Pete,
My understanding was that Declude treats different arguments to an
executable as just being other forms of that executable so it only
processes it once. I'm not positive one way or another. It's worth
testing though.
Matt
Pete McNeil wrote:
Hello Matt,
Wednesday, June 7, 2006,
Hello Pete,
Thursday, June 8, 2006, 9:42:42 AM, you wrote:
> Hello Pete,
> Thursday, June 8, 2006, 9:41:55 AM, you wrote:
>>> It does look a little weird. Sometimes it's normal though. I'll see if
>>> I can identify anything odd in the settings.
>>> _M
>> I've changed the settings. I hope th
Hello Pete,
Thursday, June 8, 2006, 9:41:55 AM, you wrote:
>> It does look a little weird. Sometimes it's normal though. I'll see if
>> I can identify anything odd in the settings.
>> _M
> I've changed the settings. I hope this response works ok.
> _M
Testing. Sorry for the extra traffic - on
> It does look a little weird. Sometimes it's normal though. I'll see if
> I can identify anything odd in the settings.
> _M
I've changed the settings. I hope this response works ok.
_M
--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.
###
Hello Matt,
Wednesday, June 7, 2006, 11:52:56 PM, you wrote:
> Pete,
> Just two more cents for the masses...
> If people use this for two different external tests in Declude, they
> need to create two differently named executables because Declude will
> assume the calling executable to be par
From: Message Sniffer Community
[mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Thursday, June 8, 2006 00:58
To: Message Sniffer Community
Subject: Re: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]FP suggestions
Pete,
I think that you just broke Scott's record w
>It is unclear - we receive FPs that have traveled through all sorts of
>clients, quarantine systems, changed hands various numbers of times,
>or not (to all of those)... Right now I don't want to make that
>research project a high priority.
Understood.
>That's true it wouldn't change, but submit
Hello Darin,
Wednesday, June 7, 2006, 7:26:48 PM, you wrote:
>>Unfortunately, by the time the message gets to us it is sometimes just
>>different enough that the original pattern cannot be found. There are
>>some folks who consistently have success, and some who occasionally
>>have problems, and
>Unfortunately, by the time the message gets to us it is sometimes just
>different enough that the original pattern cannot be found. There are
>some folks who consistently have success, and some who occasionally
>have problems, and a few who always have a problem.
Different in what way? Is the ma
Hello Andrew,
Wednesday, June 7, 2006, 6:59:52 PM, you wrote:
>
>
> (sniff) Aw, cut it out, Matt.
>
>
>
> You're making me all weepy.
>
>
>
> p.s. Pete, that's pretty darned amazing!
Well,... I was interrupted by kids, crazy house contractors, nosey
neighbors, phones, IM, and, w
Hello Darin,
Wednesday, June 7, 2006, 5:14:02 PM, you wrote:
>
>
> Oh, I assumed the rule had been removed. Are you saying there was
> a rule in place, but the FP processing somehow failed to find it?
> If so, I'd say that is a major failing on the part of the FP processing.
>
>
>
Awesome. Great job, Pete.
Darin.
- Original Message -
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: "Message Sniffer Community"
Sent: Wednesday, June 07, 2006 6:49 PM
Subject: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]FP
suggestions
Hello Matt
PM
Subject: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]A design
question - how many DNS based tests?
Hello Darin,
Wednesday, June 7, 2006, 5:09:27 PM, you wrote:
>>That would be a bad idea, sorry. After 30 days (heck, after 2) spam is
>>usually long-since filtered, o
iffer]Re[2]: [sniffer]Re[2]:
[sniffer]Re[2]: [sniffer]FP suggestions
Pete,
I think that you just broke Scott's record with his
two hour feature request with your own a two hour program :)
Anyone remember those days???
Thanks,
Matt
Pete McNeil wrote:
Hello Matt,
Wednesday, June 7, 2
Hello Darin,
Wednesday, June 7, 2006, 5:09:27 PM, you wrote:
>>That would be a bad idea, sorry. After 30 days (heck, after 2) spam is
>>usually long-since filtered, or dead. As a result, looking at 30 day
>>old spam would have a cost, but little benefit.
> You misinterpreted what I was saying.
