: Re: [sniffer]FP suggestions] > > >Thunderbird and Netscape just takes the full original source and > >attaches it as a message/rfc82

[sniffer] Re: [sniffer][Fwd: Re: [sniffer]FP suggestions]

2006-06-08 Thread Darin Cox
>Thunderbird and Netscape just takes the full original source and >attaches it as a message/rfc822 attachment. I forwarded this message >back to the list by just pressing "Forward". Interesting that they include the headers with a simple forward, without specifying forward as attachment. I haven

[sniffer] Re: [sniffer]Re[2]: [sniffer]WeightGate source, just in case...

2006-06-08 Thread Pete McNeil
Hello Pete, Thursday, June 8, 2006, 9:42:42 AM, you wrote: > Hello Pete, > Thursday, June 8, 2006, 9:41:55 AM, you wrote: >>> It does look a little weird. Sometimes it's normal though. I'll see if >>> I can identify anything odd in the settings. >>> _M >> I've changed the settings. I hope th

[sniffer] Re: [sniffer]Re[2]: [sniffer]WeightGate source, just in case...

2006-06-08 Thread Pete McNeil
Hello Pete, Thursday, June 8, 2006, 9:41:55 AM, you wrote: >> It does look a little weird. Sometimes it's normal though. I'll see if >> I can identify anything odd in the settings. >> _M > I've changed the settings. I hope this response works ok. > _M Testing. Sorry for the extra traffic - on

[sniffer] Re: [sniffer]Re[2]: [sniffer]WeightGate source, just in case...

2006-06-08 Thread Pete McNeil
> It does look a little weird. Sometimes it's normal though. I'll see if > I can identify anything odd in the settings. > _M I've changed the settings. I hope this response works ok. _M -- Pete McNeil Chief Scientist, Arm Research Labs, LLC.

[sniffer]AW: [sniffer][Fwd: Re: [sniffer]FP suggestions]

2006-06-08 Thread Markus Gufler
> Please excuse me for wanting more detail about the Outlook > attachment trick, but would you mind attaching this message > to a response so that I could look at the headers and such? The full headers are a useful thing if a customer asks me why he has received a certain message that he doesn'

[sniffer][Fwd: Re: [sniffer]FP suggestions]

2006-06-07 Thread Matt
, or, at the very least, within 24 hours. Darin. - Original Message - From: Matt To: Message Sniffer Community Sent: Wednesday, June 07, 2006 11:46 PM Subject: Re: [sniffer]FP suggestions Darin, Outlook will strip many of the headers when forwarding. Outlook Express needs to forward the m

Re: [sniffer]FP suggestions

2006-06-07 Thread Darin Cox
from same day, or, at the very least, within 24 hours. Darin. - Original Message - From: Matt To: Message Sniffer Community Sent: Wednesday, June 07, 2006 11:46 PM Subject: Re: [sniffer]FP suggestions Darin, Outlook will strip many of the headers when forwarding. Outlook Express nee

Re: [sniffer]WeightGate source, just in case...

2006-06-07 Thread Matt
Pete, Just two more cents for the masses... If people use this for two different external tests in Declude, they need to create two differently named executables because Declude will assume the calling executable to be part of the same test and only run it once (or possibly create an error de

Re: [sniffer]FP suggestions

2006-06-07 Thread Matt
Darin, Outlook will strip many of the headers when forwarding.  Outlook Express needs to forward the messages using "Forward As Attachment" in order to insert the full original headers.  Thunderbird/Netscape Mail will work just by forwarding.  If you paste the full source in a message, you sho

Re: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]FP suggestions

2006-06-07 Thread Darin Cox
>It is unclear - we receive FPs that have traveled through all sorts of >clients, quarantine systems, changed hands various numbers of times, >or not (to all of those)... Right now I don't want to make that >research project a high priority. Understood. >That's true it wouldn't change, but submit

