[sniffer] [Fwd: Diann Helms]

2006-02-15 Thread Heimir Eidskrem

Any way to stop this spam?
We are getting hundreds of them.
I have personally gotten 23.


From - Wed Feb 15 07:51:25 2006

X-Account-Key: account3
X-UIDL: 384485764
X-Mozilla-Status: 0001
X-Mozilla-Status2: 
Received: from DM [206.53.51.56] by deepspace.i360.net
 (SMTPD-8.22) id A08B07E0; Wed, 15 Feb 2006 06:37:31 -0600
Received: from gmail.com (8.8.8/8.8.8) id XAA47062; Wed, 15 Feb 2006 06:37:38 -0600
Message-Id: [EMAIL PROTECTED]
From: Shane Redmond [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Diann Helms
X-Mailer: Opera7.20/Win32 M2 build 2981
Date: Wed, 15 Feb 2006 06:37:38 -0600
X-RBL-Warning: NOLEGITCONTENT: No content unique to legitimate E-mail detected.
X-RBL-Warning: IPNOTINMX: 
X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA 206.53.51.56 with no reverse DNS entry.
X-RBL-Warning: CMDSPACE: Space found in RCPT TO: command.
X-RBL-Warning: COUNTRYFILTER: Message failed COUNTRYFILTER test (line 36, weight 0)
X-Declude-Sender: [EMAIL PROTECTED] [206.53.51.56]
X-Declude-Spoolname: D208b017db78a.smd
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
X-Spam-Tests-Failed: NOLEGITCONTENT, IPNOTINMX, REVDNS, CMDSPACE, COUNTRYFILTER, CATCHALLMAILS [70]
X-Country-Chain: CANADA-destination
X-Note: This E-mail was sent from [No Reverse DNS] ([206.53.51.56]).
X-RCPT-TO: [EMAIL PROTECTED]
Status: U
X-UIDL: 384485764
X-IMail-ThreadID: 208b017db78a


Braxton,

http://uk.geocities.com/proboycott45571

Shane Redmond




This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html


Re: [sniffer] [Fwd: Diann Helms]

2006-02-15 Thread Pete McNeil
On Wednesday, February 15, 2006, 8:53:27 AM, Heimir wrote:

HE Any way to stop this spam?
HE We are getting hundreds of them.
HE I have personally gotten 23.

It's a challenging one... there is almost no data, and the geocities
link is constantly different.

I've written another abstract to cover this structure.

I'll continue to do that as new structures arise, provided I can do
so without creating false positives.

If you wish, it is possible to create a local black rule for any
geocities link. On many ISP systems this would cause false positives,
but on more private systems it may be a reasonable solution.

If you want such a black rule added to your rulebase please send a
request off-list to [EMAIL PROTECTED]

Thanks,

_M





[sniffer] False Positive - RESEND

2006-02-15 Thread Steve Guluk

Hello,
Could you please tell me what would cause an email to fail rule # 831417
This was a good email flagged this morning and deleted.

Regards,


Steve Guluk
SGDesign
(949) 661-9333
ICQ: 7230769









RE: [sniffer] [Fwd: Diann Helms]

2006-02-15 Thread Markus Gufler
Heimir,

It's not a Sniffer-related answer but I personally use a combination of a
text filter file (looking for known geocities links) and the IP blacklist
SORBS-DUHL (which contains dialup IP ranges). As all my customers are
connecting with SMTP-Auth or from known IP ranges I can whitelist them. So
the combination of these two filters can catch most of this stuff, as legit
messages containing geocities links shouldn't come from dial-up IPs to my
server.

Markus








Re: [sniffer] [Fwd: Diann Helms]

2006-02-15 Thread Bonno Bloksma
Hi Pete,

[]
 If you wish, it is possible to create a local black rule for any
 geocities link. On many ISP systems this would cause false positives,
 but on more private systems it may be a reasonable solution.


I think I could use such a black rule without getting too many FPs, but in
which categories would that rule then go? I score the several Sniffer
results differently in my Declude setup. A hit on just Sniffer 60, 61 or 63
would put it several points below my hold weight. An extra hit would be
needed to get it held.

 If you want such a black rule added to your rulebase please send a
 request off-list to [EMAIL PROTECTED]

As the above information might be of interest to others I'll ask here first.

Groetjes,

Bonno Bloksma


---
[E-mail scanned at tio.nl for viruses by Declude Virus]





Re: [sniffer] [Fwd: Diann Helms]

2006-02-15 Thread Heimir Eidskrem

would you share your filters?
I assume Declude filters.


Cordially,

Heimir Eidskrem

i360, Inc.
2825 Wilcrest, Suite 675
Houston, TX 77042
Ph:  713-981-4900
Fax: 832-242-6632
[EMAIL PROTECTED]
www.i360.net
www.i360hosting.com
www.realister.com

Houston's Leading Internet Consulting Company 






Re[2]: [sniffer] [Fwd: Diann Helms]

2006-02-15 Thread Pete McNeil
On Wednesday, February 15, 2006, 11:02:11 AM, Bonno wrote:

BB Hi Pete,

BB []
 If you wish, it is possible to create a local black rule for any
 geocities link. On many ISP systems this would cause false positives,
 but on more private systems it may be a reasonable solution.


BB I think I could use such a black rule without getting too many FPs, but in
BB which categories would that rule then go? I score the several Sniffer
BB results differently in my Declude setup. A hit on just Sniffer 60, 61 or 63
BB would put it several points below my hold weight. An extra hit would be
BB needed to get it held.

Normally when we make custom black rules we code them to a special
rule group (generally with a group symbol 5 by convention). Since 5 is
a lower number than all other rule groups (except for white rules = 0)
any message matching a local black rule will be distinct.

Hope this helps,

_M





RE: [sniffer] [Fwd: Diann Helms]

2006-02-15 Thread Markus Gufler
 

 would you share your filters?
 I assume Declude filters.

Yes.
Attached is the original message from Scott Fisher regarding the
geocities-filter file. (I call it GEOCITIESLINKS)
I've replaced each weight (100 and 75 points) with 0. So this test will add
no weight to the final result. 

In addition you have to set up SORBS-DUHL as a standard IP4R-Test.

Then you need an additional text filter file (I call it
COMBO-DUHL-GEOCITIES)

~~
TESTFAILED END NOTCONTAINS GEOCITIESLINKS
TESTFAILED 80  CONTAINS SORBS-DUHL
~~

The first line will stop the combo filter if there were no geocities links in
the message body.
The second line will add 80 points if the message comes in from a DUHL IP.

Markus

---BeginMessage---



Here's my geocities filter. It's a little more specific so I can weight
foreign geocities more than US geocities.

STOPATFIRSTHIT

BODY	100	CONTAINS	ar.geocities.com
BODY	100	CONTAINS	geocities.com.ar
BODY	100	CONTAINS	ar.geocities.yahoo.com
BODY	100	CONTAINS	geocities.yahoo.com.ar

BODY	100	CONTAINS	asia.geocities.com
BODY	100	CONTAINS	asia.geocities.yahoo.com

BODY	100	CONTAINS	au.geocities.com
BODY	100	CONTAINS	geocities.com.au
BODY	100	CONTAINS	au.geocities.yahoo.com
BODY	100	CONTAINS	geocities.yahoo.com.au

BODY	100	CONTAINS	br.geocities.com
BODY	100	CONTAINS	geocities.com.br
BODY	100	CONTAINS	br.geocities.yahoo.com
BODY	100	CONTAINS	geocities.yahoo.com.br

BODY	100	CONTAINS	ca.geocities.com
BODY	100	CONTAINS	geocities.ca
BODY	100	CONTAINS	ca.geocities.yahoo.com
BODY	100	CONTAINS	geocities.yahoo.ca

BODY	100	CONTAINS	cf.geocities.com
BODY	100	CONTAINS	cf.geocities.yahoo.com

BODY	100	CONTAINS	cn.geocities.com
BODY	100	CONTAINS	geocities.cn
BODY	100	CONTAINS	cn.geocities.yahoo.com
BODY	100	CONTAINS	geocities.yahoo.cn

BODY	100	CONTAINS	de.geocities.com
BODY	100	CONTAINS	geocities.de
BODY	100	CONTAINS	de.geocities.yahoo.com
BODY	100	CONTAINS	geocities.yahoo.de

BODY	100	CONTAINS	es.geocities.com
BODY	100	CONTAINS	geocities.es
BODY	100	CONTAINS	es.geocities.yahoo.com
BODY	100	CONTAINS	geocities.yahoo.es

BODY	100	CONTAINS	espanol.geocities.com
BODY	100	CONTAINS	espanol.geocities.yahoo.com

BODY	100	CONTAINS	hk.geocities.com
BODY	100	CONTAINS	geocities.com.hk
BODY	100	CONTAINS	geocities.hk
BODY	100	CONTAINS	hk.geocities.yahoo.com
BODY	100	CONTAINS	geocities.yahoo.com.hk
BODY	100	CONTAINS	geocities.yahoo.hk

BODY	100	CONTAINS	in.geocities.com
BODY	100	CONTAINS	geocities.co.in
BODY	100	CONTAINS	in.geocities.yahoo.com
BODY	100	CONTAINS	geocities.yahoo.co.in

BODY	100	CONTAINS	it.geocities.com
BODY	100	CONTAINS	geocities.it
BODY	100	CONTAINS	it.geocities.yahoo.com
BODY	100	CONTAINS	geocities.yahoo.it

BODY	100	CONTAINS	kr.geocities.com
BODY	100	CONTAINS	geocities.co.kr
BODY	100	CONTAINS	kr.geocities.yahoo.com
BODY	100	CONTAINS	geocities.yahoo.co.kr

BODY	100	CONTAINS	mx.geocities.com
BODY	100	CONTAINS	geocities.com.mx
BODY	100	CONTAINS	mx.geocities.yahoo.com
BODY	100	CONTAINS	geocities.yahoo.com.mx

BODY	100	CONTAINS	sg.geocities.com
BODY	100	CONTAINS	geocities.com.sg
BODY	100	CONTAINS	sg.geocities.yahoo.com
BODY	100	CONTAINS	geocities.yahoo.com.sg

BODY	100	CONTAINS	uk.geocities.com
BODY	100	CONTAINS	geocities.co.uk
BODY	100	CONTAINS	uk.geocities.yahoo.com
BODY	100	CONTAINS	geocities.yahoo.co.uk

BODY	75	CONTAINS	geocities.com
BODY	75	CONTAINS	geocities.yahoo.com



- Original Message -
From: Dave Doherty
To: Declude.JunkMail@declude.com
Sent: Thursday, February 02, 2006 9:09 AM
Subject: Re: [Declude.JunkMail] Stock Spam

If you're referring to the geocities stuff that's been out the last couple
of days, I just use a body filter.

BODY	3	CONTAINS	au.geocities.com

Sniffer, which I weight at 7, picks it up OK, and the added weight of 3 is
enough to get to my hold weight of 10.

-Dave Doherty
Skywaves, Inc.

- Original Message -
From: Michael Jaworski
To: Declude.JunkMail@declude.com
Sent: Thursday, February 02, 2006 9:32 AM
Subject: [Declude.JunkMail] Stock Spam

Anyone have a good filter strategy on the increasing amount of stock
spam???

Thanks,

Mike

---End Message---
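Markus's two-file combination, a GEOCITIESLINKS body filter at weight 0 followed by COMBO-DUHL-GEOCITIES that adds 80 points only when the connecting IP is on SORBS-DUHL, with SMTP-Auth or known-IP customers whitelisted, worked through as an added Python example. This is not Declude, Message Sniffer or any list member's code. Assumptions: DUHL_RANGES and TRUSTED_RANGES are constructed network lists standing in for the live SORBS-DUHL DNS lookup and Markus's customer whitelist; the sample messages are constructed with placeholder addresses; GEOCITIES_RE generalizes the host list in Scott Fisher's filter rather than copying each entry.

```python
"""Body-text filter plus dial-up IP list, combined the way Markus describes.

Added example (not Declude, Message Sniffer or list-member code). Offline
stand-ins, all constructed: DUHL_RANGES replaces the live SORBS-DUHL DNS
lookup, TRUSTED_RANGES replaces the SMTP-Auth / known-IP customer whitelist.
"""
import ipaddress
import re
from email import message_from_string
from email.policy import default

# Generalizes the hosts in Scott Fisher's GEOCITIESLINKS list: optional country
# or "www"/"espanol" label, geocities, optional .yahoo, then the TLD parts.
GEOCITIES_RE = re.compile(
    r"\b(?:[a-z]{2,7}\.)?geocities(?:\.yahoo)?\.[a-z]{2,3}(?:\.[a-z]{2})?\b",
    re.IGNORECASE,
)
# Bracketed IP as the SMTP daemon writes it into the Received: header.
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed dial-up ranges standing in for SORBS-DUHL (which is a DNSBL).
DUHL_RANGES = [ipaddress.ip_network("206.53.48.0/20")]
# Constructed: networks whose users are whitelisted (authenticated customers).
TRUSTED_RANGES = [ipaddress.ip_network("192.0.2.0/24")]


def connecting_ip(raw_message):
    """IP from the topmost Received: header, i.e. the host that handed the
    message to our server (lower Received: lines are under the sender's control)."""
    msg = message_from_string(raw_message, policy=default)
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = RECEIVED_IP_RE.search(received[0])
    return ipaddress.ip_address(match.group(1)) if match else None


def duhl_query_name(ip):
    """Name a resolver would look up in the SORBS DUHL zone: reversed octets."""
    return ".".join(reversed(str(ip).split("."))) + ".dul.dnsbl.sorbs.net"


def in_ranges(ip, ranges):
    return ip is not None and any(ip in net for net in ranges)


def geocities_links(raw_message):
    """Distinct geocities host names found in the message body."""
    msg = message_from_string(raw_message, policy=default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    return sorted({m.group(0).lower() for m in GEOCITIES_RE.finditer(text)})


def score(raw_message):
    """Return {test name: weight} as Markus's two filter files would produce:
    GEOCITIESLINKS at weight 0, then COMBO-DUHL-GEOCITIES adding 80 only when
    the connecting IP is on the dial-up list. Whitelisted customers skip both."""
    ip = connecting_ip(raw_message)
    if in_ranges(ip, TRUSTED_RANGES):
        return {}
    if not geocities_links(raw_message):
        return {}                           # TESTFAILED END NOTCONTAINS GEOCITIESLINKS
    failed = {"GEOCITIESLINKS": 0}
    if in_ranges(ip, DUHL_RANGES):
        failed["COMBO-DUHL-GEOCITIES"] = 80  # TESTFAILED 80 CONTAINS SORBS-DUHL
    return failed


def total_weight(raw_message):
    return sum(score(raw_message).values())


# Constructed samples (placeholder addresses). SPAM mirrors the message quoted
# in this thread; LEGIT is a customer on a whitelisted range linking to a page.
SPAM = """Received: from DM [206.53.51.56] by mail.example.net
 (SMTPD-8.22) id A08B07E0; Wed, 15 Feb 2006 06:37:31 -0600
Received: from gmail.com (8.8.8/8.8.8) id XAA47062; Wed, 15 Feb 2006 06:37:38
 -0600
From: Shane Redmond <sender@example.org>
To: braxton@example.net
Subject: Diann Helms

Braxton,

http://uk.geocities.com/proboycott45571

Shane Redmond
"""

LEGIT = """Received: from office.example.net [192.0.2.10] by mail.example.net
 (SMTPD-8.22) id B1; Wed, 15 Feb 2006 09:00:00 -0600
From: Customer <customer@example.net>
To: friend@example.net
Subject: my homepage

My homepage moved to http://www.geocities.com/example_user/ last week.
"""

DIALUP_NO_LINK = """Received: from DM [206.53.51.56] by mail.example.net
 (SMTPD-8.22) id C2; Wed, 15 Feb 2006 07:00:00 -0600
From: someone <someone@example.org>
To: braxton@example.net
Subject: hello

No links here.
"""

if __name__ == "__main__":
    for name, raw in (("SPAM", SPAM), ("LEGIT", LEGIT), ("DIALUP_NO_LINK", DIALUP_NO_LINK)):
        print(name, connecting_ip(raw), geocities_links(raw), score(raw), total_weight(raw))
```

The order of the two checks matters in the same way Markus's file order does: the geocities test ends the combo early so the dial-up list is only consulted for messages that actually carry such a link, and the whitelist is applied before either test so a customer's own geocities page never picks up the 80 points.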


[sniffer] 404 on rulebase file downloads: new cleanup code

2006-02-15 Thread Pete McNeil
Hello Sniffer folks,

  A surprising number of folks have asked about receiving 404 errors
  when downloading their rulebase files. In all of these cases their
  license has expired.

  I recently added some new code to the server that delivers rulebase
  files. The code removes any rulebase file where the license is
  disabled.

  This is a task I used to do manually, and not very often. As it
  turns out, there are a few folks out there who not only did not get
  (or did not see) our expiration notices, but also believed they were
  continuing to get updates... that is, until they began getting 404
  messages from their update script ;-)

  If you get a 404 when you attempt to download your rulebase file
  then it is very likely you need to renew.

  If you want to check first, feel free to send us a note at [EMAIL PROTECTED]

  The renewal form is here:

  https://www.armresearch.com/message-sniffer/forms/form-renewal.asp

Thanks,
_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)
Chief Scientist (www.armresearch.com)




Re: [sniffer] False Positive

2006-02-15 Thread Pete McNeil
Answered off-list

_M

On Tuesday, February 14, 2006, 2:07:48 PM, Steve wrote:

SG Hello,
SG Could you please tell me what would cause an email to fail rule # 831417
SG This was a good email flagged this morning and deleted.

SG Regards,


SG Steve Guluk
SG SGDesign
SG (949) 661-9333
SG ICQ: 7230769









[sniffer] False Positives

2006-02-15 Thread Kevin Rogers
My users have been getting a lot of FPs by Sniffer lately.  They send me 
the email with the FULL HEADERS displayed and I forward this email on to 
SortMonster.  The program they use to analyze incoming submissions checks 
MY email headers, determines that SNIFFER was not at fault and sends me 
back an email saying it didn't find any flags.  How the heck am I 
supposed to submit FPs from my users to SNIFFER?!!  I also save my 
users' email and attach it to my submissions to SortMonster, but these 
too are not flagged.


Very frustrating, especially since SNIFFER FPs are particularly dangerous 
since I give it so much weight.


---
[This E-mail was scanned for viruses.]





RE: [sniffer] False Positives

2006-02-15 Thread Jay Sudowski - Handy Networks LLC
Search your sniffer logs and include the log lines for that particular
message.

-Jay



Re: [sniffer] False Positives

2006-02-15 Thread Pete McNeil
On Wednesday, February 15, 2006, 3:54:50 PM, Kevin wrote:

KR My users have been getting a lot of FPs by Sniffer lately.  They send me
KR the email with the FULL HEADERS displayed and I forward this email on to
KR SortMonster.  The program they use to analyze incoming submissions check
KR MY email headers, determine that SNIFFER was not at fault and sends me
KR back an email saying it didn't find any flags.

Just to clarify a bit, here is the standard response you're probably
talking about:

[FPR:0]

The message did not match any active black rules as submitted. The rules
may have been modified or removed. If you provide matching log entries
from your system then we can research this further.

Note that sometimes our false processing system may not identify the
rules that matched this message on your system due to changes in the
submitted content that might occur during the forwarding process.

Please also be sure you are running the latest version, that your
rulebase file is up to date, and that you do not have any unresolved
errors in your Sniffer log file. Bug fixes in newer versions may resolve
false positive issues or reduce the risk of false positives through
enhanced features and new technologies. Certain errors in your log file
may indicate a corrupted rulebase.

---

The software we use to scan false positive submissions is a version of
SNF that includes every rule we have in our system. If the message
does not match any of these rules, MOST of the time it means that the
rule has been removed already.

If that is not the case, then the next step is to provide matching log
entries. On some systems this is not necessary because the headers may
already contain SNF x-header data that shows the rules involved.

This process is not intended to make things difficult, but to save
time. The majority of the time, our local scanner will identify the
rule or rules in question and we will respond accordingly.

When that is not the case we simply need more data to move forward
with the investigation.

Usually, when a rule is still in the system and it does not match a
false positive submission it is because the original message was
altered during the forwarding process or that some condition of being
attached has prevented the scanner on this end from reproducing the
result you had on your system.

Hope this helps,

_M





RE: [sniffer] False Positives

2006-02-15 Thread Robert Grosshandler
The X-SNF header. Sounds like a good idea.  Is there a cheat sheet someplace
for making that happen, if possible, in a Declude / Imail environment?

Thanks ahead of time,

Rob 

---
[This E-mail scanned for viruses by Declude Virus]





RE: [sniffer] False Positives

2006-02-15 Thread Jim Matuska Jr.
Pete,
Is there any way to get an automatic response similar to the one listed below
for the FP address, but for submissions to your spam@ address?  It would be
nice to get some feedback when submitting spam.

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]

 




Re: [sniffer] False Positives

2006-02-15 Thread Computer House Support
I second the motion.  We have been submitting spam for over a year and I 
don't know if a single one was received.

Thank you Jim, for the suggestion.


Michael Stein
Computer House
www.computerhouse.com




Re[2]: [sniffer] False Positives

2006-02-15 Thread Pete McNeil
On Wednesday, February 15, 2006, 4:32:14 PM, Robert wrote:

RG The X-SNF header. Sounds like a good idea.  Is there a cheat sheet someplace
RG for making that happen, if possible, in a Declude / Imail environment?

RG Thanks ahead of time,

In the distribution the option is described in the .cfg file. However,
in the Declude environment I don't know of any easy way to make use of
it. What would be best is if Declude could be persuaded to pick up the
.xhdr file SNF produces and add it to the headers it is already adding
to the message. This way, the message would only need to be
altered once (less I/O) for all of the headers.

MDaemon systems using the plugin have the SNF headers by default.

Most *nix systems also use the .xhdr option and then allow the
programs that follow to respond to the headers planted by SNF.

A number of custom-built systems are also using it.

_M



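Two of Pete's points in this thread, that a message's headers may already carry SNF x-header data naming the rules involved (his reply to Kevin), and that the .xhdr file SNF produces could be folded into the headers a mail system is already adding so the message is rewritten only once (above), as an added Python example. This is not SNF, Declude or MDaemon code. Assumptions: the .xhdr file holds complete header lines, with folded continuations starting with whitespace; the X-SNF-* header names in the constructed sample are hypothetical; the spool content is constructed with placeholder addresses; 831417 is the rule number Steve asked about earlier in the thread and group 5 is Pete's convention for local black rules.

```python
"""Fold SNF's .xhdr output into a message's header block, then read those
headers back when a user forwards a false positive.

Added example (not SNF, Declude or MDaemon code). Assumptions: the .xhdr file
holds complete header lines (continuations start with whitespace); the
X-SNF-* header names in the constructed sample are hypothetical.
"""
import os
import tempfile

SNF_PREFIX = "x-snf-"


def split_headers(raw_message):
    """Split an RFC 2822 message into (header lines with endings, body text);
    the first blank line is the separator and is not returned."""
    lines = raw_message.splitlines(keepends=True)
    for i, line in enumerate(lines):
        if line in ("\n", "\r\n"):
            return lines[:i], "".join(lines[i + 1:])
    return lines, ""


def merge_xhdr(raw_message, xhdr_text):
    """Append the .xhdr lines to the end of the header block, keeping the
    message's own line ending, so one rewrite carries all the new headers."""
    headers, body = split_headers(raw_message)
    nl = "\r\n" if headers and headers[0].endswith("\r\n") else "\n"
    extra = [line + nl for line in xhdr_text.splitlines() if line.strip()]
    return "".join(headers) + "".join(extra) + nl + body


def write_merged(spool_path, xhdr_path):
    """Rewrite the spool file once: temp file in the same directory, then an
    atomic replace, so a crash never leaves a half-written message behind."""
    with open(spool_path, encoding="latin-1", newline="") as f:
        raw = f.read()
    with open(xhdr_path, encoding="latin-1", newline="") as f:
        xhdr = f.read()
    merged = merge_xhdr(raw, xhdr)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(spool_path)))
    with os.fdopen(fd, "w", encoding="latin-1", newline="") as f:
        f.write(merged)
    os.replace(tmp, spool_path)
    return merged


def snf_headers(raw_message):
    """X-SNF-* headers (folded continuations joined) from a message, e.g. one a
    user forwarded as a false positive; these name the rules that fired."""
    headers, _ = split_headers(raw_message)
    found, current = {}, None
    for line in headers:
        if line[:1] in (" ", "\t"):          # continuation of the previous header
            if current is not None:
                found[current] += " " + line.strip()
            continue
        name, sep, value = line.partition(":")
        if sep and name.lower().startswith(SNF_PREFIX):
            current = name.strip()
            found[current] = value.strip()
        else:
            current = None
    return found


# Constructed spool file, abridged; addresses are placeholders.
SPOOL = (
    "Received: from DM [206.53.51.56] by mail.example.net\n"
    " (SMTPD-8.22) id A08B07E0; Wed, 15 Feb 2006 06:37:31 -0600\n"
    "From: Shane Redmond <sender@example.org>\n"
    "Subject: Diann Helms\n"
    "\n"
    "Braxton,\n"
    "\n"
    "http://uk.geocities.com/proboycott45571\n"
)
# Constructed .xhdr content with hypothetical header names; 831417 is the
# rule number from this thread, the folded " group 5" line exercises unfolding.
XHDR = (
    "X-SNF-Result: 60\n"
    "X-SNF-Rule: 831417\n"
    " group 5\n"
)

if __name__ == "__main__":
    merged = merge_xhdr(SPOOL, XHDR)
    print(merged)
    print(snf_headers(merged))
```

With the headers in place, a false-positive report can quote the X-SNF-* lines straight from the user's forwarded copy instead of asking the administrator to dig the matching entries out of the Sniffer log afterwards.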


Re[2]: [sniffer] False Positives

2006-02-15 Thread Pete McNeil
Jim,

Not at this time. The two processes are entirely different. The False
Positives process is highly interactive. The standardized responses
were implemented to allow for some automation on both sides.

Spam submissions are always treated as anonymous for security reasons
and also because of the volume. At one point today we were processing
5000 spam per hour. At those rates it is not practical to respond to
each submission.

Advanced features near V4 (some time in the future) will allow us to
handle some spam submissions specifically for a particular license ID
--- so there are some plans for this later on. However, for the short
and medium term all spam submissions will remain anonymous.

If you have a chronic spam for which you would like a local black rule
added then you should send a zip'd copy to support@ along with your
requests. We will help you adjust your rulebase accordingly. For
example, some relatively closed systems are able to use broad rules
for certain character sets, file attachment types, or other features
to eliminate messages they simply will never see in practice.

_M

On Wednesday, February 15, 2006, 4:40:50 PM, Jim wrote:

JMJ Pete,
JMJ Is there any way to get an automatic response similar to the one listed below
JMJ for the FP address, but for submissions to your spam@ address?  It would be
JMJ nice to get some feedback when submitting spam.  

JMJ Jim Matuska Jr.
JMJ Computer Tech2, CCNA
JMJ Nez Perce Tribe
JMJ Information Systems
JMJ [EMAIL PROTECTED]

JMJ  


JMJ -Original Message-
JMJ From: [EMAIL PROTECTED]
JMJ [mailto:[EMAIL PROTECTED]
JMJ On Behalf Of Pete McNeil
JMJ Sent: Wednesday, February 15, 2006 1:28 PM
JMJ To: Kevin Rogers
JMJ Subject: Re: [sniffer] False Positives

JMJ On Wednesday, February 15, 2006, 3:54:50 PM, Kevin wrote:

KR My users have been getting a lot of FPs by Sniffer lately.  They send me
KR the email with the FULL HEADERS displayed and I forward this email on to
KR SortMonster.  The program they use to analyze incoming submissions checks
KR MY email headers, determines that SNIFFER was not at fault and sends me
KR back an email saying it didn't find any flags.

JMJ Just to clarify a bit, here is the standard response you're probably
JMJ talking about:

JMJ [FPR:0]

JMJ The message did not match any active black rules as submitted. The rules
JMJ may have been modified or removed. If you provide matching log entries
JMJ from your system then we can research this further.

JMJ Note that sometimes our false processing system may not identify the
JMJ rules that matched this message on your system due to changes in the
JMJ submitted content that might occur during the forwarding process.

JMJ Please also be sure you are running the latest version, that your
JMJ rulebase file is up to date, and that you do not have any unresolved
JMJ errors in your Sniffer log file. Bug fixes in newer versions may resolve
JMJ false positive issues or reduce the risk of false positives through
JMJ enhanced features and new technologies. Certain errors in your log file
JMJ may indicate a corrupted rulebase.

JMJ ---

JMJ The software we use to scan false positive submissions is a version of
JMJ SNF that includes every rule we have in our system. If the message
JMJ does not match any of these rules, MOST of the time it means that the
JMJ rule has been removed already.

JMJ If that is not the case, then the next step is to provide matching log
JMJ entries. On some systems this is not necessary because the headers may
JMJ already contain SNF x-header data that shows the rules involved.

JMJ This process is not intended to make things difficult, but to save
JMJ time. The majority of the time, our local scanner will identify the
JMJ rule or rules in question and we will respond accordingly.

JMJ When that is not the case we simply need more data to move forward
JMJ with the investigation.

JMJ Usually, when a rule is still in the system and it does not match a
JMJ false positive submission it is because the original message was
JMJ altered during the forwarding process or that some condition of being
JMJ attached has prevented the scanner on this end from reproducing the
JMJ result you had on your system.

JMJ Hope this helps,

JMJ _M







Re[2]: [sniffer] False Positives

2006-02-15 Thread Pete McNeil
On Wednesday, February 15, 2006, 4:48:43 PM, Computer wrote:

CHS I second the motion.  We have been submitting spam for over a year and I
CHS don't know if a single one was received.

In general, if you've not received an error during delivery, we most
certainly got your message... it may have even made it to the queue
(if it wasn't already filtered by new rules).

One way to be sure we receive your spam is to create a pop3 box on
your system for your spam submissions and provide us with the login
data (email address (as login), password, FQDN of the pop3 server).

This way, if the mail in that box gets deleted you know one of our
bots has pulled it in and added it to our queues.

_M