Hello Darin,
Wednesday, June 7, 2006, 5:05:28 PM, you wrote:
> Uh, but the D file contains mime segments corresponding to attachments.
That's ok. SNF looks inside those, and w/ the FP scanning software
inside the rfc822 attachment also.
It's not perfect, but the majority of the time it does pi
Pete,
I think that you just broke Scott's record with his two hour feature
request with your own a two hour program :)
Anyone remember those days???
Thanks,
Matt
Pete McNeil wrote:
Hello Matt,
Wednesday, June 7, 2006, 4:22:05 PM, you wrote:
Pete,
Since the %WEIGHT%
Hello Matt,
Wednesday, June 7, 2006, 4:22:05 PM, you wrote:
>
> Pete,
>
> Since the %WEIGHT% variable is added by Declude, it might make
> sense to have a qualifier instead of making the values space
> delimited.
I don't want to mix delimiters... everything so far is using spaces,
so it
ay of
tests and scriptable filters we've come to rely on.
Darin.
- Original Message -
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: "Message Sniffer Community"
Sent: Wednesday, June 07, 2006 4:09 PM
Subject: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]FP sugges
>> This also got me thinking of the flip side, spam reporting. There's a
>> significant untapped load of spam that sniffer doesn't fail that we filter.
>> I was thinking about creating a filter to copy your spam@ address with
>> messages that get moved to our archive (we archive held spam for 30 d
>> Can I interpret this as email address and matching source IP are sufficient
>> if the correct email address is used to submit?
>Yes.
Ok, so the answer to my original suggestion is yes. Great.
> If not, do you have any suggestions on how you would like to see us
> inserting the license ID in
I'm glad I stuck with it.
Andrew.
From: Message Sniffer Community
[mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Wednesday, June 07, 2006 1:22 PM
To: Message Sniffer Community
Subject: Re: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]FP suggestions
Pete,
Since the %WEIGHT% v
Pete,
Since the %WEIGHT% variable is added by Declude, it might make sense to
have a qualifier instead of making the values space delimited. Errors
in Declude could cause values to not be inserted, and not everyone will
want to skip at a low weight. I haven't seen any bugs with %WEIGHT%
sinc
Hello Matt,
Wednesday, June 7, 2006, 3:37:36 PM, you wrote:
>
> Pete,
>
> An X-Header would be very, very nice to have. I understand the
> issues related to waiting to see if something comes through, and
> because of that, I would maybe suggest moving on your own.
I've got it on the lis
Pete,
An X-Header would be very, very nice to have. I understand the issues
related to waiting to see if something comes through, and because of
that, I would maybe suggest moving on your own.
Sniffer doesn't need to be run on every single message in a Declude
system. Through weight based s
Hello Scott,
Wednesday, June 7, 2006, 10:08:58 AM, you wrote:
>
>
> For me the pain of false positives submissions is the research
> that happens when I get a "no rule found" return.
>
>
>
> I then need to find the queue-id of the original message and then
> find the appropriate Snif
Hello Darin,
Tuesday, June 6, 2006, 7:49:37 PM, you wrote:
> This also got me thinking of the flip side, spam reporting. There's a
> significant untapped load of spam that sniffer doesn't fail that we filter.
> I was thinking about creating a filter to copy your spam@ address with
> messages t
Hello Darin,
Wednesday, June 7, 2006, 8:44:26 AM, you wrote:
> Hi Pete,
> Can I interpret this as email address and matching source IP are sufficient
> if the correct email address is used to submit?
Yes.
> If not, do you have any suggestions on how you would like to see us
> inserting the lic
"Pete McNeil" <[EMAIL PROTECTED]>
To: "Message Sniffer Community"
Sent: Wednesday, June 07, 2006 8:25 AM
Subject: [sniffer]Re[2]: [sniffer]FP suggestions
Hello Darin,
Wednesday, June 7, 2006, 7:31:29 AM, you wrote:
>
>
> The one issue with this I have is
>
>
Hello Darin,
Wednesday, June 7, 2006, 7:31:29 AM, you wrote:
>
>
> The one issue with this I have is
>
>
>
> 1) Forward full original source to Sniffer with license code.