Re: [sniffer]Re[2]: [sniffer]FP suggestions

2006-06-07 Thread Darin Cox
>Unfortunately, by the time the message gets to us it is sometimes just >different enough that the original pattern cannot be found. There are >some folks who consistently have success, and some who occasionally >have problems, and a few who always have a problem. Different in what way? Is the ma

Re: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]FP suggestions

2006-06-07 Thread Darin Cox
Awesome. Great job, Pete. Darin. - Original Message - From: "Pete McNeil" <[EMAIL PROTECTED]> To: "Message Sniffer Community" Sent: Wednesday, June 07, 2006 6:49 PM Subject: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]FP suggestions Hello Matt, Wednesday, June 7, 2006,

Re: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]A design question - how many DNS based tests?

2006-06-07 Thread Darin Cox
Right. Anything forwarded would be either above our delete weight, or reviewed and forwarded from within our hold range. Darin. - Original Message - From: "Pete McNeil" <[EMAIL PROTECTED]> To: "Message Sniffer Community" Sent: Wednesday, June 07, 2006 6:59 PM Subject: [sniffer]Re[2]:

Re: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]FP suggestions

2006-06-07 Thread Colbeck, Andrew
(sniff) Aw, cut it out, Matt. You're making me all weepy. p.s. Pete, that's pretty darned amazing! From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Wednesday, June 07, 2006 3:58 PM To: Message Sniffer Community Subject: Re: [sn

Re: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]FP suggestions

2006-06-07 Thread Matt
Pete, I think that you just broke Scott's record with his two hour feature request with your own a two hour program :) Anyone remember those days??? Thanks, Matt Pete McNeil wrote: Hello Matt, Wednesday, June 7, 2006, 4:22:05 PM, you wrote: Pete, Since the %WEIGHT%

Re: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]FP suggestions

2006-06-07 Thread Darin Cox
That would be great if you could add message rewriting. With the complete lack of response by Declude to support emails and the support list, they're going to lose most of us as customers as soon as someone comes out with an IMail/SmarterMail compatible product that has weighting and the array of

Re: [sniffer]FP suggestions

2006-06-07 Thread Darin Cox
n the report. Darin.     - Original Message - From: Scott Fisher To: Message Sniffer Community Sent: Wednesday, June 07, 2006 10:08 AM Subject: Re: [sniffer]FP suggestions For me the pain of false positives submissions is the research that happens when I get a "no rule found" return.   I the

Re: [sniffer]SPF

2006-06-07 Thread Darin Cox
Huh?  No, not at all.  Check it again.  It will work as specified. Darin.     - Original Message - From: Computer House Support To: Message Sniffer Community Sent: Wednesday, June 07, 2006 10:00 AM Subject: Re: [sniffer]SPF Hi Darin,   FYI, I tried putting in v=spf1 mx -all as

Re: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]A design question - how many DNS based tests?

2006-06-07 Thread Darin Cox
>> This also got me thinking of the flip side, spam reporting. There's a >> significant untapped load of spam that sniffer doesn't fail that we filter. >> I was thinking about creating a filter to copy your spam@ address with >> messages that get moved to our archive (we archive held spam for 30 d

Re: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]FP suggestions

2006-06-07 Thread Darin Cox
>> Can I interpret this as email address and matching source IP are sufficient >> if the correct email address is used to submit? >Yes. Ok, so the answer to my original suggestion is yes. Great. > If not, do you have any suggestions on how you would like to see us > inserting the license ID in

Re: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]FP suggestions

2006-06-07 Thread Colbeck, Andrew
'm glad I stuck with it. Andrew. From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Wednesday, June 07, 2006 1:22 PM To: Message Sniffer Community Subject: Re: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]FP suggestions Pete, Since the %WEIGHT% v

