[sniffer] Re: XYNTService -- Any Problems?

2008-05-09 Thread Pete McNeil




Hello Matt,

Friday, May 9, 2008, 5:10:29 PM, you wrote:

 I'm sure that I don't speak for everyone, but I would tend to avoid
 third-party service systems, and this would also expose Sniffer to the
 potential pitfalls of that software.

I thought of that -- but given that the requirement is simple, and the
source code for the "business end" of XYNTService is close to what I
would write, it seems like a logical candidate.

 You could provide directions on how to install SRVANY, and then have a
 script that completes the process once the executables are on the
 system. That would be my short-term recommendation. In the long term, I
 would do your own service as opposed to using someone else's container.

Scripts and instructions are subject to interpretation and tend to be
troublesome. Those will still exist for those who want to customize
their installation and want to know where everything is and how it got
there... but for those who don't, we'll set up the installer to do
things in a "standard / predictable" way -- that should save everybody
some time and trouble.

In the long term we will create a number of gadgets that will take care
of running SNFServer (or its core anyway)... but those are different
projects and we want to get V3.0 out there ;-)

One of the big inhibitors right now is the complexity. SNF V3.0 does so
much more than V2.x that it is unavoidably more complex. Not everyone
who can use V3.0 is ready (or willing) to do the technical bits of the
install.

One of the more complicated bits of the installation has been setting
up SNFServer to run as a service. Folks seem to have trouble with this
part of it even if the rest of the install goes without a hitch. I'm
hoping that a simple third-party device that's been out there a while
and can be integrated with our installer will solve that problem nicely.

 I would not recommend distributing XYNTService until you have trialled
 that for several months with a range of systems. The work of properly
 testing this is possibly more work than creating your own service.

I've heard about XYNTService for quite some time and found plenty of
positive references to it. I'm hoping to find some references that are
closer to home. The only problems... In the meantime I'm researching
the few problem reports I can find.

BTW: If we were to develop one in-house it would require at least the
same level of testing.

 All IMO of course.

And well appreciated! :-)

_M



--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.



#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
To unsubscribe, E-mail to: [EMAIL PROTECTED]
To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED]
To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]
Send administrative queries to  [EMAIL PROTECTED]



[sniffer] Re: XYNTService -- Any Problems?

2008-05-09 Thread Pete McNeil
Hello Andrew,

Friday, May 9, 2008, 5:40:14 PM, you wrote:

[snip]

 Since you, as the developer, start with XNTService with the source
 code,

 http://www.codeproject.com/KB/system/xyntservice.aspx

 then you can modify it and deploy it any way you want

[snip]

 So it does seem less bad than at first, but if you're going to be
 supporting XNTService because you built it, and you're going to be
 supporting your own SNFServer.exe because you built it... you'd aim
 higher and write SNFServer.exe as a Windows Service anyway.

Actually -- the way things look moving forward we will probably keep
the SNFServer executable as it is and then keep any service stub
separate. There are a lot of advantages to this approach.

I understand your point though.

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer] New version: Engine 24, MDPlugin 6

2008-04-25 Thread Pete McNeil
Hello Sniffer Folks,

This release is an upgrade more than a bug fix. Replace your
SNFServer.exe or snfmdplugin.dll as appropriate.

No changes have been made to the configuration file.

This version improves memory management in the SNF Engine for improved
performance, improves the header injection mechanism for improved
reliability, and improves logging for IP scans done with the MDaemon
plugin.

As usual you can get the latest distributions here:

http://kb.armresearch.com/index.php?title=Message_Sniffer.GettingStarted.Distributions#NEW_SNF_V2-9_Wide_Beta

Here is an excerpt from the change log (this time from the MDaemon
plugin change log since it contains all changes from the last
version):

20080424 - Version V2-9rc6.24.6

Refactored snfScanData.clear() to reduce heap work and fragments.

Added mutex to scanMessageFile() entry point just in case some app attempts to
put multiple threads through a single engine handler. scanMessage() is already
protected and fully wrapped by the new scanMessageFile() mutex.

Added non-specific runtime exception handling to XHDR injection code.

Added 2 retries w/ 300ms delay to remove original message in XHDR inject code.
If remove fails after 3 attempts the injector throws.

Added 2 retries w/ 300ms delay to rename temp file to msg in XHDR inject code.
If rename fails after 3 attempts the injector throws.

Added IPTest logging.

--

Best,

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.


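The remove-then-rename retry logic in the change log above, as an added example that is not the plugin's own code: `inject_header` writes the modified message to a temp file, retries removing the original and renaming the temp file (three attempts each, with a configurable delay) and raises once the attempts are exhausted. The injectable `remove`/`rename` parameters, the `flaky` fault injector and the sample message are constructed for the demonstration; the engine mutex from the same entry is out of scope here.

```python
"""Header injection with bounded retries.

Added example, not the SNF plugin's code: mirrors the change log entry above
(write a temp file, remove the original, rename temp to msg, two retries with
a delay, throw once three attempts have failed).
"""
import os
import tempfile
import time
from pathlib import Path
from typing import Callable, Optional


class InjectError(RuntimeError):
    """The original could not be removed, or the temp file could not be renamed."""


def retry(op: Callable[[], None], what: str, attempts: int = 3, delay_s: float = 0.3) -> int:
    """Run op at most `attempts` times; return the attempt that succeeded or raise."""
    last: Optional[OSError] = None
    for n in range(1, attempts + 1):
        try:
            op()
            return n
        except OSError as exc:          # sharing violation, AV scanner lock, etc.
            last = exc
            if n < attempts:
                time.sleep(delay_s)
    raise InjectError(f"{what} failed after {attempts} attempts: {last}")


def inject_header(msg_path: Path, header_line: str, *, remove=os.remove, rename=os.rename,
                  attempts: int = 3, delay_s: float = 0.3) -> dict:
    """Prepend one header line to the message file at msg_path.

    `remove`/`rename` are injectable (hypothetical parameters, not SNF's API) so
    the retry path can be exercised without a real file lock.
    """
    name_value = header_line.rstrip("\r\n")
    # Refuse anything that would smuggle extra header lines into the message.
    if "\r" in name_value or "\n" in name_value or ": " not in name_value:
        raise ValueError("header_line must be a single 'Name: value' line")

    original = msg_path.read_bytes()
    eol = b"\r\n" if b"\r\n" in original[:1024] else b"\n"   # keep the file's line ending
    tmp_path = msg_path.with_name(msg_path.name + ".snftmp")
    tmp_path.write_bytes(name_value.encode("ascii") + eol + original)

    try:
        removes = retry(lambda: remove(msg_path), "remove original", attempts, delay_s)
    except InjectError:
        tmp_path.unlink(missing_ok=True)    # original untouched: drop the temp copy
        raise
    try:
        renames = retry(lambda: rename(tmp_path, msg_path), "rename temp to msg", attempts, delay_s)
    except InjectError as exc:
        # The original is already gone; the complete message survives in tmp_path.
        raise InjectError(f"{exc}; message preserved at {tmp_path}") from exc
    return {"remove_attempts": removes, "rename_attempts": renames}


def flaky(op: Callable, fail_times: int) -> Callable:
    """Wrap a file operation so its first `fail_times` calls raise (constructed fault)."""
    calls = {"n": 0}

    def wrapper(*args):
        calls["n"] += 1
        if calls["n"] <= fail_times:
            raise PermissionError("simulated sharing violation")
        return op(*args)
    return wrapper


def run_scenarios() -> dict:
    """Exercise the retry paths on a constructed message in a scratch directory."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        msg, tmp = Path(d) / "md123.msg", Path(d) / "md123.msg.snftmp"
        original = b"From: a@example.com\r\nSubject: t\r\n\r\nbody\r\n"   # constructed

        msg.write_bytes(original)   # 1) remove fails twice, succeeds on the third try
        results["retry_ok"] = inject_header(msg, "X-SNF-Test: ok", remove=flaky(os.remove, 2), delay_s=0)
        results["injected"] = msg.read_bytes() == b"X-SNF-Test: ok\r\n" + original and not tmp.exists()

        msg.write_bytes(original)   # 2) remove never succeeds: error, original untouched
        try:
            inject_header(msg, "X-SNF-Test: ok", remove=flaky(os.remove, 3), delay_s=0)
            results["remove_exhausted"] = "no error raised"
        except InjectError:
            results["remove_exhausted"] = msg.read_bytes() == original and not tmp.exists()

        try:                        # 3) rename never succeeds: message kept in the temp file
            inject_header(msg, "X-SNF-Test: ok", rename=flaky(os.rename, 3), delay_s=0)
            results["rename_exhausted"] = "no error raised"
        except InjectError as exc:
            results["rename_exhausted"] = "preserved" in str(exc) and tmp.exists() and not msg.exists()
    return results
```

On a current Python, `os.replace` performs the remove-and-rename as one step (MoveFileEx with replace on Windows) and avoids the window in which the message exists only under the temp name; the two-step form is kept here to mirror the change log.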



[sniffer] Re: Source distribution corrected re: snf2check utility

2008-04-24 Thread David Pearson
Pete,

I'm using Mdaemon and my plugin is messing up today. I went ahead and
installed the new v2.9rc. I made sure to put my licenseid and auth number in
the identity.xml file. Nothing changed because I did a copy and paste.

Now when I start MDaemon I receive an error that says: Unable to
authenticate rulebase

Here's what the plug-ins section tells me:

Thu 2008-04-24 14:35:24: Attempting to load 'SNF' plugin
Thu 2008-04-24 14:35:24: *  ConfigFunc: [EMAIL PROTECTED] (Ok, ready to use)
Thu 2008-04-24 14:35:24: *  StartupFunc: [EMAIL PROTECTED] (Ok, ready to use)
Thu 2008-04-24 14:35:24: *  ShutdownFunc: [EMAIL PROTECTED] (Ok, ready to use)
Thu 2008-04-24 14:35:24: *  PreMessageFunc:  (NULL)
Thu 2008-04-24 14:35:24: *  PostMessageFunc: [EMAIL PROTECTED] (Ok, ready to use)
Thu 2008-04-24 14:35:24: *  SMTPMessageFunc: [EMAIL PROTECTED] (Ok, ready to use)
Thu 2008-04-24 14:35:24: *  SMTPMessageFunc2:  (NULL)
Thu 2008-04-24 14:35:24: *  SMTPMessageFunc3:  (NULL)
Thu 2008-04-24 14:35:24: *  DomainPOPMessageFunc:  (NULL)
Thu 2008-04-24 14:35:24: *  MultiPOPMessageFunc:  (NULL)
Thu 2008-04-24 14:35:24: *  Result: success (plugin DLL loaded in slot 0)
Thu 2008-04-24 14:35:24: --
Thu 2008-04-24 14:35:24: SNF plugin is starting up
Thu 2008-04-24 14:35:26: --
Thu 2008-04-24 14:35:44: SNF IPScan: c:\mdaemon\temp\md506.tmp, Engine Not Ready!
Thu 2008-04-24 14:35:46: SNF MessageScan: c:\mdaemon\remoteq\md50001065387.msg, Engine Not Ready!
Thu 2008-04-24 14:36:04: SNF IPScan: c:\mdaemon\temp\md508.tmp, Engine Not Ready!
Thu 2008-04-24 14:36:05: SNF IPScan: c:\mdaemon\temp\md509.tmp, Engine Not Ready!

Not sure what I'm doing wrong. Any ideas?

Thanks,
David




[sniffer] Re: Source distribution corrected re: snf2check utility

2008-04-24 Thread David Pearson
Sorry - meant this version: SNFv2-9rc5.23.6




[sniffer] Re: Source distribution corrected re: snf2check utility

2008-04-24 Thread Peer-to-Peer (Support)
Check to be certain your .snf rulebase is in the Mdaemon\SNF folder

--PTP




[sniffer] Re: Source distribution corrected re: snf2check utility

2008-04-24 Thread Pete McNeil
Hello David,

Thursday, April 24, 2008, 2:46:34 PM, you wrote:

 Sorry - meant this version: SNFv2-9rc5.23.6

A little off topic for this thread.

Check that the snfmdplugin.xml is set up correctly - especially,
provide full paths.

If you still have trouble then send us a note at support@ and include
your configuration log and config files.

Thanks,

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer] Source distribution corrected re: snf2check utility

2008-04-21 Thread Pete McNeil
Hello Sniffer Folks,

The source distribution of the SNF2-9 beta/rc has been corrected. The
previous build of the source distribution was missing a compile
script.

The new build -- just uploaded -- contains a compile script and some
minor modifications to the source code so that it can be built in the
SNF2Check directory.

NO OTHER MODIFICATIONS WERE MADE ;-)

Best,

_M


-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer] RePost Overview of Upgrade Process from 2.3x SNF to 2-9 (V3) SNF

2008-04-18 Thread Pete McNeil
Hello Sniffer Folks,

It turns out that our link to the Mail Archive has been off-line for a
bit and I'm still getting questions about the upgrade process so I'm
going to re-post the overview we published on 20080411. Here we go:

 I'm running win2003 with Imail, Mxguard v3.2 and Sniffer 2-3.2.  I set
 this up a ways back and have yet to upgrade to any of the beta client 
 versions primarily due to lack of documentation about exactly how to 
 accomplish the upgrade.

Similar questions are coming up quite a bit so I'm going to provide an
overview of the process here. Note that the SNFServer_readme.txt and
SNFClient_readme.txt files provide a great deal of information so
please do read them carefully.

The following is an overview for folks who have been using previous
command line versions of SNF (2.3x) and are now upgrading to the new
version 2-9rc (soon to be V3).

___
FIRST - SOME THINGS YOU SHOULD KNOW

There are two fundamental differences between the old version and the
new version that you need to be aware of:

1. The new version uses a Client - Server model and the old version
used a Peer - Server model. That means that with the old version you
could use one program to act as a server or client while the new
version has two programs that only do one thing each: either server or
client.

Most folks would set up the old version of SNF using a persistent
instance to improve performance. In that case the same program would
be called in two different ways with the persistent instance acting
like a server and the scanning instance (called by Declude, or
mxGuard, postfix, or some other program) acting like a client.

Persistent instance: licenseid.exe authenticationxx persistent

Scanning instance: licenseid.exe authenticationxx messagefile

The new version can be used the same way but you must use separate
programs such as:

Persistent instance: SNFServer.exe configurationfile

Scanning instance: SNFClient.exe messagefile

Note that it is also ok to do this:

Scanning instance: SNFClient.exe authenticationxx messagefile

or even this:

copy SNFClient.exe to licenseid.exe

Scanning instance: licenseid.exe authenticationxx messagefile

(( DON'T GO OFF AND DO THAT YET -- THERE IS A BETTER WAY ))

So, as long as you have the SNFServer running, you can use the
SNFClient in mxGuard, Declude, postfix, or other programs the same way
that you used the old version. If the new version gets an
authentication string on its command line, it ignores it -- that way
it is backward compatible with the old version.

The trick is: You must have the SNFServer running with the new
version. The old version would load the rulebase itself and scan the
message if it did not find a server instance. The new SNFClient
can't do that-- instead, it will wait while it tries to connect to
SNFServer, and if it can't it will return 0 (fail safe).

2. The new version includes an IP reputation system that learns as it
goes so you must tell it about your network if you have any gateways
or other systems that you don't want it to learn about.


SO HOW DO I UPGRADE WITH THE LEAST AMOUNT OF [EMAIL PROTECTED])#!

1. Download the latest version (StdTestPackage) from here:

http://kb.armresearch.com/index.php?title=Message_Sniffer.GettingStarted.Distributions#NEW_SNF_V2-9_Wide_Beta

2. Create a SNF folder in the appropriate place on your system. This
should be at the same level as your current sniffer installation. That
said, it really doesn't matter where you put it - so whatever works
for you is fine.

3. Copy all of the files in the distribution to your SNF folder.

4. Read through the SNFServer_readme.txt file and follow its
instructions to set up your snf_engine.xml, identity.xml, and
GBUdbIgnoreList.txt files.

Most folks will only have to put their licenseid and authentication
string into their identity.xml file, and update the paths at the top
of the snf_engine.xml file.

If you have gateways and other systems that you need to ignore as
infrastructure then you will need to modify the GBUdbIgnoreList.txt
file and possibly the <drilldown/> section of your snf_engine.xml
file.

5. ** We recommend that you also set up the new automated update
system which consists of the <update-script/> section of the
snf_engine.xml file and the getRulebase.cmd script.

5.1. Be sure that the full path to the getRulebase.cmd script is
correct in the <update-script/> section of your snf_engine.xml file.

5.2. Be sure that you have edited your getRulebase.cmd file with the
correct path, your license id, and your authentication string.

5.3. You can test the getRulebase.cmd script by creating an
UpdateReady.txt file in your SNF directory and then running the
getRulebase.cmd script. It should download a fresh copy of your
rulebase file and you should be able to see it do this on your screen.

6. Test your SNFServer installation by running it from your command
line. If you've installed your 

[sniffer] Australian Bank Junk Emails

2008-03-08 Thread David Moore
We consistently get Australian bank phishing junk emails that sortmonster
doesn't seem to pick up. Can you add the following banks to your rules, as
banks very rarely send out emails?

ANZ Bank
WestPac
St George
National Australia Bank
Bank of Queensland

Full list here http://www.afsd.com.au/banks1.html

Regards David Moore

[EMAIL PROTECTED]

J.P. MCP, MCSE, MCSE + INTERNET, CNE.

www.adsldirect.com.au for ADSL and Internet www.romtech.com.au for PC sales

Office Phone: (+612) 9453 1990
Fax Phone: (+612) 9453 1880
Mobile Phone: +614 18 282 648
Skype Phone: ADSLDIRECT

POSTAL ADDRESS:
PO BOX 190
BELROSE NSW 2085
AUSTRALIA.


[sniffer] MXScan for MailEnable

2008-03-07 Thread Pete McNeil
Hello Sniffer Folks,

For those of you considering MailEnable, MX Uptime (www.mxuptime.com)
has an anti-spam plugin that includes a fully integrated SNFEngine
(the new version!).

Just put in your login code and authentication string and you're good
to go. Here's a screen shot link: http://www.mxuptime.com/screenshots/3b.jpg

If you try this out please post a note to let us all know how it works
for you.

Thanks!

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer] Version 2-9rc1.8.2 Release Candidate (Std Test Package), and other plans/announcements!...

2008-03-07 Thread Pete McNeil
Hello Sniffer Folks,

Today I'm releasing the first release candidate for what will become
version 3 this quarter!

You can find the latest here as it arrives:

http://kb.armresearch.com/index.php?title=Message_Sniffer.GettingStarted.Distributions#NEW_SNF_V2-9_Wide_Beta

Over the next few days we will be updating the MDaemon DLL with the
new engine and a new feature or two.

Then we will update the source distribution for *nix & OEM systems.

Then we will be launching two SDKs -- one is a .SO for *nix systems
and the other is a DLL for Win* systems.

Along the way we will be launching a new web site with documentation
for the new version.

Then later this year (Q2 - Q3 perhaps) we'll be launching DNS based IP
reputation services.

For now -- back to this moment in time and the new SNFServer and
SNFClient release. There are extensive updates to both the client and
server programs. Be sure to go through the readme files if you are
upgrading.

Also - if you are upgrading you will want to update your
snf_engine.xml file to cover the new features. (GHASP! What if I
forget to do that?!!) -- If you don't get to it right away then your
existing snf_engine.xml file will work fine... but do get the update
process on your to-do list so you can take advantage of the new
features and improved default settings.

Here is a chunk of the change log to show you what is new since version
2-9b1.5.1:

20080306 - SNF2-9rc1.8.exe (FIRST RELEASE CANDIDATE for VERSION 3!)

Added Drilldown Header Directive Functions - When the candidate source IP
comes from a header matching a drilldown directive the IP is marked Ignore
in GBUdb and the candidate is no longer eligible to be the source for that
message. This allows SNF to follow the trusted chain of devices (by IP) down
to the actual source of the message. It is handy for ignoring net blocks
because it can match partial IPs but it is designed to allow SNF to learn
its way through the servers at large ISPs so that the original source for
each message can be evaluated directly.

Added Source Header Directive Functions - This feature allows SNF to
acquire the source IP for a message from a specific header rather than
searching through the Received headers in the message. This is useful
when the original source for a message is not represented in Received
headers. For example: Hotmail places the originating source IP in a
special header and does not provide a Received header for that IP.
This feature is protected from abuse by a Context feature which only
activates the source header directive when specific content is found
in a specific received header. Using the above example, this feature
can be configured so that a Hotmail source header would only be read
if the top Received header contained hotmail.com [ indicating that
the ptr lookup for the header matched the hotmail domain. Note: When a
source is pulled from a header directive that source is put into a
synthetic Received header and injected into the scanning stream (not
the message) as the first Received header.

Added forced source IP to XCI - It is now possible to inject or force
the source IP for any message by providing that IP in the XCI request or
directly in a scan...() function call. This allows the calling application
to provide the source IP for a message ahead of any Received headers that
might be in the message. This is useful when the calling application knows
the original source IP for the message but that IP is not represented in
the Received headers and it is not desirable to use the Source Header
Directive mechanism.

Added forced source IP mode to SNFClient - It is now possible to call the
SNFClient utility with an IP4Address using the syntax:

SNFClient -source=12.34.56.78

The -source mode of SNFClient exercises the forced source IP feature in
the XCI (see above)

Added Status Report features to SNFClient and XCI - It is now possible to
request the latest status.second, status.minute, or status.hour data via
the XCI and SNFClient. The syntax for requesting a status report using the
SNFClient is:

SNFClient -status.second
SNFClient -status.minute
SNFClient -status.hour

In addition to providing status reports the SNFClient in this mode will
return a nonzero value (usually 99) if it is unable to get a status report
from SNFServer. This feature can be used to verify that SNFServer is up
and responding. If SNFServer is OK then the result code returned is 0.

Added result codes to SNFClient -test and XCI IP test functions - The XCI
engine has been upgraded to provide the range value for the IP under test
as well as the symbolic result code associated with that range. This allows
the -test function to provide results that are consistent with the GBUdb
configuration without additional processing: For example, if the IP falls
in the Caution range then the Caution result code will be returned just
as if a message had been scanned with the same IP and no pattern match
occurred. The same is true for Truncate and Black 
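The drilldown and source-header directive logic described in the change log above, as an added example that is not SNF's own code: `select_source_ip` skips trusted hops that match partial-IP drilldown rules (recording them as Ignore), activates a source header directive only when the context in the expected Received header matches, injects the result as a synthetic first Received header for the scanning stream, and also honours a forced source IP as the `-source=` mode does. The rule shape (`SourceDirective`), header names, hostnames and all addresses are constructed for the example; the context is assumed to be checked against the Received headers that remain after drilldown.

```python
"""Source-IP selection with drilldown and source-header directives.

Added example (not SNF's code): models the header directive features in the
change log above plus the forced source IP. Rule shapes, header names and all
addresses are constructed for illustration.
"""
import re
from email import message_from_string
from typing import Iterable, List, NamedTuple, Optional, Set, Tuple

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


class SourceDirective(NamedTuple):
    header: str            # header carrying the originating IP, e.g. X-Originating-IP
    context_ordinal: int   # which Received header must match (0 = first after drilldown)
    context_pattern: str   # content that must appear in that Received header


# Constructed message: two trusted internal hops, then a relay that records
# the real origin in a private header instead of a Received header.
SAMPLE_RELAYED = """\
Received: from gw2.example.net [10.0.0.2] by mx.example.net; Mon, 10 Mar 2008 10:00:03 -0500
Received: from gw1.example.net [10.0.0.1] by gw2.example.net; Mon, 10 Mar 2008 10:00:02 -0500
Received: from bay0-omc1.hotmail.com [198.51.100.5] by gw1.example.net; Mon, 10 Mar 2008 10:00:01 -0500
X-Originating-IP: [203.0.113.77]
Subject: constructed test message

body
"""

# Constructed message: same private header, but the context does not match,
# so the directive must stay inactive and the header is not trusted.
SAMPLE_UNTRUSTED = """\
Received: from mail.other.example [192.0.2.9] by mx.example.net; Mon, 10 Mar 2008 11:00:00 -0500
X-Originating-IP: [203.0.113.77]
Subject: constructed test message

body
"""

HOTMAIL_DIRECTIVE = SourceDirective("X-Originating-IP", 0, "hotmail.com [")


def first_bracketed_ip(text: Optional[str]) -> Optional[str]:
    """Return the first [a.b.c.d] literal in a header value, or None."""
    m = IP_RE.search(text or "")
    return m.group(1) if m else None


def matches_drilldown(ip: str, prefixes: Iterable[str]) -> bool:
    """Partial-IP match: '10.0.0.' covers a whole block, '10.0.0.1' one host."""
    return any(ip == p or (p.endswith(".") and ip.startswith(p)) for p in prefixes)


def select_source_ip(raw_message: str, drilldown_prefixes: Iterable[str],
                     directives: Iterable[SourceDirective], gbudb_ignore: Set[str],
                     forced_ip: Optional[str] = None) -> Tuple[Optional[str], List[str]]:
    """Return (source IP, Received headers as the scanner would see them).

    gbudb_ignore is updated with every hop the drilldown rules skipped.
    """
    msg = message_from_string(raw_message)
    received = [" ".join(v.split()) for v in msg.get_all("Received", [])]
    prefixes = list(drilldown_prefixes)

    # Forced source IP (XCI request / SNFClient -source=): wins over all headers.
    if forced_ip is not None:
        return forced_ip, [f"from forced-source [{forced_ip}] by snf-scan"] + received

    # Drilldown: trusted devices at the top are marked Ignore and skipped,
    # so the candidate becomes the first hop that is not ours.
    head = 0
    while head < len(received):
        ip = first_bracketed_ip(received[head])
        if ip is None or not matches_drilldown(ip, prefixes):
            break
        gbudb_ignore.add(ip)
        head += 1
    chain = received[head:]

    # Source header directive, gated by context so a spoofed header is ignored
    # unless the expected relay really delivered the message.
    for d in directives:
        if d.context_ordinal >= len(chain):
            continue
        if d.context_pattern.lower() not in chain[d.context_ordinal].lower():
            continue
        ip = first_bracketed_ip(msg.get(d.header))
        if ip:
            synthetic = f"from {d.header} directive [{ip}] by snf-scan"
            return ip, [synthetic] + received   # injected as the first Received header

    return (first_bracketed_ip(chain[0]) if chain else None), received


if __name__ == "__main__":
    ignored: Set[str] = set()
    print(select_source_ip(SAMPLE_RELAYED, ["10.0.0."], [HOTMAIL_DIRECTIVE], ignored), ignored)
```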

[sniffer] Re: Version 2-9rc1.8.2 Release Candidate (Std Test Package), and other plans/announcements!...

2008-03-07 Thread Shawn Park
Pete,
Great new features.  I can't wait to get this installed.

Thanks for the hard work.

Shawn


On Fri, Mar 7, 2008 at 12:24 PM, Pete McNeil [EMAIL PROTECTED]
wrote:

 Today I'm releasing the first release candidate for what will become
 version 3 this quarter!



[sniffer] Gateway solution

2008-03-06 Thread David Fletcher
We currently have Sniffer running as a SpamAssassin plugin on a BSD box.
This server is acting as a gateway for inbound email and we have been
very pleased with the results.

We are re-evaluating our setup in light of a lack of BSD/Linux/Unix
experience in our staff and are looking for suggestions.  We would like
a windows based solution for a gateway.  The following features are
greatly desired:

.Message Sniffer (of course)
.Recipient verification (may be based on a text file of valid addresses
or query of the backend server)
.Greylisting
.Integration with SpamAssassin would be ideal
.Virus scanning is also required.  ClamAV or the like is fine for our
needs.

We have a relatively low message volume, and cost is a consideration.

Thanks,
David



[sniffer] Re: Gateway solution

2008-03-06 Thread Nick Marshall
We use XWall (www.dataenter.com) on some of our
gateway servers - it's very efficient, but not sure about running Sniffer on
there - however, it's no-doubt possible. It's described as a product for
feeding into Exchange, but in reality it works with any SMTP server.

Nick Marshall

Giacom World Networks Ltd

Tel +44 (0) 870 740 

Mobile +44 (0) 7799 060 555

Fax +44 (0) 870 740 7177

[EMAIL PROTECTED]

IMPORTANT:

Legally privileged/confidential information may be contained in this
message. If you are not the addressee(s) legally indicated in this message
(or responsible for delivery of the message to such person), you may not
copy or deliver this message to anyone. In such case, you should destroy
this message, and notify us immediately. If you or your employer does not
consent to Internet e-mail messages of this kind, please advise us
immediately. Opinions, conclusions and other information expressed in this
message are not given or endorsed by my firm or employer unless otherwise
indicated by an authorised representative independent of this message.

Please note that neither my employer nor I accept any responsibility for
viruses and it is your responsibility to scan attachments (if any). This
email and any files transmitted are confidential and intended solely for the
use of the individual or entity to which they are addressed. If you have
received this email in error, please notify me by returning the email.

Giacom mail management by MessageStream 


[sniffer] Re: Gateway solution

2008-03-06 Thread Pete McNeil
Hello Nick,

Thursday, March 6, 2008, 10:25:18 AM, you wrote:

 We use XWall (www.dataenter.com) on some of our gateway servers - it's very efficient, but not sure about running Sniffer on there - however, it's no-doubt possible. It's described as a product for feeding into Exchange, but in reality it works with any SMTP server.

Would you be willing to do some experimenting with this using the new version of SNF?

Since you already have experience with XWall that would probably go quickly for you.

If you could develop a quick installation guide with some screen shots then we can post XWall as an additional integration option.

Thanks for the tip!

_M

--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.



#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
To unsubscribe, E-mail to: [EMAIL PROTECTED]
To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED]
To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]
Send administrative queries to  [EMAIL PROTECTED]



[sniffer] AW: [sniffer] Re: Gateway solution

2008-03-06 Thread Hirthe, Alexander
We use NoSpamToday (http://www.nospamtoday.com/download/server/), it's cheap 
(compared to the other commercial gateways), runs on Windows, has SA 
integrated, Greylisting and so on.
But - no Sniffer. This runs on the IMail one step later :)

Alex








Siller AG, Wannenaeckerstrasse 43, 74078 Heilbronn
Vorstand: Prof. H.-F. Siller (Vorsitzender), Joern Buelow, Ralf Michi
Aufsichtsratsvorsitzender: Armin Sohler
Reg. Gericht Stuttgart, HRB 107707, Ust-Id Nr. DE145782955


[sniffer] Re: Gateway solution

2008-03-06 Thread Nick Marshall
Leave it with me.

Nick Marshall


[sniffer] Status screen of SNFServer - What does it mean?

2008-02-29 Thread Shawn Park
Hello,
I am using the latest beta of Message Sniffer.


Can you please tell me what all of the #'s are on the status screen when
SNFServer is running?

Obviously M/min is messages per minute, but what do the following mean?

SP:
LR:
[0/13   / 0 ]   (the slash spins clockwise here)
W:
C:
B:
T:
S:



Thanks,
Shawn


[sniffer] Away from office

2008-02-29 Thread nick . marshall
I'm out of the office until Monday March 3rd. 

In the meantime, you can contact Richard Hirst at [EMAIL PROTECTED] or call 
0870 740 .

Thank you










[sniffer] Proper way to set up a SNFServer on its own box

2008-02-27 Thread Shawn Park
Hello,
I searched the Wiki but could not find a proper answer to this question.

If I have my mail server on its own server, and I want to have Message
Sniffer on its own server, how would I go about setting this up?


I will have the SNFServer instance running on its own server.  Does
SNFClient.exe still get called on the server that is running the mail
server?

If so, how do I set up SNFClient so it knows where to find the SNFServer?
For the trial I had everything running on 1 server and it was easy to get
working.  But now I have purchased a copy I want to put SNFServer on its
own box.


Thanks,
Shawn


[sniffer] Re: Proper way to set up a SNFServer on its own box

2008-02-27 Thread Pete McNeil
Hello Shawn,

Wednesday, February 27, 2008, 2:57:29 PM, you wrote:

 Hello,

 I searched the Wiki but could not find a proper answer to this question.

 If I have my mail server on its own server, and I want to have Message Sniffer on its own server, how would I go about setting this up?

 I will have the SNFServer instance running on its own server. Does SNFClient.exe still get called on the server that is running the mail server?

 If so, how do I set up SNFClient so it knows where to find the SNFServer?  For the trial I had everything running on 1 server and it was easy to get working. But now I have purchased a copy I want to put SNFServer on its own box.

At the moment SNFServer and SNFClient need to run on the same box. SNFClient calls the SNFServer via localhost TCP. SNFServer processes the message as a file on the local file system.

If you want to run SNF on a gateway then that gateway must run some software to process the email going through that gateway - either an SMTP proxy like eWall, or an actual SMTP server connected to SNF such as a postfix on a *nix box. There are many options for gateway solutions - the choice depends upon your needs.

Hope this helps,

_M

--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.






[sniffer] Bad Rule Alert - 1771029

2008-02-26 Thread Pete McNeil
Hello Sniffer Folks,

Rule ID 1771029 was coded incorrectly for a URL fragment and matched
some common dtd reference code.

The rule has already been removed but it was posted to some rulebase
files before the error was discovered.

The rule was created earlier today (2008-02-26 06:00:18) and destroyed
moments ago (2008-02-06 16:10:00).

Our sincere apologies,

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.








[sniffer] Re: Ideal config for scalable solution?

2008-02-22 Thread Colbeck, Andrew
Paul, since you're working in a Windows world, check out Alligate from
alligate.com as a Windows platform based email gateway.

I've put Alligate in front of my Declude setup and it drastically
reduced the number of emails I had to scan for content and sender in
Declude, and gained back a lot of disk time and cpu time. The product
can share your existing server, but is recommended for a dedicated
gateway. It can scale to many gateways while sharing a central database.
It'll do everything you want, actually.

That's as much as I'm going to say here, because this list is all about
Message Sniffer.

If you were a *nix shop, you would still lean towards having a dedicated
gateway server (or many) and your CPU hog would be spamassassin, which
you would run in a client/server model to shift the CPU usage to other
boxes.

Meanwhile, you might check the Declude support list for scalability tips
with your existing setup.


Andrew.






[sniffer] Re: Ideal config for scalable solution?

2008-02-22 Thread Pete McNeil
Hello Paul,

Thursday, February 21, 2008, 7:52:55 PM, you wrote:

 Ie, ideal for processing/serving 10+ million emails per day in an
 imail/declude/snf configuration.  SNF seems to generally be the big
 processor hog (though the new beta has definitely made huge performance
 improvements over the prior version).

One of our test platforms uses a single 2.6G processor, IMail, and SNF
and consistently handles > 4.6 million messages per day. (Typ 2800 -
4500 msg/minute) Of course, that's a special application (pre-screening
inbound traps) but it does give a rough idea what is possible in your
chosen environment.

 OK...this is a bit off-topic, but I'm looking for some feedback in how to
 plan for handling this type of load (current load is between 1.3m and
 1.8m/day).

 Should I just throw more high performance hardware at it?

Probably not.

 Scale out perhaps by dedicating a server to just the junk mail scanning.
 Then have a relatively wimpy server taking care of normal Imail stuff
 (recipient of the declude/snf clean and/or tagged emails).

Two key problems with the IMail platform are that it never stops taking
messages and it doesn't support any kind of dynamic connection
blocking. Fixing these problems allows IMail to scale to numbers like
that.

One way to go there would be to set up proxy gateways using eWall in
front of your IMail servers. Put SNF on eWall and use it to reject
dictionary harvest attacks and possibly even some traffic based on
SNF. Definitely use SNF truncate events to add sources to the eWall
blacklist. Generally this approach alone will kill off a LOT of
traffic that would otherwise bog down IMail/Declude without
introducing false positives. You would have many additional options
with eWall in this configuration - but you wouldn't need them
necessarily and since eWall is amazingly inexpensive you would be
getting a big bang for your buck.

Your IMail servers w/ Declude could sit behind a pair of eWall
gateways (for redundancy) and provide all of the flexibility and
additional testing you're used to -- so you wouldn't need to re-tool
your infrastructure very much.

You probably don't want to scale up using heavy hardware. Instead, use
cheaper - more generic hardware and increase your redundancy. One good
reason for this philosophy is that if you have a pair of very high -
end boxes handling *anything* and one of them dies then it is unlikely
the remaining box will be able to absorb twice as much *anything* as
it normally handles. In contrast, when one of three moderate boxes
handling *anything* dies, the remaining two boxes are very likely to be
able to absorb 50% more traffic each.

 Along that line of thought, can SNF be configured to work directly with the
 MS/IIS SMTP server?  This combo could work great as a spam-killing gateway.

Yes and no. IIRC, ORF uses IIS SMTP and will tie in SNF nicely.

Also - if you have some skills you could tie SNF into IIS SMTP using
our DLL (not published yet, but available and in use on a number of
proprietary systems).

Out of the box we don't have an SNF + IIS SMTP solution (yet).

 Has anyone assembled this sort of configuration in a load balanced/redundant
 environment?

It has been done. Most that I know of who have done this eventually
moved away from IMail/Declude as they grew beyond the numbers you're
talking about and developed their own proprietary filtering platform
(using SNF as its core) on top of a more robust EMail platform
(Communigate for example).

Others who are comfortable with mixed environments have deployed SNF
in their gateways.

The general model for scalability is to isolate inbound gateways,
user-centered email servers (pop, imap) and outbound gateways into
separate layers with their own redundancies. It is also common for
each layer to use its own hardware and software platforms - each best
suited to the specific task.

Hope this helps,

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer] Re: Ideal config for scalable solution?

2008-02-22 Thread Pete McNeil
Hello Andrew,

Friday, February 22, 2008, 4:37:18 AM, you wrote:

[snip]

 If you were a *nix shop, you would still lean towards having a dedicated
 gateway server (or many) and your CPU hog would be spamassassin, which
 you would run in a client/server model to shift the CPU usage to other
 boxes.

Of course, SNF also can plug into SA. However SNF tends to be much
leaner than SA with comparable (or even slightly better) capture
rates. You may want to run SNF in front of SA to get rid of most of
the junk and rapidly inform local blocking lists and gray-listing
mechanisms. The combination of SA & SNF is superior to either on its
own if you have the technical resources.

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer] Ideal config for scalable solution?

2008-02-21 Thread Paul Rogers
Ie, ideal for processing/serving 10+ million emails per day in an
imail/declude/snf configuration.  SNF seems to generally be the big
processor hog (though the new beta has definitely made huge performance
improvements over the prior version).

OK...this is a bit off-topic, but I'm looking for some feedback in how to
plan for handling this type of load (current load is between 1.3m and
1.8m/day).

Should I just throw more high performance hardware at it?

Scale out perhaps by dedicating a server to just the junk mail scanning.
Then have a relatively wimpy server taking care of normal Imail stuff
(recipient of the declude/snf clean and/or tagged emails).  

Along that line of thought, can SNF be configured to work directly with the
MS/IIS SMTP server?  This combo could work great as a spam-killing gateway.

Has anyone assembled this sort of configuration in a load balanced/redundant
environment?

Paul ---








[sniffer] Message Sniffer Purchase requirement

2008-02-20 Thread Shawn Park
Hello,

We have been evaluating Message Sniffer for the past month and are ready to
make a purchase, but we have one question.


On the order page, it states:

Please note that the email address you provide must be on the server that
will be using Message Sniffer.



What exactly does this mean?  We have been using the trial without any type
of e-mail address requirement other than an E-Mail address that was used to
send us update notices.


Thanks,
Shawn


[sniffer] Re: Message Sniffer Purchase requirement

2008-02-20 Thread Shawn Park
Pete.
This makes much better sense to me now.  Thanks for the quick reply.

Shawn



On Wed, Feb 20, 2008 at 3:00 PM, Pete McNeil [EMAIL PROTECTED]
wrote:

  Hello Shawn,


 Wednesday, February 20, 2008, 5:35:03 PM, you wrote:


   

 Hello,


 We have been evaluating Message Sniffer for the past month and are ready
 to make a purchase, but we have one question.



 On the order page, it states:


 Please note that the email address you provide must be on the server that
 will be using Message Sniffer.




 What exactly does this mean?  We have been using the trial without any
 type of e-mail address requirement other than an E-Mail address that was
 used to send us update notices.


 What that means (in context) is that you cannot sign up for an SNF account
 using an email address that we cannot verify. For example, you can't sign up
 to use SNF from a gmail account unless we can verify that you are Google and
 you want to start using SNF to filter your spam :-) Same thing for hotmail,
 yahoo, other free email services or an email service that doesn't belong to
 you (or perhaps one of your customers if you are a reseller).


 Normally you would have an email account on the server you were going to
 support with SNF. If we've validated your trial and you are ready to
 purchase then you should use the same information (in most cases) to sign
 up.


 If there is a reason you need to change your contact information then use
 your new contact information but be sure to put your trial license ID in
 your order form so we can connect to and verify the new information.


 I've copied this to billing@ so they will be looking for you in case there
 are any questions or any confusion.


 Hope this helps,


 _M



 --

 Pete McNeil

 Chief Scientist,

 Arm Research Labs, LLC.






[sniffer] Updated - did I forget anything?

2008-02-04 Thread Hirthe, Alexander
Hello,

I updated our sniffer on IMail/Declude to 2.9b.

I created a new directory, installed sniffer as a service, modified the 
global.cfg to call the SNFClient, modified the xml files (license, directories).

Anything else?

It's running and the ID.date.log.xml is growing  :)

Is this list useful or do I only need one call with the new beta?
SNIFFER-NOTFOUND     external 000 C:\IMail\Declude\Sniffer3\SNFClient.exe
(removed the weight)
SNIFFER-TRAVEL       external 047 C:\IMail\Declude\Sniffer3\SNFClient.exe
SNIFFER-INSURANCE    external 048 C:\IMail\Declude\Sniffer3\SNFClient.exe
SNIFFER-AV-PUSH      external 049 C:\IMail\Declude\Sniffer3\SNFClient.exe
SNIFFER-WAREZ        external 050 C:\IMail\Declude\Sniffer3\SNFClient.exe
SNIFFER-SPAMWARE     external 051 C:\IMail\Declude\Sniffer3\SNFClient.exe
SNIFFER-SNAKEOIL     external 052 C:\IMail\Declude\Sniffer3\SNFClient.exe
SNIFFER-SCAMS        external 053 C:\IMail\Declude\Sniffer3\SNFClient.exe
SNIFFER-PORN         external 054 C:\IMail\Declude\Sniffer3\SNFClient.exe
SNIFFER-MALWARE      external 055 C:\IMail\Declude\Sniffer3\SNFClient.exe
SNIFFER-ADVERTISING  external 056 C:\IMail\Declude\Sniffer3\SNFClient.exe
SNIFFER-SCHEMES      external 057 C:\IMail\Declude\Sniffer3\SNFClient.exe
SNIFFER-CREDIT       external 058 C:\IMail\Declude\Sniffer3\SNFClient.exe
SNIFFER-GAMBLING     external 059 C:\IMail\Declude\Sniffer3\SNFClient.exe
SNIFFER-GREYMAIL     external 060 C:\IMail\Declude\Sniffer3\SNFClient.exe
SNIFFER-OBFUSCATION  external 061 C:\IMail\Declude\Sniffer3\SNFClient.exe
SNIFFER-EXPERIMENTAL external 062 C:\IMail\Declude\Sniffer3\SNFClient.exe
SNIFFER-GENERAL      external 063 C:\IMail\Declude\Sniffer3\SNFClient.exe

Alex






[sniffer] Re: Updated - did I forget anything?

2008-02-04 Thread Pete McNeil
Hello Alexander,

Monday, February 4, 2008, 8:40:44 AM, you wrote:

 Hello,

 I updated our sniffer on IMail/Declude to 2.9b.

 I created a new directory, installed sniffer as a service, modified the global.cfg to call the SNFClient, modified the xml files (license, directories).

 Anything else?

 It's running and the ID.date.log.xml is growing :)

I have good telemetry from your installation (most of the time).

 Is this list useful or do I only need one call with the new beta?
 SNIFFER-NOTFOUND external 000 "C:\IMail\Declude\Sniffer3\SNFClient.exe" (removed the weight)
 SNIFFER-TRAVEL external 047 "C:\IMail\Declude\Sniffer3\SNFClient.exe"

[snip]

Two additional result codes are used with the new version.

Result code 20 is sufficient to delete messages on most systems.

Result code 40 should be treated similarly to a reasonably accurate RBL score.

I have updated the wiki:


http://kb.armresearch.com/index.php?title=Message_Sniffer.TechnicalDetails.ResultCodes#Core_Rule_Group_.26_GBUdb_Result_Codes

_M

--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.
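How the result codes from this exchange fit together on a Declude host, as an added example rather than code from Message Sniffer, Declude or anyone in this thread. The rule-group codes 47-63 and the column layout are taken from the Declude configuration posted above; code 20 ("sufficient to delete messages on most systems") and code 40 ("treated similarly to a reasonably accurate RBL score") come from the reply. Everything else is this example's assumption: the names DELETE and RBLSCORE for 20 and 40, every weight value, and the fail-closed handling of codes the table does not know.

```python
"""Turning SNFClient result codes into Declude decisions.

Added example, not code from Message Sniffer, Declude or this thread.
Codes 47-63 come from the posted Declude configuration; 20 and 40 from
the reply above. Names for 20/40, all weights and the handling of unknown
codes are assumptions of this example.
"""
from dataclasses import dataclass

# Rule groups exactly as listed in the posted Declude configuration.
RULE_GROUPS = {
    47: "TRAVEL", 48: "INSURANCE", 49: "AV-PUSH", 50: "WAREZ",
    51: "SPAMWARE", 52: "SNAKEOIL", 53: "SCAMS", 54: "PORN",
    55: "MALWARE", 56: "ADVERTISING", 57: "SCHEMES", 58: "CREDIT",
    59: "GAMBLING", 60: "GREYMAIL", 61: "OBFUSCATION",
    62: "EXPERIMENTAL", 63: "GENERAL",
}
NOT_FOUND = 0       # no pattern match
DELETE_CODE = 20    # "sufficient to delete messages on most systems"
RBL_LIKE_CODE = 40  # "treated similarly to a reasonably accurate RBL score"

# Assumed Declude-style weights; scale them to your own HOLD/DELETE thresholds.
GROUP_WEIGHT = 12
RBL_LIKE_WEIGHT = 8
DELETE_WEIGHT = 100


@dataclass(frozen=True)
class Verdict:
    code: int
    name: str
    weight: int
    action: str  # "pass" | "weight" | "delete" | "tempfail"


def classify(code: int) -> Verdict:
    """Map one SNFClient exit code to the action a filter should take."""
    if code == NOT_FOUND:
        return Verdict(code, "NOTFOUND", 0, "pass")
    if code == DELETE_CODE:
        return Verdict(code, "DELETE", DELETE_WEIGHT, "delete")
    if code == RBL_LIKE_CODE:
        return Verdict(code, "RBLSCORE", RBL_LIKE_WEIGHT, "weight")
    if code in RULE_GROUPS:
        return Verdict(code, RULE_GROUPS[code], GROUP_WEIGHT, "weight")
    # Anything else means the client did not produce a scan result (bad path,
    # server unreachable, ...). Never treat that as "clean": fail closed into
    # a temporary failure so the message is retried rather than waved through.
    return Verdict(code, "UNKNOWN", 0, "tempfail")


def declude_lines(client_path: str) -> "list[str]":
    """Render one external-test line per code, in the posted column layout,
    so the two new codes sit next to the rule groups (weights omitted, as in
    the posted configuration)."""
    names = {NOT_FOUND: "NOTFOUND", DELETE_CODE: "DELETE",
             RBL_LIKE_CODE: "RBLSCORE", **RULE_GROUPS}
    return [f'SNIFFER-{name:<13}external {code:03d} "{client_path}"'
            for code, name in sorted(names.items())]


if __name__ == "__main__":
    for line in declude_lines(r"C:\IMail\Declude\Sniffer3\SNFClient.exe"):
        print(line)
    # Constructed sample: exit codes a Declude host might see from five messages.
    for spool, code in (("D1.SMD", 0), ("D2.SMD", 20), ("D3.SMD", 40),
                        ("D4.SMD", 54), ("D5.SMD", 99)):
        print(spool, classify(code))
```

The one design choice worth defending is the last branch of classify: an exit code outside the table is not a verdict about the message, it is a verdict about the scanner, and mapping it to "pass" silently turns every outage into an open relay for spam.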






[sniffer] Anyone on the list using postfix?

2008-02-04 Thread Pi-Web - Frank Jensen


Please let me know, we might be able to help each other...


--
Kind regards, Frank Jensen
[EMAIL PROTECTED]
www.pi.dk



Impressive, fascinating and huge
Posters, e.g. 149 x 149 = 629 DKK
We can also make a poster from your digital photo

www.plakatkunst.dk






[sniffer] Re: Anyone on the list using postfix?

2008-02-04 Thread David Fletcher
We are using postfix with amavisd-new/spamassassin on FreeBSD.  Haven't touched 
it in a long time, and I'm up to my eyeballs in other projects right now, so 
I'm not sure I can be of much help. 








[sniffer] Re: snfilter - linux - postfix

2008-02-02 Thread Pi-Web - Frank Jensen

Hi Pete,

Just for information, we renamed the msg folder again today, and again

SNFClient.exe.err only states: Could Not Connect!

/etc/init.d/snfilter stop + /etc/init.d/snfilter start helped.









--
Kind regards, Frank Jensen
[EMAIL PROTECTED]
www.pi.dk






[sniffer] Re: snfilter - linux - postfix

2008-02-02 Thread Pete McNeil
Hello Pi-Web,

Saturday, February 2, 2008, 6:07:19 PM, you wrote:

 Hi Pete,

 Just for information, we renamed the msg folder again today, and again

 SNFClient.exe.err only states: Could Not Connect!

 /etc/init.d/snfilter stop + /etc/init.d/snfilter start helped.

When SNFClient cannot connect the SNFServer is either not accepting
new connections, or it is down.

If it is down then restarting it helps by starting it again.

If it is not down then restarting helps by abandoning all of the
existing connections -- many of them will re-try and succeed when the
SNFServer is active again.

This stalling effect is seen only when you rename the folder that
contains the message files --

I wonder if there is a quirk of the environment that causes the
SNFServer engine to be hung attempting to open and/or read the files
in the changed directory such that additional scan requests queue up
and are not serviced.

Since SNFServer is not giving any errors (or at least you're not
reporting any so it is likely that it is not) then I can only assume
the program has not seen any errors that it can report.

It is probably not a good idea to rename the folder while there is any
possibility of active scans in progress.

Instead I would suggest that you create a new folder with the correct
name for new scans (perhaps by date) and then abandon the older folder
in place. New scans would be done in the new folder and old or
existing scans would continue in the old folder until they were
complete. By the time you do anything with the old folder it will be
several generations behind and safe.

I do not completely understand your methodology -- but if I'm correct
about it then the above approach should work.

I might also recommend a different approach --

Use a single directory for scans and have them always performed there.
Then - depending upon the scan result move them into the appropriate
directory. This way you could always be assured that the scanner is
finished with a file before it is ever moved. This is an efficient
process on ext3 and most other modern *nix file systems since it only
requires the adjustment of a node and that operation will itself be
journalized first.

Thanks for keeping us posted.

Hope this helps,

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.



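The scan-then-move layout Pete recommends above (scan every file in one directory, then move it by result code) as an added example; this is neither code from the list post nor Message Sniffer's own code. The result codes used for routing are the ones discussed earlier in this thread (0 clean, 20 delete-worthy, 40 RBL-like caution, 63 the black region symbol from the reference settings); the directory names, the dispatch/demo/fake_scanner functions and the X-Test-Result marker that drives the stand-in scanner are assumptions made for the example so that it runs offline.

```python
"""
Added example, not part of the original list post or of Message Sniffer:
scan every message in a single spool directory and only then rename each file
into a per-result directory. The scanner has returned before any file moves,
so it is never reading a path that changes underneath it, and os.rename within
one file system is a single journaled metadata update (the ext3 point above).
"""
import os
import tempfile
from typing import Callable, Dict

# Destination sub-directory per result code (assumed layout, not SNF's own).
DEFAULT_ROUTES: Dict[int, str] = {
    0: "clean",      # no rule hit, deliver
    20: "delete",    # sufficient to delete on most systems (per the thread)
    40: "caution",   # treat like a reasonably accurate RBL score
    63: "black",     # GBUdb black region symbol from the reference settings
}


def fake_scanner(path: str) -> int:
    """Constructed stand-in for the real SNF client call: derive a result code
    from an X-Test-Result marker in the message. Real deployments invoke the
    SNF client on `path` here and return its exit code instead."""
    with open(path, "rb") as fh:
        body = fh.read()
    for code in (63, 40, 20):
        if f"X-Test-Result: {code}".encode() in body:
            return code
    return 0


def dispatch(scan_dir: str, scanner: Callable[[str], int],
             routes: Dict[int, str] = DEFAULT_ROUTES) -> Dict[str, str]:
    """Scan each regular file in scan_dir, then rename it into the sibling
    directory routes[code]. Unknown codes go to 'unknown' so that nothing is
    silently left behind or lost. Returns {filename: destination directory}."""
    root = os.path.dirname(scan_dir.rstrip(os.sep))
    placed: Dict[str, str] = {}
    for name in sorted(os.listdir(scan_dir)):
        src = os.path.join(scan_dir, name)
        if not os.path.isfile(src):
            continue
        code = scanner(src)                      # scan completes before any move
        dest_dir = os.path.join(root, routes.get(code, "unknown"))
        os.makedirs(dest_dir, exist_ok=True)
        os.rename(src, os.path.join(dest_dir, name))   # same fs: atomic rename
        placed[name] = os.path.basename(dest_dir)
    return placed


def demo(scanner: Callable[[str], int] = fake_scanner) -> Dict[str, str]:
    """Build a throwaway spool with constructed sample messages, run dispatch,
    and return where each message ended up."""
    root = tempfile.mkdtemp(prefix="snf-spool-")
    scan_dir = os.path.join(root, "msg")
    os.makedirs(scan_dir)
    samples = {  # constructed sample messages
        "a.msg": b"Subject: hello\r\n\r\nplain message\r\n",
        "b.msg": b"Subject: buy now\r\nX-Test-Result: 20\r\n\r\nspam\r\n",
        "c.msg": b"Subject: maybe\r\nX-Test-Result: 40\r\n\r\ngrey\r\n",
        "d.msg": b"Subject: bot\r\nX-Test-Result: 63\r\n\r\nblack\r\n",
    }
    for name, body in samples.items():
        with open(os.path.join(scan_dir, name), "wb") as fh:
            fh.write(body)
    return dispatch(scan_dir, scanner)


if __name__ == "__main__":
    print(demo())
```

The scan directory itself is never renamed; only completed files leave it, which is exactly the property the stall described in this thread depends on.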


[sniffer] What happens if SNFServer is not running or crashes?

2008-01-29 Thread Shawn Park
Hello.
I am using the latest beta version of Message Sniffer.


On your Wiki, it states under:

http://kb.armresearch.com/index.php?title=Message_Sniffer.TechnicalDetails.Peer-Server


Topic:

Can you briefly explain Peer-Server technology?

Next, the client instance will load the rulebase itself and scan its own
message. After that - it _SHOULD_ remove its job file. HOWEVER -- if
something kills off the instance before it has a chance to finish then the
.ABT file will be left behind (if it's gotten to this stage).




What I assume from reading the above is that if SNFServer is not running, then
the SNFClient.exe will load the rulebase and scan its own message/file.

This does not seem to happen.  If SNFServer is not running (forgot to start
it or it crashes), and SNFClient tries to connect to it and fails, it never
loads the rulebase itself and does a scan with a result code.  It just sits
there until it times out.

Am I interpreting the Wiki correctly?


Thanks,
Shawn


[sniffer] Re: snfilter - linux

2008-01-27 Thread Pete McNeil
Hello Pi-Web,

Sunday, January 27, 2008, 6:31:15 AM, you wrote:

 Hi

 Not sure what we have done - but snfilter has stopped working.

 The x.200801??.log.xml is no longer created.

 SNFClient.exe.err says:
 /var/spool/snfilter/msg/20080127122626_4614.msg: Could Not Connect!

 Messages are put in /var/spool/snfilter/msg/ but not checked.

 I can't see what I have done wrong, but guess we did something around
 here: Jan 26 00:43 x37l67rv.20080125.log.xml as this is the last log.

 These are being created:
 -rw-r--r--  1 root root   743591 Jan 27 12:29
 x37l67rv.status.minute.20080127.log.xml
 -rw-r--r--  1 root root 1079 Jan 27 12:30 
 x37l67rv.status.second.log.xml

SNFServer has stopped --- if you had it set up as a service you should
be able to restart it and solve the problem. If you were running it in
a dos window -- start up a new dos window with it.

Please look for any errors in your logs that might indicate why the
SNFServer stopped.

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer] Re: snfilter - linux - postfix

2008-01-27 Thread Pi-Web - Frank Jensen


Sorry, I might not have been clear.
It is on Linux with postfix.

Yes stop/start of the service did solve the problem.

Before start/stop pstree showed 14*SNFserver.exe

SNFClient.exe.err only states: Could Not Connect!
Last x.200801??.log.xml ends with:
<i u='20080125234317' context='--INITIALIZING--' code='0' text='Success'/>
Rest seems normal.

So I have no clue why it stopped.








--
Kind regards, Frank Jensen
[EMAIL PROTECTED]
www.pi.dk






[sniffer] Re: snfilter - linux - postfix

2008-01-27 Thread Pete McNeil
Hello Pi-Web,

Sunday, January 27, 2008, 1:16:08 PM, you wrote:

 Sorry, I might not have been clear.
 It is on Linux with postfix.

I should have picked that out of the path. ;-)

 Yes stop/start of the service did solve the problem.

 Before start/stop pstree showed 14*SNFserver.exe

 SNFClient.exe.err only states: Could Not Connect!
 Last x.200801??.log.xml ends with:
 <i u='20080125234317' context='--INITIALIZING--' code='0' text='Success'/>
 Rest seems normal.

That also seems normal for a start-up.

 So I have no clue why it stopped.

This is unusual. I've repeatedly had SNFServer run for weeks and
months on various platforms -- almost without exception it only stops
when I tell it to stop (including earlier test versions).

If you come across any new info please let me know.

If there is a bug I want it gone ;-)

Thanks!

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer] New reference settings for GBUdb ranges.

2008-01-22 Thread Pete McNeil
Hello Sniffer Folks,

We have been researching/refining the default ranges for GBUdb. Here
are our latest reference settings. These are conservative for large
systems (500/min) and should be even more conservative for smaller
systems.

Smaller systems that experience lower message rates will tend
to have lower confidence numbers in their GBUdb due to fewer message
interactions. If you run a system that sees fewer than 500 messages
per minute then you may achieve higher capture rates before FPs with
lower confidence values in some of your ranges.

Another way smaller systems may adjust their GBUdb sensitivity is to
adjust the time between condensation from one day to two days (or
more) or to eliminate the time based trigger and rely on the memory
usage trigger instead (by triggering condensation events only when a
specific memory threshold has been reached). The latter method is
typically recommended for systems with fewer than 10 messages per
minute.

All of the above tuning recommendations are somewhat experimental
since GBUdb is relatively new and at present sparsely populated (about
300 participating nodes at present). As time goes on we will all learn
more about how to optimize GBUdb - please experiment cautiously and
scientifically (one change at a time and understand what has happened)
and please share your results.

Here is the current reference:

<regions>

<white on-off='on' symbol='0'>
<edge probability='-1.0' confidence='0.4'/>
<edge probability='-0.8' confidence='1.0'/>
<panic on-off='on' rule-range='1000'/>
</white>

<caution on-off='on' symbol='40'>
<edge probability='0.1' confidence='0.0'/>
<edge probability='0.8' confidence='0.3'/>
</caution>

<black on-off='on' symbol='63'>
<edge probability='0.8' confidence='0.2'/>
<edge probability='0.8' confidence='1.0'/>
<truncate on-off='on' probability='0.9' peek-one-in='5' symbol='20'/>
<sample on-off='on' probability='0.8' grab-one-in='5' passthrough='no' passthrough-symbol='0'/>
</black>

</regions>

If you are running the new SNF and you haven't checked your GBUdb
range settings in a while this might be a good time to make some
adjustments ;-) Some of the settings in previous releases were less
conservative and some were less aggressive -- all were backed by less
experience (of course).

The settings shown above are likely to become the default settings for
the production release, however we will continue to refine these
settings through our research prior to (and following) the production
release (planned in Q1).

Best,

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer] Re: GBUdb question

2008-01-22 Thread Pi-Web - Frank Jensen

Hi Rob,

You can add the IPs to GBUdbIgnoreList.txt if you want sniffer to ignore the 
IPs.


Pete,

I have some questions about GBUdb

FIRST QUESTION:

I have several clients who forward over e-mails from ISP accounts. I 
have a system whereby I can pick out the original sending server IP. I 
then add that IP to the message in a special header. (this can vary by 
ISP and situation, but I've programmed my system to appropriately 
determine which IP is the original sending server IP. Next, I add a 
special custom header which points out that IP.


Would it be possible for MessageSniffer to grab the IP from a particular 
header (perhaps this header could be added as a node in the XML config 
file?). That way,  if/when that header is available in the message, 
Sniffer would then treat *that* IP as the sender's IP?


SECOND QUESTION:

Is it possible to tell Sniffer to NOT allow the possibility of 
truncating on a message-by-message basis, where this would be 
determined if a special command line switch were present. In fact, can 
Sniffer be further instructed to ONLY run pattern matching scanning 
and ignore the GBUdb for that particular message?


THIRD QUESTION:

Much of the spam I block doesn't run through Sniffer. Additionally, many 
of the messages that Sniffer blocks are spams sent via established ISPs 
whereas I already have those IPs in an extensive whitelist that I've 
built up over the years.


A 4% sampling of this whitelist can be found here:
http://invaluement.com/fourpercentofwhitelist.txt
(multiply the size of that by 25 to get an idea of the massive size of 
my IP whitelist)


Here is what I'd like to do which I believe would make my contribution 
to sniffer most effective:


(A) Have sniffer NOT automatically input data into GBUdb with each 
sniffer scan. (Is that possible?)


(B) Alternatively, whenever my spam filter marks a message as spam, it 
will issue the following command (but ONLY if that IP is NOT on my IP 
whitelist, and regardless of whether or not the message was run through 
sniffer):


SNFClient.exe -bad IP4Address

(If on my IP whitelist, it just won't do anything here.)

(C) If my spam filter marks a message as ham, then it will issue the 
following command (again, regardless of whether or not the message was 
run through sniffer)


SNFClient.exe -good IP4Address

**
**
I know that this puts more trust on me and my system, but I also 
know that the quality of stats you'd receive from my system would be vastly 
improved due to my abilities in this area and this would be a huge 
contribution to other Sniffer users over the norm. (I run one of the 
best RBLs and URI blacklists in the world... I know what I'm doing here!)


Can these things be done?

Rob McEwen








--
Kind regards, Frank Jensen
[EMAIL PROTECTED]
www.pi.dk






[sniffer] Re: GBUdb question

2008-01-22 Thread Pete McNeil
Hello Rob,

Tuesday, January 22, 2008, 11:09:10 AM, you wrote:

 Pete,

 I have some questions about GBUdb

This may help:

http://kb.armresearch.com/index.php?title=Message_Sniffer.TechnicalDetails.GBUdb

 FIRST QUESTION:

 I have several clients who forward over e-mails from ISP accounts. I 
 have a system whereby I can pick out the original sending server IP. I
 then add that IP to the message in a special header. (this can vary by
 ISP and situation, but I've programmed my system to appropriately 
 determine which IP is the original sending server IP. Next, I add a 
 special custom header which points out that IP.

We are developing an auto-drill-down feature for GBUdb to assist in
automatically training GBUdb in this way. The auto drill feature will
add IPs of intermediate systems to the local ignore list based on
header directives. The theory is that GBUdb will be able to
automatically learn to ignore the intermediate nodes of mixed-source
ISPs in order to identify the original source of the message.

There is still some development work to do on this experimental
feature but we hope to include it in the upcoming release. Any
insights you can provide on reliably identifying these intermediate
servers would be very useful.

The current plan is to locate a specific tell-tale string in the
Received header that is likely to be the source (based on current
knowledge). If the string is found then that header is disqualified
(and its IP added to the ignore list) so that the next header becomes
the source candidate.

The tell-tale string is presumed to be the domain portion (or
similar fragment) of the reverse DNS data in the Received header. So,
for example, if the top Received header contains .troublesome.isp.com
[ then that header would be disqualified as the source of the message
(for GBUdb purposes), its IP would be added to the ignore
(infrastructure) list, and the next Received header would be
considered. Once all of the .troublesome.isp.com [ or similar
headers are exhausted then the next header is likely to be the actual
source (so the theory goes).

 Would it be possible for MessageSniffer to grab the IP from a particular
 header (perhaps this header could be added as a node in the XML config
 file?). That way,  if/when that header is available in the message, 
 Sniffer would then treat *that* IP as the sender's IP?

I will consider adding this to the feature request list. It probably
won't be added to the first version though -- we have a request freeze
in effect to ensure we get the production version out in Q1.

This is also a highly specialized request -- there aren't a lot of
systems out there that can accurately drill through delivery chains to
identify the original source of the message with any great accuracy --
so the number of folks who could use this feature would be pretty
small (if not one). Your use of the command line utility (described
below) seems more appropriate since in effect you want to eliminate
GBUdb's source detection features.

That said - I am anxious to support your work -

Please share an example of the header you would inject.

If it is possible to implement the feature quickly and reliably then I
will see what I can do to add it to the header directives engine.

 SECOND QUESTION:

 Is it possible to tell Sniffer to NOT allow the possibility of 
 truncating on a message-by-message basis, where this would be 
 determined if a special command line switch were present. In fact, can
 Sniffer be further instructed to ONLY run pattern matching scanning 
 and ignore the GBUdb for that particular message?

It is not possible to turn off truncate on a message by message basis.

It is possible to turn off truncate for all messages but not on a
message by message basis.

You can also create a header directive to cause GBUdb training to
ignore a message with a specific header (or specifically, if it finds
a specific string in a specific header).

 THIRD QUESTION:

 Much of the spam I block doesn't run through Sniffer. Additionally, many
 of the messages that Sniffer blocks are spams sent via established ISPs
 whereas I already have those IPs in an extensive whitelist that I've 
 built up over the years.

 A 4% sampling of this whitelist can be found here:
 http://invaluement.com/fourpercentofwhitelist.txt (multiply the size
 of that by 25 to get an idea of the massive size of my IP whitelist)

 Here is what I'd like to do which I believe would make my contribution
 to sniffer most effective:

 (A) Have sniffer NOT automatically input data into GBUdb with each 
 sniffer scan. (Is that possible?)

You could create header directives to selectively disable GBUdb
training.

You can also disable GBUdb training for all messages.

<training on-off='off'/>

 (B) Alternatively, whenever my spam filter marks a message as spam, it
 will issue the following command (but ONLY if that IP is NOT on my IP 
 whitelist, and regardless of whether or not the message was run through
 sniffer):

 

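The drill-down Pete describes above (walk the Received headers from the top, disqualify any hop whose reverse-DNS text carries a tell-tale fragment of a mixed-source ISP, put that hop's IP on the infrastructure ignore list, and take the first hop that survives as the source candidate), as an added example that is neither the list post's code nor Message Sniffer's own. The message, the .troublesome.isp.com fragment and the way the X-RegEx-Original-IP override is honoured are all constructed for the example; the function names are assumptions.

```python
"""
Added example, not Message Sniffer's own code: source-IP drill-down through
Received headers with an infrastructure ignore list, as sketched in the thread.
"""
import re
from typing import List, Optional, Set, Tuple

# Constructed sample message: two relay hops of a mixed-source ISP sit above
# the real originating host. Top header = most recent hop (written locally).
SAMPLE = (
    "Received: from relay2.troublesome.isp.com (relay2.troublesome.isp.com [198.51.100.20])\r\n"
    "\tby mx.example.net with ESMTP; Tue, 22 Jan 2008 11:09:10 -0500\r\n"
    "Received: from relay1.troublesome.isp.com [198.51.100.10]\r\n"
    "\tby relay2.troublesome.isp.com; Tue, 22 Jan 2008 11:09:05 -0500\r\n"
    "Received: from cust-pool-77.example.org (unknown [203.0.113.77])\r\n"
    "\tby relay1.troublesome.isp.com; Tue, 22 Jan 2008 11:09:01 -0500\r\n"
    "From: someone@example.org\r\n"
    "Subject: constructed sample\r\n"
    "\r\n"
    "body\r\n"
)


def unfold_headers(raw: str) -> List[Tuple[str, str]]:
    """Unfold RFC 5322 header lines into (lower-cased name, value) pairs,
    stopping at the blank line that ends the header block."""
    headers: List[Tuple[str, str]] = []
    for line in raw.split("\n"):
        line = line.rstrip("\r")
        if line == "":
            break
        if line[0] in " \t" and headers:            # continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
    return headers


def parse_received(value: str) -> Optional[Tuple[str, str]]:
    """Return (rdns_text, ipv4) for one Received header, or None when the
    header carries no bracketed IPv4 (local hand-offs, 'by'-only lines)."""
    m_from = re.search(r"\bfrom\s+(\S+)", value)
    m_ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", value)
    if not m_from or not m_ip:
        return None
    return m_from.group(1).lower(), m_ip.group(1)


def find_source(raw: str, tell_tales: List[str], ignore: Set[str]) -> Optional[str]:
    """Drill down: hops whose rDNS contains a tell-tale fragment, or whose IP
    is already on the ignore list, are infrastructure and are skipped (their
    IPs are added to `ignore`). The first surviving hop is the source.

    An X-RegEx-Original-IP header, as proposed in the thread, overrides the
    walk. That is only safe when your own gateway adds it after stripping any
    copy that arrived from outside; otherwise a sender could choose its own
    reputation source."""
    headers = unfold_headers(raw)
    for name, value in headers:
        if name == "x-regex-original-ip":
            return value
    for name, value in headers:
        if name != "received":
            continue
        parsed = parse_received(value)
        if parsed is None:
            continue
        rdns, ip = parsed
        if ip in ignore or any(t in rdns for t in tell_tales):
            ignore.add(ip)                           # infrastructure hop
            continue
        return ip
    return None


if __name__ == "__main__":
    seen: Set[str] = set()
    print(find_source(SAMPLE, [".troublesome.isp.com"], seen), sorted(seen))
```

Without any tell-tale fragments the walk stops at the top header, which is the connecting IP your own MTA recorded; the fragments are what let it look past a known forwarding ISP without trusting arbitrary lower headers.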
[sniffer] Re: New reference settings for GBUdb ranges.

2008-01-22 Thread David Waller
Hi,

I think I must have missed something or been asleep. I've had a look at the
Sniffer site and to be honest I don't fully understand what GBUdb is. I've
read the technical details page but I don't see how it fits into the whole
scheme of things, if it's useful to me, and if it is, how to implement it. I
understand what it's trying to achieve but I can't see beyond that.

David






[sniffer] Re: GBUdb question

2008-01-22 Thread Rob McEwen

Pete McNeil wrote:

This may help:

http://kb.armresearch.com/index.php?title=Message_Sniffer.TechnicalDetails.GBUdb

  

I did read that first. It was helpful. I'll keep referring back.

We are developing an auto-drill-down feature for GBUdb to assist in
automatically training GBUdb in this way. The auto drill feature will
add IPs of intermediate systems to the local ignore list based on
header directives. The theory is that GBUdb will be able to
automatically learn to ignore the intermediate nodes of mixed-source
ISPs in order to identify the original source of the message.

There is still some development work to do on this experimental
feature but we hope to include it in the upcoming release. Any
insights you can provide on reliably identifying these intermediate
servers would be very useful.
I'm not confident that this will handle the forwarded messages 
scenarios that I described, which I have already custom programmed for the 
specific narrow range of ways that this currently happens with my server.

Please share an example of the header you would inject.
  

Currently, I'm using the following:

X-RegEx-Original-IP: 127.0.0.1

(But X-RegEx-Original-IP was arbitrary. This was inherited by an 
antiquated anti-spam utility I used years ago. The X-RegEx-Original-IP 
part can change at any time. This would even be a header custom 
designated by Sniffer.)


Even better, another option would be for the IP to be passed to sniffer 
via the command line where sniffer would know to use that one and not 
bother trying to grab this from the header. Please consider that as a 
feature request.

It is not possible to turn off truncate on a message by message basis.

It is possible to turn off truncate for all messages but not on a
message by message basis.
  

that will suffice


Here is what I'd like to do which I believe would make my contribution
to sniffer most effective:

(A) Have sniffer NOT automatically input data into GBUdb with each 
sniffer scan. (Is that possible?)



You could create header directives to selectively disable GBUdb
training.

You can also disable GBUdb training for all messages.

<training on-off='off'/>

  
That will work. But will this disable the SNFClient.exe -bad and 
SNFClient.exe -good tools?? and will this disable sharing of the data? 
Can data accumulated via these manual reportings be shared even if 
training is off?

That sounds very much like what these tools were designed for. However
the effect may not be what you intend.

If the IPs you track are not detected as the source IP by GBUdb then
it is likely to ignore the data during its scans. It will evaluate
the statistics of the IP it believes to be the source. When it gets
that right it will find your data. When it gets that wrong it will
find no data (most likely) so GBUdb will be effectively inert in those
cases.

If your intent is simply to input this data into the GBUdb system so
that it is available as a resource then that will work - somewhat.

One other thought that I have is that you could use the command line
(or the ignore list) to mark the IPs on your internal white-list as
Infrastructure (ignore flag). This might effectively train GBUdb to
skip those IPs when finding the source of the message - and in any
case would render GBUdb inert for those IPs.
  
There are too many IPs on that whitelist (it might have been possible 
were it not that many of these entries are massive blocks of IPs).


Follow-up question...

If, therefore, I cannot stop GBUdb-processing for a particular message, 
but I turn off truncate for all messages, the way I see it, couldn't I 
simply ignore the GBUdb reporting for some particular messages? (might 
not be as efficient, but I'd get the same result I seek!) But in a case 
where truncate is turned off, if GBUdb reports a message as spam, AND 
content rules ALSO mark that message as spam, will the return code tell 
me that both GBUdb *and *rules caught the spam? Or do I get one code 
instead of the other (if so, which one?)


Thanks!

Rob McEwen






[sniffer] Re: New reference settings for GBUdb ranges.

2008-01-22 Thread Pete McNeil
Hello David,

Tuesday, January 22, 2008, 12:43:09 PM, you wrote:

 Hi,

 I think I must have missed something or been asleep. I've had a look at the
 Sniffer site and to be honest I don't fully understand what GBUdb is. I've
 read the technical details page but I don't see how it fits into the whole
 scheme of things, if it's useful to me, and if it is, how to implement it. I
 understand what it's trying to achieve but I can't see beyond that.

Think of GBUdb as an enhancement to the SNF scanning engine.

GBUdb keeps track of where messages come from and whether those
messages are spam or not. If they fail an SNF pattern rule then they
are considered to be spam. If they do not fail an SNF pattern rule
then they are not considered to be spam.

When a new message comes from a source that GBUdb knows about then it
helps SNF work better and faster.


Reducing Leakage:

If GBUdb knows that messages from a particular source are almost
always spam then SNF will detect the message as spam even if there is
no pattern rule yet. This helps reduce leakage.

That is-- new spam from old bots will generally get killed by GBUdb.


Reducing False Positives:

On the other side of things; if an SNF pattern rule tags a message
that comes from a trusted source then GBUdb will make sure that the
message gets through. This reduces false positives.

_
GBUdb has Friends:

One other thing that is important about GBUdb is that it doesn't work
alone -- it has friends. All of the GBUdb systems on the 'net share
what they know about message sources. This way when a spam bot starts
to send messages to a new system that's never seen it before the other
GBUdb systems can tell the new system that the message source (IP) is
bad so it doesn't have to start learning that information all on its
own.

_
Faster and More Efficient:

In addition to reducing leakage and false positives, GBUdb also makes
message scanning go faster and take fewer resources. If GBUdb knows
that a message source is very, very bad then it will cause SNF to stop
scanning the message as soon as it sees the IP address that sent it.
This is the truncate feature. The result is that between 15% and 50%
of messages going through the SNF scanner will be handled almost
instantaneously - without bothering to look at most of the message.

Hope this helps,

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer] Re: New reference settings for GBUdb ranges.

2008-01-22 Thread Pete McNeil
Hello David,

Ooops, I missed a question...

Tuesday, January 22, 2008, 12:43:09 PM, you wrote:

<snip/>

 ..., how to implement it.

GBUdb is built in to the new version of Message Sniffer. It is turned
on by default and the default settings work for just about everybody.

If you have any email gateways or an email address where you
legitimately receive spam (such as an abuse reporting address) then
you will want to tell GBUdb about those so that it doesn't get the
wrong idea about them.

If you have more questions then please let us know.

Hope this helps,

_M


-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer] Re: GBUdb question

2008-01-22 Thread Pete McNeil
Hello Rob,

Tuesday, January 22, 2008, 1:11:00 PM, you wrote:

<snip... about auto-drill-down/>

 I'm not confident that this will handle the forwarded messages
 scenarios that I described, which I have already custom programmed for
 the specific narrow range of ways that this currently happens with
 my server.

We're hopeful it will work for many cases. If you can identify cases
where it won't work please let us know.

 Please share an example of the header you would inject.
   
 Currently, I'm using the following:

 X-RegEx-Original-IP: 127.0.0.1

 (But X-RegEx-Original-IP was arbitrary. This was inherited from an
 antiquated anti-spam utility I used years ago. The X-RegEx-Original-IP
 part can change at any time. This would even be a header custom
 designated by Sniffer.)

That seems straight forward enough. Thanks.

 Even better, another option would be for the IP to be passed to sniffer
 via the command line where sniffer would know to use that one and not 
 bother trying to grab this from the header. Please consider that as a 
 feature request.

I will add that to the list.

<snip about GBUdb training options (disabled training)/>

 That will work. But will this disable the SNFClient.exe -bad and
 SNFClient.exe -good tools?? and will this disable sharing of the
 data? Can data accumulated via these manual reportings be shared
 even if  training is off?

The command line tools always work. When you report a good or bad
hit it has the same effect as GBUdb learning from a message scan.

The information will be stored and shared in exactly the same way.

When you turn off training you are only disabling the system's ability
to learn automatically from scanned messages. Inputs from the command
line utility are still retained.

<snip/>

 One other thought that I have is that you could use the command
 line (or the ignore list) to mark the IPs on your internal
 white-list as Infrastructure (ignore flag). This might effectively
 train GBUdb to skip those IPs when finding the source of the
 message - and in any case would render GBUdb inert for those IPs.
 There are too many IPs on that whitelist (it might have been possible 
 were it not that many of these entries are massive blocks of IPs).

Perhaps - that's up to you. However, the GBUdb system is designed to
handle large numbers of IPs without slowing down. It is not uncommon
to have significantly more than half a million IPs in GBUdb on systems
that handle 500 msg/min or more.

The ignore list file is intended to handle local infrastructure so
that if you lose your GBUdb data you can be assured that your local
resources are not tagged as bad sources accidentally.

Other IP records (ignore, good, bad, or ugly) can be entered via the
command line utility with the only real limit being the amount of RAM
you want to commit to the GBUdb.

To give you an idea of scalability, one of our spamtrap processors is
currently (typ) handling about 3000 msg/minute and has the following
GBUdb statistics:

<gbudb>
<size bytes='109051904'/>
<records count='479671'/>
<utilization percent='96.7379'/>
</gbudb>


 Follow-up question...

 If, therefore, I cannot stop GBUdb-processing for a particular message,
 but I turn off truncate for all messages, the way I see it, couldn't I
 simply ignore the GBUdb reporting for some particular messages? (might
 not be as efficient, but I'd get the same result I seek!) But in a case
 where truncate is turned off, if GBUdb reports a message as spam, AND 
 content rules ALSO mark that message as spam, will the return code tell
 me that both GBUdb *and *rules caught the spam? Or do I get one code 
 instead of the other (if so, which one?)

If you turn off truncate then you will see the following results by
default in a conventional command-line implementation:

* For messages that match pattern rules you will see the pattern rule
result.

* If a message fails to match a pattern rule but would have been
truncated then it will be treated as black and you will get result
code 40.

* If a message fails to match a pattern rule but the IP falls in the
black range then you will get the black result code 40.

* If the message fails to match a pattern rule and the IP falls in the
caution range then you will get a bad IP result code 63. This is the
same result code you get from SNF when an IP pattern rule has matched.
IP pattern rules are deprecated and will be phased out over time -
GBUdb replaces them.

If you call SNF directly via XCI, or use the command line utility with
the -xhdr and capture the output then you also have the ability to
configure SNF to provide detailed information about the scan including
the GBUdb data and all available pattern matches. You could also mine
this data from the log files if you wish.

Note that you can set the x-header option to api and it will be
available to the XCI and command line interfaces without being
injected into the message.

--- One other thing ---

You can 

[sniffer] Postfix

2008-01-16 Thread Pi-Web - Frank Jensen


Hi

We are trying to set up snf with postfix.
It seems to work - except it does not reject any messages.

The x.20080116.log.xml says:
<s u='20080116110805' m='20080116120805_22626.msg' code='69'
error='ERROR_MSG_FILE'/>

This I believe is because the msg file that is sent to sniffer has a wrong
format.
- If true - how do we setup the right format for sniffer?










[sniffer] Re: Postfix

2008-01-16 Thread Pete McNeil
Hello Pi-Web,

ERROR_MSG_FILE means that SNF could not open the file to be scanned.

Be sure that you pass the full path of the message file and that
permissions are correct so that SNF can open the file.

Hope this helps,

_M

Wednesday, January 16, 2008, 12:31:58 PM, you wrote:

 No, it's not the message format. A message that gets ERROR_MSG_FILE works fine
 on our Windows SNF installation.


 





-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer] Re: Postfix

2008-01-16 Thread Pi-Web - Frank Jensen


It seems right - but no go:

In /var/spool/snfilter/msg/
-rw---  1 snfilter snfilter 2965 Jan 16 18:35 20080116183528_10882.msg
(deleted after process finished)

Result:
<s u='20080116173528' m='20080116183528_10882.msg' code='69'
error='ERROR_MSG_FILE'/>

sniffer setup:

SNIFFER_EXE=/var/spool/snfilter/SNFClient.exe
AUTHENTICATION=
INSPECT_DIR=/var/spool/snfilter/msg/
SENDMAIL=/usr/sbin/sendmail -i
MSGFILE=`date +%Y%m%d%H%M%S`_$_$RANDOM.msg





Hello Pi-Web,

ERROR_MSG_FILE means that SNF could not open the file to be scanned.

Be sure the you pass the full path of the message file and that
permissions are correct so that SNF can open the file.

Hope this helps,

_M

--
Best regards, Frank Jensen
[EMAIL PROTECTED]
www.pi.dk



Impressive, fascinating and huge
Posters e.g. 149 x 149 = 629 kr
We can also make a poster from your digital photo

www.plakatkunst.dk






[sniffer] Re: Postfix

2008-01-16 Thread Pi-Web - Frank Jensen


Adding $INSPECT_DIR to the $SNIFFER_EXE $AUTHENTICATION $INSPECT_DIR$MSGFILE || 
{ command
Now it seems to work.




--
Best regards, Frank Jensen
[EMAIL PROTECTED]
www.pi.dk









[sniffer] Re: Postfix

2008-01-16 Thread Pete McNeil
Hello Pi-Web,

Yep.

The clue was in the log:

m='20080116183528_10882.msg'

Note that the path was missing - only the file name was present.

Now your logs should look more like:

m='/var/spool/snfilter/msg/20080116183528_10882.msg'

Best,

_M

Wednesday, January 16, 2008, 1:23:14 PM, you wrote:

 Adding $INSPECT_DIR to the $SNIFFER_EXE $AUTHENTICATION
 $INSPECT_DIR$MSGFILE || { command
 Now it seems to work.


 

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.



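Two things in the exchanges above are worth turning into code: Pete's list of what the scanner returns when truncate is off (code 40 for the black range, 63 for the caution range, otherwise the pattern-rule result) and the Postfix filter that "seemed to work" while rejecting nothing because it passed a bare file name and every scan ended in code 69 / ERROR_MSG_FILE. The following is an added example, not code from the Message Sniffer project or from anyone in the thread. It assumes that the client's exit status equals the result code written to the XML log, that 0 means no match, that codes not named in the thread are pattern-rule results, and it uses the spool paths from the posted configuration only as sample values.

```python
"""Fail-closed disposition logic for an SNF (Message Sniffer) command-line
filter.

Added example, not Message Sniffer code. It models two points from the
thread: the scanner needs the full path of the message file (a bare file
name is logged as code 69 / ERROR_MSG_FILE), and a filter must treat a
scanner error as "scan failed" rather than "clean", otherwise it fails
open and rejects nothing, which is exactly the symptom reported.

Assumptions not stated on the page: the client's process exit status
equals the result code written to the XML log, 0 means no match, and any
code other than those named in the thread is a pattern-rule result.
"""
import os
import subprocess
from dataclasses import dataclass

# Result codes named in the thread.
CODE_CLEAN = 0            # assumption: no pattern or GBUdb match
CODE_BLACK = 40           # GBUdb black range (or would have been truncated)
CODE_CAUTION = 63         # GBUdb caution range / "bad IP" (same as an IP rule)
CODE_ERROR_MSG_FILE = 69  # scanner could not open the message file


@dataclass
class Disposition:
    action: str  # "deliver", "reject", "tag" or "tempfail"
    reason: str


def message_path(inspect_dir: str, msgfile: str) -> str:
    """Build the path handed to the scanner.

    The posted script passed $MSGFILE alone and was fixed by passing
    $INSPECT_DIR$MSGFILE. This does the same join and refuses a relative
    result, so the mistake fails loudly instead of producing a stream of
    ERROR_MSG_FILE results while mail flows through unscanned.
    """
    path = os.path.join(inspect_dir, msgfile)
    if not os.path.isabs(path):
        raise ValueError(f"scanner needs an absolute path, got {path!r}")
    return path


def disposition(code: int) -> Disposition:
    """Map an SNF result code to a filter action, failing closed on errors."""
    if code == CODE_CLEAN:
        return Disposition("deliver", "no pattern or GBUdb match")
    if code == CODE_ERROR_MSG_FILE:
        # A scan error is not a clean result. Deferring (SMTP 4xx) makes
        # the sender retry once the path or permissions are fixed.
        return Disposition("tempfail",
                           "ERROR_MSG_FILE: check full path and permissions")
    if code == CODE_BLACK:
        return Disposition("reject", "GBUdb black range (code 40)")
    if code == CODE_CAUTION:
        return Disposition("tag", "GBUdb caution range / bad IP (code 63)")
    # Assumption: any other code is a pattern-rule result. Complete this
    # table from the product's own code list before rejecting on it.
    return Disposition("tag", f"pattern rule result code {code}")


def scan(client: str, inspect_dir: str, msgfile: str,
         authentication: str = "") -> Disposition:
    """Run the scanner on one spooled message and return the disposition.

    A client that cannot be executed is also a scan failure, not a pass.
    """
    path = message_path(inspect_dir, msgfile)
    argv = [client] + ([authentication] if authentication else []) + [path]
    try:
        proc = subprocess.run(argv, check=False)
    except OSError as exc:
        return Disposition("tempfail", f"could not run scanner: {exc}")
    return disposition(proc.returncode)


if __name__ == "__main__":
    # Paths from the posted configuration; the client is not present here,
    # so this shows the fail-closed branch.
    print(scan("/var/spool/snfilter/SNFClient.exe",
               "/var/spool/snfilter/msg/", "20080116183528_10882.msg"))
```

In a pipe-based Postfix content filter, "tempfail" maps to exiting with EX_TEMPFAIL (75) so Postfix defers the message instead of delivering it unscanned; the log line to watch for during the change is the one Pete points at, an m= attribute that carries only a file name and no directory.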


[sniffer] Rule Database copy question

2008-01-16 Thread Shawn Park
Hello,
I am using the latest beta version of Message Sniffer.  I am asking this
question because I thought I read this somewhere but I can not find where I
read it.


If I copy my rule database file to the c:\snf directory while
SNFServer.exe is running, does SNFServer automatically load the new
updated rule database?

If so, how long does it usually take before SNFServer realizes that there is
a new rule database that was copied to that directory?


Is there any way to verify that SNFServer has loaded the latest rule database
that was copied?  I know I can run a SNF2check.exe on the rule database to
check the file before I copy it, but it would be great to know if
SNFServer.exe has loaded the latest copy that I have copied to the c:\snf
directory.

Thanks,
Shawn


[sniffer] Re: Rule Database copy question

2008-01-16 Thread Pete McNeil




Hello Shawn,

Wednesday, January 16, 2008, 2:26:14 PM, you wrote:

 Hello,

 I am using the latest beta version of Message Sniffer. I am asking this question because I thought I read this somewhere but I can not find where I read it.

 If I copy my rule database file to the c:\snf directory while SNFServer.exe is running, does SNFServer automatically load the new updated rule database?

Yes.

 If so, how long does it usually take before SNFServer realizes that there is a new rule database that was copied to that directory?

Within about a second of seeing the new file it will load and check the new rulebase. If there is something wrong with the rulebase file it will keep the current rulebase active until a better one shows up.

 Is there any way to verify that SNFServer has loaded the latest rule database that was copied? I know I can run a SNF2check.exe on the rule database to check the file before I copy it, but it would be great to know if SNFServer.exe has loaded the latest copy that I have copied to the c:\snf directory.

SNFServer will indicate that the new rulebase was loaded in its log file.

Hope this helps,

_M


--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.






[sniffer] Re: Rule Database copy question

2008-01-16 Thread Colbeck, Andrew
It appears that both the reload and the rotate options in the
sniffer executable are still accepted by SNFClient.exe but are
deprecated, as neither parameter appears in the help or in the
contextual help when SNFClient.exe is run without parameters.
 
Andrew.
 
 





[sniffer] ERROR_SYNC_FAILED

2008-01-16 Thread Shawn Park
Hello,
I am using the latest beta of Message Sniffer.


Occasionally in my log file I will see the following entry:

<e u='20080116022507' context='SNF_NETWORK' code='99'
text='ERROR_SYNC_FAILED'/>


What causes this and how do I correct it?

Thanks,
Shawn


[sniffer] Re: Rule Database copy question

2008-01-16 Thread Colbeck, Andrew
Thanks for the response, Pete!
 
I was using both parameters in my scheduled pattern download script,
which would tell Sniffer that there was a new pattern, and would rotate
the logs before uploading them back to you.
 
With the new (beta) version, both extras have become redundant, so I've
removed them from my script.
 
 
Andrew.
 
 




From: Message Sniffer Community [mailto:[EMAIL PROTECTED]
On Behalf Of Pete McNeil
Sent: Wednesday, January 16, 2008 12:43 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Rule Database copy question

Hello Andrew,

Wednesday, January 16, 2008, 3:02:16 PM, you wrote:

 It appears that both the reload and the rotate options in the
 sniffer executable are still accepted by SNFClient.exe but are
 deprecated, as neither parameter appears in the help or in the
 contextual help when SNFClient.exe is run without parameters.

True -- if you called the SNFClient with rotate or reload then
it would interpret those as the names of files to scan; would most
likely not find them; and would produce a harmless error in the log
file.

SNFServer automatically reloads configuration files and rulebase
files when they are altered or replaced.

SNFServer can rotate log files on a per-day basis by including a
date stamp in their name. If you move a log file manually or by a script
then a new one will be created as needed.

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.







[sniffer] Re: ERROR_SYNC_FAILED

2008-01-16 Thread Pete McNeil




Hello Shawn,

Wednesday, January 16, 2008, 4:53:29 PM, you wrote:

 Thanks for the quick reply Pete.

 When SNF connects to your SYNC servers, what information/data is it exchanging?

The telemetry we receive is roughly equivalent to what you see in your .status.minute. file. In addition your SNF node sends:

* GBUdb alerts - These contain periodic updates on IP information in your GBUdb database so that the information can be shared with the cloud. An example might be:

<gbu time="20080116220039" ip="190.28.248.159" t="Ugly" b="1" g="0"/>
<gbu time="20080116220041" ip="74.50.113.233" t="Ugly" b="1" g="0"/>
<gbu time="20080116220045" ip="201.92.79.22" t="Ugly" b="1" g="0"/>
<gbu time="20080116220047" ip="74.50.113.233" t="Ugly" b="2" g="0"/>

* Spam samples - Messages that would normally be truncated but do not fail pattern rules are randomly sampled by default and sent to our virtual spamtrap system. This feature can be disabled if you wish.

Your node then receives:

* Rulebase status - Our system sends back information on the latest rulebase file.

* GBUdb reflections - Our system sends back GBUdb reflections (same format as above) corresponding to any alerts that your system sends us. This allows your system to learn from the cloud.

_M


--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.




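The telemetry Pete describes above, and the GBUdb ignore-list discussion earlier in the thread (local infrastructure must not end up tagged as a bad source), both come down to reading the one-element-per-line records SNF writes: <gbu/> alerts, <e/> errors such as ERROR_SYNC_FAILED, and <s/> scan results such as ERROR_MSG_FILE. The following is an added example, not code from Message Sniffer or from anyone on the list, for reviewing what a node actually shares. It assumes the attribute quoting seen in the quoted lines, treats b and g as cumulative bad/good counters per IP (the thread shows b going 1 -> 2 for one IP), and the sample records are constructed from the page's examples plus one added 127.0.0.1 alert to exercise the infrastructure check.

```python
"""Parse the one-element-per-line SNF log and telemetry records quoted in
this thread and summarise what a node shares.

Added example, not Message Sniffer code. Handles three record kinds shown
on the page: <gbu/> alerts (per-IP updates a node sends to the cloud),
<e/> errors such as ERROR_SYNC_FAILED, and <s/> scan results such as
ERROR_MSG_FILE. The per-IP summary shows which source IPs and counts
leave the node; the infrastructure check finds local addresses that
should have been on the GBUdb ignore list instead of being reported.

Assumptions not stated on the page: attribute values are single- or
double-quoted as in the quoted lines; b and g are cumulative bad/good
counters per IP; the 127.0.0.1 alert below is constructed.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# Constructed sample: the thread's four alerts, its error and scan-result
# lines, plus one added loopback alert.
SAMPLE_LOG = """\
<gbu time="20080116220039" ip="190.28.248.159" t="Ugly" b="1" g="0"/>
<gbu time="20080116220041" ip="74.50.113.233" t="Ugly" b="1" g="0"/>
<e u='20080116022507' context='SNF_NETWORK' code='99' text='ERROR_SYNC_FAILED'/>
<gbu time="20080116220045" ip="201.92.79.22" t="Ugly" b="1" g="0"/>
<gbu time="20080116220047" ip="74.50.113.233" t="Ugly" b="2" g="0"/>
<gbu time="20080116220050" ip="127.0.0.1" t="Ugly" b="3" g="0"/>
<s u='20080116173528' m='20080116183528_10882.msg' code='69' error='ERROR_MSG_FILE'/>
"""

ELEMENT_RE = re.compile(
    r'''^<(?P<name>[A-Za-z]\w*)(?P<attrs>(?:\s+\w+=(?:'[^']*'|"[^"]*"))*)\s*/?>$''')
ATTR_RE = re.compile(r'''(\w+)=(?:'([^']*)'|"([^"]*)")''')


def parse_element(line: str) -> Optional[Dict[str, str]]:
    """Parse one record line into {'_name': tag, attr: value, ...}.

    Returns None for anything that is not a single self-contained element,
    so stray text or a truncated line cannot be mistaken for a record.
    """
    m = ELEMENT_RE.match(line.strip())
    if not m:
        return None
    rec = {"_name": m.group("name")}
    for key, single, double in ATTR_RE.findall(m.group("attrs")):
        rec[key] = single if single else double
    return rec


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse every record line in a log excerpt, skipping non-records."""
    return [r for r in (parse_element(line) for line in text.splitlines()) if r]


def gbudb_summary(records: Iterable[Dict[str, str]],
                  ignore_ips: Iterable[str] = ()) -> Dict[str, Dict]:
    """Alert count, latest b/g counters and flag per IP from <gbu/> records.

    IPs on the local ignore list are dropped, mirroring what the ignore
    list is for: keeping local infrastructure out of GBUdb's judgement.
    """
    ignore = set(ignore_ips)
    out: Dict[str, Dict] = defaultdict(
        lambda: {"alerts": 0, "b": 0, "g": 0, "flag": ""})
    for r in records:
        if r["_name"] != "gbu" or r["ip"] in ignore:
            continue
        entry = out[r["ip"]]
        entry["alerts"] += 1
        entry["b"], entry["g"], entry["flag"] = int(r["b"]), int(r["g"]), r["t"]
    return dict(out)


def infrastructure_in_alerts(records: Iterable[Dict[str, str]],
                             infrastructure_ips: Iterable[str]) -> List[str]:
    """Local infrastructure IPs that nevertheless appear in shared alerts,
    i.e. addresses missing from the ignore list."""
    infra = set(infrastructure_ips)
    return sorted({r["ip"] for r in records
                   if r["_name"] == "gbu" and r["ip"] in infra})


def error_counts(records: Iterable[Dict[str, str]]) -> Dict[str, int]:
    """Count <e/> records by text and <s/> records that carry an error."""
    counts: Dict[str, int] = defaultdict(int)
    for r in records:
        if r["_name"] == "e":
            counts[r.get("text", "?")] += 1
        elif r["_name"] == "s" and "error" in r:
            counts[r["error"]] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ip, info in gbudb_summary(recs, ignore_ips=["127.0.0.1"]).items():
        print(ip, info)
    print("infrastructure in shared alerts:",
          infrastructure_in_alerts(recs, ["127.0.0.1", "192.168.100.1"]))
    print("errors:", error_counts(recs))
```

Run against a real log, a non-empty result from infrastructure_in_alerts is the case Pete warns about: a gateway or local relay being learned as a source, which the ignore list (and the -good/-bad command-line tools) exist to prevent; a rising ERROR_SYNC_FAILED count means the alerts are not being reflected back and the node is learning on its own.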


[sniffer] Re: One line nonsense mail

2008-01-12 Thread Pi-Web - Frank Jensen


Is it possible to add our own texts to SNF to include in the contents scan?

Eg.:
Subject: are unregulated and AND would be. by either the FSA or number of 
organisations.

This way we could react at the first message received.


Hi All,


 I had something like 37 different one-line nonsense mails in my account today
 (and so did many of our users). Of course they are not caught by SNF
 as almost all are different and from different IP sources.


Is it a virus that generates such mails?
Or what is the idea?

Anyone having luck stopping these annoying mails?


 Basically they look like this:

Subject: are unregulated and
Body: would be. by either the FSA or number of organisations.

Subject: Kitchen
Body: God Rifle Leg Navy

Subject: Post-office
Body: Monster Spice Microscope Torch

Subject: Room
Body: Treadmill Shop Hammer Mouth









--
Best regards, Frank Jensen
[EMAIL PROTECTED]
www.pi.dk









[sniffer] Re: SNF V2-9b1.5 Released - Please Upgrade

2008-01-12 Thread Harry vanderzand
I do not recall upgrading

How can I tell the version that I am running?

thanks

Harry Vanderzand
Intown Internet
11 Belmont Ave. W.
Kitchener, ON, N2M 1L2
519-741-1222


-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
Of Pete McNeil
Sent: Saturday, January 12, 2008 12:09 PM
To: Message Sniffer Community
Subject: [sniffer] Re: SNF V2-9b1.5 Released - Please Upgrade

Hello David,

When using snfupd with the new version you can skip the line that
tells SNF to reload.

REM %LicenseID%.exe reload

Most likely the error you received is because there is no executable
named for your license ID. This is ok with the new version. The
snfupd.cmd script was originally written to work with version 2 which
does require branding the SNF executable.

The new version of SNF does not require branding. Also, the new
version will very quickly recognize that there is a new rulebase file
and will load it automatically so there is no reason (nor facility) to
notify it about the update.

Hope this helps,

_M

Saturday, January 12, 2008, 11:21:37 AM, you wrote:

 OK, I have most of this working with Imail 8.22

 So far this is what I have done

 Copied, unpacked RImailSnifferUpdateTools.zip, edited snfupd.cmd and setup
 task schedule.

 Which generates an error from the snfupd.cmd 

C:\SNF>snfupd.cmd
 'mylicencekeynotshownhere.exe' is not recognized as an internal or
external
 command,
 operable program or batch file.

 REM Load new rulebase file.
 %LicenseID%.exe reload

 So how do I get the SNFserver to update with the latest .snf file.



 Regards David Moore
 [EMAIL PROTECTED]

 J.P. MCP, MCSE, MCSE + INTERNET, CNE.
 www.adsldirect.com.au for ADSL and Internet www.romtech.com.au for PC
sales

 Office Phone: (+612) 9453 1990
 Fax Phone: (+612) 9453 1880
 Mobile Phone: +614 18 282 648
 Skype Phone: ADSLDIRECT

 POSTAL ADDRESS:
 PO BOX 190
 BELROSE NSW 2085
 AUSTRALIA.

 -

 This email message is only intended for the addressee(s) and contains
 information that may be confidential, legally privileged and/or copyright.
 If you are not the intended recipient please notify the sender by reply
 email and immediately delete this email. Use, disclosure or reproduction
of
 this email, or taking any action in reliance on its contents by anyone
other
 than the intended recipient(s) is strictly prohibited. No representation
is
 made that this email or any attachments are free of viruses. Virus
scanning
 is recommended and is the responsibility of the recipient.
 -

 -Original Message-
 From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
 Of Pete McNeil
 Sent: Thursday, 18 October 2007 9:58 AM
 To: Message Sniffer Community
 Subject: [sniffer] SNF V2-9b1.5 Released - Please Upgrade

 Hello Sniffer folks,

 Please find the latest SNF V2-9 distribution files here:


http://kb.armresearch.com/index.php?title=Message_Sniffer.GettingStarted.Distributions#NEW_SNF_V2-9_Wide_Beta

 If you are running a previous version of SNF V2-9, please upgrade as
 soon as possible.

 The newest version includes some bug fixes. From the change log:

 20071017 - SNF2-9b1.5.exe

 Added a missing #include directive to the networking.hpp file. The
 missing #include was not a factor on Linux and Windows systems but
 caused compiler errors on BSD systems.

 Corrected a bug in the GBUdb White Range code where any message with a
 white range source IP was being forced to the white result code. The
 engine now (correctly) only forces the result and records the event when
 a black pattern rule was matched and the White Range IP causes that
 scan result to be overturned. If the scan result was not a black pattern
 match then the original scan result is allowed to pass through.

 Corrected a bug in the Header Analysis filter chain module that would
 cause the first header in the message to be ignored in some cases.

 Corrected an XML log format problem so that <s/> elements are correctly
 open ended <s> or closed (empty) <s/> according to whether they
 have subordinate elements.

 Adjusted the GBUdb header info format. The order of the Confidence
 figure and Probability figure is now the same as in the XML log files
 (C then P). The confidence and probability figures are now preceded
 with c= and p= respectively so that it's easy to tell which is which.

 Thanks!

 _M




-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.



[sniffer] Re: SNF V2-9b1.5 Released - Please Upgrade

2008-01-12 Thread David Moore
I have a question about GBUdbIgnoreList.txt: do I put 192.168.100.1 (which is
my server IP) as well as 127.0.0.1, and do I also put my public IP address in
this file?

Regards David Moore
[EMAIL PROTECTED]



-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
Of Pete McNeil
Sent: Sunday, 13 January 2008 4:25 AM
To: Message Sniffer Community
Subject: [sniffer] Re: SNF V2-9b1.5 Released - Please Upgrade

Hello Harry,

You can run the SNF program from the command line with no parameters.
It will complain and then tell you about itself.

_M

Saturday, January 12, 2008, 12:10:35 PM, you wrote:

 I do not recall upgrading

 How can I tell the version that I am running?

 thanks

 Harry Vanderzand
 Intown Internet
 11 Belmont Ave. W.
 Kitchener, ON, N2M 1L2
 519-741-1222


 -Original Message-
 From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
 Of Pete McNeil
 Sent: Saturday, January 12, 2008 12:09 PM
 To: Message Sniffer Community
 Subject: [sniffer] Re: SNF V2-9b1.5 Released - Please Upgrade

 Hello David,

 When using snfupd with the new version you can skip the line that
 tells SNF to reload.

 REM %LicenseID%.exe reload

 Most likely the error you received is because there is no executable
 named for your license ID. This is ok with the new version. The
 snfupd.cmd script was originally written to work with version 2 which
 does require branding the SNF executable.

 The new version of SNF does not require branding. Also, the new
 version will very quickly recognize that there is a new rulebase file
 and will load it automatically so there is no reason (nor facility) to
 notify it about the update.

 Hope this helps,

 _M

 Saturday, January 12, 2008, 11:21:37 AM, you wrote:

 Ok I have most off this working with Imail 8.22

 So far this is what I have done

 Copied, unpacked RImailSnifferUpdateTools.zip, edited snfupd.cmd and
setup
 task schedule.

 Which generates an from the snfupd.cmd 

C:\SNFsnfupd.cmd
 'mylicencekeynotshownhere.exe' is not recognized as an internal or
 external
 command,
 operable program or batch file.

 REM Load new rulebase file.
 %LicenseID%.exe reload

 So how do I get the SNFserver to update with the latest .snf file.



 Regards David Moore
 [EMAIL PROTECTED]

 J.P. MCP, MCSE, MCSE + INTERNET, CNE.
 www.adsldirect.com.au for ADSL and Internet www.romtech.com.au for PC
 sales

 Office Phone: (+612) 9453 1990
 Fax Phone: (+612) 9453 1880
 Mobile Phone: +614 18 282 648
 Skype Phone: ADSLDIRECT

 POSTAL ADDRESS:
 PO BOX 190
 BELROSE NSW 2085
 AUSTRALIA.

 -

 This email message is only intended for the addressee(s) and contains
 information that may be confidential, legally privileged and/or copyright.
 If you are not the intended recipient please notify the sender by reply
 email and immediately delete this email. Use, disclosure or reproduction of
 this email, or taking any action in reliance on its contents by anyone other
 than the intended recipient(s) is strictly prohibited. No representation is
 made that this email or any attachments are free of viruses. Virus scanning
 is recommended and is the responsibility of the recipient.
 -

 -Original Message-
 From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
 Sent: Thursday, 18 October 2007 9:58 AM
 To: Message Sniffer Community
 Subject: [sniffer] SNF V2-9b1.5 Released - Please Upgrade

 Hello Sniffer folks,

 Please find the latest SNF V2-9 distribution files here:



 http://kb.armresearch.com/index.php?title=Message_Sniffer.GettingStarted.Distributions#NEW_SNF_V2-9_Wide_Beta

 If you are running a previous version of SNF V2-9, please upgrade as
 soon as possible.

 The newest version includes some bug fixes. From the change log:

 20071017 - SNF2-9b1.5.exe

 Added a missing #include directive 

[sniffer] Questions about usage

2008-01-11 Thread Richard Lyon

Greetings all,

We run a small email server for the company. Basically, for the longest time
it's been installed and running, and all messages that are above a certain
weight are marked with **SPAM** in the subject line and sorted to a junk
folder by the user's client. The users could then skim this folder at their
convenience and deal with the email. However, the amount of spam has kept
increasing, and we are coming to the point where we will need to start
deleting some email above a certain (very high) weight.


It looks like the beta of Sniffer is dramatically different from the
FAQ I've found out at the Wiki, so I have a couple of questions:


1) There doesn't seem to be a .state file - how can I see how well  
Sniffer is working?
2) How do I tie a specific message to the corresponding log file  
entries?


Thanks!

Richard
[This E-mail scanned for viruses by Declude]



#
This message is sent to you because you are subscribed to
 the mailing list sniffer@sortmonster.com.
To unsubscribe, E-mail to: [EMAIL PROTECTED]
To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED]
To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]
Send administrative queries to  [EMAIL PROTECTED]



[sniffer] Sniffer Win32 command line output

2008-01-10 Thread Shawn Park
Hello,
I am evaluating Message Sniffer beta version but I am totally confused.  :-)


If I am in a MSDOS Window and I type:

SNFClient.exe junkmsg.txt

there is a very fast pause and I am returned to the command prompt.

I can go into the log and see this:

<s u='20080110191039' m='junkmsg.txt' s='54' r='9649'>
<m s='54' r='9649' i='383' e='391' f='m'/>
<p s='0' t='0' l='1577' d='39'/>
</s>


So I know everything is working like it should be.


But how do I get the result code for the spam message to output back to the
command prompt?  If I try to call SNFClient.exe from my C# code, I still
cannot get a result code returned to me.

I can get a result code if I do this:

SNFClient.exe -test xx.xx.xx.xx


but SNFClient.exe does not return the result code when I am passing a
filename to be tested.


Can someone point me in the right direction on how to see this result code
via my C# software code or command prompt box?

Thanks,
Shawn


[sniffer] Re: Sniffer Win32 command line output

2008-01-10 Thread Pi-Web - Frank Jensen


Make a bat file like this:

--
@echo off
echo syntax batfilenavn.bat messagefil to test
SNFclient.exe  %1
echo %errorlevel%
pause
--

If it displays zero, the message is clean.








--
Regards, Frank Jensen
[EMAIL PROTECTED]
www.pi.dk



Impressive, fascinating and huge
posters, e.g. 149 x 149 = 629 kr
We can also make a poster from your digital photo

www.plakatkunst.dk






[sniffer] Re: Sniffer Win32 command line output

2008-01-10 Thread Pete McNeil




Hello Shawn,

Thursday, January 10, 2008, 2:16:24 PM, you wrote:

Hello,

I am evaluating Message Sniffer beta version but I am totally confused. :-)

<snip/>

But how do I get the result code for the spam message to output back to the command prompt? If I try to call SNFClient.exe from my C# code, I still cannot get a result code returned to me.

I can get a result code if I do this:

SNFClient.exe -test xx.xx.xx.xx

but SNFClient.exe does not return the result code when I am passing a filename to be tested.

Can someone point me in the right direction on how to see this result code via my C# software code or command prompt box?

I'm not sure how C# behaves when it calls an external program and how it handles that program's result code -- I'll do some looking.

However, most programs that call SNFClient do so explicitly to get the result code so I know it works ;-)

One thing that you might try that will improve your performance since you're rolling your own C# code:

Check out the XCI interface. The SNFClient uses it to talk to the SNFServer instance. You should be able to write a quick bit of code to use XCI to talk to SNFServer also.

The basics are (per scan request):

1. Connect to 9001 on localhost via TCP
2. Transmit your request string (XML using the XCI examples as a guide)
3. Read the response string (XML again)
4. Close the connection

Making your own XCI request saves the step of launching yet another program to do it for you.

Hope this helps,

_M




--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





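The four-step exchange Pete describes above (connect to the SNFServer port on localhost, send a request, read the reply, close), written out as an added example. This is not code from the original post and not Message Sniffer's own code. It assumes a plain TCP exchange where the client half-closes its side after sending and the server replies then closes; the element names `xci-demo-request` and `xci-demo-response` are placeholders I made up so the example runs offline against the in-process stand-in server below. The real request and response layout comes from the XCI documentation the post points to.

```python
"""Added example of a request/response round trip to a scanner that speaks
XML over a loopback TCP port. Not Message Sniffer code; the XML element
names and the request framing are assumptions for the demo only."""
import socket
import threading
import xml.etree.ElementTree as ET

XCI_PORT = 9001  # port named in the thread; SNFServer listens on localhost


def xci_exchange(request_xml, host="127.0.0.1", port=XCI_PORT, timeout=5.0):
    """One scan request: connect, send, read the reply until the peer closes,
    then close. The half-close after sending is an ASSUMPTION about framing;
    use whatever the XCI documentation specifies for the real server."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request_xml.encode("utf-8"))
        sock.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8")


def parse_response(response_xml):
    """Return (root tag, attributes) of the reply. A malformed or truncated
    reply raises instead of being guessed at, so a caller never treats a
    garbled answer as a clean verdict."""
    root = ET.fromstring(response_xml)
    return root.tag, dict(root.attrib)


class MockXciServer:
    """Constructed stand-in for SNFServer: binds an ephemeral loopback port,
    answers exactly one connection, then exits. Not the real XCI protocol."""

    def __init__(self):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))  # loopback only, as the real service is used
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        self.thread = threading.Thread(target=self._serve_one, daemon=True)
        self.thread.start()

    def _serve_one(self):
        conn, _ = self.sock.accept()
        with conn:
            request = b""
            while True:  # read until the client half-closes (assumed framing)
                data = conn.recv(4096)
                if not data:
                    break
                request += data
            conn.sendall(self._answer(request.decode("utf-8")).encode("utf-8"))
        self.sock.close()

    @staticmethod
    def _answer(request_xml):
        # Placeholder verdict: a file name containing "junk" is called spam.
        name = ET.fromstring(request_xml).attrib.get("file", "")
        code = "54" if "junk" in name else "0"  # constructed codes, demo only
        return "<xci-demo-response file='%s' result='%s'/>" % (name, code)


def demo(filename="junkmsg.txt"):
    """Run one request against the stand-in server and return the parsed reply."""
    server = MockXciServer()
    reply = xci_exchange("<xci-demo-request file='%s'/>" % filename, port=server.port)
    server.thread.join(timeout=5)
    return parse_response(reply)


if __name__ == "__main__":
    print(demo())
```

The point of doing this in-process rather than spawning SNFClient.exe per message is the one Pete makes: no extra process launch per scan. Keep the listener bound to loopback as in the example; the scan port should not be reachable from other hosts.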

[sniffer] Re: Sniffer Win32 command line output

2008-01-10 Thread Pete McNeil




Hello Shawn,

Following up a bit...

Most likely you're using a Process object to call the SNFClient.

If I've read the MS docs correctly you will want to get the "exit code" once SNFClient finishes.

http://msdn2.microsoft.com/en-us/library/system.diagnostics.process.exitcode(VS.71).aspx

Hope this helps,

_M








[sniffer] One line nonsense mail

2008-01-10 Thread Pi-Web - Frank Jensen


Hi All,


I had like 37 different one-line nonsense mails in my account today (and so did many of our 
users). Of course they are not taken by SNF as almost all are different and from different IP sources.


Is it a virus that generates such mails?
Or what is the idea?

Anyone having luck stopping these annoying mails?


Basically they look like this:

Subject: are unregulated and
Body: would be. by either the FSA or number of organisations.

Subject: Kitchen
Body: God Rifle Leg Navy

Subject: Post-office
Body: Monster Spice Microscope Torch

Subject: Room
Body: Treadmill Shop Hammer Mouth







[sniffer] Re: Sniffer Win32 command line output

2008-01-10 Thread Shawn Park
Pete,
That is exactly what I needed.  You rock.


Thanks so much.

Shawn


On Jan 10, 2008 11:56 AM, Pete McNeil [EMAIL PROTECTED] wrote:




[sniffer] Kudos

2008-01-09 Thread Robert Grosshandler
Hi All -

With the holidays behind us, we upgraded to the "it doesn't look like it
will ever go gold" wide-beta.

Followed the directions in the readme to the letter.

Worked wonderfully, continues to work wonderfully 24 hours later.  We're low
volume, but so far no false positives and no complaints of leakage.

The suggestion to keep the rule update process the same was a good one.

We used FireDaemon instead of srvany to manage the SNF process.  Works fine.

We use inv-uribl, Declude (and therefore zerohour) in combo with Message
Sniffer.  I'm thinking of lowering the weight we delete at!

Thanks!

Rob






[sniffer] Re: I got a strong attack today

2008-01-04 Thread Pete McNeil
Hello Alberto,

Friday, January 4, 2008, 4:56:29 PM, you wrote:

 Hello

 I got a strong attack today, over thousand messages at the same time!!
 The usual technique:
 Impersonate the victim and send to non valid users of one domain of
 mine!!
 Changing IP for each message UNBELIEVABLE!!

This is very common these days. We call it getting caught in the
light.

Our spamtrap server is currently experiencing a similar attack and
is seeing 1850+ messages per minute. Luckily we've killed this
particular campaign a few hours ago so leakage is only 7/min and
890+/min of these messages are being truncated (scan stopped based on
IP via GBUdb)

 The only solution was, to stop all the services and move all the spool
 files in a temp directory.

 I won't use the nobody alias because at least the iMail Access Control
 can stop some bad IPs.

 My config is:
 Imail 9.23
 Mxguard 3.1
 Message Sniffer
 InvURIBL 3.7

 Two questions:

 1) There is a way or tool to recycle back good messages from the temp
 directory into the queue?

You should be able to write a cmd script to test the messages in your
temp folder against SNF and place the clean messages back into the
spool for delivery. This doesn't give you a complete solution, but it
is reasonably viable in such cases.

I've not heard of it, but you may be able to find or write a similar
utility to put the temp messages through the entire scan process at
some reasonable pace -- You might ask DG about that - I'm not sure
what would be the best way to go about that w/ mxGuard and he may have
a solution already or know where it's buried.

Side Note:

We actually have a technology that we've simulated and not deployed
called Gauntlet. Under certain conditions messages are shunted to a
waiting area where their scanning and delivery are delayed for a
period of time so that filtering systems can catch up... For
example, messages that arrive from completely unknown IPs would have
to run the gauntlet before being delivered. The sensitivity of the
shunting system could be guided by storm data (B and C counts) from
GBUdb to reduce the possibility of delaying ordinary messages.

What you are describing is a manual version of this process.

 2) How can I reduce or block(!) this kind of attacks?

The new version of SNF is very good at reducing this kind of attack
because the GBUdb component frequently can identify bad IP sources
very quickly after a new campaign begins and is able to block many of
the messages based on the IP reputation information known by the
network. In some cases this might include substantially all of the
attack prior to new pattern rules reaching your system -- in all cases
at least some fraction of the attack would be identified (based on
observations). The system will become more sensitive as more systems
begin using the new software -- at this time it is remarkably
sensitive even though only a small fraction of SNF users are already
using it -- so we expect significant improvements.

In this case, for example, many of the messages arriving would be seen
by SNF, identified after a very short scan (only the first few hundred
bytes), and then most-likely deleted (depending on how you tune your
system; also I'm not sure what options are available from mxGuard w/
regard to preempting additional tests and/or test ordering).

Given your system's configuration I don't know of any way to block
this kind of attack without adding additional components. A couple
that come to mind are SPF checking (so that any message pretending to
come from your domains must actually be coming from your servers
before being accepted), and graylisting which, while sometimes
problematic, currently provides some pretty good protection against
dumb-bot attacks. (Note that the newer bot softwares out there easily
defy gray listing so it's effectiveness is dropping quickly)

Hope this helps,

Best,

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer] Re: I got a strong attack today

2008-01-04 Thread John T (lists)
   3) then be able to create a temporary rule to help block messages
 - must be viable until SNF has an updated ruleset to start clearing
out
 the attack
 - I don't think declude (what I use w/SNF) has rule expirations (but
 would be a nice feature)

What I do when I create a temp rule is to call it T_date_A and then B and
then C and so forth. I then keep a rule_readme.txt file in the spool\declude
directory that I update.

John T







[sniffer] Re: I got a strong attack today

2008-01-04 Thread Pi-Web - Frank Jensen


Hi

I got a tool to test all messages in a folder with SNF.
All with a non zero result is moved to a spam folder.

It's like 84 lines of Delphi code.
If Pete will host the files I will supply the tool for free including source.






--
Regards, Frank Jensen
[EMAIL PROTECTED]
www.pi.dk







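Pete's suggestion earlier in this thread (a script that re-tests sidelined messages against SNF and puts the clean ones back in the spool) and Frank's folder tool above (non-zero result goes to a spam folder) both turn on the same thing the "command line output" thread settled: the verdict comes back as the scanner's exit code, the value `echo %errorlevel%` shows in a batch file or `Process.ExitCode` in C#. The script below is an added example of that triage loop and is not Frank's tool, Pete's script or Message Sniffer code. It assumes a scanner invoked as `<command> <message file>` that exits 0 for a clean message, and it substitutes a constructed stand-in scanner for SNFClient.exe so it runs offline; the messages and the non-zero code 54 it returns are constructed.

```python
"""Re-scan a folder of sidelined messages with a command-line scanner and
sort them by the scanner's exit code. Added example; not Message Sniffer code."""
import shutil
import subprocess
import sys
import tempfile
from pathlib import Path


def scan_exit_code(scanner_cmd, message_path, timeout=60):
    """Run the scanner on one file and return its process exit code.

    Same value `echo %errorlevel%` shows after `SNFClient.exe <file>` in a
    batch file, or Process.ExitCode in C#. Output is discarded; only the
    exit code carries the verdict. A hung scanner raises TimeoutExpired
    rather than stalling the whole queue."""
    proc = subprocess.run(
        [*scanner_cmd, str(message_path)],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, timeout=timeout,
    )
    return proc.returncode


def triage_folder(scanner_cmd, sideline_dir, spool_dir, spam_dir):
    """Scan every file in sideline_dir. Exit code 0 moves the file back into
    spool_dir; any other code moves it to spam_dir for review (nothing is
    deleted). Returns {"clean": [(name, code), ...], "spam": [...]}."""
    sideline_dir, spool_dir, spam_dir = (Path(p) for p in (sideline_dir, spool_dir, spam_dir))
    spool_dir.mkdir(parents=True, exist_ok=True)
    spam_dir.mkdir(parents=True, exist_ok=True)
    report = {"clean": [], "spam": []}
    for msg in sorted(p for p in sideline_dir.iterdir() if p.is_file()):
        code = scan_exit_code(scanner_cmd, msg)
        verdict = "clean" if code == 0 else "spam"
        target = spool_dir if code == 0 else spam_dir
        shutil.move(str(msg), str(target / msg.name))
        report[verdict].append((msg.name, code))
    return report


# Constructed stand-in for SNFClient.exe so the example runs offline:
# exit 0 for a clean file, a constructed non-zero code otherwise.
FAKE_SCANNER = """import sys
data = open(sys.argv[1], "rb").read()
sys.exit(54 if b"X-Constructed-Spam" in data else 0)
"""


def demo():
    """Build a throwaway sideline folder with three constructed messages,
    triage it with the stand-in scanner and return the report."""
    root = Path(tempfile.mkdtemp(prefix="snf_triage_"))
    try:
        scanner = root / "fake_scanner.py"
        scanner.write_text(FAKE_SCANNER)
        sideline = root / "sideline"
        sideline.mkdir()
        (sideline / "D1.msg").write_text("Subject: meeting\n\nSee you at 10.\n")
        (sideline / "D2.msg").write_text(
            "X-Constructed-Spam: yes\nSubject: Kitchen\n\nGod Rifle Leg Navy\n")
        (sideline / "D3.msg").write_text("Subject: invoice\n\nAttached.\n")
        return triage_folder([sys.executable, str(scanner)],
                             sideline, root / "spool", root / "spam")
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for verdict, entries in demo().items():
        for name, code in entries:
            print(f"{name}: exit code {code} -> {verdict}")
```

For a real run, `scanner_cmd` would be the path to SNFClient.exe and the three directories the sideline folder, the spool and a holding folder. The non-zero messages are moved, not deleted, so a false positive during a storm can still be recovered by hand.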
[sniffer] Re: I got a strong attack today

2008-01-04 Thread Pete McNeil
Hello Paul,

A relatively easy and reliable way to recognize one of these storms
is whenever your new SNF engine starts throwing Bs and Cs- That is -
you can check the second.stat or minute.stat file for Black and
Caution hits:

rates
  c .. m
  b .. m
/rates

On most systems Caution and Black events are relatively rare, but
during a storm these numbers tend to be high.

It is conceivable that you could detect these conditions by checking
the stat files and adjust your system's settings during a storm.

_M

Friday, January 4, 2008, 5:38:38 PM, you wrote:

 We saw the same thing this morning between 7:00 AM (GMT-0500) and about 8:30
 AM.  Big chunks were getting through (spam detection rate dropped to about
 65-70% (from its normal 97-99%).  Sniffer updates seemed to start quelling
 the attack after about an hour of getting pummeled.

 Because of the relatively short lifespan of these types of attacks you need
 to:

   1) be aware of attack quickly
 - e.g. w/in 10-15 mins of seeing average detection rates drop below a
 certain threshold (maybe 85%?)) and 
   2) be able to determine if there is an easy way to ID the leaked messages
 (common source IP(s), From domains (SPF check would help), subject lines,
 etc)
   3) then be able to create a temporary rule to help block messages
 - must be viable until SNF has an updated ruleset to start clearing out
 the attack
 - I don't think declude (what I use w/SNF) has rule expirations (but
 would be a nice feature)

 Paul ---


 -Original Message-
 From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On
 Behalf Of Alberto Santoni
 Sent: Friday, January 04, 2008 4:56 PM
 To: Message Sniffer Community
 Subject: [sniffer] I got a strong attack today
 
 Hello
 
 I got a strong attack today, over thousand messages at the same time!!
 The usual technique:
 Impersonate the victim and send to non valid users of one domain of
 mine!!
 Changing IP for each message UNBELIEVABLE!!
 
 The only solution was, to stop all the services and move all the spool
 files in a temp directory.
 
 I won't use the nobody alias because at least the iMail Access
 Control
 can stop some bad IPs.
 
 My config is:
 Imail 9.23
 Mxguard 3.1
 Message Sniffer
 InvURIBL 3.7
 
 Two questions:
 
 1) There is a way or tool to recycle back good messages from the temp
 directory into the queue?
 2) How can I reduce or block(!) this kind of attacks?
 
 With my best regards
 Alberto
 
 
 
 
 
 



-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.




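Pete's point above is that Black and Caution hits in the stat files are rare on a quiet system and spike during a storm, so a script can watch them and change settings when they climb. The detector below is an added example of that check, not Message Sniffer code. Because the page shows only a fragment of the stat file layout, the example works on per-minute (black, caution) counts that are assumed to have already been read out of minute.stat, and the series it runs on is constructed: twenty quiet minutes, a five-minute burst, then quiet again. The window size, multiplier and floor are tuning values I chose for the demo.

```python
"""Added example: flag storm minutes from Black/Caution hit counts.
Input is a list of (minute_label, black_hits, caution_hits) assumed to
have been extracted from minute.stat. Not Message Sniffer code."""
from statistics import median


def storm_intervals(samples, window=15, multiplier=4.0, floor=20):
    """Return [(first_minute, last_minute), ...] for each detected storm.

    A minute is 'in storm' when black+caution exceeds both `floor` and
    `multiplier` times the median of the last `window` quiet minutes.
    Only quiet minutes feed the baseline, so a long storm cannot raise the
    baseline until it is no longer seen as a storm. The first `window`
    minutes only build the baseline and are never flagged."""
    baseline_hits = []
    intervals = []
    current_start = None
    last_label = None
    for label, black, caution in samples:
        hits = black + caution
        in_storm = False
        if len(baseline_hits) >= window:
            baseline = median(baseline_hits[-window:])
            in_storm = hits > max(floor, multiplier * baseline)
        if in_storm:
            if current_start is None:
                current_start = label
        else:
            if current_start is not None:
                intervals.append((current_start, last_label))
                current_start = None
            baseline_hits.append(hits)  # only quiet minutes shape the baseline
        last_label = label
    if current_start is not None:  # storm still running at end of data
        intervals.append((current_start, last_label))
    return intervals


def constructed_samples():
    """Constructed per-minute counts: quiet, a burst at 08:20-08:24, quiet."""
    quiet_counts = [(0, 1), (1, 0), (0, 0), (2, 1), (0, 1), (1, 1), (0, 0),
                    (0, 2), (1, 0), (0, 1), (1, 0), (0, 0), (2, 0), (0, 1),
                    (0, 0), (1, 1), (0, 0), (0, 1), (1, 0), (0, 2)]
    quiet = [("08:%02d" % m, b, c) for m, (b, c) in enumerate(quiet_counts)]
    burst = [("08:20", 35, 60), ("08:21", 80, 110), ("08:22", 95, 140),
             ("08:23", 60, 90), ("08:24", 20, 45), ("08:25", 2, 3)]
    tail = [("08:26", 0, 1), ("08:27", 1, 0)]
    return quiet + burst + tail


def demo():
    """Run the detector over the constructed series."""
    return storm_intervals(constructed_samples())


if __name__ == "__main__":
    for start, end in demo():
        print("storm detected from %s to %s" % (start, end))
```

The interval boundaries are what a wrapper script would act on: tighten settings at the start label and restore them after the end label. The floor matters on a system where the quiet median is 0 or 1, since a multiple of that would flag a single stray hit.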

[sniffer] Re: I got a strong attack today

2008-01-04 Thread Pete McNeil
Hello Alberto,

Friday, January 4, 2008, 6:50:55 PM, you wrote:

 Pete Thank you very much for your very exhaustive response!

It's what we do. ;-)

 Do you have any other information on this technology called Gauntlet that
 seems to me very, very interesting?

There really isn't much more to it than what's been said. The concept
has been around for several years now -- the details are platform and
policy specific. We have it on the drawing board to include it as a
feature in some platforms that we support - however that is a
complicated piece of engineering since each platform is different and
we support _MANY_ platforms.

(sideline = put messages through the gauntlet)

Consider just a few, for example:

MDaemon calls SNF as a plugin and doesn't provide any simple (fool
proof) method for message re-injection. Also, it is not clear that
there is a friendly and reliable way to sideline the messages on
this platform.

We could sideline messages in IMail by parking the Q and D files in a
special directory and then later re-processing them through SNF back
to the spool...

-- But, if Declude is present then we might instead wish to re-process
the messages through the proc folder, and there are uncertainties
about when and how to do this and how to pace it.

-- If mxGuard is in place -- how would we re-process the messages at
all?

-- How could we ensure that virus scanning etc would be enabled (or
not if desired?)

SmarterMail could be handled (presumably) in a similar way to IMail
except that the file structures are different as are a few assumptions
about message processing and acceptable loads, etc.

In Postfix systems we would need to create our own data structures to
capture envelope information before we sidelined the message -- all
that in addition to considerations of other processes that might be in
place (without notice) and might need to be considered when we
re-process the messages.

Communigate systems store routing information in the message file
itself which would simplify sidelining the messages but complicates
the re-processing task - and again there are other processes that
might be in place unannounced...



All that by way of illustrating that the concept of Gauntlet is
powerful and simple to understand, but not so simple to implement.

For now we've been describing it to folks and helping them implement
versions of Gauntlet in their proprietary systems.

With a bit of luck and elbow grease we will hopefully release
utilities and/or special versions of SNF to support this on some
platforms -- This is particularly attractive since the GBUdb engine
produces signals that theoretically allow us to activate and
deactivate (or desensitize) Gauntlet under specific conditions very
accurately.

Specifically, GBUdb can provide a clear signal for the presence of a
spam storm by monitoring Black and Caution activity. GBUdb also
provides ready statistics on IPs so that we can define which IPs not
to sideline (when the IP is reasonably well known and reasonably
unlikely to send spam).

-- That's about all I can think of to say about it at this time (at
least without some more specific questions).

  
 But I don't think that Mxguard can manage all of this you are explaining in 
 the message.

That's probably true -- but not certain.

Consider, for example, that your re-injection script could act just
like IMail...

* Drop the D file back into the spool

* Drop the Q file back into the spool

* IMMEDIATELY call mxGuard with the Q file in precisely the same way
IMail does.

In theory this would work for mxGuard or Declude since both programs
would see this activity no differently than if IMail had just dropped
a new message in for processing.

That's a very big In theory -- because I've not tried it, but based
on the available documentation the theory is sound.

 I will try to write a CDM to solve my queue problems

Please keep us posted.

Thanks,

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer] The new version of SNF

2007-12-28 Thread Alberto Santoni
Hello 

The new version of SNF is released? 
How much is it stable?

Thanks 
Alberto






[sniffer] Re: The new version of SNF

2007-12-28 Thread Pete McNeil
Hello Alberto,

Friday, December 28, 2007, 2:32:55 PM, you wrote:

 Hello 

 The new version of SNF is released? 
 How much is it stable?

It's not yet officially released, but the current beta (1.5) has been
production stable for quite a while now.

The official release will wait for a few extra features we want to add
to make it easier to administer and extend. That release will happen
Q1.

Thanks,

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer] Re: Excessive amounts of spam

2007-12-20 Thread David Moore
How stable is the beta version?

 

Regards David Moore
[EMAIL PROTECTED]

J.P. MCP, MCSE, MCSE + INTERNET, CNE.
www.adsldirect.com.au http://www.adsldirect.com.au/  for ADSL and Internet
www.romtech.com.au http://www.romtech.com.au/  for PC sales

Office Phone: (+612) 9453 1990
Fax Phone: (+612) 9453 1880
Mobile Phone: +614 18 282 648
Skype Phone: ADSLDIRECT

POSTAL ADDRESS:
PO BOX 190
BELROSE NSW 2085
AUSTRALIA.


 

From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
Of Pete McNeil
Sent: Friday, 21 December 2007 8:10 AM
To: Message Sniffer Community
Subject: [sniffer] Re: Excessive amounts of spam

 

Hello David,

 

Thursday, December 20, 2007, 3:25:45 PM, you wrote:

 


 

If you are not yet running the latest beta then that might help quite a
bit since the GBUdb (IP reputation system) does a good job capturing new
spam from old bots even before rules are coded.

Please clarify are you saying it would help if we had the beta installed?

 

Yes. 

 

The new GBUdb engine reduces leakage quite a bit. As more systems adopt the
new version this will improve even more. Most new spam campaigns are started
with some large fraction of existing bots. Messages from bots that have
already been identified will be blocked even before new content rules can be
generated (if needed). 

 

_M

 

 

 

 

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.

 
 


[sniffer] Re: Excessive amounts of spam

2007-12-20 Thread Pi-Web - Frank Jensen


We have been running it for - I guess - 2 months now without any trouble.

> How stable is the beta version?

 


Regards David Moore
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]

J.P. MCP, MCSE, MCSE + INTERNET, CNE.
www.adsldirect.com.au http://www.adsldirect.com.au/ for ADSL and 
Internet www.romtech.com.au http://www.romtech.com.au/ for PC sales


--
Best regards, Frank Jensen
[EMAIL PROTECTED]
www.pi.dk



Impressive, fascinating and huge
posters, e.g. 149 x 149 = 629 kr
We can also make a poster from your digital photo

www.plakatkunst.dk






[sniffer] Re: Excessive amounts of spam

2007-12-20 Thread David Moore
We are using the MxGuard, Sniffer, InvURIBL combo on IMail. Will the beta Sniffer
still fit with this combination without issues?

Regards David Moore
[EMAIL PROTECTED]

J.P. MCP, MCSE, MCSE + INTERNET, CNE.
www.adsldirect.com.au for ADSL and Internet www.romtech.com.au for PC sales


-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
Of E. H. (Eric) Fletcher
Sent: Friday, 21 December 2007 8:35 AM
To: Message Sniffer Community
Subject: [sniffer] Re: Excessive amounts of spam

Frank:

Thanks for your input.  There are definitely things leaking through that
wouldn't have leaked through before.  We've held off hoping for a production
release but it may not be practical much longer.  On that note, for anyone
else in the same position, we tested adding InvURIBL from Invariant Systems.

It's not a sniffer replacement but definitely caught a lot of what sniffer
currently lets through for the very valid reasons Pete has covered.  The
only thing missing seemed to be a white list so that you could white list
legitimate publications that might contain links to 'offensive' sites.  That
can probably be tuned out thru weighting, however we'd hoped not to be
re-inventing the wheel for a short term solution.

Eric


[sniffer] Re: Excessive amounts of spam

2007-12-20 Thread John T (lists)
I have not noticed any increase in FPs on the one server that is running it.

John T
 -Original Message-
 From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
Of Darin
 Cox
 Sent: Thursday, December 20, 2007 1:29 PM
 To: Message Sniffer Community
 Subject: [sniffer] Re: Excessive amounts of spam
 
 I've heard comments that it has a higher catch rate... how about FP rate?
 Higher, the same, or lower?
 
 Darin.
 
 







[sniffer] Re: Excessive amounts of spam

2007-12-20 Thread Pi-Web - Frank Jensen


We are using sniffer and free tools: yasu (URLBL) and RBLCHECK (DNSBL).
URLBL does catch some that sniffer doesn't. URLBL I think has as low a false
rate as sniffer - but it does not catch as many as sniffer. DNSBL also
(mainly spamcop), but with many more false positives than sniffer. We have added
an IP whitelist for DNSBL to lower the false rate.

We used to run spam assassin, but the above config has a much lower false
rate and uses much less CPU.




--
Best regards, Frank Jensen
[EMAIL PROTECTED]
www.pi.dk




[sniffer] Sniffer Update Timeouts

2007-12-12 Thread Christopher Jaime

I'm seeing timeouts and very slow downloads from sniffer today.
Is this just me?

- Chris

--
C:\IMail\Sniffer>wget -N http://www.sortmonster.net/Sniffer/Updates/user_code.snf -O user_code.new.gz --http-user=sniffer --http-passwd=ki11sp8m --header=Accept-Encoding:gzip
--09:17:19--  http://www.sortmonster.net/Sniffer/Updates/user_code.snf
  => `user_code.new.gz'
Resolving www.sortmonster.net... 74.205.4.93
Connecting to www.sortmonster.net|74.205.4.93|:80... connected.
HTTP request sent, awaiting response... Read error (Connection timed out) in headers.
Retrying.
--

--
--
Midtown Micro, Inc. (TM)
Programming and Web Hosting
http://www.MidtownMicro.com
Toll Free: 1-800-442-2447
Voice: (916) 442-2447







[sniffer] Please send email to r...@bluscs.com

2007-11-29 Thread roconnor
My email address has changed. Please email [EMAIL PROTECTED]







[sniffer] Re: [S][sniffer] Re: Please send email to r...@bluscs.com

2007-11-29 Thread David Payer - IowaLink Administrator
John, it is often less than clear as to how to do that. For example, where 
is our customer interface to change things?


Is that link on the email?

Is that link on the armresearch.com page?

If you know this to be the case, please show us all.

David P.



- Original Message - 
From: John T (lists) [EMAIL PROTECTED]

To: Message Sniffer Community sniffer@sortmonster.com
Sent: Thursday, November 29, 2007 10:00 AM
Subject: [S][sniffer] Re: Please send email to [EMAIL PROTECTED]


Please do what you are supposed to do and take responsibility to update your
own subscription!

John T







[sniffer] Re: re subscriptions to list

2007-11-29 Thread Pete McNeil

Regarding this thread and to nobody in particular:

I would like to say a word or two before this gets out of hand.

Our policy on this list is to provide the answers needed no matter how
obvious or well posted those answers may be.

Emotionally negative responses are discouraged and generally not
useful.

RTFM type answers should be emotionally neutral, should summarize a
quick answer, and should provide a link to TFM.

For whatever reason, these kinds of requests are made and these kinds
of questions are asked. The folks who make these requests or ask these
questions - no matter how obvious - need help. The best thing we can
do is provide that help.

Keep in mind also that these messages are archived so that they remain
searchable on the 'web. This means that any solutions we post here,
including references to obvious or well posted answers, serve to make
those answers easier to find.

Please: Be kind and helpful, or stay away from the send button. I
can't remember the number of times something simple and obvious
baffled me when I needed it least -- and I'm sure many of us have had
similar moments.*

A simple answer to an obvious question can go a long way in a positive
direction.

Please help us keep this forum active, positive, and informative.

Thanks,

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.

* One of the biggest problems with technology is that as people come
up the learning curve they tend to forget what it was like when they
didn't know the obvious. All too often, once we have come up the
learning curve a bit we go on to punish those who are just starting
out. Even the best of us leave unintentional barriers by simply not
discussing the obvious.

* Those of us who should already know the obvious are still subject
to moments from time to time when it escapes us -for whatever reason.
Think of how much time we could all save if it were easier to escape
those moments.






[sniffer] Re: re subscriptions to list

2007-11-29 Thread Matt

All auto-responders should be burnt in hell

Have a nice day :)

Matt










[sniffer] REVDNS

2007-11-28 Thread george kulman
Pete,

 

Rulebase Update Notifications from BI.Arm1.armresearch.com [74.205.4.85] are
failing Declude's REVDNS. Might a PTR be in order? DNSSTUFF doesn't show
one.

 

George



[sniffer] Re: REVDNS

2007-11-28 Thread Herb Guenther




Yup, same here

X-RBL-Warning: FROMNOMATCH: Env sender ([EMAIL PROTECTED]) From: () mismatch.
X-RBL-Warning: HELOBOGUS: Domain UnknownHost returns a server failure for MX or A records.
X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA 74.205.4.85 with no reverse DNS entry.



-- 
Herb Guenther
Lanex, LLC
www.lanex.com
(262)789-0966x102 Office
(262)780-0424 Direct


This e-mail is confidential and is for the use of the intended recipient(s)only. If you are not an intended recipient please advise us of our error by return e-mail then delete this e-mail and any attached files. You may not copy, disclose or use the contents in any way.




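The reverse-DNS test behind the REVDNS warning quoted above, as an added example that is neither Declude's nor Sniffer's code. It goes one step further than the thread and also flags a PTR that does not resolve back to the sending IP (forward-confirmed reverse DNS). The resolver is pluggable so it runs offline; the lookup table, the extra IPs and the exact warning wording are constructed assumptions.

```python
"""Added example (not Declude's or Sniffer's code): a reverse-DNS test of the
kind the REVDNS warning in the thread reports, with a pluggable resolver so
it can be exercised offline. The table below and the warning wording are
constructed for this example."""
import socket
from typing import Callable, List, Optional, Tuple

# resolver(ip) -> (PTR name or None, A records the PTR name resolves to)
Resolver = Callable[[str], Tuple[Optional[str], List[str]]]


def system_resolver(ip: str) -> Tuple[Optional[str], List[str]]:
    """Live lookup via the OS resolver: PTR for the IP, then A records for it."""
    try:
        name = socket.gethostbyaddr(ip)[0]
    except OSError:               # socket.herror / gaierror are OSError subclasses
        return None, []
    try:
        addrs = socket.gethostbyname_ex(name)[2]
    except OSError:
        addrs = []
    return name, addrs


def revdns_check(ip: str, resolver: Resolver = system_resolver) -> Tuple[str, str]:
    """Return (status, warning_header).

    status is one of
      "none"         no PTR record at all (the case in the thread);
      "unconfirmed"  a PTR exists but does not resolve back to the IP;
      "ok"           forward-confirmed reverse DNS.
    The header text mimics the X-RBL-Warning style quoted above; the
    wording is an assumption, not Declude's exact output.
    """
    ptr, addrs = resolver(ip)
    if ptr is None:
        return "none", (f"X-RBL-Warning: REVDNS: This E-mail was sent from a "
                        f"MUA/MTA {ip} with no reverse DNS entry.")
    if ip not in addrs:
        return "unconfirmed", (f"X-RBL-Warning: REVDNS: PTR {ptr} for {ip} "
                               f"does not resolve back to {ip}.")
    return "ok", ""


# Constructed resolver table standing in for DNS. The notification host's IP
# from the thread is given no PTR to reproduce the failure George and Herb
# report; the other two addresses are documentation-range placeholders.
_TABLE = {
    "74.205.4.85": (None, []),
    "192.0.2.10": ("mail.example.net", ["192.0.2.10"]),
    "192.0.2.11": ("host.example.org", ["192.0.2.99"]),   # PTR but no FCrDNS
}


def table_resolver(ip: str) -> Tuple[Optional[str], List[str]]:
    """Offline resolver backed by the constructed table above."""
    return _TABLE.get(ip, (None, []))


if __name__ == "__main__":
    for addr in _TABLE:
        status, header = revdns_check(addr, table_resolver)
        print(addr, status, header)
```

With the default resolver the same function performs the live check a gateway would run on the connecting IP.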




[sniffer] Re: FTP access to snf rulebase files is no longer available.

2007-11-23 Thread Bill Foresman
Thanks, Pete. I was looking for the code I needed to add to the scripts that would automate that?

Thanks,

Bill Foresman
Matrosity Hosting
850-656-2644






[sniffer] Re: FTP access to snf rulebase files is no longer available.

2007-11-23 Thread Pete McNeil




Hello Bill,

Friday, November 23, 2007, 4:55:09 AM, you wrote:

> Hi Pete,
> I don't think our logs are being compressed even though I'm using the snifferupdatetools. I see where this is mentioned but after checking the scripts I don't think this is happening. How can I do this?

It is ok to compress your log files before uploading them. Compress one file at a time -- not groups of logs.

.zip or .gz formats are ok.

There's nothing else special about it.

For example, your licenseid.log file is compressed with gzip or zip and ends up being licenseid.log.gz or licenseid.log.zip - then you upload the compressed version.

Hope this helps,

_M



--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.






[sniffer] Re: FTP access to snf rulebase files is no longer available.

2007-11-23 Thread Bill Foresman
Hi Pete,

I don't think our logs are being compressed even though I'm using the snifferupdatetools. I see where this is mentioned but after checking the scripts I don't think this is happening. How can I do this?
Thanks,

Bill Foresman
Matrosity Hosting
850-656-2644



-Original Message-
From: "Pete McNeil" [EMAIL PROTECTED]
Sent 11/23/2007 2:34:58 AM
To: "Message Sniffer Community" sniffer@sortmonster.com
Subject: [sniffer] FTP access to snf rulebase files is no longer available.

Hello Sniffer Folks,

It has come to our attention that a few folks out there have not yet
changed their rulebase update scripts to use http (usually wget +
gzip) and are still using FTP.

FTP access to SNF rulebases was deprecated some time ago. With the
recent upgrades to our servers we have discontinued FTP access to the
rulebase files.

Please adjust your scripts to use http instead of ftp. Most likely you
will wish to use wget and gzip (the combination can ensure that
downloads only occur when a new file is available and can allow the
file to be compressed on-the-fly to substantially reduce the bandwidth
requirements).

You can find a number of example scripts by following these links:
http://kb.armresearch.com/index.php?title=Message_Sniffer.TechnicalDetails.AutoUpdates
http://kb.armresearch.com/index.php?title=Message_Sniffer.TechnicalDetails.SubmittedScripts

Shortly after the next version of SNF is out of beta we hope to
discontinue FTP access for uploading rulebase files. The new version
of SNF provides real-time telemetry so that uploaded log files are
no longer necessary.

Sorry for any confusion about this.

Thanks for your patience and support!

_M

--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.
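The update cycle Pete describes (fetch over HTTP, only when the server has a newer file, compressed on the wire), as an added example that is not one of the scripts linked above: it sends If-Modified-Since and Accept-Encoding: gzip for the same effect as wget -N plus gzip, expands the body, and swaps the rulebase in atomically. The URL, the credentials and the payload used in demo() are placeholders constructed for this example.

```python
"""Added example, not one of the scripts the list links to: an HTTP rulebase
updater that asks for gzip on the wire and only replaces the local file when
the server has something newer, the same effect as the wget -N + gzip
combination recommended above. URL, credentials and demo payload are
placeholders constructed for this example."""
import base64
import gzip
import os
import tempfile
import urllib.error
import urllib.request
from email.utils import formatdate, parsedate_to_datetime

RULEBASE_URL = "http://rulebase.example.invalid/Updates/licenseid.snf"  # placeholder


def build_request(url: str, local_path: str, user: str, password: str) -> urllib.request.Request:
    """GET that accepts on-the-wire gzip and, when a local copy exists, sends
    its mtime as If-Modified-Since so an unchanged rulebase costs one 304."""
    req = urllib.request.Request(url, headers={"Accept-Encoding": "gzip"})
    if os.path.exists(local_path):
        req.add_header("If-Modified-Since",
                       formatdate(os.path.getmtime(local_path), usegmt=True))
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")   # credentials come from config
    return req


def decode_body(body: bytes, content_encoding: str) -> bytes:
    """Undo transport compression (wget writes the raw gzip stream to a .gz
    file; here it is expanded in memory before installing)."""
    if content_encoding.lower() == "gzip":
        return gzip.decompress(body)
    return body


def install_if_changed(path: str, data: bytes) -> bool:
    """Atomically replace the rulebase, but only when the bytes differ, so the
    running scanner never sees a half-written file. Returns True on install."""
    if os.path.exists(path):
        with open(path, "rb") as fh:
            if fh.read() == data:
                return False
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".snf-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    os.replace(tmp, path)
    return True


def fetch_update(url: str, local_path: str, user: str, password: str) -> str:
    """One update cycle. Returns 'not-modified', 'installed' or 'same-content'."""
    req = build_request(url, local_path, user, password)
    try:
        with urllib.request.urlopen(req, timeout=60) as resp:
            data = decode_body(resp.read(), resp.headers.get("Content-Encoding", ""))
            last_modified = resp.headers.get("Last-Modified")
    except urllib.error.HTTPError as err:
        if err.code == 304:
            return "not-modified"
        raise
    if not install_if_changed(local_path, data):
        return "same-content"
    if last_modified:
        # Stamp the file with the server's time so the next If-Modified-Since is exact.
        ts = parsedate_to_datetime(last_modified).timestamp()
        os.utime(local_path, (ts, ts))
    return "installed"


def demo() -> dict:
    """Offline walk-through on a constructed payload; no network is touched."""
    payload = b"# constructed rulebase content\n"
    path = os.path.join(tempfile.mkdtemp(), "rulebase.snf")
    wire = gzip.compress(payload)                    # what the server would send
    first = install_if_changed(path, decode_body(wire, "gzip"))
    second = install_if_changed(path, decode_body(wire, "gzip"))
    req = build_request(RULEBASE_URL, path, "licenseid", "PLACEHOLDER-SECRET")
    with open(path, "rb") as fh:
        on_disk = fh.read()
    return {
        "first_install": first,
        "second_install": second,
        "disk_matches": on_disk == payload,
        "conditional": req.has_header("If-modified-since"),
        "asks_gzip": req.get_header("Accept-encoding") == "gzip",
    }


if __name__ == "__main__":
    print(demo())
```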



[sniffer] No email updates.

2007-11-21 Thread Frederick Samarelli
Fred






[sniffer] Re: No email updates.

2007-11-21 Thread Colbeck, Andrew
For what it's worth, it is working for my two licences.

I received email update notifications at:

90 minutes ago
3 hours 18 minutes ago
4 hours 38 minutes ago
6 hours 13 minutes ago

Andrew 8)







[sniffer] Server didn't restart

2007-11-20 Thread Serge

Hello

My server rebooted last night.
Sniffer server did not restart correctly.
I fixed that, but I have 40K+ messages in the imail/spool/proc, most inbound 
and not yet locally delivered.
Will they be reprocessed automatically? Or is there something else I need to 
do?

How long will it take? (dual Xeon 1.266 GHz)

TIA







[sniffer] Re: Server didn't restart

2007-11-20 Thread Paul Rogers
They will get processed; it's just a matter of how long it will take.

I think the answer will depend on how many messages per hour your server
normally processes.  You didn't specify how long your server was offline so
we can only guess how long it took to accumulate 40k messages (and thus a
per hour inbound rate).

At max capacity I see my main server process (through sniffer/latest beta)
about 800-1000 messages per minute (60k/hour)...that would be on a quad Xeon
(on SATA drives).  So at that rate (assuming no other incoming email which
can slow the overall process down) maybe an hour.  But since the server also
has normal incoming emails to deal with as well, it may take 90-120 mins to
completely clear a queue that size.

Keep an eye on your proc folder q file count...  dir q*.* /w

Paul ---

 -Original Message-
 From: Message Sniffer Community 
 [mailto:[EMAIL PROTECTED] On Behalf Of Serge
 Sent: Tuesday, November 20, 2007 8:02 AM
 To: Message Sniffer Community
 Subject: [sniffer] Server didn't restart
 
 Hello
 
 My server rebooted last night.
 Sniffer server did not restart correctly.
 I fixed that, but I have 40K+ messages in the 
 imail/spool/proc, most inbound and not yet locally delivered.
 Will they be reprocessed automatically? Or is there something 
 else I need to do?
 How long will it take? (dual Xeon 1.266 GHz)
 
 TIA
 
 
 
 







[sniffer] Re: [sniffer] Server didn't restart

2007-11-20 Thread Hirthe, Alexander
Hi,

I would stop all mail services (Queuemgr, SMTPD32, Decludeproc) and restart them 
all.

We had over 40K on Sunday (crashed decludeproc) and it took about 6 hours 
(dual Xeon 3.0).


Alex


 -Original Message-
 From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On
 Behalf Of Serge
 Sent: Tuesday, 20 November 2007 14:02
 To: Message Sniffer Community
 Subject: [sniffer] Server didn't restart

 Hello

 My server rebooted last night.
 Sniffer server did not restart correctly.
 I fixed that, but I have 40K+ messages in the imail/spool/proc, most
 inbound and not yet locally delivered.
 Will they be reprocessed automatically? Or is there something else I
 need to do?
 How long will it take? (dual Xeon 1.266 GHz)

 TIA










Siller AG, Wannenaeckerstrasse 43, 74078 Heilbronn
Board of Management: Prof. H.-F. Siller (Chairman), Joern Buelow, Ralf Michi
Chairman of the Supervisory Board: Armin Sohler
Registry court Stuttgart, HRB 107707, VAT ID No. DE145782955





[sniffer] Re: Server didn't restart

2007-11-20 Thread Serge

Oh, I forgot:
Most of the processor time was used by Declude proc.
Also, since I go through 2 satellite connections, DNS queries usually take much 
longer than for you guys.
I would probably be calling on Darrell next week for help optimizing my Declude 
tests/filters.




- Original Message - 
From: Serge [EMAIL PROTECTED]

To: Message Sniffer Community sniffer@sortmonster.com
Sent: Wednesday, November 21, 2007 1:57 AM
Subject: Re: [sniffer] Server didn't restart




Thank you all for your input.

It took about 9+ hours to process the backlog.
Server was processing about 125 msg/minute, with an average of about 75 
from the backlog and 50 new/minute.
Pete mentioned AVAFTERJM; currently I don't use this command, so I suppose 
it is set to the Declude default (on?). Should I change this?


Regards

Serge



- Original Message - 
From: Darrell ([EMAIL PROTECTED]) [EMAIL PROTECTED]

To: Message Sniffer Community sniffer@sortmonster.com
Sent: Tuesday, November 20, 2007 4:32 PM
Subject: [sniffer] Re: Server didn't restart



Serge,

If you wanted to feed those backlogged messages into the proc folder on 
a scheduled interval you may want to use one of our utilities 
(MoveFiles). It's free.  The benefit is that new mail coming in will not 
be delayed and you can feed those messages back into the proc folder as 
your server can process them and keep up with new mail.


Darrell

--
Check out http://www.invariantsystems.com for utilities for Declude, 
Imail, mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, 
SURBL/URI integration, MRTG Integration, and Log Parsers.



Paul Rogers wrote:

They will get processed; it's just a matter of how long it will take.

I think the answer will depend on how many messages per hour your server
normally processes.  You didn't specify how long your server was offline so
we can only guess how long it took to accumulate 40k messages (and thus a
per hour inbound rate).

At max capacity I see my main server process (through sniffer/latest beta)
about 800-1000 messages per minute (60k/hour)...that would be on a quad Xeon
(on SATA drives).  So at that rate (assuming no other incoming email which
can slow the overall process down) maybe an hour.  But since the server also
has normal incoming emails to deal with as well, it may take 90-120 mins to
completely clear a queue that size.

Keep an eye on your proc folder q file count...  dir q*.* /w

Paul ---


-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On 
Behalf Of Serge
Sent: Tuesday, November 20, 2007 8:02 AM
To: Message Sniffer Community
Subject: [sniffer] Server didn't restart

Hello

My server rebooted last night.
Sniffer server did not restart correctly.
I fixed that, but I have 40K+ messages in the imail/spool/proc, most 
inbound and not yet locally delivered.
Will they be reprocessed automatically? Or is there something else I 
need to do?

How long will it take? (dual Xeon 1.266 GHz)

TIA















--
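Paul's back-of-the-envelope drain time and Darrell's suggestion of re-injecting the backlog on a schedule so new mail is not starved, worked through as an added example in Python (my code, not Paul's, Darrell's, or Invariant Systems' MoveFiles). The directory names, the in-proc file threshold and the constructed queue files are assumptions; the `q*.*` pattern is the one Paul watches with `dir q*.* /w`, and the rates are Serge's reported figures.

```python
import os
import tempfile
from pathlib import Path


def drain_minutes(backlog, rate_per_min, new_per_min):
    """Minutes to clear `backlog` messages when the server handles
    `rate_per_min` messages/min and `new_per_min` of that capacity goes
    to fresh inbound mail. Returns None if the queue can never drain."""
    spare = rate_per_min - new_per_min
    if spare <= 0:
        return None
    return backlog / spare


def feed_backlog(holding_dir, proc_dir, max_in_proc, batch, pattern="q*.*"):
    """Move at most `batch` queue files from `holding_dir` into `proc_dir`,
    stopping as soon as `proc_dir` already holds `max_in_proc` queue files
    (the same count Paul watches with `dir q*.* /w`). Returns number moved.
    Both directories are assumed to sit on the same volume, so os.replace
    is an atomic rename and the mail processor never sees a partial file."""
    holding, proc = Path(holding_dir), Path(proc_dir)
    in_proc = sum(1 for _ in proc.glob(pattern))
    moved = 0
    for f in sorted(holding.glob(pattern)):
        if moved >= batch or in_proc >= max_in_proc:
            break
        os.replace(f, proc / f.name)
        moved += 1
        in_proc += 1
    return moved


def simulate(n_held=10, max_in_proc=4, batch=3, rounds=3):
    """Constructed demo: n_held fake queue files in a temp holding dir,
    an empty proc dir, and `rounds` scheduled feeds with nothing draining
    proc in between. Returns the number of files moved per round."""
    with tempfile.TemporaryDirectory() as tmp:
        holding, proc = Path(tmp) / "holding", Path(tmp) / "proc"
        holding.mkdir(); proc.mkdir()
        for i in range(n_held):  # constructed queue files, not real mail
            (holding / f"q{i:04d}.smd").write_text("constructed queue file\n")
        return [feed_backlog(holding, proc, max_in_proc, batch) for _ in range(rounds)]


if __name__ == "__main__":
    # Serge's figures: 125 msg/min total, 50 of them new -> 75/min left for backlog
    print(f"40K backlog at 75/min spare: {drain_minutes(40000, 125, 50) / 60:.1f} h")
    print("moved per round:", simulate())  # [3, 1, 0]: throttled once proc holds 4
```

With Serge's numbers the estimate comes out near 8.9 hours, matching the 9+ hours he reported; the throttled feed stops adding files once the proc folder reaches the threshold, which is what keeps fresh mail flowing.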