>
> If we could do it without the license code, it would be much
> easier to automate on our end. I already ha
ssed for FPs.
Thoughts?
Darin.
- Original Message -
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: "Message Sniffer Community"
Sent: Tuesday, June 06, 2006 7:29 PM
Subject: [sniffer]Re[2]: [sniffer]A design question - how many DNS based
tests?
Hello Matt,
Tu
Hello John,
Tuesday, June 6, 2006, 7:25:33 PM, you wrote:
>
>
>
> My thought is they are either building a db of valid names or testing
> delivery techniques.
I've got a few theories on this... but the most likely is that this is
just another one that got away from them. There are se
Hello Matt,
Tuesday, June 6, 2006, 12:37:56 PM, you wrote:
> appropriately and tend to hit less often, but the FP issues with
> Sniffer have grown due to cross checking automated rules with other
> lists that I use, causing two hits on a single piece of data. For
> instance, if SURBL has an FP
Because a small amount of weight is added, it is still sufficient for
tilting the scales on more occurrences than other image types.
- Original Message -
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: "Message Sniffer Community"
Sent: Tuesday, June 06, 2006 10:44
Hello Andrew,
Tuesday, June 6, 2006, 11:44:46 AM, you wrote:
> David,
> Are you using the free version of sniffer? Or did you deliberately
> change your .exe name in your posting to sniffer.exe to hide your licence
> number?
> I certainly expect that the rulebase lag with the free version will
Hello Nick,
Thanks.
That's all good then :-)
_M
Tuesday, June 6, 2006, 10:46:55 AM, you wrote:
>
> Pete McNeil wrote:
>
> Hello Nick,
> What is your false positive rate with that pattern?
>
> Hmm lets go to the MDLP for yesterday :)
>
>
Pete McNeil wrote:
Hello Nick,
What is your false positive rate with that pattern?
Hmm lets go to the MDLP for yesterday :)
                  SS  HH HS SH SA       SQ
REGEX.STOCK.BODY  331 0  0  66 0.667506 0.445565
COMBO.STOCK_PNG   16
Hello Jonathan,
I urge caution from experience... png images are not entirely rare,
and the cid: tag format in the regex is also common.
I'd love to be wrong - but I recall false positives with similar
attempts in the past.
Is there more to this than the two elements I just described -
something
Hello Nick,
What is your false positive rate with that pattern?
_M
Tuesday, June 6, 2006, 10:05:18 AM, you wrote:
> Hi Markus -
> Markus Gufler wrote:
>>There is also another type of spam (stock spam now with attached png image)
>>this morning passing our filters.
>>
> I am catching these fai
Hello Peer-to-Peer,
That's a good point.
Any kind, perhaps by category.
I was originally thinking of just RBLs of various types.
Thanks,
_M
Tuesday, June 6, 2006, 9:46:01 AM, you wrote:
> Hi _M,
> Do you mean like reverse PTR records, or HELO lookups, etc..?
> --Paul R.
> -Original M
Hello Bonno,
Friday, May 26, 2006, 10:41:11 AM, you wrote:
> Hi Pete,
>> Watch out for today's spam storm -- it's a lot bigger than we've seen
>> in a long while. 48 hour image attached.
> This has low priority but. I've tried to find a live version of that
> graph you've sent but I cannot
Hello andyb,
Friday, May 26, 2006, 8:16:02 AM, you wrote:
> Hi Pete,
> Could you be so kind as to include the legend with the graph?
> Otherwise, there are 3 lines that don't mean anything because they are
> undefined.
Sorry for the confusion...
The three lines are all for the same data, but a
Hello Andrew,
Wednesday, May 17, 2006, 5:35:36 PM, you wrote:
>> Certainly, submitting samples to spam@ (or preferably your
>> local spam submission point polled by our bots) will put
>> these messages in front of us if we have not already created
>> rules for them.
> I've just manually submi
Hello Daniel,
Wednesday, May 17, 2006, 3:07:38 PM, you wrote:
> I've gotten one myself.
> The pharmacy ones, are still coming through too for that matter.
Here is what the latest wave has looked like from here (attached
image).
You can see, starting about 24 hours ago a jagged, but fairly regu
It is not slowing down out here.
Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Pete McNeil
Sent: Friday, May 05, 2006 9:32 AM
To: Darin Cox
Subject: Re[2]: [sniffer] Lot of Drugs Spam getting
OTECTED] [mailto:[EMAIL PROTECTED]
On
> Behalf Of Pete McNeil
> Sent: Friday, May 05, 2006 9:09 AM
> To: John T (Lists)
> Subject: Re[2]: [sniffer] Lot of Drugs Spam getting through sniffer
>
> We've had that rule before and had to pull it for false positives.
>
> _
We've had that rule before and had to pull it for false positives.
_M
On Friday, May 5, 2006, 11:41:50 AM, John wrote:
JTL> FYI, I created a Declude Filter:
JTL> Subject END NOTCONTAINS news
JTL> BODY 25 CONTAINS http://geocities.com/
JTL> Been catching every on
I thought it had been a bit quiet of late .
Appreciate the efforts, Pete.
Darin.
- Original Message -
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: "Darin Cox"
Sent: Friday, May 05, 2006 11:32 AM
Subject: Re[2]: [sniffer] Lot of Drugs Spam getting through snif
On Friday, May 5, 2006, 11:02:00 AM, Darin wrote:
DC> Not just drugs, but some others too have been slipping through the past
DC> couple of days. We've reported a little under 40 in the past couple of
DC> days.
We saw a bit of a lull, then a rash of new campaigns bunched together
with some new o
On Friday, May 5, 2006, 10:49:06 AM, Kevin wrote:
KS> I have been getting them here also and have forwarded some to
KS> [EMAIL PROTECTED]
KS> I guess to get past the filters the spammers misspell key words throughout
KS> the email with new web links. It is misspelled so badly that I cannot reall
There are several, new, fast moving campaigns.
We're working on new abstracts for this.
Thanks,
_M
On Friday, May 5, 2006, 10:37:37 AM, Daniel wrote:
DB> Here too.
DB> --
DB> Daniel Bayerdorffer [EMAIL PROTECTED]
DB> Numberall Stamp & Tool Co., Inc.
DB> PO Box 187 Sangerville, ME 04479 USA
D
Yes, I'm sorry. I'm still working on that with the back-end server
guys over there. I am getting your messages though. Please ignore the
jsmith bounces for now. I will keep on them.
Thanks!
_M
On Thursday, April 20, 2006, 12:11:25 PM, Scott wrote:
SF> Still happening when I reply to false posit
To: "Darin Cox"
Sent: Tuesday, March 21, 2006 11:52 AM
Subject: Re[2]: [sniffer] False positive processing
On Tuesday, March 21, 2006, 11:37:30 AM, Darin wrote:
DC> Nope. None of them.
DC> I haven't heard back from the replies to a couple of false positives on the
On Tuesday, March 21, 2006, 11:37:30 AM, Darin wrote:
DC> Nope. None of them.
DC> I haven't heard back from the replies to a couple of false positives on the
DC> 10th, and we haven't heard anything from our submissions on the 16th (6) and
DC> 17th (2). I don't remember if we've heard anything f
> To: John T (Lists)
> Subject: Re[2]: [sniffer] New Web Site!
>
> On Friday, March 17, 2006, 11:53:58 AM, John wrote:
>
> JTL> What is the purpose of using a WIKI site?
>
> A few things really -
>
> * It's fast and easy to create, update, and correct the co
On Friday, March 17, 2006, 11:53:58 AM, John wrote:
JTL> What is the purpose of using a WIKI site?
A few things really -
* It's fast and easy to create, update, and correct the content.
Things happen quickly here and in the messaging security business in
general. It makes sense to use tools that
"Pete McNeil" <[EMAIL PROTECTED]>
To: "Darin Cox"
Sent: Monday, March 13, 2006 10:23 AM
Subject: Re[2]: [sniffer] New RuleBot F002 Online
On Friday, March 10, 2006, 3:41:00 PM, Darin wrote:
DC> Totally agree. I'd like to see some separation between rules create
On Friday, March 10, 2006, 3:41:00 PM, Darin wrote:
DC> Totally agree. I'd like to see some separation between rules created by
DC> newer rulebots and preexisting rules. That way if there becomes an issue
DC> with a bot, we can turn off one group quickly and easily.
