[sniffer] [Fwd: Diann Helms]
Anyway to stop this spam. We are getting hundreds of them. I have personally gotten 23.

From - Wed Feb 15 07:51:25 2006
X-Account-Key: account3
X-UIDL: 384485764
X-Mozilla-Status: 0001
X-Mozilla-Status2:
Received: from DM [206.53.51.56] by deepspace.i360.net (SMTPD-8.22) id A08B07E0; Wed, 15 Feb 2006 06:37:31 -0600
Received: from gmail.com (8.8.8/8.8.8) id XAA47062; Wed, 15 Feb 2006 06:37:38 -0600
Message-Id: [EMAIL PROTECTED]
From: Shane Redmond [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Diann Helms
X-Mailer: Opera7.20/Win32 M2 build 2981
Date: Wed, 15 Feb 2006 06:37:38 -0600
X-RBL-Warning: NOLEGITCONTENT: No content unique to legitimate E-mail detected.
X-RBL-Warning: IPNOTINMX:
X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA 206.53.51.56 with no reverse DNS entry.
X-RBL-Warning: CMDSPACE: Space found in RCPT TO: command.
X-RBL-Warning: COUNTRYFILTER: Message failed COUNTRYFILTER test (line 36, weight 0)
X-Declude-Sender: [EMAIL PROTECTED] [206.53.51.56]
X-Declude-Spoolname: D208b017db78a.smd
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
X-Spam-Tests-Failed: NOLEGITCONTENT, IPNOTINMX, REVDNS, CMDSPACE, COUNTRYFILTER, CATCHALLMAILS [70]
X-Country-Chain: CANADA-destination
X-Note: This E-mail was sent from [No Reverse DNS] ([206.53.51.56]).
X-RCPT-TO: [EMAIL PROTECTED]
Status: U
X-UIDL: 384485764
X-IMail-ThreadID: 208b017db78a

Braxton,

http://uk.geocities.com/proboycott45571

Shane Redmond

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
Re: [sniffer] [Fwd: Diann Helms]
On Wednesday, February 15, 2006, 8:53:27 AM, Heimir wrote:

HE> Anyway to stop this spam.
HE> We are getting hundreds of them.
HE> I have personally gotten 23.

It's a challenging one... there is almost no data, and the geocities link is constantly different. I've written another abstract to cover this structure. I'll continue to do that as new structures arise, provided I can do so without creating false positives.

If you wish, it is possible to create a local black rule for any geocities link. On many ISP systems this would cause false positives, but on more private systems it may be a reasonable solution. If you want such a black rule added to your rulebase please send a request off-list to [EMAIL PROTECTED]

Thanks,

_M
[sniffer] False Positive - RESEND
Hello,

Could you please tell me what would cause an email to fail rule # 831417

This was a good email flagged this morning and deleted.

Regards,

Steve Guluk
SGDesign
(949) 661-9333
ICQ: 7230769
RE: [sniffer] [Fwd: Diann Helms]
Heimir,

It's not a Sniffer-related answer, but I personally use a combination of a text filter file (looking for known geocities links) and the IP blacklist SORBS-DUHL (which contains dial-up IP ranges). As all my customers are connecting with SMTP-Auth or from known IP ranges I can whitelist them. So the combination of these two filters can catch most of this stuff, as legit messages containing a geocities link shouldn't come from dial-up IPs to my server.

Markus

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Heimir Eidskrem
Sent: Wednesday, February 15, 2006 2:53 PM
To: sniffer@sortmonster.com
Subject: [sniffer] [Fwd: Diann Helms]

Anyway to stop this spam. We are getting hundreds of them. I have personally gotten 23.
Re: [sniffer] [Fwd: Diann Helms]
Hi Pete,

[...]
> If you wish, it is possible to create a local black rule for any geocities link. On many ISP systems this would cause false positives, but on more private systems it may be a reasonable solution.

I think I could use such a black rule without getting too many FPs, but in which categories would that rule then go? I score the several Sniffer results differently in my Declude setup. A hit on just Sniffer 60, 61 or 63 would put it several points below my hold weight. An extra hit would be needed to get it held.

> If you want such a black rule added to your rulebase please send a request off-list to [EMAIL PROTECTED]

As the above information might be of interest to others I'll ask here first.

Groetjes,

Bonno Bloksma

---
[E-mail scanned at tio.nl for viruses by Declude Virus]
Re: [sniffer] [Fwd: Diann Helms]
Would you share your filters? I assume Declude filters.

Cordially,

Heimir Eidskrem
i360, Inc.
2825 Wilcrest, Suite 675
Houston, TX 77042
Ph: 713-981-4900
Fax: 832-242-6632
[EMAIL PROTECTED]
www.i360.net
www.i360hosting.com
www.realister.com
Houston's Leading Internet Consulting Company

Markus Gufler wrote:
> Heimir,
>
> It's not a Sniffer-related answer, but I personally use a combination of a text filter file (looking for known geocities links) and the IP blacklist SORBS-DUHL (which contains dial-up IP ranges). As all my customers are connecting with SMTP-Auth or from known IP ranges I can whitelist them. So the combination of these two filters can catch most of this stuff, as legit messages containing a geocities link shouldn't come from dial-up IPs to my server.
>
> Markus
Re[2]: [sniffer] [Fwd: Diann Helms]
On Wednesday, February 15, 2006, 11:02:11 AM, Bonno wrote:

BB> Hi Pete,
BB> [...]
BB>> If you wish, it is possible to create a local black rule for any geocities link. On many ISP systems this would cause false positives, but on more private systems it may be a reasonable solution.
BB> I think I could use such a black rule without getting too many FPs, but in
BB> which categories would that rule then go? I score the several Sniffer
BB> results differently in my Declude setup. A hit on just Sniffer 60, 61 or 63
BB> would put it several points below my hold weight. An extra hit would be
BB> needed to get it held.

Normally when we make custom black rules we code them to a special rule group (generally with a group symbol 5 by convention). Since 5 is a lower number than all other rule groups (except for white rules = 0) any message matching a local black rule will be distinct.

Hope this helps,

_M
RE: [sniffer] [Fwd: Diann Helms]
> Would you share your filters? I assume Declude filters.

Yes. Attached is the original message from Scott Fisher regarding the geocities filter file (I call it GEOCITIESLINKS). I've replaced each weight (100 and 75 points) with 0, so this test will add no weight to the final result.

In addition you have to set up SORBS-DUHL as a standard IP4R test.

Then you need an additional text filter file (I call it COMBO-DUHL-GEOCITIES):

~~
TESTFAILED END NOTCONTAINS GEOCITIESLINKS
TESTFAILED 80 CONTAINS SORBS-DUHL
~~

The first line will stop the combo filter if there were no geocities links in the message body. The second line will add 80 points if the message came in from a DUHL IP.

Markus

---BeginMessage---

Here's my geocities filter. It's a little more specific so I can weight foreign geocities more than US geocities.

STOPATFIRSTHIT
BODY 100 CONTAINS ar.geocities.com
BODY 100 CONTAINS geocities.com.ar
BODY 100 CONTAINS ar.geocities.yahoo.com
BODY 100 CONTAINS geocities.yahoo.com.ar
BODY 100 CONTAINS asia.geocities.com
BODY 100 CONTAINS asia.geocities.yahoo.com
BODY 100 CONTAINS au.geocities.com
BODY 100 CONTAINS geocities.com.au
BODY 100 CONTAINS au.geocities.yahoo.com
BODY 100 CONTAINS geocities.yahoo.com.au
BODY 100 CONTAINS br.geocities.com
BODY 100 CONTAINS geocities.com.br
BODY 100 CONTAINS br.geocities.yahoo.com
BODY 100 CONTAINS geocities.yahoo.com.br
BODY 100 CONTAINS ca.geocities.com
BODY 100 CONTAINS geocities.ca
BODY 100 CONTAINS ca.geocities.yahoo.com
BODY 100 CONTAINS geocities.yahoo.ca
BODY 100 CONTAINS cf.geocities.com
BODY 100 CONTAINS cf.geocities.yahoo.com
BODY 100 CONTAINS cn.geocities.com
BODY 100 CONTAINS geocities.cn
BODY 100 CONTAINS cn.geocities.yahoo.com
BODY 100 CONTAINS geocities.yahoo.cn
BODY 100 CONTAINS de.geocities.com
BODY 100 CONTAINS geocities.de
BODY 100 CONTAINS de.geocities.yahoo.com
BODY 100 CONTAINS geocities.yahoo.de
BODY 100 CONTAINS es.geocities.com
BODY 100 CONTAINS geocities.es
BODY 100 CONTAINS es.geocities.yahoo.com
BODY 100 CONTAINS geocities.yahoo.es
BODY 100 CONTAINS espanol.geocities.com
BODY 100 CONTAINS espanol.geocities.yahoo.com
BODY 100 CONTAINS hk.geocities.com
BODY 100 CONTAINS geocities.com.hk
BODY 100 CONTAINS geocities.hk
BODY 100 CONTAINS hk.geocities.yahoo.com
BODY 100 CONTAINS geocities.yahoo.com.hk
BODY 100 CONTAINS geocities.yahoo.hk
BODY 100 CONTAINS in.geocities.com
BODY 100 CONTAINS geocities.co.in
BODY 100 CONTAINS in.geocities.yahoo.com
BODY 100 CONTAINS geocities.yahoo.co.in
BODY 100 CONTAINS it.geocities.com
BODY 100 CONTAINS geocities.it
BODY 100 CONTAINS it.geocities.yahoo.com
BODY 100 CONTAINS geocities.yahoo.it
BODY 100 CONTAINS kr.geocities.com
BODY 100 CONTAINS geocities.co.kr
BODY 100 CONTAINS kr.geocities.yahoo.com
BODY 100 CONTAINS geocities.yahoo.co.kr
BODY 100 CONTAINS mx.geocities.com
BODY 100 CONTAINS geocities.com.mx
BODY 100 CONTAINS mx.geocities.yahoo.com
BODY 100 CONTAINS geocities.yahoo.com.mx
BODY 100 CONTAINS sg.geocities.com
BODY 100 CONTAINS geocities.com.sg
BODY 100 CONTAINS sg.geocities.yahoo.com
BODY 100 CONTAINS geocities.yahoo.com.sg
BODY 100 CONTAINS uk.geocities.com
BODY 100 CONTAINS geocities.co.uk
BODY 100 CONTAINS uk.geocities.yahoo.com
BODY 100 CONTAINS geocities.yahoo.co.uk
BODY 75 CONTAINS geocities.com
BODY 75 CONTAINS geocities.yahoo.com

----- Original Message -----
From: Dave Doherty
To: Declude.JunkMail@declude.com
Sent: Thursday, February 02, 2006 9:09 AM
Subject: Re: [Declude.JunkMail] Stock Spam

If you're referring to the geocities stuff that's been out the last couple of days, I just use a body filter.

BODY 3 CONTAINS au.geocities.com

Sniffer, which I weight at 7, picks it up OK, and the added weight of 3 is enough to get to my hold weight of 10.

-Dave Doherty
Skywaves, Inc.

----- Original Message -----
From: Michael Jaworski
To: Declude.JunkMail@declude.com
Sent: Thursday, February 02, 2006 9:32 AM
Subject: [Declude.JunkMail] Stock Spam

Anyone have a good filter strategy on the increasing amount of stock spam???

Thanks,
Mike

---End Message---
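As an added illustration (not Declude's code and not Markus's or Scott's filter files), here is a small Python model of the two-stage filter Markus describes: a zero-weight GEOCITIESLINKS body filter that only records a hit, followed by a COMBO file that ends early unless that hit is present and otherwise adds 80 points when the sender also failed the SORBS-DUHL test. The DUHL address ranges, the line parser and the evaluation order are assumptions made for the example; a real Declude installation resolves the IP4R zone over DNS.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed sample ranges standing in for the SORBS-DUHL listing (not real
# listings); a real Declude install resolves the IP4R zone over DNS instead.
ASSUMED_DUHL_RANGES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/25")]

# Filter files in the line format shown in the thread:
#   <field> <weight|END> <CONTAINS|NOTCONTAINS> <text>
# Weights in the geocities file are zeroed as Markus describes, so a match
# only records the test name GEOCITIESLINKS without adding any points.
GEOCITIESLINKS = """
STOPATFIRSTHIT
BODY 0 CONTAINS uk.geocities.com
BODY 0 CONTAINS au.geocities.com
BODY 0 CONTAINS geocities.com
BODY 0 CONTAINS geocities.yahoo.com
"""

COMBO_DUHL_GEOCITIES = """
TESTFAILED END NOTCONTAINS GEOCITIESLINKS
TESTFAILED 80 CONTAINS SORBS-DUHL
"""


@dataclass
class Message:
    sender_ip: str
    body: str
    tests_failed: list = field(default_factory=list)
    weight: int = 0


def parse_filter(text):
    """Return (stop_at_first_hit, rules); the weight is None for END lines."""
    stop_at_first = False
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.upper() == "STOPATFIRSTHIT":
            stop_at_first = True
            continue
        fld, weight, op, needle = line.split(None, 3)
        rules.append((fld.upper(), None if weight.upper() == "END" else int(weight),
                      op.upper(), needle))
    return stop_at_first, rules


def field_value(msg, fld):
    """The text a filter line is matched against (only the two fields used here)."""
    if fld == "BODY":
        return msg.body
    if fld == "TESTFAILED":
        return " ".join(msg.tests_failed)
    raise ValueError(f"unsupported field {fld}")


def run_filter(msg, name, text):
    """Apply one filter file; record `name` in tests_failed if any line scores."""
    stop_at_first, rules = parse_filter(text)
    hit = False
    for fld, weight, op, needle in rules:
        found = needle.lower() in field_value(msg, fld).lower()
        if (op == "CONTAINS") != found:
            continue                      # line did not match, try the next one
        if weight is None:                # END: stop processing this file
            break
        hit = True
        msg.weight += weight
        if stop_at_first:
            break
    if hit and name not in msg.tests_failed:
        msg.tests_failed.append(name)
    return hit


def ip4r_duhl(msg):
    """Stand-in for the SORBS-DUHL IP4R test, using the constructed ranges."""
    if any(ip_address(msg.sender_ip) in net for net in ASSUMED_DUHL_RANGES):
        msg.tests_failed.append("SORBS-DUHL")
        return True
    return False


def score(sender_ip, body):
    """Run the tests in the order Markus describes; return (weight, tests failed)."""
    msg = Message(sender_ip=sender_ip, body=body)
    ip4r_duhl(msg)
    run_filter(msg, "GEOCITIESLINKS", GEOCITIESLINKS)
    run_filter(msg, "COMBO-DUHL-GEOCITIES", COMBO_DUHL_GEOCITIES)
    return msg.weight, msg.tests_failed


if __name__ == "__main__":
    link = "Braxton, http://uk.geocities.com/example"          # constructed body
    print(score("203.0.113.7", link))                         # dial-up IP + link -> 80
    print(score("192.0.2.10", link))                          # fixed IP + link   -> 0
    print(score("203.0.113.7", "Meeting moved to Thursday."))  # no link          -> 0
```

The third case is the one the END line exists for: a dial-up sender with no geocities link never reaches the 80-point line, so the DUHL listing alone adds nothing.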
[sniffer] 404 on rulebase file downloads: new cleanup code
Hello Sniffer folks,

A surprising number of folks have asked about receiving 404 errors when downloading their rulebase files. In all of these cases their license has expired.

I recently added some new code to the server that delivers rulebase files. The code removes any rulebase file where the license is disabled. This is a task I used to do manually, and not very often.

As it turns out, there are a few folks out there who not only did not get (or did not see) our expiration notices, but also believed they were continuing to get updates... that is, until they began getting 404 messages from their update script ;-)

If you get a 404 when you attempt to download your rulebase file then it is very likely you need to renew. If you want to check first, feel free to send us a note at [EMAIL PROTECTED]

The renewal form is here: https://www.armresearch.com/message-sniffer/forms/form-renewal.asp

Thanks,

_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)
Chief Scientist (www.armresearch.com)
Re: [sniffer] False Positive
Answered off-list

_M

On Tuesday, February 14, 2006, 2:07:48 PM, Steve wrote:

SG> Hello,
SG> Could you please tell me what would cause an email to fail rule # 831417
SG> This was a good email flagged this morning and deleted.
SG> Regards,
SG> Steve Guluk
SG> SGDesign
SG> (949) 661-9333
SG> ICQ: 7230769
[sniffer] False Positives
My users have been getting a lot of FPs by Sniffer lately. They send me the email with the FULL HEADERS displayed and I forward this email on to SortMonster. The program they use to analyze incoming submissions checks MY email headers, determines that SNIFFER was not at fault and sends me back an email saying it didn't find any flags.

How the heck am I supposed to submit FPs from my users to SNIFFER?!!

I also save my user's email and attach it to my submissions to sortmonster, but these too are not flagged.

Very frustrating, esp. since SNIFFER FPs are particularly dangerous since I give it so much weight.

---
[This E-mail was scanned for viruses.]
RE: [sniffer] False Positives
Search your sniffer logs and include the log lines for that particular message.

-Jay

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Rogers
Sent: Wednesday, February 15, 2006 3:55 PM
To: sniffer@SortMonster.com
Subject: [sniffer] False Positives
Re: [sniffer] False Positives
On Wednesday, February 15, 2006, 3:54:50 PM, Kevin wrote:

KR> My users have been getting a lot of FPs by Sniffer lately. They send me
KR> the email with the FULL HEADERS displayed and I forward this email on to
KR> SortMonster. The program they use to analyze incoming submissions checks
KR> MY email headers, determines that SNIFFER was not at fault and sends me
KR> back an email saying it didn't find any flags.

Just to clarify a bit, here is the standard response you're probably talking about:

[FPR:0]

The message did not match any active black rules as submitted. The rules may have been modified or removed. If you provide matching log entries from your system then we can research this further.

Note that sometimes our false processing system may not identify the rules that matched this message on your system due to changes in the submitted content that might occur during the forwarding process.

Please also be sure you are running the latest version, that your rulebase file is up to date, and that you do not have any unresolved errors in your Sniffer log file. Bug fixes in newer versions may resolve false positive issues or reduce the risk of false positives through enhanced features and new technologies. Certain errors in your log file may indicate a corrupted rulebase.

---

The software we use to scan false positive submissions is a version of SNF that includes every rule we have in our system. If the message does not match any of these rules, MOST of the time it means that the rule has been removed already.

If that is not the case, then the next step is to provide matching log entries. On some systems this is not necessary because the headers may already contain SNF x-header data that shows the rules involved.

This process is not intended to make things difficult, but to save time. The majority of the time, our local scanner will identify the rule or rules in question and we will respond accordingly. When that is not the case we simply need more data to move forward with the investigation.

Usually, when a rule is still in the system and it does not match a false positive submission it is because the original message was altered during the forwarding process or some condition of being attached has prevented the scanner on this end from reproducing the result you had on your system.

Hope this helps,

_M
RE: [sniffer] False Positives
The X-SNF header. Sounds like a good idea. Is there a cheat sheet someplace for making that happen, if possible, in a Declude / Imail environment?

Thanks ahead of time,

Rob

---
[This E-mail scanned for viruses by Declude Virus]
RE: [sniffer] False Positives
Pete,

Is there any way to get an automatic response similar to the one listed below for the FP address, but for submissions to your spam@ address? It would be nice to get some feedback when submitting spam.

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Wednesday, February 15, 2006 1:28 PM
To: Kevin Rogers
Subject: Re: [sniffer] False Positives
Re: [sniffer] False Positives
I second the motion. We have been submitting spam for over a year and I don't know if a single one was received.

Thank you Jim, for the suggestion.

Michael Stein
Computer House
www.computerhouse.com

----- Original Message -----
From: Jim Matuska Jr. [EMAIL PROTECTED]
To: sniffer@SortMonster.com
Sent: Wednesday, February 15, 2006 4:40 PM
Subject: RE: [sniffer] False Positives

Pete,

Is there any way to get an automatic response similar to the one listed below for the FP address, but for submissions to your spam@ address? It would be nice to get some feedback when submitting spam.

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]
Re[2]: [sniffer] False Positives
On Wednesday, February 15, 2006, 4:32:14 PM, Robert wrote:

RG> The X-SNF header. Sounds like a good idea. Is there a cheat sheet someplace
RG> for making that happen, if possible, in a Declude / Imail environment?
RG> Thanks ahead of time,

In the distribution the option is described in the .cfg file. However, in the Declude environment I don't know of any easy way to make use of it.

What would be best is if Declude could be persuaded to pick up the .xhdr file SNF produces and add it to the headers it is already adding to the message. This way, the message would only need to be altered once (less I/O) for all of the headers.

MDaemon systems using the plugin have the SNF headers by default. Most *nix systems also use the .xhdr option and then allow the programs that follow to respond to the headers planted by SNF. A number of custom-built systems are also using it.

_M
Re[2]: [sniffer] False Positives
Jim,

Not at this time. The two processes are entirely different.

The False Positives process is highly interactive. The standardized responses were implemented to allow for some automation on both sides.

Spam submissions are always treated as anonymous for security reasons and also because of the volume. At one point today we were processing 5000 spam per hour. At those rates it is not practical to respond to each submission.

Advanced features near V4 (some time in the future) will allow us to handle some spam submissions specifically for a particular license ID --- so there are some plans for this later on. However, for the short and medium term all spam submissions will remain anonymous.

If you have a chronic spam for which you would like a local black rule added then you should send a zip'd copy to support@ along with your requests. We will help you adjust your rulebase accordingly. For example, some relatively closed systems are able to use broad rules for certain character sets, file attachment types, or other features to eliminate messages they simply will never see in practice.

_M

On Wednesday, February 15, 2006, 4:40:50 PM, Jim wrote:

JMJ> Pete,
JMJ> Is there any way to get an automatic response similar to the one listed below
JMJ> for the FP address, but for submissions to your spam@ address? It would be
JMJ> nice to get some feedback when submitting spam.
JMJ> Jim Matuska Jr.
JMJ> Computer Tech2, CCNA
JMJ> Nez Perce Tribe
JMJ> Information Systems
JMJ> [EMAIL PROTECTED]
Re[2]: [sniffer] False Positives
On Wednesday, February 15, 2006, 4:48:43 PM, Computer wrote:

CHS> I second the motion. We have been submitting spam for over a year and I
CHS> don't know if a single one was received.

In general, if you've not received an error during delivery, we most certainly got your message... it may have even made it to the queue (if it wasn't already filtered by new rules).

One way to be sure we receive your spam is to create a pop3 box on your system for your spam submissions and provide us with the login data (email address (as login), password, FQDN of the pop3 server). This way, if the mail in that box gets deleted you know one of our bots has pulled it in and added it to our queues.

_M