[sniffer] Re: RulePanic on 2654821
Ditto here - already reported it as a False Positive:

<s u='20090908183815' m='D:\IMail\spool\proc\work\Dd948c4c42c68.smd' s='54' r='2654821'><m s='54' r='2654821' i='1905' e='1952' f='m'/><p s='0' t='15' l='4270' d='38'/><g o='0' i='64.78.17.17' t='u' c='0.071429' p='0' r='Normal'/></s>

From: Message Sniffer Community [mailto:snif...@sortmonster.com] On Behalf Of Darin Cox
Sent: Tuesday, September 08, 2009 4:49 PM
To: Message Sniffer Community
Subject: [sniffer] Re: RulePanic on 2654821

Neglected to mention it is a Sniffer-Porn rule.

Darin.

- Original Message -
From: Darin Cox mailto:dc...@4cweb.com
To: Message Sniffer Community mailto:sniffer@sortmonster.com
Sent: Tuesday, September 08, 2009 4:47 PM
Subject: [sniffer] RulePanic on 2654821

We had to put a RulePanic on 2654821. We were getting a ton of FPs on it.

Pete, let us know what's going on with this rule, please.

Darin.
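The scan log entry quoted in the reply above can be tallied to size a false-positive event and list the affected message files for re-queueing. This is an added example, not part of the thread and not Message Sniffer's own tooling; it assumes the entry is an XML `<s>` element whose `u` attribute is a `YYYYMMDDhhmmss` timestamp and whose `r` attribute is the matched rule id, and every sample line except the first is constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# First entry is the one quoted in the thread (angle brackets restored);
# the remaining entries are constructed for illustration.
SAMPLE_LOG = [
    "<s u='20090908183815' m='D:\\IMail\\spool\\proc\\work\\Dd948c4c42c68.smd' s='54' r='2654821'>"
    "<m s='54' r='2654821' i='1905' e='1952' f='m'/><p s='0' t='15' l='4270' d='38'/>"
    "<g o='0' i='64.78.17.17' t='u' c='0.071429' p='0' r='Normal'/></s>",
    "<s u='20090908184102' m='constructed-1.smd' s='54' r='2654821'><m s='54' r='2654821' i='10' e='57' f='m'/></s>",
    "<s u='20090908184530' m='constructed-2.smd' s='0' r='0'><p s='0' t='9' l='1200' d='12'/></s>",
    "<s u='20090908212000' m='constructed-3.smd' s='54' r='2654821'><m s='54' r='2654821' i='3' e='50' f='m'/></s>",
    "truncated entry <s u='2009",  # partial write: must be skipped, not crash the tally
]

# Constructed review window (assumption: timestamps compared as logged, no zone conversion).
WINDOW_START = datetime(2009, 9, 8, 18, 26, 0)
WINDOW_END = datetime(2009, 9, 8, 19, 41, 0)


def parse_scan(line):
    """Return (timestamp, rule_id, message_path), or None if the line is not a complete <s> element."""
    try:
        el = ET.fromstring(line.strip())
        if el.tag != "s" or el.get("r") is None:
            return None
        ts = datetime.strptime(el.get("u", ""), "%Y%m%d%H%M%S")
    except (ET.ParseError, ValueError):
        return None
    return ts, el.get("r"), el.get("m")


def hits_for_rule(lines, rule_id, start, end):
    """Scans whose matched rule is rule_id and whose timestamp falls in [start, end)."""
    hits = []
    for line in lines:
        rec = parse_scan(line)
        if rec and rec[1] == rule_id and start <= rec[0] < end:
            hits.append(rec)
    return hits


def demo():
    """Message files hit by rule 2654821 inside the review window."""
    return [path for _, _, path in hits_for_rule(SAMPLE_LOG, "2654821", WINDOW_START, WINDOW_END)]
```

The returned paths are the candidates to review and re-queue; entries outside the window or matched by other rules are left out.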
[sniffer] Re: RulePanic on 2654821
The scores over here for the messages that trigger on rule 2654821 today:

spam that hit the rule: 4
... and were porn: 0
ham that was held by my weight system: 5
ham that was allowed by my weight system: 3
subsequent panic log lines: 139

Thanks for the heads up, Darin. I was able to re-queue those 5 good messages without the users ever having to call the Helpdesk.

Andrew 8)

From: Message Sniffer Community [mailto:snif...@sortmonster.com] On Behalf Of Darin Cox
Sent: Tuesday, September 08, 2009 1:49 PM
To: Message Sniffer Community
Subject: [sniffer] Re: RulePanic on 2654821

Neglected to mention it is a Sniffer-Porn rule.

Darin.

- Original Message -
From: Darin Cox mailto:dc...@4cweb.com
To: Message Sniffer Community mailto:sniffer@sortmonster.com
Sent: Tuesday, September 08, 2009 4:47 PM
Subject: [sniffer] RulePanic on 2654821

We had to put a RulePanic on 2654821. We were getting a ton of FPs on it.

Pete, let us know what's going on with this rule, please.

Darin.
[sniffer] Re: RulePanic on 2654821
We had a lot... 534 hits between 3:26 and 4:41pm ET, which is when we added the rule panic.

It appears the rule was added in a rulebase that was automatically updated at 3:26pm ET.

Pete? Status?

Darin.

- Original Message -
From: Colbeck, Andrew
To: Message Sniffer Community
Sent: Tuesday, September 08, 2009 5:19 PM
Subject: [sniffer] Re: RulePanic on 2654821

The scores over here for the messages that trigger on rule 2654821 today:

spam that hit the rule: 4
... and were porn: 0
ham that was held by my weight system: 5
ham that was allowed by my weight system: 3
subsequent panic log lines: 139

Thanks for the heads up, Darin. I was able to re-queue those 5 good messages without the users ever having to call the Helpdesk.

Andrew 8)

From: Message Sniffer Community [mailto:snif...@sortmonster.com] On Behalf Of Darin Cox
Sent: Tuesday, September 08, 2009 1:49 PM
To: Message Sniffer Community
Subject: [sniffer] Re: RulePanic on 2654821

Neglected to mention it is a Sniffer-Porn rule.

Darin.

- Original Message -
From: Darin Cox
To: Message Sniffer Community
Sent: Tuesday, September 08, 2009 4:47 PM
Subject: [sniffer] RulePanic on 2654821

We had to put a RulePanic on 2654821. We were getting a ton of FPs on it.

Pete, let us know what's going on with this rule, please.

Darin.
[sniffer] Re: RulePanic on 2654821
Darin Cox wrote:

We had a lot... 534 hits between 3:26 and 4:41pm ET, which is when we added the rule panic. It appears the rule was added in a rulebase that was automatically updated at 3:26pm ET. Pete? Status?

Here is a preliminary report on the bad rule:

The rule was coded in error -- the highlighted section flipped just as the content was copied into the rule generator. As a result unintended content was coded. The intended content was a link of similar size and structure so it was not immediately obvious that an error had occurred.

Storm conditions were high so the error was not noticed immediately by Adam -- recently coded rules quickly scrolled off screen and out of sight.

A rulebase update went out and the error was caught. The rule was removed immediately upon detection (actually -- no rules are ever removed. The bad rule remains in place to prevent it ever being coded again).

The rule appears to have been in place for one or two updates depending upon variable update rates and timing.

I note that several of the FP reports actually came in after the rule had already been removed. There is also evidence that the rule was autopanic'd on many systems rendering it inert.

---

We are reviewing procedures to minimize this possibility and to improve upon detection times.

Circumstances were unusual for this event as we were two people down during a (approximate) 45 minute window at the moment this error occurred and we were also under heavy storm conditions. This combination is very rare, but was unavoidable today.

Under normal circumstances it is very likely we would have caught the error before it went out if the error had occurred at all. Normally rules are under nearly continuous review by at least one additional pair of eyes. (Minimum two brains).

We are very sorry about the trouble.

Best,
_M