There is no way to do this w
hursday, March 09, 2006 9:54 AM
Subject: Re[2]: [sniffer] F001 Rule Bot Change
On Thursday, March 9, 2006, 10:04:17 AM, Nick wrote:
NH> Hi Pete,
It's a bit too early to know about the reliability of F001.
NH> Understood - sorry I was not clear on this :)
NH> I was referring to
On Thursday, March 9, 2006, 10:04:17 AM, Nick wrote:
NH> Hi Pete,
>>It's a bit too early to know about the reliability of F001.
>>
NH> Understood - sorry I was not clear on this :)
NH> I was referring to all your tests eg: printers, snake oil, what
NH> have you. which one do you have the most c
On Thursday, March 9, 2006, 8:48:43 AM, Nick wrote:
NH> Hi Pete -
NH> Pete McNeil wrote:
>>Hello Sniffer Folks,
>>
>> The F001 Rule Bot has been adjusted.
>>
NH> Is it possible for you to recommend a percentage of accuracy or maybe
NH> better stated a percentage of delete weight for each rule
281965
Could this please stop, sniffer was pretty reliable for us, but not at the
moment.
Regards,
Marcel Sangers
Traction IT
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Pete McNeil
Sent: Tuesday, March 7, 2006 0:18
To: Darin Cox
Sub
CTED] On Behalf Of Pete McNeil
> Sent: Tuesday, March 07, 2006 6:28 PM
> To: Harry Vanderzand
> Subject: Re[2]: [sniffer] declude tests
>
> On Tuesday, March 7, 2006, 6:20:04 PM, Harry wrote:
>
> HV> I guess I am not understanding something here after all this time
>
>
On Tuesday, March 7, 2006, 6:20:04 PM, Harry wrote:
HV> I guess I am not understanding something here after all this time
HV> So as I understand I leave the persistent word out of the declude config and
HV> just run the service?
YES. :-)
The instances launched by Declude will recognize that the
On Tuesday, March 7, 2006, 5:35:05 PM, Harry wrote:
HV> I put in the detailed tests as below.
HV>
HV> When the nonzero single test runs I get items trapped with a
HV> score of 7 by sniffer however when I turn it off and activate the
HV> detailed once I do not get a hit at all on the detailed te
On Monday, March 6, 2006, 6:09:43 PM, Matt wrote:
M> Pete,
M> Does this mean that you are somehow supporting incremental rule base
M> updates, or is it that the compiler is just much faster so we will get
M> the same number of updates, but generally get them 40-120 minutes
M> earlier in relatio
Thanks, Pete.
Darin.
- Original Message -
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: "Darin Cox"
Sent: Monday, March 06, 2006 6:17 PM
Subject: Re[2]: [sniffer] New Rulebot F001
On Monday, March 6, 2006, 3:42:50 PM, Darin wrote:
DC> We just reviewed
day, March 06, 2006 3:18 PM
> To: Darin Cox
> Subject: Re[2]: [sniffer] New Rulebot F001
>
> On Monday, March 6, 2006, 3:42:50 PM, Darin wrote:
>
> DC> We just reviewed this morning's logs and had a few false
> positives.
> DC> Not sure if these are due to the n
On Monday, March 6, 2006, 3:42:50 PM, Darin wrote:
DC> We just reviewed this morning's logs and had a few false positives. Not
DC> sure if these are due to the new rulebot, but it's more than we've had for
DC> the entire day for the past month.
DC> Rules
DC> --
DC> 873261
DC> 866398
DC>
On Monday, March 6, 2006, 3:13:53 PM, Jay wrote:
JSHNL> There's been at least one FP ;)
JSHNL> --
JSHNL> Rule - 861038
JSHNL> Name F001 for Message 2888327: [216.239.56.131]
JSHNL> Created 2006-03-02
JSHNL> Source 216.239.56.131
JSHNL> Hidden false
JSHNL> Blocked fal
On Saturday, February 25, 2006, 1:38:53 PM, Joe wrote:
JW>
JW>
JW> I would actually prefer that MDLP autotune the weight for
JW> invURIBL, but since the weights are managed by invURIBL and not
JW> Declude I don't know how this will work.