Re: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]FP suggestions

2006-06-07 Thread Matt
Pete, Since the %WEIGHT% variable is added by Declude, it might make sense to have a qualifier instead of making the values space delimited.  Errors in Declude could cause values to not be inserted, and not everyone will want to skip at a low weight.  I haven't seen any bugs with %WEIGHT% sinc

Re: [sniffer]Re[2]: [sniffer]FP suggestions

2006-06-07 Thread Matt
Pete, An X-Header would be very, very nice to have.  I understand the issues related to waiting to see if something comes through, and because of that, I would maybe suggest moving on your own. Sniffer doesn't need to be run on every single message in a Declude system.  Through weight based s

Re: [sniffer]FP suggestions

2006-06-07 Thread Scott Fisher
For me the pain of false positives submissions is the research that happens when I get a "no rule found" return.   I then need to find the queue-id of the original message and then find the appropriate Sniffer log and pull out the log lines from there and then submit it. Almost always in thes

Re: [sniffer]SPF

2006-06-07 Thread Computer House Support
f1 a -all" Does this sound right to you?     Mike Stein   - Original Message - From: Darin Cox To: Message Sniffer Community Sent: Tuesday, June 06, 2006 9:54 PM Subject: Re: [sniffer]SPF What's your hold weight?  If spam is only failing SPF and nothing else,

Re: [sniffer]AW: [sniffer]Numeric spam

2006-06-07 Thread Jonathan Hickman
. - Original Message - From: "Pete McNeil" <[EMAIL PROTECTED]> To: "Message Sniffer Community" Sent: Wednesday, June 07, 2006 8:30 AM Subject: Re: [sniffer]AW: [sniffer]Numeric spam > Hello Markus, > > Wednesday, June 7, 2006, 7:43:36 AM, you wrote:

Re: [sniffer]Re[2]: [sniffer]FP suggestions

2006-06-07 Thread Darin Cox
Hi Pete, Can I interpret this as email address and matching source IP are sufficient if the correct email address is used to submit? If not, do you have any suggestions on how you would like to see us inserting the license ID in the D file? Darin. - Original Message - From: "Pete McNe

Re: [sniffer]AW: [sniffer]Numeric spam

2006-06-07 Thread Pete McNeil
Hello Markus, Wednesday, June 7, 2006, 7:43:36 AM, you wrote: > > > Today I've noticed that there is a relation between the recipient > addresses that were used in the past 36 hours in the numeric spam > messages and the following wave of stock-spam messages containing > this png-graphic. A

Re: [sniffer]FP suggestions

2006-06-07 Thread Darin Cox
06 12:59 AM Subject: Re: [sniffer]FP suggestions Pete, Regarding suggestions for easing the reporting process, I would recommend the following possible modifications: 1) An E-mail submission tool similar to the one now, but replies would be automated 2) Send back links or rather an HTML form

Re: [sniffer]FP suggestions

2006-06-06 Thread Matt
Pete, Regarding suggestions for easing the reporting process, I would recommend the following possible modifications: 1) An E-mail submission tool similar to the one now, but replies would be automated 2) Send back links or rather an HTML form with checkboxes in an E-mail auto-response allowin

Re: [sniffer]SPF

2006-06-06 Thread Darin Cox
House           - Original Message - From: Darin Cox To: Message Sniffer Community Sent: Tuesday, June 06, 2006 9:30 PM Subject: Re: [sniffer]Numeric spam What do you use for spam filtering?  Declude has the ability to test SPF, for example.   Also, what is your SPF record for the domain in question? Darin.  

