[sniffer] Alligate and Sniffer again
Hi,

I need to set up a spam filter server again, so once again I will probably go with Alligate plus Sniffer. Is that still a viable combination? I have not been following the news these past 3-4 years when we had another solution in place.

On the Alligate site I still see Windows 2008 Server as the highest recommended version, but we are up to Windows 2012 R2 now; it is my recommended OS for a new Windows server. Alligate still lists Windows 2000 and XP as a possible platform; I would not want to run anything on that today.

Is Alligate still being supported as a base platform for Sniffer? If not, what would be a good platform for a Sniffer spam filter server? Although I have some experience with (Debian) Linux servers, I would rather not use that, as I am the only one here with enough experience to know what I am doing, and not even that with Linux mail servers. So I would rather run Sniffer on a Windows platform.

With kind regards,
Bonno Bloksma
system manager
tio university of applied sciences
julianalaan 9 / 7553 ab hengelo / the netherlands
t +31 (0)74-255 06 10
b.blok...@tio.nl / www.tio.nl (http://www.tio.nl/en/)
Follow us on Twitter (https://twitter.com/hogeschooltio) / Facebook (http://www.facebook.com/pages/TIO-Hogeschool-Hospitality-en-Toerisme/103881882987989#%21/pages/Hogeschool-Tio/417375345610) / LinkedIn (http://www.linkedin.com/company/hogeschool-tio/) / YouTube (http://www.youtube.com/user/hogeschooltio)
[sniffer] Re: [Alligate]Alligate and Sniffer again (NL)
Hi,

OK, downloaded the Alligate trial, installed it on a 2012 R2 server. Made a local DNS "server" (resolver) on the machine, but I am not sure if I need it now that we can use the Google DNS server by default.

How do I hook up Sniffer? I used to have Declude (and IMail) and had Sniffer connected that way; I now need to connect Sniffer into Alligate. I cannot find anything in the Alligate docs I downloaded.

p.s. It seems there is still some support for Alligate; I noticed a recent update in the "Alligate V3 updates" zip file. But everything else seems to point to 2014 as the last time something was actively done. Even the documentation lists nothing after 2014 and still talks about special settings for the (local) DNS server on a Windows 2013 server.

With kind regards,
Bonno Bloksma
system manager
tio university of applied sciences
julianalaan 9 / 7553 ab hengelo / the netherlands
t +31 (0)74-255 06 10
b.blok...@tio.nl / www.tio.nl

From: discussion-ow...@alligate.com [mailto:discussion-ow...@alligate.com] On behalf of Bonno Bloksma
Sent: Sunday 17 January 2016 22:54
To: discuss...@alligate.com; sniffer@sortmonster.com
Subject: [Alligate]Alligate and Sniffer again (NL)
[sniffer] Re: What is your oldest production CPU?
Hi Pete,

Hello Sniffer Folks, We would like to know what your oldest production CPU is.

Oldest production (mail) server is an HP ProLiant DL380 G6 with a Xeon E5530 quad CPU.

With kind regards,
Bonno Bloksma
Senior system engineer
tio university of applied sciences
julianalaan 9 / 7553 ab hengelo / the netherlands

# This message is sent to you because you are subscribed to the mailing list sniffer@sortmonster.com. This list is for discussing Message Sniffer, Anti-spam, Anti-Malware, and related email topics. For More information see http://www.armresearch.com To unsubscribe, E-mail to: sniffer-...@sortmonster.com To switch to the DIGEST mode, E-mail to sniffer-dig...@sortmonster.com To switch to the INDEX mode, E-mail to sniffer-in...@sortmonster.com Send administrative queries to sniffer-requ...@sortmonster.com
[sniffer] Re: IPv6
Hi,

I remember reading somewhere that research was being done on IPv6 block lists using the fact that the same /64 net would probably be the same machine or very near it. Pretty much what we now block when we list an IPv4 NATted gateway to a private network which houses an infected PC. Unfortunately I cannot find the reference to that article anymore; I thought I had it bookmarked. :-(

Yours sincerely,
Bonno Bloksma
senior system administrator
tio university of applied sciences for hospitality and tourism
julianalaan 9 / 7553 ab hengelo netherlands
t +31-74-255 06 10 / f +31-74-255 06 11
b.blok...@tio.nl / www.tio.nl

-Original message-
From: Message Sniffer Community [mailto:sniffer@sortmonster.com] On behalf of Peer-to-Peer (Support)
Sent: Friday 11 March 2011 14:25
To: Message Sniffer Community
Subject: [sniffer] IPv6

Hi everyone,

I've been thinking about the potential risk IPv6 will have on filtering spam. I suspect RBLs (real-time blacklists) may become obsolete once IPv6 arrives. From what I've learned, IPv6 has 340 undecillion (1 followed by 36 zeros) IP addresses, and devices can refresh every 24 hours. IPv4 only has 4.3 billion IP addresses.

Pete: Grab a cup of coffee. The botnets are coming...

--Paul
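The /64-granularity listing Bonno describes above, as an added example (my code, not from the list, from ARM Research or from any blocklist operator): IPv6 senders are keyed on their /64, so one hit lists the whole allocation a spammer can hop around in, while IPv4 senders stay per address. The class name, the choice of /64 as the listing unit and the sample addresses (documentation ranges) are assumptions made for this example, not something the thread specifies.

```python
"""Added example, not code from the Sniffer list or ARM Research.

A block list that stores IPv6 entries as /64 networks and IPv4 entries as
single addresses. Listing unit and sample addresses are assumptions."""
import ipaddress

IPV6_LIST_PREFIX = 64   # assumption: one /64 is treated as one host/site


class PrefixBlocklist:
    """Block list keyed on IPv4 addresses and IPv6 /64 networks."""

    def __init__(self):
        self._v4 = set()   # ipaddress.IPv4Address entries
        self._v6 = set()   # ipaddress.IPv6Network (/64) entries

    @staticmethod
    def _key(text):
        """Normalise an address string to the key it is listed under.

        IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) are IPv4 senders seen
        on a dual-stack socket, so they are keyed as IPv4.  Without this,
        every mapped sender would collapse into ::/64 and one listing
        would block the whole IPv4 space.  Any other IPv6 address is
        reduced to its enclosing /64."""
        addr = ipaddress.ip_address(text)
        if addr.version == 6 and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        if addr.version == 4:
            return addr
        return ipaddress.ip_network((str(addr), IPV6_LIST_PREFIX), strict=False)

    def _table_for(self, key):
        return self._v4 if isinstance(key, ipaddress.IPv4Address) else self._v6

    def add(self, text):
        """List an address; returns the key actually stored (address or /64)."""
        key = self._key(text)
        self._table_for(key).add(key)
        return key

    def lookup(self, text):
        """Return the listed key covering this address, or None."""
        key = self._key(text)
        return key if key in self._table_for(key) else None

    def is_listed(self, text):
        return self.lookup(text) is not None

    def __len__(self):
        return len(self._v4) + len(self._v6)


if __name__ == "__main__":
    bl = PrefixBlocklist()
    bl.add("2001:db8:abcd:1::1")      # one hit lists the whole /64
    bl.add("192.0.2.10")              # IPv4 stays per address
    for probe in ("2001:db8:abcd:1:ffff::2", "2001:db8:abcd:2::1",
                  "192.0.2.10", "192.0.2.11", "::ffff:192.0.2.10"):
        print(f"{probe:28} -> {bl.lookup(probe)}")
```

A lookup for a sender elsewhere in the same /64 returns the stored network, so the reputation follows the allocation rather than the individual address; the neighbouring /64 is untouched, which is the trade-off Bonno draws against listing an IPv4 NAT gateway.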
[sniffer] Re: Bad Rule Event
Hi Pete,

Hello Sniffer Folks, We have had a bad rule event. The bad rules were created near 0830E, and removed by 1030E. [...]

Regarding this event: a while ago we talked about Sniffer installations exchanging rule-panic info via the GBUdb sync info, as that is happening every (few) minute(s) instead of every few hours. Any idea when a new version of Sniffer with that feature will be launched?

Yours sincerely,
Bonno Bloksma
senior system administrator
tio university of applied sciences for hospitality and tourism
julianalaan 9 / 7553 ab hengelo netherlands
t +31-74-255 06 10 / f +31-74-255 06 11
b.blok...@tio.nl / www.tio.nl
[sniffer] how to handle a rule panic?
Hi,

It seems the documentation on how to handle a rule panic in the Wiki is not complete, to put it mildly. :-( In my opinion it gives just enough information to frustrate the user into finding PROBABLY the right place to enter the information, but then leaves him/her hanging.

I had several mails caught these past few days (I am not a full-time postmaster) and reported the FP mails to Sniffer. But I want to disable a rule until I hear back from them. So I went to the wiki and...

Sniffer site, rule panic: http://kb.armresearch.com/index.php?title=Message_Sniffer.FAQ.FalsePositives#RulePanic
[]
2. Create a rule-panic entry in your .cfg file - this will temporarily deactivate the rule.

But how??? In my Sniffer directory there is no .CFG file. Clicking on the .cfg file link also is misleading, it seems. I have no LicenseId.cfg file. I do have an identity.xml file with my license in it. Should I edit my snf_engine.xml file? Probably. What should I edit/enter? At this point there is no documentation I was able to find which would help me solve this problem.

Grepping some more (grep panic *.xml) I finally found I indeed had to enter a line in the snf_server.xml file. And oh yeah, don't add a line to the sample lines, as they are in a comment box. ;-)

All in all I did find it, I think, but mostly without using the documentation. It seems the Wiki is out of date; it probably describes an older Sniffer version. It should either describe the current version or report the differences for each version.

Kind regards,
Bonno Bloksma
senior system administrator
tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
b.blok...@tio.nl / www.tio.nl
[sniffer] Re: how to handle a rule panic?
Hi Pete,

Maybe you need to do something about the default sortmonster pages as well. When I go to http://www.sortmonster.com/MessageSniffer/ the Wiki link points to Sniffer v2 documentation. You probably need to make two links there, one to the new documentation, and explicitly state that the Wiki is the v2 documentation. That was my second attempt, when at first a Google search for sniffer and rule panic brought me to the v2 wiki docs.

Kind regards,
Bonno Bloksma
senior system administrator
tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
b.blok...@tio.nl / www.tio.nl

- Original Message -
From: Pete McNeil
To: Message Sniffer Community
Sent: Monday, November 23, 2009 4:30 PM
Subject: [sniffer] Re: how to handle a rule panic?

Bonno Bloksma wrote:
snip/
It seems the Wiki is out of date; it probably describes an older Sniffer version. It should either describe the current version or report the differences for each version.

Very sorry for your frustration. You are correct, the page is out of date. I have posted a note at the top of the page indicating this and providing a link to the correct current page.

Best,
_M
[sniffer] panic rule information
Hi Pete/community,

If I understand things correctly, then the detection of a panic rule is local to the system. So a few systems may have enough traffic to see that a rule is acting wrong and assume a panic for that rule. According to the Wiki that information is sent automatically to the folks at armresearch, but... as far as I know there is yet no mechanism to get that information automatically to the Sniffer community.

Might it be a good idea to propagate rule panic info via the GBUdb mechanism? As far as I understand, that information gets updated and transmitted a lot faster than rulebase updates.

Kind regards,
Bonno Bloksma
senior system administrator
tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
b.blok...@tio.nl / www.tio.nl
[sniffer] how did I run as service?
Hi,

Using IMail 9.23 and Declude 4.x on a Windows 2003 server with Sniffer. A little while after version 3 was released I upgraded and followed the instructions on the site to get Sniffer running as a service. After that I upgraded to the version that used curl instead of wget to get the rulebase.

Now I want to upgrade to the latest version, but: does the installer detect how I'm running Sniffer as a service? I cannot find the instructions I once followed to get it up and running, so I have no idea which tool I used to get the service running. :-(

Kind regards,
Bonno Bloksma
senior system administrator
tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
b.blok...@tio.nl / www.tio.nl
[sniffer] Re: New IMPROVED getRulebase.cmd script
Hi Pete,

I get what you said. But: I'm nowhere near your timezone, I'm at GMT+1 or +2. So should there not have been a problem long before, where my system would see older files at your system several times a day when in fact there would be a newer one? Does that mean my system has been getting only two or three updates a day where it should have gotten over a dozen?

I've switched to curl, so everything should work OK by now. According to my logs I'm getting a new rulebase about every hour.

Kind regards,
Bonno Bloksma
senior system administrator
tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
b.blok...@tio.nl / www.tio.nl

- Original Message -
From: Pete McNeil
To: Message Sniffer Community
Sent: Wednesday, March 11, 2009 1:57 PM
Subject: [sniffer] Re: New IMPROVED getRulebase.cmd script

Bonno Bloksma wrote:
Why does this problem start just now with a DST shift somewhere? I'm nowhere near your timezone (GMT+1 or +2), so should there not have been a problem long before, where my system would see older files at your system several times a day when in fact there would be a newer one? Does that mean my system has been getting only two or three updates a day where it should have gotten over a dozen? Unfortunately I disabled logging a while ago when everything seemed to run smoothly. :-( Someone to your west would have seen a new rulebase every time they checked no matter what DST. Or is it just that you finally noticed it due to the DST shift?

The reason DST is an issue is because the previous wget-based script stamps the downloaded rulebase with the local clock instead of the timestamp that came with the file from the delivery server. As a result the timestamps might not agree. The recent change in the start of DST in the US is not reflected everywhere AND some locations use different DST start dates.

The result of this is that when using the old script the local timestamp created using the local clock is likely to be behind the delivery server's timestamp by an hour. The new update-script mechanism in SNFServer compares the local file's timestamp to the timestamp reported by the delivery server once every minute. When the local timestamp is used and the local time is behind the clock on the delivery server, then the freshly downloaded rulebase file _appears_ to be an hour old, and this does not change no matter how many times the file is downloaded. Before DST the local clock and the delivery server's clock would generally agree and so there was no problem.

Hope this helps,
_M
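The freshness check Pete explains above (local file timestamp compared once a minute against the timestamp the delivery server reports), as an added example that is my code and not the getRulebase.cmd script or anything from ARM Research. It models the two stamping policies side by side: writing the client's own wall clock into the file (what Pete says the old wget-based script did) versus keeping the server's timestamp (curl's -R/--remote-time option sets the file's mtime from the Last-Modified header), and counts downloads over four hours when the client's clock sits one hour behind the server's. The 55-minute publishing interval is the pacing Pete mentions in this thread; the one-hour skew, the starting instant and the sample Last-Modified header value are constructed for the example.

```python
"""Added example, not code from the Sniffer list or ARM Research.

Model of a rulebase freshness check: the client fetches when the server
reports a timestamp newer than the local file's.  Compares stamping the
file with the local clock against keeping the server's timestamp."""
from email.utils import parsedate_to_datetime

HOUR = 3600
PUBLISH_INTERVAL = 55 * 60   # seconds between new rulebases (pacing in thread)
CLIENT_SKEW = -HOUR          # assumption: client wall clock lags server by 1h
START = 1_236_700_000        # arbitrary fixed epoch instant (constructed)


def last_modified_to_epoch(header_value):
    """Epoch seconds for an HTTP Last-Modified header value.

    The header is always expressed in GMT, so the result does not depend on
    the client's zone or DST rules; storing it as the downloaded file's
    mtime makes later comparisons independent of either clock."""
    return parsedate_to_datetime(header_value).timestamp()


def needs_download(local_mtime, server_mtime):
    """The per-minute check: fetch when there is no local file or the
    server reports a newer one."""
    return local_mtime is None or local_mtime < server_mtime


def simulate(preserve_remote_time, minutes=4 * 60):
    """Run the check every minute for `minutes` and return the download count.

    preserve_remote_time=True  -> local mtime := server's timestamp
    preserve_remote_time=False -> local mtime := client's (skewed) clock
    """
    server_mtime = START      # timestamp the delivery server reports
    local_mtime = None        # no rulebase on disk yet
    downloads = 0
    for minute in range(minutes):
        now = START + minute * 60                      # true instant
        if minute and (minute * 60) % PUBLISH_INTERVAL == 0:
            server_mtime = now                         # new rulebase published
        if needs_download(local_mtime, server_mtime):
            downloads += 1
            if preserve_remote_time:
                local_mtime = server_mtime             # same clock as the server
            else:
                local_mtime = now + CLIENT_SKEW        # an hour "older" than it is
    return downloads


if __name__ == "__main__":
    # constructed sample header; weekday is ignored by the parser
    print(last_modified_to_epoch("Tue, 10 Mar 2009 14:40:00 GMT"))
    print("remote time kept :", simulate(True), "downloads in 4 hours")
    print("local clock used :", simulate(False), "downloads in 4 hours")
```

With the server's timestamp preserved, the client downloads once at start and once per published rulebase; with the local clock written into the file, every check sees a file that is an hour behind the server and re-downloads, which is the per-minute storm Pete describes. The same comparison would also misfire in the other direction (a client clock ahead of the server silently skips updates for the length of the skew), so the fix is to never let the client clock into the comparison at all.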
[sniffer] Re: New IMPROVED getRulebase.cmd script
Hi Pete,

In your first mail about this problem you wrote:
There has long been a bug in the getRulebase script using wget which causes the rulebase file that is downloaded to have the local system's timestamp. Under normal circumstances this does not cause a problem because most system clocks are synchronized and the local timestamp is generally newer than the timestamp of the rulebase file on our servers.

What I was getting at: if the rulebase with the old wget software were to get a local timestamp on my server when downloaded, mine would always be far into the future from your original, as my server is at GMT+1 or +2 during DST. So if your server is at GMT-5 my rulebase would get a timestamp of the original +6 hours. So it would then NOT download another rulebase for the next 6 hours, as every new rulebase would still be in its past. Or should wget have compensated for timezones as curl should? Because my rulebase files on my server seem to have a local timestamp.

However, this is where we probably get beyond my tech level. Does Windows always use UTC internally and then calculate the local time when displaying the timestamp for a file? Is that what I'm missing? Because I think I've read that somewhere about problems with timestamps on FAT and NTFS.

Kind regards,
Bonno Bloksma
senior system administrator
tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
b.blok...@tio.nl / www.tio.nl

- Original Message -
From: Pete McNeil
To: Message Sniffer Community
Sent: Thursday, March 12, 2009 3:33 PM
Subject: [sniffer] Re: New IMPROVED getRulebase.cmd script

Bonno Bloksma wrote:
Hi Pete, I get what you said. But: I'm nowhere near your timezone, I'm at GMT+1 or +2. So should there not have been a problem long before, where my system would see older files at your system several times a day when in fact there would be a newer one? Does that mean my system has been getting only two or three updates a day where it should have gotten over a dozen?

If two systems agree on the time, and then only one of them advances their clock by an hour, the two clocks will still be different. Anyway - we've learned more since then (below).

I've switched to curl, so everything should work OK by now. According to my logs I'm getting a new rulebase about every hour.

Once per hour is just about right. Pacing is currently set to 55 minutes.

---

More that has been learned (technical stuff) and a story (skip if you like, but some might find this interesting):

Yesterday while working on this problem and testing on one of our inbound spamtrap processors I noticed that things still weren't quite right. This discovery led me to break a paradigm in my thinking and begin to see another problem (perhaps the key problem).

Paradigm: I had been very focused on the one hour time difference, DST, and the obvious coincidence with the DST storm -- our countermeasures at the server and deployment of the new getRulebase script had essentially mitigated the problem... so I was expecting everything to work fine. Having loaded the new getRulebase script on the system I was monitoring, it didn't make sense that there was still a problem. Even worse, the telemetry was showing timestamps that were close, but off by a few minutes -- as if the server had picked up the time-shifted file instead of the original posting... but that didn't make sense.

I wondered if something else was going on and so I loaded up the UTC as a reference: http://www.worldtimeserver.com/current_time_in_UTC.aspx

To my wonder and amazement the telemetry I was looking at showed the UTC reference for the rulebase on the server in the future by one hour! That can't be right, I said to myself, and then I checked the timestamp again on the delivery server. I rechecked the math and sure enough the timestamp on the delivery server was correct! I hate a mystery.

I went to the main SYNC server to see if something had happened to it -- why would it report the file's timestamp in the future when the timestamp on the file system is correct? We hadn't made any changes to the software. The only thing that had happened was DST.

I made my priority getting the reported timestamp correct, and I made the assumption that there might be some obscure DST bug in this version of RedHat or one of the libraries that I would solve later. I began looking for a way to tweak the SYNC server code to adjust the time stamp before reporting it when these conditions were detected... a way to work around the bug. I would fix the bug later. Of course, to do this tweak I would need to find a way to detect the condition, so I started to look for ways to do that reliably. I know it's a funny notion -- looking for a reliable way to leverage a system that you have already determined is unreliable... but that is the nature of what we
[sniffer] Re: New IMPROVED getRulebase.cmd script
Hi,

First one comment about the script. Just before the CLEANUP label the lck file is deleted. Right after that it is deleted again in the CLEANUP section. The first can safely be removed.

Second, why does this problem start just now with a DST shift somewhere? I'm nowhere near your timezone (GMT+1 or +2), so should there not have been a problem long before, where my system would see older files at your system several times a day when in fact there would be a newer one? Does that mean my system has been getting only two or three updates a day where it should have gotten over a dozen? Unfortunately I disabled logging a while ago when everything seemed to run smoothly. :-( Someone to your west would have seen a new rulebase every time they checked no matter what DST. Or is it just that you finally noticed it due to the DST shift?

Kind regards,
Bonno Bloksma
senior system administrator
tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
b.blok...@tio.nl / www.tio.nl

- Original Message -
From: Pete McNeil
To: Message Sniffer Community
Sent: Tuesday, March 10, 2009 2:40 PM
Subject: [sniffer] New IMPROVED getRulebase.cmd script

Hello Sniffer Folks,

At the following link you will find a zip file containing the open source CURL utility and an updated version of the new getRulebase.cmd script. The old getRulebase.zip file has been replaced with the new one in the same location (you may want to clear your browser cache if you downloaded the previous version): http://www.armresearch.com/message-sniffer/download/CURL-getRulebase.zip

The new getRulebase.cmd script produces a getRulebase.txt file each time it is run so that you can see what happened. No errors are reported to the screen. If there are errors they will show up in the getRulebase.txt file.

There is a comment at the bottom of the script where you can add a line to email the getRulebase.txt file to yourself if you want to have the script inform you each time it runs.

_M
[sniffer] files in the Sniffer dir
Hi,

I was wondering about something and could not find info about it on the Sniffer documentation page. I have several files in my Sniffer directory with a date of today: log files, rulebases etc. The next most recent files are my GBUdbIgnoreList.txt, getrulebase.cmd, etc., which I have made changes to.

But there are at least three strange files with no filename part: .handshake, .state, and .tmp, of which the .handshake has a date of today but the other two are of July 2008 (around my installation date for Sniffer 3). What are those three files for, and should those dates indeed be that old?

Kind regards,
Bonno Bloksma
head of system administration
tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
b.blok...@tio.nl / www.tio.nl
[sniffer] upgraded to 3.0
Hi,

Well I did it, upgraded to 3.0 as well. The automatic rule panic feature and all the other stuff seemed a good idea. :-) Setting it up turned out to be straightforward, just follow the instructions. Ran into just 2 things and one question.

1) Forgot to set the correct path to the identity file; it was set to a nonexisting path. Started server.

-start screenshot--
C:\IMail\declude\Sniffer3>c:\IMail\declude\Sniffer3\SNFServer3.0.exe c:\IMail\declude\Sniffer3\snf_engine.xml
SNF Server Version 3.0 Build: Jun 26 2008 13:25:19
SNFMulti Engine Version 3.0 Build: Jun 26 2008 13:25:06
Launching with c:\IMail\declude\Sniffer3\snf_engine.xml
Unhandled Exception: snf_LoadNewRulebase() Zero length SecurityKey Thrown!
-end screenshot--

Should have said something like "error in path to identity file".

2) On page http://www.armresearch.com/support/articles/software/snfServer/core.jsp result code 63 is still listed as "Received IPs from spamtraps research" instead of "Black...".

Question: Is there still a log file for me to ZIP every night, or is all logging now at ARM Research?

p.s. Aren't we at version 3.01? This one I just downloaded still reports 3.0 as its version. Or was that just the *nix version?

Kind regards,
Bonno Bloksma
head of system administration
tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl
[sniffer] Re: Integration with Mailenable - Domain Keys
Hi,

ErrorLevel is a variable as of Windows 2000, so:

    REM Path quoted because of the space in "Program Files"; "%~1" strips any
    REM quotes SmarterMail already put around the message path
    call "C:\Program Files\FSI\F-Prot\fpcmd.exe" -silent -auto -ai -archive -saferemove -disinf -del -append -report=C:\SmarterMail\logs\virusscan.log "%~1"
    REM Capture the scanner's exit code before any other command overwrites it
    Set ERR=%ErrorLevel%
    IF %ERR% EQU 0 GOTO CLEAN
    @REM echo Virus scanned by F-Prot (%ERR%) viruses found %1
    MOVE /Y "%~1" C:\SmarterMail\Viruses
    GOTO END
    :CLEAN
    @REM echo Virus scanned by F-Prot (%ERR%) viruses found %1
    :END

Would work as well, just not on NT4 or lower.

Kind regards,
Bonno Bloksma
head of system administration
tio hogeschool hotelmanagement en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl

- Original Message -
From: Jay Sudowski - Handy Networks LLC
To: Message Sniffer Community
Sent: Sunday, March 18, 2007 1:36 AM
Subject: [sniffer] Re: Integration with Mailenable - Domain Keys

I really don't see why it wouldn't be possible to do. Here is the script that's used for f-prot:

-
    SET ERR=0
    REM Path quoted because of the space in "Program Files"; "%~1" strips any
    REM quotes SmarterMail already put around the message path
    call "C:\Program Files\FSI\F-Prot\fpcmd.exe" -silent -auto -ai -archive -saferemove -disinf -del -append -report=C:\SmarterMail\logs\virusscan.log "%~1"
    REM IF ERRORLEVEL n is true when the exit code is n OR HIGHER, so the
    REM checks run in ascending order and the last one that matches wins
    IF NOT ERRORLEVEL 1 GOTO CLEAN
    IF ERRORLEVEL 1 SET ERR=1
    IF ERRORLEVEL 2 SET ERR=2
    IF ERRORLEVEL 3 SET ERR=3
    IF ERRORLEVEL 4 SET ERR=4
    IF ERRORLEVEL 5 SET ERR=5
    IF ERRORLEVEL 6 SET ERR=6
    @REM echo Virus scanned by F-Prot (%ERR%) viruses found %1
    MOVE /Y "%~1" C:\SmarterMail\Viruses
    GOTO END
    :CLEAN
    @REM echo Virus scanned by F-Prot (%ERR%) viruses found %1
    :END
-

I think you should be able to modify it so that it calls Sniffer, rather than F-Prot. %1 is the path to the mail file. Based upon the error code/return code, you could then delete/hold spam detected by Sniffer accordingly. As for SM not having a GUI, it really hasn't been an issue for us...

-Jay

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Chris Bunting
Sent: Saturday, March 17, 2007 4:03 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Integration with Mailenable - Domain Keys

The other issue with SmarterMail is it doesn't have any GUI. Which I guess isn't a bad thing. But I sometimes like a GUI for certain things. Also Declude seemed very expensive to use with Sniffer.

Sent via my BlackBerry - Ask me about it!

-Original Message-
From: E. H. (Eric) Fletcher [EMAIL PROTECTED]
Date: Sat, 17 Mar 2007 14:42:43
To: Message Sniffer Community sniffer@sortmonster.com
Subject: [sniffer] Re: Integration with Mailenable - Domain Keys

Phil / Jay:

I am also looking at SmarterMail as an addition to or replacement for several IMail servers and looking at calling MessageSniffer from it without Declude because of the Declude bundling of things we don't want or see value in. While doing a little more reading on the SmarterTools site I saw a link that addresses your discussion on domain keys: http://smartermail.exhalus.net/domainkeys/

Eric

- Original Message -
From: Jay Sudowski - Handy Networks LLC [EMAIL PROTECTED]
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Saturday, March 17, 2007 1:43 PM
Subject: [sniffer] Re: Integration with Mailenable

Hi Phil -

Good question. We integrate Sniffer into SmarterMail via Declude. However, SmarterMail does have the capability to run a program against a message before it is delivered. We have some customers that use a batch file to call f-prot and get virus scanning integrated into their mail server on the cheap. I believe it would likely be possible to make use of the same functionality to call Sniffer directly, and thus avoid having to purchase Declude. I have just never had a need to attempt this.

As for domain keys, I don't believe so. However, you can set up SPF for your domains simply by adding the appropriate DNS records to said domains' zone files.

-Jay

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Phillip Cohen
Sent: Friday, March 16, 2007 12:01 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Integration with Mailenable

Jay,

Thanks for the heads up on Mailenable. I took a look at SmarterMail and it looks pretty good. How does it interface with Message Sniffer, or does it require an external gateway such as EWall? How has support been with it, and how have they been as far as updates? Also, does it have domain keys capability and SPF support for sending mail to yahoo.com etc...

Thanks,
Phil

At 07:26 PM 3/15/2007, you wrote:
Stay Away From MailEnable. There are so many exploits out there for MailEnable, and there are more exploits found monthly, if not weekly. At one particular interval, MailEnable had to re-release the same patch several times in the *same* week because it kept on not actually fixing the root
[sniffer] Re: My rulebase download and log upload script
Hi John,

Weekend, what is that? That's the days where those pesky users are usually not messing with the network, so YOU can mess with it. ;-)

Cheers,
Bonno Bloksma

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Friday, July 07, 2006 6:24 PM
To: Message Sniffer Community
Subject: [sniffer] My rulebase download and log upload script

The last thing before I leave for the weekend... [..]

Andrew 8)
Re: [sniffer]Spam Storm - It's a big one.
Hi Pete,

Watch out for today's spam storm -- it's a lot bigger than we've seen in a long while. 48 hour image attached.

This has low priority but... I've tried to find a live version of that graph you've sent, but I cannot find it at http://kb.armresearch.com/index.php?title=Message_Sniffer.LiveReports which would seem to be the logical place. Is it nowhere live to be found, or am I looking at the wrong place?

Cheers,
Bonno Bloksma

---
[E-mail scanned at tio.nl for viruses by Declude Virus]
Re: [sniffer] [Fwd: Diann Helms]
Hi Pete,

[]
If you wish, it is possible to create a local black rule for any geocities link. On many ISP systems this would cause false positives, but on more private systems it may be a reasonable solution.

I think I could use such a black rule without getting too many FPs, but in which categories would that rule then go? I score the several Sniffer results differently in my Declude setup. A hit on just Sniffer 60, 61 or 63 would put it several points below my hold weight. An extra hit would be needed to get it held.

If you want such a black rule added to your rulebase please send a request off-list to [EMAIL PROTECTED]

As the above information might be of interest to others, I'll ask here first.

Cheers,
Bonno Bloksma

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
Re: Re[2]: [sniffer] auto update tmp files
Hi,

>> I had trouble for a while with the del %1 functionality, but I had a problem with the script running in the wrong directory. I [...]
>
> Yeah, my script does explicitly enter the sniffer directory, and the line to delete the file is explicit as well:
>
> Del s:\imail\spool\%1
>
> ...but that never worked. Maybe if I cd into the spool first it might

It would not work because... I have the %1 parameter in the email sent to me as part of the reporting. Using IMail 8.21, here is what's in the email:

Rulefile OK, updated C:\IMail\spool\tmp6C40.tmp

As you can see, the %1 is a complete path. So just Del %1 should do the trick.

Cheers,
Bonno Bloksma
[sniffer] auto update tmp files
Hi,

Ok, I had auto update pretty much up and running. Seems all I needed was a program alias that fired the script. ;-)

There's just one thing: I end up with a lot of "tmpID.tmp" files in my spool directory. Any way of deleting those automagically? I could simply delete all tmp.tmp files in my midnight run. Would that be a problem? The only program alias I have is the sniffer update.

With kind regards,
Bonno Bloksma
head of system administration
tio hogeschool toerisme en hospitality
julianalaan 9 / 7553 ab hengelo
t 074 255 06 10 / f 074 255 06 16
[EMAIL PROTECTED] / www.tio.nl
[sniffer] false positives, which categories?
Hi,

I'd like to make a difference in the ways I score the various sniffer categories in Declude. I hold at 20 and have had the several sniffer categories all at 19. As we are a school for tourism I score sniffer travel lower, but I would like to score some categories higher, at 20. If we have a false positive it's mostly in the general, exp-abstract or ip-rules category, is my feeling.

Someone must have made a comparison of false positives against sniffer and in which categories those FPs mostly are. Right? Which categories have virtually no FPs, and which should I keep (well) below my hold level? Of course all held mail gets reviewed by me, unless it scores enough other points to get deleted (at 27 points).

Cheers,
Bonno Bloksma
Re: [sniffer] Declude and Sniffer
Hi,

> I currently tag subject lines at 10 and delete at 20. Sniffer results are scored at 9. No two tests currently result in more than 18 and therefore it takes three failed tests to delete.

I tag at 12, hold at 20 and delete at 27. Sniffer is at 19, just 1 under hold. If anything agrees with sniffer it is held; if several sources agree with sniffer it is deleted. We are a prepschool/university and process about 4K to 5K msg a day. I have one to two false positives in the held mail each year.

With kind regards,
Bonno Bloksma
[sniffer] midnight ftp upload
Hi,

When I started using sniffer, April 2004, uploading the log took about 20 seconds. Then on June 19th 2004 it suddenly took over 13 minutes. After that it has consistently taken around 13 minutes to upload the small logfile. I've never found a reason; the suggestion over here was it might be because of the load around midnight Central European time.

About a week ago, Jan 18th, I did some experimenting with the time. At first I rotated the logs a minute later to get them rotated closer to midnight; the upload started and finished one minute later. Then a few days later, Jan 21st, I delayed the ftp upload by 10 minutes to get a better timeslot. To my surprise it STILL took 13 minutes to upload the small logfile.

Anybody ANY idea where I, or Pete, can start to look for a clue about what is going on?

Cheers,
Bonno Bloksma
Back up my hard drive? How do I put it in reverse?

Log snippets:

2004/04/16 23:59:02 : Running logrotate
2004/04/16 23:59:21 : Ready rotating logs
2004/04/17 23:59:00 : Running logrotate
2004/04/17 23:59:21 : Ready rotating logs
2004/04/18 23:59:00 : Running logrotate
2004/04/18 23:59:23 : Ready rotating logs
2004/04/19 23:59:01 : Running logrotate
2004/04/19 23:59:20 : Ready rotating logs
2004/04/20 23:59:00 : Running logrotate
2004/04/20 23:59:20 : Ready rotating logs
2004/04/21 23:59:01 : Running logrotate
2004/04/21 23:59:20 : Ready rotating logs
[...]
2004/06/16 23:59:02 : Running logrotate
2004/06/16 23:59:21 : Ready rotating logs
2004/06/17 23:59:00 : Running logrotate
2004/06/17 23:59:20 : Ready rotating logs
2004/06/18 23:59:01 : Running logrotate
2004/06/19 00:12:27 : Ready rotating logs
2004/06/19 23:59:01 : Running logrotate
2004/06/20 00:12:27 : Ready rotating logs
2004/06/20 23:59:00 : Running logrotate
2004/06/21 00:12:26 : Ready rotating logs
2004/06/21 23:59:01 : Running logrotate
2004/06/22 00:12:26 : Ready rotating logs
2004/06/22 23:59:01 : Running logrotate
2004/06/23 00:12:26 : Ready rotating logs
[...]
2004/06/28 23:59:01 : Running logrotate
2004/06/28 23:59:01 : Starting ftp upload
2004/06/29 00:12:27 : Finished ftp upload
2004/06/29 00:12:27 : Ready rotating logs
2004/06/29 23:59:00 : Running logrotate
2004/06/29 23:59:00 : Starting ftp upload
2004/06/30 00:12:26 : Finished ftp upload
2004/06/30 00:12:26 : Ready rotating logs
[...]
2005/01/16 23:59:00 : Running logrotate
2005/01/16 23:59:00 : Starting ftp upload
2005/01/17 00:12:14 : Finished ftp upload
2005/01/17 00:12:14 : Ready rotating logs
2005/01/17 23:59:01 : Running logrotate
2005/01/18 00:00:01 : Starting ftp upload
2005/01/18 00:13:12 : Finished ftp upload
2005/01/18 00:13:12 : Ready rotating logs
2005/01/18 23:59:00 : Running logrotate
2005/01/19 00:00:01 : Starting ftp upload
2005/01/19 00:13:11 : Finished ftp upload
2005/01/19 00:13:11 : Ready rotating logs
2005/01/19 23:59:01 : Running logrotate
2005/01/20 00:00:01 : Starting ftp upload
2005/01/20 00:13:12 : Finished ftp upload
2005/01/20 00:13:12 : Ready rotating logs
2005/01/20 23:59:00 : Running logrotate
2005/01/21 00:00:01 : Renaming logfile
2005/01/21 00:10:04 : Starting ftp upload
2005/01/21 00:23:15 : Finished ftp upload
2005/01/21 00:23:15 : Ready rotating logs
2005/01/21 23:59:03 : Running logrotate
2005/01/22 00:00:04 : Renaming logfile
2005/01/22 00:10:07 : Starting ftp upload
2005/01/22 00:23:18 : Finished ftp upload
2005/01/22 00:23:18 : Ready rotating logs
2005/01/22 23:59:00 : Running logrotate
2005/01/23 00:00:01 : Renaming logfile
2005/01/23 00:10:04 : Starting ftp upload
2005/01/23 00:23:15 : Finished ftp upload
2005/01/23 00:23:15 : Ready rotating logs
2005/01/23 23:59:01 : Running logrotate
2005/01/24 00:00:01 : Renaming logfile
2005/01/24 00:10:05 : Starting ftp upload
2005/01/24 00:23:15 : Finished ftp upload
2005/01/24 00:23:15 : Ready rotating logs
[sniffer] log rotation
Hi,

I recently changed a bit in my rotate script in order to rotate it closer to midnight. I start the script at 23:59 to get the current date in some variables. As of the 17th I have added a sleep 1m to get the rotation for the logfile at midnight. Somehow the sniffer log still covers the same time period, I think. Looking at the log for the 16th, it starts at 15-jan-2005, 23:00:09 and stops at 16-jan-2006, 22:58:18. The log for the 18th starts at 17-jan-2005, 23:01:56 and stops at 18-jan-2005, 22:57:37. Still an hour short for the day.

I'm not running any persistent instances; we only process about 4K messages a day. Am I doing something wrong? I want my logfile for a certain day to contain the log for that day, from midnight till midnight. My log for the job (renaming the id.log file to snfmmdd.log occurs just before the ftp upload) shows that at night from the 17th to the 18th this indeed happens one minute later.

LOGROT.LOG
2005/01/15 23:59:00 : Running logrotate
2005/01/15 23:59:00 : Starting ftp upload
2005/01/16 00:12:11 : Finished ftp upload
2005/01/16 00:12:11 : Ready rotating logs
2005/01/16 23:59:00 : Running logrotate
2005/01/16 23:59:00 : Starting ftp upload
2005/01/17 00:12:14 : Finished ftp upload
2005/01/17 00:12:14 : Ready rotating logs
2005/01/17 23:59:01 : Running logrotate
2005/01/18 00:00:01 : Starting ftp upload
2005/01/18 00:13:12 : Finished ftp upload
2005/01/18 00:13:12 : Ready rotating logs
2005/01/18 23:59:00 : Running logrotate
2005/01/19 00:00:01 : Starting ftp upload
2005/01/19 00:13:11 : Finished ftp upload
2005/01/19 00:13:11 : Ready rotating logs

snf0115.log
idnum 20050114230001 D4ee10334027cb259.SMD 125 16 Match 236533 60 841 880 34
idnum 20050114230001 D4ee10334027cb259.SMD 125 16 Match 271368 61 1508 1526 34
[...]
idnum 20050115225621 D9f8e16bb0206d48a.SMD 125 0 Final 273425 61 0 2441 34
idnum 20050115225659 D61a81450b30.GSC 125 0 Clean 0 0 0 2126 31

snf0116.log
idnum 20050115230009 Da076099d015660ce.SMD 125 0 Clean 0 0 0 3886 38
idnum 20050115230143 Da0d509ac0156d108.SMD 125 16 Match 215399 63 1 54 39
[...]
idnum 20050116225610 D3401d7f0c2c.GSC 140 0 Clean 0 0 0 4823 30
idnum 20050116225818 D34211fc0c70.GSC 188 0 Clean 0 0 0 1265 31

snf0117.log
idnum 20050116230728 Df3af11310234769b.SMD 125 47 Match 272652 57 1849 1877 37
idnum 20050116230728 Df3af11310234769b.SMD 125 47 Match 272654 57 2023 2088 37
[...]
idnum 20050117225648 D42a90f2801a6f844.SMD 203 0 Clean 0 0 0 2704 38
idnum 20050117225756 D06817510b08.GSC 125 0 Clean 0 0 0 1348 31

snf0118.log
idnum 20050117230156 D43e008580160b509.SMD 250 46 White 73573 0 1 497 41
idnum 20050117230156 D43e008580160b509.SMD 250 46 Final 73573 0 0 12715 41
[...]
idnum 20050118225648 D58d6a4d0a98.GSC 141 0 Clean 0 0 0 2536 34
idnum 20050118225737 D58e27340b80.GSC 218 16 Clean 0 0 0 9468 33

Cheers,
Bonno Bloksma
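Both of the questions above (why the upload suddenly takes 13 minutes, and why a log rotated at midnight runs from 23:00 to 23:00) can be worked out from the log lines themselves. Below is an added example, not a script from this thread or from Sniffer, that does that offline in Python over lines constructed from the quoted LOGROT.LOG and snf0116.log excerpts; the helper names are this example's own. It times each nightly run so the jump from about 20 seconds to about 13 minutes is found mechanically rather than by eye, and it compares the rotated log's first and last entry with the script's own rename times. If both ends are off by the same whole hour, the log window has the right length and the thing to check is that the Sniffer timestamps and the script's clock disagree (for instance one writing UTC and the other local time; that is an assumption here, not something the posts state).

```python
"""Offline analysis of the LOGROT.LOG and snf01xx.log snippets posted above.

Added example, not a script from the thread. Inputs are constructed from the
excerpts quoted in the posts; the helper names are this example's own.
"""
from datetime import datetime

# Constructed: a subset of the LOGROT.LOG lines quoted in the two posts.
LOGROT_LOG = """\
2004/04/16 23:59:02 : Running logrotate
2004/04/16 23:59:21 : Ready rotating logs
2004/06/17 23:59:00 : Running logrotate
2004/06/17 23:59:20 : Ready rotating logs
2004/06/18 23:59:01 : Running logrotate
2004/06/19 00:12:27 : Ready rotating logs
2005/01/15 23:59:00 : Running logrotate
2005/01/15 23:59:00 : Starting ftp upload
2005/01/16 00:12:11 : Finished ftp upload
2005/01/16 00:12:11 : Ready rotating logs
2005/01/16 23:59:00 : Running logrotate
2005/01/16 23:59:00 : Starting ftp upload
2005/01/17 00:12:14 : Finished ftp upload
2005/01/17 00:12:14 : Ready rotating logs
2005/01/17 23:59:01 : Running logrotate
2005/01/18 00:00:01 : Starting ftp upload
2005/01/18 00:13:12 : Finished ftp upload
2005/01/18 00:13:12 : Ready rotating logs
2005/01/21 23:59:03 : Running logrotate
2005/01/22 00:00:04 : Renaming logfile
2005/01/22 00:10:07 : Starting ftp upload
2005/01/22 00:23:18 : Finished ftp upload
2005/01/22 00:23:18 : Ready rotating logs
"""

# Constructed: the first and last lines quoted from snf0116.log.
SNF0116_LOG = """\
idnum 20050115230009 Da076099d015660ce.SMD 125 0 Clean 0 0 0 3886 38
idnum 20050115230143 Da0d509ac0156d108.SMD 125 16 Match 215399 63 1 54 39
idnum 20050116225610 D3401d7f0c2c.GSC 140 0 Clean 0 0 0 4823 30
idnum 20050116225818 D34211fc0c70.GSC 188 0 Clean 0 0 0 1265 31
"""

def parse_logrot(text):
    """Yield (timestamp, message) from 'YYYY/MM/DD HH:MM:SS : message' lines."""
    for line in text.splitlines():
        if " : " not in line:
            continue
        stamp, msg = line.split(" : ", 1)
        yield datetime.strptime(stamp.strip(), "%Y/%m/%d %H:%M:%S"), msg.strip()

def step_durations(text, start_msg, end_msg):
    """Seconds from each start_msg to the next end_msg, as (start, secs) pairs."""
    out, start = [], None
    for stamp, msg in parse_logrot(text):
        if msg == start_msg:
            start = stamp
        elif msg == end_msg and start is not None:
            out.append((start, int((stamp - start).total_seconds())))
            start = None
    return out

def first_jump(durations, factor=5):
    """Start timestamp of the first run that took more than factor x the previous."""
    for (_, prev), (start, secs) in zip(durations, durations[1:]):
        if secs > factor * prev:
            return start
    return None

def rename_times(text):
    """One timestamp per nightly run: when id.log was renamed. Uses the
    'Renaming logfile' line where the script logs one, otherwise 'Starting
    ftp upload' (the post says the rename happens right before the upload)."""
    times, done = [], False
    for stamp, msg in parse_logrot(text):
        if msg == "Running logrotate":
            done = False
        elif not done and msg in ("Renaming logfile", "Starting ftp upload"):
            times.append(stamp)
            done = True
    return times

def snf_window(text):
    """(first, last) entry timestamp of a Sniffer log, from its idnum lines."""
    stamps = [datetime.strptime(line.split()[1], "%Y%m%d%H%M%S")
              for line in text.splitlines() if line.startswith("idnum ")]
    return min(stamps), max(stamps)

def clock_offset_hours(window, renamed_from, renamed_to):
    """Whole-hour offset of the log's first/last entry from the two renames
    that should bracket it. (0, 0) = exactly rename-to-rename; the same
    non-zero value at both ends = the two clocks differ, not a late rotation."""
    first, last = window
    return (round((first - renamed_from).total_seconds() / 3600),
            round((last - renamed_to).total_seconds() / 3600))

if __name__ == "__main__":
    runs = step_durations(LOGROT_LOG, "Running logrotate", "Ready rotating logs")
    for start, secs in runs:
        print(f"{start:%Y-%m-%d}  rotation run took {secs // 60}m{secs % 60:02d}s")
    print("first jump at:", first_jump(runs))
    renames = rename_times(LOGROT_LOG)
    print("snf0116 offset (h):", clock_offset_hours(snf_window(SNF0116_LOG), renames[0], renames[1]))
```

On the constructed lines the run time jumps at the 2004/06/18 run, exactly where the post says it did, and snf0116.log comes out one hour early at both ends, so the rename itself is firing at the right moment. With the full logs in place of the excerpts the same functions answer the same two questions.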
Re: Re[4]: [sniffer] New Version 2-3.2 has been officially released.
Hi,

> [...] I understand. I have no reasonable explanation for your experience. There have been no other reported problems and I have been unable to recreate your conditions.
>
> BB I just once more installed the 2.3.2 exe, we'll see what happens. As it is
> BB close to 9 PM over here it should not disrupt any business going on and let
> BB me do some testing.
>
> Thanks for your efforts.

Well, still no problems so far, so I'll write it up to... earth rays, solar spots, pick whatever you want. It seems it was a one-time thing.

> [...] One change you should make is to adjust your Declude configuration so that your message file name is emitted into your message headers. This way when a false positive does occur we can match the message up to the log entries and identify the rule or rules that fired.

Did that, so for the next time something like this happens... ;)

With kind regards,
Bonno Bloksma
Re: Re[4]: [sniffer] New Version 2-3.2 has been officially released.
Hi,

>> Well, still no problems so far, so I'll write it up to... earth rays, solar spots, pick whatever you want. It seems it was a one-time thing.
>
> You must be referring to the RAW law.

RAW? Random Answer Whatchamacallit?

> John Tolmachoff
> Engineer/Consultant/Owner
> eServices For You

With kind regards,
Bonno Bloksma
Re: Re[2]: [sniffer] New Version 2-3.2 has been officially released.
Hi,

> BB Just to let you know. We had a problem after updating to 2.3.2 this morning
> BB where suddenly a lot of our internal mail got caught as spam by sniffer. I've
> BB already sent a report to the support address. For whatever reason I could
> BB not send to the false@ address.
> BB All I did was replace the 2.3.1 exe with the 2.3.2 exe (of course with the
> BB correct id name).
>
> I am unable to duplicate your results. I have re-verified my testing. I have version 2-3.2 running on our test server without any problems and it is capturing 9+ / 10 messages which is typical.
>
> Please verify that you have the correct executable in place by running the program from the command line with no parameters. The correct build information is:
>
> build - v2-3.2 Nov 23 2004 01:21:33
>
> Then please also verify that you have the correct rulebase in place.

The version is the same as you say. The rulebase was downloaded last night and later that morning once more, but not updated because there were no changes. I verify every downloaded rulebase.

Like I wrote, all I did was, early this morning, replace the 2.3.1 exe with the 2.3.2 exe. After that the problems started. When I replace the 2.3.2 exe with the 2.3.1 exe all problems disappear. As I had to attend a seminar this afternoon I did not have any time for further testing. I just once more installed the 2.3.2 exe, we'll see what happens. As it is close to 9 PM over here it should not disrupt any business going on and let me do some testing.

Did you receive the mail I sent along with the caught e-mail and the logfiles? Anything that pointed to a special rule? Should I change the logging when this happens so as to provide more information about what might be happening?

> Hope this helps,
> _M

We'll see.

Cheers,
Bonno Bloksma
Back up my hard drive? How do I put it in reverse?
[sniffer] logrotate
Hi,

In the default logrotate.cmd script there is a move instead of a ren command. Is there any special reason for that? As Ren is an internal command and move an external command, I would have expected Ren to be used.

p.s. Did my comment about an updated AutoSNF.cmd file make it to you, Pete? I sent it to the list on Friday, April 9th, but it never made it back over here.

Cheers,
Bonno Bloksma