I'm not familiar enough with invURIBL to know how it
On Friday, February 24, 2006, 7:13:47 AM, Jeff wrote:
JP> Do I need to modify anything in my Declude configuration file where it calls
JP> the SNIFFER test in order for this to function ??
No. You set up a persistent instance outside of Declude and the other
SNF instances adapt automatically.
_M
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Rick Robeson
> Sent: Thursday, February 23, 2006 12:23 PM
> To: sniffer@SortMonster.com
> Subject: RE: Re[2]: [sniffer] When to go persistent
>
> I thought you had to run this as a service?
>
> Rick Robe
er.com
Subject: RE: Re[2]: [sniffer] When to go persistent
Pete,
> To run in persistent mode, simply launch an instance of SNF from the
> command line with the word "persistent" in place of the file to scan.
>
> .exe persistent
>
I am calling Sniffer from Declude. Could
Pete,
> To run in persistent mode, simply launch an instance of SNF from the
> command line with the word "persistent" in place of the file to scan.
>
> .exe persistent
>
I am calling Sniffer from Declude. Could I just alter my statement in my
config file to include persistent? That way the fi
On Thursday, February 23, 2006, 11:53:51 AM, LLC wrote:
JISL> I'm investigating the persistent mode and read the info on the web site.
JISL> Can't make heads or tails of it.
JISL> How do I enable persistent mode on a Windows 2003 Server? The web site speaks
JISL> hypothetically, but the informati
.
Darin.
- Original Message -
From: "Andy Schmidt" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, February 21, 2006 11:16 AM
Subject: RE: Re[2]: [sniffer] False Positive - no reaction?
Hi Pete,
I agree that the email notification is tricky - because you might respond to
spa
I like this idea more than the email notification. I really don't need more
emails.
- Original Message -
From: "Andy Schmidt" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, February 21, 2006 10:16 AM
Subject: RE: Re[2]: [sniffer] False Positive - no reaction?
Hi Pe
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Pete McNeil
Sent: Tuesday, February 21, 2006 11:04 AM
To: Andy Schmidt
Subject: Re[2]: [sniffer] False Positive - no reaction?
On Tuesday, February 21, 2006, 10:16:11 AM, Andy wrote:
AS> Sorry - didn't mean t
On Tuesday, February 21, 2006, 10:16:11 AM, Andy wrote:
AS> Sorry - didn't mean to be "pushy". I just thought that false positives are
AS> worse than missed spam, so I had assumed that they would always be at the
AS> top of the queue.
It is a very tough balancing act. Don't feel bad at all - you'
On Wednesday, February 15, 2006, 4:48:43 PM, Computer wrote:
CHS> I second the motion. We have been submitting spam for over a year and I
CHS> don't know if a single one was received.
In general, if you've not received an error during delivery, we most
certainly got your message... it may have e
Jim,
Not at this time. The two processes are entirely different. The False
Positives process is highly interactive. The standardized responses
were implemented to allow for some automation on both sides.
Spam submissions are always treated as anonymous for security reasons
and also because of the
On Wednesday, February 15, 2006, 4:32:14 PM, Robert wrote:
RG> The X-SNF header. Sounds like a good idea. Is there a cheat sheet someplace
RG> for making that happen, if possible, in a Declude / Imail environment?
RG> Thanks ahead of time,
In the distribution the option is described in the .cfg
On Wednesday, February 15, 2006, 11:02:11 AM, Bonno wrote:
BB> Hi Pete,
BB> []
>> If you wish, it is possible to create a local black rule for any
>> geocities link. On many ISP systems this would cause false positives,
>> but on more private systems it may be a reasonable solution.
>>
BB> I
Hello Pete,
PM> It is theoretically possible for too many evaluators to be spawned,
PM> but highly unlikely. Most of the time, fewer than 100 are generated.
PM> It's ok for this to happen, but it is noteworthy.
PM> I will look for any rules that make this more likely than usual.
I have a monit
On Wednesday, February 8, 2006, 1:32:05 PM, David wrote:
>> The .xhdr files are created by SNF and can be turned off in SNF's .cfg
>> file. They contain text that could be added to the headers of the
>> message to help debug false positives and/or to trigger other
>> filtering systems.