Re: [sniffer]Numeric spam

2006-06-06 Thread Darin Cox
Subject: Re: [sniffer]Numeric spam Hi Darin, Thanks for your reply. Sure wish I understood what you're saying Michael Stein Computer House - Original Message - From: Darin Cox To: Message Sniffer Community Sent: Tuesday, June 06, 2006 8:10 PM Subject: Re: [sn

Re: [sniffer]Numeric spam

2006-06-06 Thread Computer House Support
Hi Darin, Thanks for your reply. Sure wish I understood what you're saying Michael Stein Computer House - Original Message - From: Darin Cox To: Message Sniffer Community Sent: Tuesday, June 06, 2006 8:10 PM Subject: Re: [sniffer]Numeric spam Th

Re: [sniffer]Numeric spam

2006-06-06 Thread Darin Cox
Community Sent: Tuesday, June 06, 2006 8:07 PM Subject: Re: [sniffer]Numeric spam I thought that having an SPF record would prevent a spammer from forging your domain name, but our SPF record did not seem to help with these odd numeric E-mails which appear to be coming from our own domain.   Does

Re: [sniffer]Numeric spam

2006-06-06 Thread Computer House Support
this type of junkmail? Michael Stein Computer House - Original Message - From: Colbeck, Andrew To: Message Sniffer Community Sent: Tuesday, June 06, 2006 7:37 PM Subject: Re: [sniffer]Numeric spam Both of which are reasonable, particularly given the recent

Re: [sniffer]Re[2]: [sniffer]A design question - how many DNS based tests?

2006-06-06 Thread Darin Cox
> Can you recommend an alternate process, or changes to the existing > process that would be an improvement and would continue to achieve > these goals? We are always looking for ways to improve. I've been thinking about this recently. I'm mostly concerned with FPs for the best tests, like Sniffe

Re: [sniffer]Numeric spam

2006-06-06 Thread Colbeck, Andrew
iffer Community Subject: Re: [sniffer]Numeric spam My thought is they are either building a db of valid names or testing delivery techniques. John T eServices For You "Seek, and ye shall find!" -Original Message- From: Message Sniffer Co

Re: [sniffer]Numeric spam

2006-06-06 Thread John T (Lists)
t: Tuesday, June 06, 2006 3:46 PM To: Message Sniffer Community Subject: Re: [sniffer]Numeric spam     On Jun 6, 2006, at 7:51 AM, Steve Guluk wrote: We're getting the same and today it started hitting a different account (Domain).   What are these things? I thought exp

Re: [sniffer]Numeric spam

2006-06-06 Thread John Carter
es >that the bad guys care about list scrubbing. The greatest supposition >is that they would do this without commercial gain; after all, they >could have done this without a special spam run. > >I think they just screwed up again. > >Andrew 8) > > > >

Re: [sniffer]Numeric spam

2006-06-06 Thread Colbeck, Andrew
crewed up again. Andrew 8) From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Steve Guluk Sent: Tuesday, June 06, 2006 3:46 PM To: Message Sniffer Community Subject: Re: [sniffer]Numeric spam On Jun 6, 2006, at 7:51 AM, Steve Guluk wrote: We

Re: [sniffer]Numeric spam

2006-06-06 Thread Steve Guluk
On Jun 6, 2006, at 7:51 AM, Steve Guluk wrote: We're getting the same and today it started hitting a different account (Domain). What are these things? I thought exploratory, maybe looking for replies to build a DB for a later spam wave? They're not malicious in content and look like someone's virus wo

Re: [sniffer]Re[2]: [sniffer]Numeric spam topic change to png stock spam

2006-06-06 Thread Jonathan Hickman
uration as well now. > > > - Original Message - > > From: "Nick Hayer" <[EMAIL PROTECTED]> > > To: "Message Sniffer Community" > > Sent: Tuesday, June 06, 2006 10:05 AM > > Subject: Re: [sniffer]Numeric spam topic change to png stock

Re: [sniffer]A design question - how many DNS based tests?

2006-06-06 Thread Matt
I have 46 RBL's configured, though 16 are configured to score differently on last hop and prior hops. I would say that more than 35 of these are things that I would not like to lose. I weight most RBL's at around half of my Hold weight in Declude. False positives on my system typically hit a

Re: [sniffer]A design question - how many DNS based tests?

