Re: [sniffer] Sniffer seems to be causing false positives.

2005-01-20 Thread Pete McNeil
On Wednesday, January 19, 2005, 8:00:41 PM, Chuck wrote:

CS It appears that emails from statefarm.com are all being failed by
CS SNIFFER-OBFUSCATION code 61.  It appears from multiple senders and to
CS multiple recipient domains.  Any thoughts??

Update.
I've just removed a rule that matches broken headers found in malware
received at our spamtrap. The FP submission was originally from a
statefarm server.

The rule matched headers of the form:

Received: Received:
  from server...

_M




This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html
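
An added example, not part of the original post and not Message Sniffer's own rule: one way to test a raw message for the "Received: Received:" header form described above, with folded continuation lines joined first. The sample messages, host names and addresses are constructed; because the thread reports this form arriving from a legitimate server as well as from malware, a match is better treated as one weighted signal than as a verdict.

```python
import re

# Field name repeated at the start of the field body, i.e. the
# "Received: Received:" form quoted in the post.
DOUBLED = re.compile(r"Received\s*:", re.IGNORECASE)

def header_fields(raw):
    """Return (name, body) pairs from the header block, unfolding
    continuation lines (lines that start with a space or tab)."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    fields = []
    for line in head.splitlines():
        if line[:1] in (" ", "\t") and fields:
            name, body = fields[-1]
            fields[-1] = (name, (body + " " + line.strip()).strip())
        elif ":" in line:
            name, body = line.split(":", 1)
            fields.append((name.strip(), body.strip()))
    return fields

def doubled_received(raw):
    """Unfolded bodies of Received fields that begin with a second
    'Received:' token."""
    return [body for name, body in header_fields(raw)
            if name.lower() == "received" and DOUBLED.match(body)]

# Constructed sample messages (host names and addresses are placeholders).
BROKEN = (
    "Received: Received:\r\n"
    "  from relay.example.net ([192.0.2.10]) by mx.example.com;\r\n"
    "  Wed, 19 Jan 2005 20:00:41 -0500\r\n"
    "Subject: policy quote\r\n"
    "\r\n"
    "body text\r\n"
)
CLEAN = (
    "Received: from relay.example.net ([192.0.2.10]) by mx.example.com;\r\n"
    "  Wed, 19 Jan 2005 20:00:41 -0500\r\n"
    "Subject: Received: your quote\r\n"
    "\r\n"
    "Received: Received: appears only in the body here\r\n"
)

if __name__ == "__main__":
    for label, msg in (("broken", BROKEN), ("clean", CLEAN)):
        print(label, doubled_received(msg))
```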


RE: Re[2]: [sniffer] Sniffer seems to be causing false positives.

2005-01-20 Thread Chuck Schick
Pete:

Thanks for looking.  It was very strange because it was such varied messages
from general correspondence, quotes, and personal correspondence.  I put a
little negative weight in for statefarm.com which should keep it from
getting caught.

Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Pete McNeil
Sent: Wednesday, January 19, 2005 7:05 PM
To: Pete McNeil
Subject: Re[2]: [sniffer] Sniffer seems to be causing false positives.


On Wednesday, January 19, 2005, 9:02:02 PM, Pete wrote:

PM On Wednesday, January 19, 2005, 8:00:41 PM, Chuck wrote:

CS It appears that emails from statefarm.com are all being failed by 
CS SNIFFER-OBFUSCATION code 61.  It appears from multiple senders and 
CS to multiple recipient domains.  Any thoughts??

PM I will check though I doubt seriously that we would create this kind 
PM of rule - - a show of hands says we all recognize statefarm. Most 
PM likely this is an IP rule that got picked up by a robot, or perhaps 
PM something incidental.

PM Please be sure to post a false positive report and if you can 
PM identify the rule in your log files then you can add the ID as a 
PM rule panic in your .cfg to alleviate the problem immediately while 
PM we take the time to understand things further.

Just to follow up --- there are no rules that contain statefarm - so we
must be looking for something incidental.

_M






Re[4]: [sniffer] Sniffer seems to be causing false positives.

2005-01-20 Thread Pete McNeil
On Thursday, January 20, 2005, 10:15:23 AM, Chuck wrote:

CS Pete:

CS Thanks for looking.  It was very strange because it was such varied messages
CS from general correspondence, quotes, and personal correspondence.  I put a
CS little negative weight in for statefarm.com which should keep it from
CS getting caught.

As far as I can tell you shouldn't have a problem any more.
I don't recall seeing any false positive reports from you. Be sure if
the problem reappears that you do send some false positive examples to
us so that we can solve the problem.

http://www.sortmonster.com/MessageSniffer/Help/FalsePositivesHelp.html

Thanks,
_M