>>
DP> Wel
On Wednesday, February 8, 2006, 11:06:07 AM, Markus wrote:
MG> If a experimental rule showed to be reliable they move them in
MG> the appropriate category (rich, fraud,...)
MG>
MG>
MG>
MG> I'm not sure about this but I think it's so and so it shouldn't
MG> be necessary to do something like
What is the correct Sniffer string in Declude Global.cfg file.
SNIFFER external nonzero "d:\imail\declude\sniffer\sniffer.exe code" 12 0
or
SNIFFER external nonzero "d:\imail\declude\sniffer\sniffer.exe code" 10 0
Thanks
Filippo
On Wednesday, February 8, 2006, 11:00:05 AM, Ali wrote:
AR> I for one would like to see it incorporated. What Peter's take?
The SNF v2 engine is open source for precisely that purpose, and in
general so that the SNF engine can be incorporated into any similar
projects.
I can't spare the cycles r
ust before that, and unfreeze once it was clear
that no glut of false positives would result.
Darin.
- Original Message -
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: "Darin Cox"
Sent: Wednesday, February 08, 2006 11:13 AM
Subject: Re[2]: [sniffer] problems!!!
Thank you Pete
Harry Vanderzand
inTown Internet & Computer Services
519-741-1222
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
> Sent: Wednesday, February 08, 2006 11:09 AM
> To: Markus Gufler
> Su
On Wednesday, February 8, 2006, 10:59:09 AM, Darin wrote:
DC> I have an idea. These problems seem to stem mostly from changes
DC> in the methods of handling rulebase updates.
DC> Would it be feasible to announce in advance when such changes
DC> are to be implemented? With advance notice of
On Wednesday, February 8, 2006, 10:48:10 AM, Markus wrote:
MG>
MG>
MG> Harry,
MG>
MG>
MG>
MG> (please don't post your entire license code to a public list.)
Yes, Harry, please don't. I'll be resetting your Authorization code
and sending it to you off list.
Other than changing your au
On Tuesday, February 7, 2006, 7:54:10 PM, John wrote:
JC> So, in my terms (simple), this rule only catches msg if the two drug names
JC> are in that order and in all capitals, but not necessarily one immediately
JC> following the other?
That was close to the original intent. The rule would also
Hello Pete,
Tuesday, February 7, 2006, 7:43:52 PM, you wrote:
PM> The rule would match the intended spam (and there was a lot of it, so
PM> 22,055 most likely includes mostly spam.
On spot check I'm seeing about 30-40% of the messages are valid.
PM> Unfortunately it would also match messages co
I've had an internal note that our colo provider is working on a
networking problem. That's probably what you're seeing. Apparently it
doesn't affect all paths to the 'net equally and/or it may be solved
by now.
_M
On Tuesday, February 7, 2006, 5:53:35 PM, John wrote:
JC> Agreed, my last report
Final\t828931 and Final.*828931 both found 850 entries in my current log
using Baregrep.
John C
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of David Sullivan
Sent: Tuesday, February 07, 2006 6:12 PM
To: sniffer@SortMonster.com
Subject: Re[2]: [sniffer
CTED]
On Behalf Of David Sullivan
Sent: Tuesday, February 07, 2006 4:12 PM
To: sniffer@SortMonster.com
Subject: Re[2]: [sniffer] Bad Rule - 828931
Hello Matt,
Tuesday, February 7, 2006, 6:27:25 PM, you wrote:
M> rule number, and I don't have the tools set up or the knowledge of
M> grep
Hello Matt,
Tuesday, February 7, 2006, 6:27:25 PM, you wrote:
M> rule number, and I don't have the tools set up or the knowledge of grep
M> yet to do a piped query of Sniffer's logs to extract the spool file names.
http://www.baremetalsoft.com/ is a great grep'er for windows. In BSD I
always use
Somebody please tell me I'm doing something wrong here. I use this
expression in Baregrep "Final\t828931" and it yields 22,055 matching
lines across 3 of my 4 license's log files.
Since this is set to my hold weight, I'm assuming that means I've had
22,055 holds on this rule?
--
Best regards,
D