2006-06-06 Thread Colbeck, Andrew
I use just shy of 60 DNS based tests against the sender, both IP4R and RHSBL. Perhaps 10-12 matter. Due to false positives, I rate most of them relatively low and have built up their weights as a balancing act. That act is greatly assisted by using a weighting system and not "reject on first hit

Re: [sniffer]AW: [sniffer]AW: [sniffer]Concerned about amount of spam going through

2006-06-06 Thread David Waller
etley bypass Declude (but that's only a small fraction of the total). Regards David > -Original Message- > From: Message Sniffer Community > [mailto:[EMAIL PROTECTED] On Behalf Of David Waller > Sent: Tuesday, June 06, 2006 5:46 AM > To: Message Sniffer Community > S

Re: [sniffer]AW: [sniffer]AW: [sniffer]Concerned about amount of spam going through

2006-06-06 Thread Colbeck, Andrew
iguration? > (please not publish your sniffer-id!) > > Markus > > > > > > -Ursprüngliche Nachricht- > > Von: Message Sniffer Community > > [mailto:[EMAIL PROTECTED] Im Auftrag von David Waller > > Gesendet: Dienstag, 6. Juni 2006 11:51 > &

Re: [sniffer]Numeric spam

2006-06-06 Thread Steve Guluk
We're getting the same and today it started hitting a different account (Domain). What are these things? I thought exploratory, maybe looking for replies to build a DB for a later spam wave? They're not malicious in content and look like someone's virus working incorrectly. But, I doubt they are reall

Re: [sniffer]A design question - how many DNS based tests?

2006-06-06 Thread Scott Fisher
I use about 100 dnsbl/rbl/rhsbl list of varying weights and reliabilities. How many matter... I'd have to say the shining star is CBL. Hits 45% of the spam with a very low false positive rate. The relay RBLs days are way behind them, The proxy RBLs most useful days are behind them The DUL RBLs

Re: [sniffer]Re[2]: [sniffer]Numeric spam topic change to png stock spam

2006-06-06 Thread Nick Hayer
Pete McNeil wrote: Hello Nick, What is your false positive rate with that pattern? Hmm lets go to the MDLP for yesterday :) SS HH HS SH SA SQ REGEX.STOCK.BODY 331 0 0 66 0.667506 0.445565 COMBO.STOCK_PNG 16

Re: [sniffer]Numeric spam topic change to png stock spam

2006-06-06 Thread Jonathan Hickman
Nick, very good method. I have added that to my configuration as well now. - Original Message - From: "Nick Hayer" <[EMAIL PROTECTED]> To: "Message Sniffer Community" Sent: Tuesday, June 06, 2006 10:05 AM Subject: Re: [sniffer]Numeric spam topic change to pn

Re: [sniffer]Numeric spam topic change to png stock spam

2006-06-06 Thread Nick Hayer
Hi Markus - Markus Gufler wrote: There is also another type of spam (stock spam now with attached png image) this morning passing our filters. I am catching these fairly easily - a combo filter - #combo-stockspammer-png.txt SKIPIFWEIGHT26 TESTSFAILEDENDNOTCONTAINSEXTERNAL.REGE

Re: [sniffer]Concerned about amount of spam going through

2006-06-06 Thread Pete McNeil
Hello Michiel, Tuesday, June 6, 2006, 3:10:52 AM, you wrote: > > Crew, > >   > > I'm a bit concerned about the amount of spam that Sniffer's not > getting. It used to be a near 99% catch rate, but now it looks like it's > down to 70%...? > >   > > I opened my own mailbox this morni

Re: [sniffer]A design question - how many DNS based tests?

2006-06-06 Thread Nick Hayer
Hi Pete, Pete McNeil wrote: How many DNS based tests do you use in your filter system? approx 100 How many of them really matter? depends :) I generally weight them all very low; its the combination of several that make each 'matter'. As I review held mail I remove ones that are b
