RE: Re[2]: [sniffer] 2-3.0i9 looks good to me... How about you?

2004-10-27 Thread Landry William

Here is what I've been using for several months now, compiled from the
original Sniffer autosnf.cmd file and suggestions found on this list:
=
rem First, get the updated rules file from the web site.

wget -N http://www.sortmonster.net/Sniffer/Updates/rulebase.snf -O rulebase.new.gz --header=Accept-Encoding:gzip --http-user=sniffer --http-passwd=ki11sp8m -o snfupd.txt

rem Uncompress the rulebase file.

gzip -d -f rulebase.new.gz

rem If that worked, then there will be a rulebase.new file.

if exist rulebase.new goto Replace

rem If the above test fails, then we skip to the end of the file
rem and take no further action. Everything stays as it is.

goto Done

rem If the test didn't fail we'll replace our file.

:Replace

rem The check utility gets the ID from the name but it ignores the
rem extension so we'll rename it for the test.

rename rulebase.new rulebase.tst

rem Now we need to test the file and check our error level. If the
rem check fails we'll skip to the end

snf2check.exe rulebase.tst license-id
if errorlevel 1 goto Done

echo New File Tested GOOD!

rem If we didn't fail then we can go ahead and make the switch.

if exist rulebase.old del rulebase.old
rename rulebase.snf rulebase.old
rename rulebase.tst rulebase.snf

rem Handle any additional successful system updates here (before Done).

:Done

rem If things went well we're all ok.
rem If something went wrong then we'll do a bit of cleanup.

if exist rulebase.tst del rulebase.tst
=

Copy everything between the equal signs and paste it into your autosnf.cmd
file.  Replace "rulebase" everywhere in the script with your Sniffer rulebase
name and "license-id" with your actual Sniffer License ID.  Then you
can set it to check hourly via Task Scheduler and it will only download if
the file has changed, and if it has, it will send a request to the Sniffer
server to compress the file before downloading.

Also, watch for word-wrapping, the "wget" line should be one long line.  The
snfupd.txt file will allow you to check the status of each download attempt,
as it is created (overwriting the existing file) with each download attempt.

Bill

-Original Message-
From: Darrell ([EMAIL PROTECTED]) [mailto:[EMAIL PROTECTED]

Sent: Wednesday, October 27, 2004 6:47 PM
To: [EMAIL PROTECTED]
Subject: Re: Re[2]: [sniffer] 2-3.0i9 looks good to me... How about you?


Does anyone have a little dissertation on how they have this setup.

Darrell

---
This message and any included attachments are from Siemens Medical Solutions 
USA, Inc. and are intended only for the addressee(s).  
The information contained herein may include trade secrets or privileged or 
otherwise confidential information.  Unauthorized review, forwarding, printing, 
copying, distributing, or using such information is strictly prohibited and may 
be unlawful.  If you received this message in error, or have reason to believe 
you are not authorized to receive it, please promptly delete this message and 
notify the sender by e-mail with a copy to [EMAIL PROTECTED] 

Thank you

This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html
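
The batch file above, rewritten as an added example in POSIX shell for the *nix
installations mentioned later in this thread. This is editor-added code, not
Bill's script and not part of Message Sniffer. Everything it assumes is
labelled: the CHECK command exits 0 for a good rulebase and non-zero
otherwise (which is how snf2check.exe is used in the batch file); the rulebase
name, LICENSE_ID, the URL, the credentials and the staging directory are
placeholders the caller supplies; and a checksum rather than wget -N decides
whether the download changed, because current wget releases disable -N when
-O is also given, and the batch file relies on that combination. The
constructed demo_check marker and demo_update scratch files exist only so the
script runs offline.

```shell
#!/bin/sh
# Added example, not from the post above: fetch / verify / swap a Message
# Sniffer rulebase, never touching the live file until the candidate passed.
# Assumptions are labelled in the comments; snf_check wraps snf2check the way
# the batch file calls it and is the only part that needs the real tool.

# rulebase_changed FILE STAMP
#   Exit 0 (and record the new checksum in STAMP) when FILE differs from
#   the last copy seen, or when STAMP does not exist yet; exit 1 otherwise.
rulebase_changed() {
    sum=$(cksum < "$1") || return 1
    if [ -f "$2" ] && [ "$(cat "$2")" = "$sum" ]; then
        return 1
    fi
    printf '%s\n' "$sum" > "$2"
}

# install_rulebase NAME CHECK
#   Expects a decompressed candidate NAME.new next to the live NAME.snf.
#   CHECK is a command or shell function that receives the candidate path.
#   Exit 0 after the switch, 1 if there is no candidate, 2 if the candidate
#   failed verification (it is deleted; NAME.snf is only replaced after the
#   check passes). The previous live file stays as NAME.old for rollback.
install_rulebase() {
    name=$1 check=$2
    [ -f "$name.new" ] || return 1
    mv -f "$name.new" "$name.tst" || return 1
    if ! "$check" "$name.tst"; then
        rm -f "$name.tst"
        return 2
    fi
    if [ -f "$name.snf" ]; then
        mv -f "$name.snf" "$name.old" || return 1
    fi
    mv -f "$name.tst" "$name.snf"
}

# fetch_and_install NAME URL USER PASS STAGING CHECK
#   Download into STAGING (wget names the file after the URL), unpack it to
#   NAME.new only when the bytes changed, then verify and swap. Needs the
#   network, so the self-test below does not call it. --http-password is
#   the current spelling of the --http-passwd option used in the batch file.
fetch_and_install() {
    name=$1 url=$2 user=$3 pass=$4 staging=$5 check=$6
    mkdir -p "$staging" || return 1
    wget -q -N -P "$staging" --header='Accept-Encoding: gzip' \
        --http-user="$user" --http-password="$pass" "$url" || return 1
    fetched="$staging/${url##*/}"
    rulebase_changed "$fetched" "$staging/last.cksum" || return 1
    # The server may or may not have honoured Accept-Encoding: accept both.
    if gzip -t "$fetched" 2>/dev/null; then
        gzip -dc "$fetched" > "$name.new" || return 1
    else
        cp "$fetched" "$name.new" || return 1
    fi
    install_rulebase "$name" "$check"
}

# Production check: snf2check as the batch file calls it. LICENSE_ID is a
# placeholder the operator sets to the real licence ID.
snf_check() {
    snf2check "$1" "${LICENSE_ID:?set LICENSE_ID}"
}

# Constructed check for the self-test only: a candidate is "good" when its
# first line is the marker SNF-TEST-RULEBASE. Real rulebases are not like this.
demo_check() {
    [ "$(head -n 1 "$1")" = "SNF-TEST-RULEBASE" ]
}

# Stand-alone demonstration in a scratch directory: a corrupt candidate is
# rejected and the live file survives; a good one is swapped in and the
# previous live file is kept as rulebase.old.
demo_update() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        printf 'SNF-TEST-RULEBASE\nrule-1\n' > rulebase.snf
        printf 'garbage\n' > rulebase.new
        rc=0; install_rulebase rulebase demo_check || rc=$?
        echo "corrupt candidate: status $rc, live file has $(grep -c '' rulebase.snf) lines"
        printf 'SNF-TEST-RULEBASE\nrule-1\nrule-2\n' > rulebase.new
        rc=0; install_rulebase rulebase demo_check || rc=$?
        echo "good candidate: status $rc, live file has $(grep -c '' rulebase.snf) lines," \
             "rulebase.old has $(grep -c '' rulebase.old)"
    )
    rm -rf "$dir"
}
demo_update
```

In production the hourly job would call `fetch_and_install RULEBASE
'http://www.sortmonster.net/Sniffer/Updates/RULEBASE.snf' sniffer PASSWORD
/var/lib/snf/staging snf_check` from the directory that holds RULEBASE.snf,
with RULEBASE and PASSWORD filled in; the exit status tells cron whether a
switch happened (0), nothing changed (1) or the candidate was rejected (2).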


[sniffer] Version 2-3.1 Official Release

2004-10-27 Thread Pete McNeil
Hello Sniffer Folks,

  This is the official release of version 2-3.1 which has the
  following key features:

  * Improved stability and performance under heavy loads - especially
  on over-stressed servers or during uncharacteristically heavy peaks.

  * Persistent-Server timing enhancements significantly improve Message
  Sniffer's throughput when running under MDaemon's content filter.

  * Persistent-Server now produces a real-time status file for
  performance monitoring. The .stat file serves a dual purpose. First
  it is used by the Persistent-Server to publish performance
  specifications to client-peers. This allows a very tight
  coordination of timing events between client and server instances
  and reduces coordination overhead significantly. Second it provides
  for a ready monitor for current server throughput. Here is an
  example of the current status of our NT test bed as I write this:

  TicToc: 1098926268
Loop: 472
Poll: 356
Jobs: 158102
Secs: 389065
 Msg/Min: 24.3818
Current-Load: 9.80392
Average-Load: 10.0682
  
  * Diagnostics mode now available by modifying the .cfg file. The
  diagnostics log shows the activity of the peer-server swarm to aid
  in debugging if needed.

  * X-Header File option is now available by modifying the .cfg file.
  This produces a .xhdr file for each message processed. The file
  contains the x-headers that Message Sniffer would add to the message
  so that they can be picked up by compatible software and/or
  scripting (such as on *nix systems) and added to the message or
  interpreted for greater detail. The headers stubs are configurable
  and come in two forms that can be used together or separately. One
  header shows the final result of the scan. The other shows all of
  the pattern matches that were identified. These headers can be
  extremely valuable when processing false positives since they travel
  along with the message - (no more hunting for log file snips).

  --- The software calling Message Sniffer is responsible for deleting
  the .xhdr file once it has been used!

  * This version also includes some minor bug fixes and other
  minor enhancements.

  * The distribution file is now available in both .zip and .tar.gz
  formats from our Try-It page.

  

  * This version is a drop-in replacement for all 2.x versions.

Thanks,
_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)




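
The .stat file shown in the announcement, read back as a monitoring check.
This is an added example by the editor, not code from Message Sniffer or from
the announcement. It assumes TicToc is a Unix epoch timestamp (the announced
value 1098926268 falls on the day the message was posted), that a monitoring
job passes the current time as NOW (in practice `$(date +%s)`), and that the
thresholds given to check_stat are illustrative; the sample file is a
constructed copy of the one in the post.

```shell
#!/bin/sh
# Added example, not part of the release announcement: parse the
# Persistent-Server .stat file and decide whether the server is alive and
# within limits. Assumptions (TicToc as epoch seconds, thresholds) are noted
# at each function.

# stat_value FILE KEY
#   Print the value of KEY (e.g. Msg/Min). Keys are matched on the first
#   whitespace-delimited field, so the uneven indentation in the
#   announcement does not matter.
stat_value() {
    awk -v key="$2:" '$1 == key { print $2; exit }' "$1"
}

# msgs_per_min_from_counters FILE
#   Recompute Jobs / Secs * 60. For the announced sample this reproduces the
#   published Msg/Min line (158102 / 389065 * 60 = 24.3818), a cheap
#   consistency check that the file is a complete server write and not a
#   truncated one.
msgs_per_min_from_counters() {
    awk '$1 == "Jobs:" { j = $2 } $1 == "Secs:" { s = $2 }
         END { if (s > 0) printf "%.4f\n", j * 60 / s }' "$1"
}

# check_stat FILE NOW MIN_RATE MAX_LOAD MAX_AGE
#   NOW is the current epoch time; TicToc is assumed to be epoch seconds.
#   Exit 0 when the server published recently, throughput is at least
#   MIN_RATE msg/min and Current-Load is at most MAX_LOAD; otherwise print
#   each problem and exit 1.
check_stat() {
    file=$1 now=$2 min_rate=$3 max_load=$4 max_age=$5
    rc=0
    tictoc=$(stat_value "$file" TicToc)
    if [ -z "$tictoc" ] || [ $((now - tictoc)) -gt "$max_age" ]; then
        echo "stale: TicToc '$tictoc' is older than ${max_age}s (server not publishing)"
        rc=1
    fi
    rate=$(stat_value "$file" Msg/Min)
    if [ -z "$rate" ] || awk -v r="$rate" -v m="$min_rate" 'BEGIN { exit !(r < m) }'; then
        echo "low throughput: Msg/Min '$rate' below $min_rate"
        rc=1
    fi
    load=$(stat_value "$file" Current-Load)
    if [ -z "$load" ] || awk -v l="$load" -v m="$max_load" 'BEGIN { exit !(l > m) }'; then
        echo "high load: Current-Load '$load' above $max_load"
        rc=1
    fi
    return $rc
}

# Constructed copy of the sample .stat contents from the announcement.
write_sample_stat() {
    cat > "$1" <<'EOF'
  TicToc: 1098926268
Loop: 472
Poll: 356
Jobs: 158102
Secs: 389065
 Msg/Min: 24.3818
Current-Load: 9.80392
Average-Load: 10.0682
EOF
}

# Stand-alone demonstration with fixed timestamps so the result does not
# depend on when it is run: 32 s after the sample was written the server is
# healthy; an hour later the same file is reported as stale.
demo_stat() {
    f=$(mktemp) || return 1
    write_sample_stat "$f"
    printf 'Msg/Min published=%s recomputed=%s\n' \
        "$(stat_value "$f" Msg/Min)" "$(msgs_per_min_from_counters "$f")"
    if check_stat "$f" 1098926300 10 20 600; then echo "32s later: healthy"; fi
    if ! check_stat "$f" 1098930000 10 20 600; then echo "an hour later: unhealthy"; fi
    rm -f "$f"
}
demo_stat
```

A staleness test on TicToc is the one that matters most: Msg/Min and the
load figures keep their last values when the server stops, so without an age
check a dead server looks exactly like a healthy idle one.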

Re[4]: [sniffer] 2-3.0i9 looks good to me... How about you?

2004-10-27 Thread Pete McNeil
On Wednesday, October 27, 2004, 9:47:15 PM, Darrell wrote:

Dsic> Does anyone have a little dissertation on how they have this setup.

Here is a good starting point in the archives.



Hope this helps,
_M






Re: Re[2]: [sniffer] 2-3.0i9 looks good to me... How about you?

2004-10-27 Thread Darrell ([EMAIL PROTECTED])
Does anyone have a little dissertation on how they have this setup.

Darrell

---
Check out http://www.invariantsystems.com for utilities for Declude And
Imail.  IMail/Declude Overflow Queue Monitoring, MRTG Integration, and Log
Parsers.


- Original Message - 
From: "Landry William" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, October 26, 2004 7:29 PM
Subject: RE: Re[2]: [sniffer] 2-3.0i9 looks good to me... How about you?


>
> Aren't you using the compression option to gzip your files before
> downloading them?  This compresses a 14mb file down to about 4mb, which
> greatly helps in the download times and reduces the bandwidth requirements
> on the SortMonster end.  Also, are you downloading on some fixed schedule or
> when update notifications are sent out?  If downloading by schedule, then
> use the wget "-N" flag so that you only actually download the file if it has
> changed:
>
> -N,  --timestamping          don't re-retrieve files unless newer than local.
>
> Bill
>
> -Original Message-
> From: Nick Justice [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, October 26, 2004 4:03 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Re[2]: [sniffer] 2-3.0i9 looks good to me... How about you?
>
>
> Do we have a timetable for this new release? Sorry, can't afford
> time to beta test!
> I do get alarmed at the huge .snf file at around 14 meg for my
> personal rule base. Is this optimised in any way or will it
> continue to grow?
>
> _Nick
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
> Sent: Tuesday, October 26, 2004 3:29 PM
> To: Glenn Brooks
> Subject: Re[2]: [sniffer] 2-3.0i9 looks good to me... How about
> you?
>
>
> On Tuesday, October 26, 2004, 11:03:45 AM, Glenn wrote:
>
> GB> can you send the link to this again
>
>  3.0i9-Distribution.zip>
>
> There you go,
> _M
>
>
>
>


Re: [sniffer] Integrating Sniffer with new Imail Collaboration Suite

2004-10-27 Thread Matt
Andrew,
You would also need to lock the file so that the queue didn't steal it.  
You might be able to just simply rename the Q* file to get the same effect.

Pete's being a good friend of Declude by not suggesting a modification, 
but also a good friend of the user to recommend a much better solution 
that also brings with it the benefit of weighting, RBL's and other 
scoreable hits.  If you already own Declude and are sticking with IMail, 
there is absolutely no reason to abandon it.

IMO, Ipswitch is about to change their tune on the matter of bundling 
after signs that they recognize the miscalculation in the response.  A 
miscalculation of this magnitude however points to a more systematic 
problem, and their claim that service agreements are money losers for 
them is preposterous, and then to place the burden on the customer when 
your product is already premium priced is an indication of an 
organization in total disarray.

Matt
Colbeck, Andrew wrote:
Well, to play devil's advocate ...
A poor man's way to run IMail and Message Sniffer without Declude could
certainly be done without a massive re-write.  I'm not going to claim that
it would be *reliable* or *flexible* but you could certainly mimic what
Declude does and change one registry key to have IMail call a batch file.
Then have your batch file call Message Sniffer, run through multiple "if
errorlevel" statements, and take whatever action you deem appropriate, like
moving the two message files to a quarantine or just deleting them.  If a
message passes, you call IMail's original executable (from the original
registry entry) to deliver the message.
Sure, saying it is easier than doing it, but it is do-able.
As for me, I prefer to use Declude & Sniffer.  A weighted system rocks.
Andrew 8)
p.s. Now, if SpamAssassin has a way to shell out to call Sniffer ... hm
...
-Original Message-
From: Pete McNeil [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, October 27, 2004 8:52 AM
To: Jim Matuska
Subject: Re: [sniffer] Integrating Sniffer with new Imail Collaboration
Suite

On Wednesday, October 27, 2004, 11:30:27 AM, Jim wrote:
JM> Is there a way to integrate message sniffer directly with the new 
JM> Imail Collaboration Suite.  We are currently using it with Imail via 
JM> declude, but that may change soon due to this latest Imail fiasco.  
JM> If we decide to migrate to the new Collaboration suite I need to 
JM> know if we can use message sniffer directly or if we would need to 
JM> use a 3rd party add in still such as declude (if a version is 
JM> released that will work with the collaboration suite).  Any 
JM> thoughts?

Sniffer won't be making a direct connection to IMail because it won't be
necessary. It is my understanding the Declude and mxGuard will continue to
function with ICS just as they have. There is no good reason for us to
duplicate that effort when such a fine job has already been done.
_M

 

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=


Re[2]: [sniffer] Integrating Sniffer with new Imail Collaboration Suite

2004-10-27 Thread Pete McNeil
On Wednesday, October 27, 2004, 12:08:07 PM, Andrew wrote:



CA> As for me, I prefer to use Declude & Sniffer.  A weighted system rocks.

CA> Andrew 8)

CA> p.s. Now, if SpamAssassin has a way to shell out to call Sniffer ... hm

SA 2.x had a patch to call Sniffer.

We haven't seen one for SA 3.x yet and it looks like a real performance
buster so I'm not pressing for it.

However, you can use a modified version of the current postfix script
to pipe sniffer in front of spamc ala "sniffer | spamc ..." and soon
(2-3.1i1) sniffer will be upgraded to run directly in a pipe (no
script).

This has the advantage that the full analysis from sniffer can be used
in SA to establish weighted tests - and it will add less than 100ms to
SA's potential ~10sec processing time...

Another thought - though not fleshed out - is to have sniffer act as a
gateway to the program after it... That might be SA, or sendmail
(postfix)... This opens up the option to have sniffer "hold" spam, or
skip SA, or call some other application depending upon what it sees...

All of this is in the works for the next round of development along
with more that I can't tell you about ;-).

_M






RE: [sniffer] Integrating Sniffer with new Imail Collaboration Suite

2004-10-27 Thread Colbeck, Andrew
Well, to play devil's advocate ...

A poor man's way to run IMail and Message Sniffer without Declude could
certainly be done without a massive re-write.  I'm not going to claim that
it would be *reliable* or *flexible* but you could certainly mimic what
Declude does and change one registry key to have IMail call a batch file.

Then have your batch file call Message Sniffer, run through multiple "if
errorlevel" statements, and take whatever action you deem appropriate, like
moving the two message files to a quarantine or just deleting them.  If a
message passes, you call IMail's original executable (from the original
registry entry) to deliver the message.

Sure, saying it is easier than doing it, but it is do-able.

As for me, I prefer to use Declude & Sniffer.  A weighted system rocks.

Andrew 8)

p.s. Now, if SpamAssassin has a way to shell out to call Sniffer ... hm
...

-Original Message-
From: Pete McNeil [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, October 27, 2004 8:52 AM
To: Jim Matuska
Subject: Re: [sniffer] Integrating Sniffer with new Imail Collaboration
Suite


On Wednesday, October 27, 2004, 11:30:27 AM, Jim wrote:

JM> Is there a way to integrate message sniffer directly with the new 
JM> Imail Collaboration Suite.  We are currently using it with Imail via 
JM> declude, but that may change soon due to this latest Imail fiasco.  
JM> If we decide to migrate to the new Collaboration suite I need to 
JM> know if we can use message sniffer directly or if we would need to 
JM> use a 3rd party add in still such as declude (if a version is 
JM> released that will work with the collaboration suite).  Any 
JM> thoughts?

Sniffer won't be making a direct connection to IMail because it won't be
necessary. It is my understanding the Declude and mxGuard will continue to
function with ICS just as they have. There is no good reason for us to
duplicate that effort when such a fine job has already been done.

_M




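
Andrew's "have the server call a script, branch on the exit code, deliver or
quarantine" idea, written out as an added example in POSIX shell. This is the
editor's code, not Andrew's, Declude's or Message Sniffer's. It assumes the
scanner is any command whose last argument is the message file and which
exits 0 for a clean message (Sniffer's real result codes are not given on this
page, so every other code below 126 is treated as a match), that DELIVER
stands for the mail server's original delivery program, and that a message may
arrive as two files which must move together, as Andrew describes. The
demo_scanner and demo_deliver stand-ins and the message files are constructed
for the self-test.

```shell
#!/bin/sh
# Added example, not from the post: scan a message, then deliver or
# quarantine it based on the scanner's exit status, covering the two cases a
# quick batch file usually skips: a scanner that cannot run at all, and a
# message that consists of more than one file.

# filter_message QDIR SCANNER DELIVER FILE [COMPANION...]
#   Scan FILE. Clean (exit 0): hand every listed file to DELIVER and return
#   its status. Match (any other exit below 126, an assumption): move every
#   listed file into QDIR and return 1 (2 if that move failed). Scanner not
#   runnable or killed (126 and above): leave the files where they are and
#   return 3 so the caller retries instead of silently losing or passing
#   mail.
filter_message() {
    qdir=$1 scanner=$2 deliver=$3
    shift 3
    msg=$1
    "$scanner" "$msg"
    rc=$?
    if [ "$rc" -eq 0 ]; then
        "$deliver" "$@"
        return $?
    elif [ "$rc" -ge 126 ]; then
        echo "scanner '$scanner' failed with status $rc; leaving $msg in place for retry" >&2
        return 3
    fi
    mkdir -p "$qdir" || return 2
    for f in "$@"; do
        mv -f "$f" "$qdir/" || return 2
    done
    return 1
}

# Constructed stand-ins for the self-test: a scanner that flags any message
# containing a test phrase with an arbitrary non-zero code, and a delivery
# program that appends the file names it was given to a log (DEMO_LOG).
demo_scanner() {
    grep -qi 'buy now' "$1" && return 40
    return 0
}
demo_deliver() {
    printf '%s\n' "$@" >> "${DEMO_LOG:?}"
}

# Stand-alone demonstration with constructed message/envelope file pairs.
demo_filter() {
    dir=$(mktemp -d) || return 1
    DEMO_LOG=$dir/delivered
    printf 'Subject: hello\n\nsee you tomorrow\n' > "$dir/D1.msg"
    printf 'MAIL FROM:<a@example.org>\n' > "$dir/Q1.msg"
    printf 'Subject: offer\n\nBUY NOW\n' > "$dir/D2.msg"
    printf 'MAIL FROM:<b@example.org>\n' > "$dir/Q2.msg"
    rc=0; filter_message "$dir/quarantine" demo_scanner demo_deliver "$dir/D1.msg" "$dir/Q1.msg" || rc=$?
    echo "clean message: status $rc, delivered $(grep -c '' "$DEMO_LOG") file(s)"
    rc=0; filter_message "$dir/quarantine" demo_scanner demo_deliver "$dir/D2.msg" "$dir/Q2.msg" || rc=$?
    echo "matched message: status $rc, quarantined $(ls "$dir/quarantine" | grep -c '') file(s)"
    rc=0; filter_message "$dir/quarantine" no_such_scanner demo_deliver "$dir/D1.msg" 2>/dev/null || rc=$?
    echo "missing scanner: status $rc, message still present: $([ -f "$dir/D1.msg" ] && echo yes || echo no)"
    rm -rf "$dir"
}
demo_filter
```

The 126-and-above branch is the deliberate choice here: a missing or crashed
scanner neither delivers unscanned mail nor destroys it. If a site would
rather fail closed, that branch can quarantine instead, but it should be a
decision and not an accident of which errorlevel tests happened to be listed.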

Re: [sniffer] Integrating Sniffer with new Imail Collaboration Suite

2004-10-27 Thread Pete McNeil
On Wednesday, October 27, 2004, 11:30:27 AM, Jim wrote:

JM> Is there a way to integrate message sniffer directly with the new Imail
JM> Collaboration Suite.  We are currently using it with Imail via declude, but
JM> that may change soon due to this latest Imail fiasco.  If we decide to
JM> migrate to the new Collaboration suite I need to know if we can use message
JM> sniffer directly or if we would need to use a 3rd party add in still such as
JM> declude (if a version is released that will work with the collaboration
JM> suite).  Any thoughts?

Sniffer won't be making a direct connection to IMail because it won't
be necessary. It is my understanding the Declude and mxGuard will
continue to function with ICS just as they have. There is no good
reason for us to duplicate that effort when such a fine job has
already been done.

_M





RE: [sniffer] Integrating Sniffer with new Imail Collaboration Suite

2004-10-27 Thread Paul Navarre
> Is there a way to integrate message sniffer directly with the new Imail
> Collaboration Suite.  We are currently using it with Imail via declude,
> but
> that may change soon due to this latest Imail fiasco

Jim,

Declude will work with the Collaboration Suite. They aren't changing the
architecture of the basic email server, they are just changing how they
package and license it.

Paul Navarre




Re: [sniffer] Integrating Sniffer with new Imail Collaboration Suite

2004-10-27 Thread Jorge Asch
Matt Day wrote:
Take a look at Mdaemon from altn.com instead of Imail? Great product, great
support, great attitude. Oh and works very well with le sniffer :)
 

I agree. But to answer the original question, I had the notion that ICS 
is the same IMail with other bundled software/services and just a 
change in name. So perhaps the infrastructure is the same, and 
everything should work the same...

--
Jorge Asch Revilla
CONEXION DCR
www.conexion.co.cr
800-CONEXION



RE: [sniffer] Integrating Sniffer with new Imail Collaboration Suite

2004-10-27 Thread Matt Day
Take a look at Mdaemon from altn.com instead of Imail? Great product, great
support, great attitude. Oh and works very well with le sniffer :)

Matt D

MaxNett Ltd
t.08701 624 898
f.08701 624 889
www.maxnett.co.uk  


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Jim Matuska
Sent: 27 October 2004 16:30
To: [EMAIL PROTECTED]
Subject: [sniffer] Integrating Sniffer with new Imail Collaboration Suite
Importance: High

Is there a way to integrate message sniffer directly with the new Imail
Collaboration Suite.  We are currently using it with Imail via declude, but
that may change soon due to this latest Imail fiasco.  If we decide to
migrate to the new Collaboration suite I need to know if we can use message
sniffer directly or if we would need to use a 3rd party add in still such as
declude (if a version is released that will work with the collaboration
suite).  Any thoughts?

Jim Matuska Jr.
Computer Tech II
CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED] 




[sniffer] Integrating Sniffer with new Imail Collaboration Suite

2004-10-27 Thread Jim Matuska
Is there a way to integrate message sniffer directly with the new Imail 
Collaboration Suite.  We are currently using it with Imail via declude, but 
that may change soon due to this latest Imail fiasco.  If we decide to 
migrate to the new Collaboration suite I need to know if we can use message 
sniffer directly or if we would need to use a 3rd party add in still such as 
declude (if a version is released that will work with the collaboration 
suite).  Any thoughts?

Jim Matuska Jr.
Computer Tech II
CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED] 



Re[2]: [sniffer] 2-3.0i9 looks good to me... How about you?

2004-10-27 Thread Pete McNeil
On Wednesday, October 27, 2004, 10:07:59 AM, Jorge wrote:

>>This will continue to grow I'm afraid --- though later versions will
>>deal with the file directly at some point. All of the rules that are
>>included in the rulebase file are live patterns that have seen recent
>>activity. The system automatically removes anything below your rule
>>strength threshold so that there are no inert rules in the system.
>>This mechanism is one of the critical things we do with reported log
>>files.
>>  
>>
JA> Just an idea. How about doing what AV do? I mean, you only get new
JA> rulebases downloaded... Instead of downloading the whole 14mb, download
JA> just the updates, which probably are a couple of hundred K. And once a
JA> week or every two weeks, a whole rulebase can be downloaded that unifies
JA> everything.

We will be moving toward this model eventually. Peers will also send
updates to each other in response to collaborative detection
mechanisms.

One of the challenges here is that a significant amount of computing
power is required to compile the folded token matrix that makes the
engine fast. If only new rules are sent then the MTA would have to
refold the matrix to compile the changes into the rulebase. Since MTAs
are already heavily loaded in most cases this is not a trivial problem
- it will require that the Message Sniffer daemon balance the work
load of recompiling the rulebase without compromising the performance
of the MTA.

This can be done, but several things must happen first:

* Message Sniffer must operate in a native daemon/service mode. This is
slated for version 3.x stages of development.

* Security mechanisms associated with peering and modularized updates
must be tested and deployed.

* The rulebase management system software must be re-written to impose
versioning data on the rule base derivation engine.

* A modular rulebase compiler engine and load tuning system must be
created and tested to accept, compile, and test the incremental
updates.

--- All of these things are on the to-do list. It's all about
resources. The faster we grow the faster we will be able to deploy the
new features.

Best,
_M







Re: [sniffer] 2-3.0i9 looks good to me... How about you?

2004-10-27 Thread Jorge Asch

This will continue to grow I'm afraid --- though later versions will
deal with the file directly at some point. All of the rules that are
included in the rulebase file are live patterns that have seen recent
activity. The system automatically removes anything below your rule
strength threshold so that there are no inert rules in the system.
This mechanism is one of the critical things we do with reported log
files.
 

Just an idea. How about doing what AV do? I mean, you only get new 
rulebases downloaded... Instead of downloading the whole 14mb, download 
just the updates, which probably are a couple of hundred K. And once a 
week or every two weeks, a whole rulebase can be downloaded that unifies 
everything.

--
Jorge Asch Revilla
CONEXION DCR
www.conexion.co.cr
800-CONEXION
