[sniffer] Re: Short Match FPs.

2015-12-01 Thread Darin Cox
Thanks for the info, Pete.  Appreciate your proactiveness on this.

Hope you had a good Thanksgiving!

Darin.



From: Pete McNeil
Sent: Tuesday, December 01, 2015 5:57 PM
To: Message Sniffer Community
Subject: [sniffer] Short Match FPs.

Hi Folks,

I'm sorry to report there is a problem.

For the past few days we have been seeing some intermittent corruption in 
some rulebase updates.

Since we made no changes to precipitate this and since it's only been 
reported by a few systems intermittently it's a bit of a challenge to nail 
down. However, it is our top priority at the moment.

Here is what we do know about it:

  a. The problem appears to have started around Nov 29.
  b. It is highly intermittent and random.
  c. It causes some false positives.
  d. You can identify a short-match event by looking at the index and endex 
of a rule match. If the difference is less than 5 then you have a short rule 
match.
  e. You can mitigate the problem by temporarily putting the associated 
rule ID in your rule-panic list in your SNF configuration.
  f. Normally the problem goes away on the next rulebase update.
  g. Sometimes it doesn't go away but changes the associated rule ID.

For now the best thing to do is add a rule-panic entry when you spot one of 
these. That will solve the problem for that update.


Be sure to remove your rule panic entries occasionally since they won't help 
you after a day.


We will continue to work on this until we understand it and it is resolved.


Best,


_M


-- 
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010
twitter/codedweller

#

This message is sent to you because you are subscribed to

  the mailing list .

This list is for discussing Message Sniffer,

Anti-spam, Anti-Malware, and related email topics.

For More information see http://www.armresearch.com

To unsubscribe, E-mail to: 

To switch to the DIGEST mode, E-mail to 

To switch to the INDEX mode, E-mail to 

Send administrative queries to  
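The short-match check from Pete's list (endex minus index below 5) and the rule-panic entry it calls for, with the one-day expiry he advises, as an added example of my own rather than SNF's code. The record layout, rule ids, offsets and timestamps below are constructed; SNF's real activity-log layout and rule-panic configuration syntax are not reproduced.

```python
"""Short-match finder and rule-panic list helper.

Added example, not SNF code. Match records are constructed in a simple
'timestamp rule index endex' text form; SNF's real activity-log layout and
rule-panic configuration syntax are NOT reproduced here.
"""
from datetime import datetime, timedelta

SHORT_MATCH_THRESHOLD = 5      # endex - index < 5 means a short rule match
PANIC_TTL = timedelta(days=1)  # rule-panic entries stop helping after about a day

# Constructed sample records (hypothetical rule ids and offsets, not real data).
SAMPLE_MATCHES = """\
2015-11-30T08:12:01 5120001 1843 1897
2015-11-30T08:12:05 5120044 220 223
2015-11-30T08:12:09 5120044 4410 4412
2015-11-30T08:13:40 5119987 90 130
2015-11-30T09:01:13 5120310 77 81
"""


def parse_matches(text):
    """Parse constructed records into (timestamp, rule_id, index, endex) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, rule, index, endex = line.split()
        records.append((datetime.fromisoformat(stamp), int(rule), int(index), int(endex)))
    return records


def is_short_match(index, endex, threshold=SHORT_MATCH_THRESHOLD):
    """True when the matched span is shorter than the threshold (the symptom to look for)."""
    return (endex - index) < threshold


def short_match_rules(records):
    """Map each rule id that produced a short match to the time it was first seen."""
    first_seen = {}
    for stamp, rule, index, endex in records:
        if is_short_match(index, endex):
            first_seen.setdefault(rule, stamp)
    return first_seen


class RulePanicList:
    """Rule ids to treat as inert, each remembered with the time it was added."""

    def __init__(self):
        self._added = {}

    def add(self, rule_id, when):
        self._added.setdefault(rule_id, when)

    def expire(self, now, ttl=PANIC_TTL):
        """Remove entries older than ttl (a later rulebase update supersedes them)."""
        stale = [r for r, t in self._added.items() if now - t > ttl]
        for rule_id in stale:
            del self._added[rule_id]
        return stale

    def active(self):
        return sorted(self._added)


def build_panic_list(text, now_iso):
    """Scan records, add every short-match rule id, then drop day-old entries."""
    panic = RulePanicList()
    for rule_id, first in short_match_rules(parse_matches(text)).items():
        panic.add(rule_id, first)
    panic.expire(datetime.fromisoformat(now_iso))
    return panic.active()


if __name__ == "__main__":
    print(build_panic_list(SAMPLE_MATCHES, "2015-11-30T12:00:00"))
```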



[sniffer] Re: Bad rule report 6237276

2014-03-19 Thread Darin Cox
Thanks for your proactiveness, Pete!  We did not see any negative effect 
from the rule.


Darin.

-Original Message- 
From: Pete McNeil

Sent: Wednesday, March 19, 2014 2:42 PM
To: Message Sniffer Community
Subject: [sniffer] Bad rule report 6237276

Hi Sniffer Folks,

A short time ago Rule 6237276 was detected on our conflict instruments
and removed from the core rulebase. The rule was in place from
approximately 1130 to approximately 1400.

We recommend that if you have the ability to release messages matching
this rule from your quarantines and rescan them then please do so.

The rule was coded to catch a variant of the "/goo.gl/ link" spam and
was coded too broadly. The rule was removed when we identified it on our
IP/Rule conflict instruments and reexamined it. Its signature on the
conflict instrument is already falling dramatically and we expect that
most systems auto-panicked the rule making it inert automatically.

We are very sorry for any trouble.

Best,

_M

--
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010
twitter/codedweller





[sniffer] Re: What is your oldest production CPU?

2013-12-27 Thread Darin Cox

Hi Pete,

Our oldest production servers still have 1.1 - 1.4 GHz P3's in them. 
However, for mail our oldest are quad core 3Ghz Xeons.


Darin.

-Original Message- 
From: Pete McNeil

Sent: Friday, December 27, 2013 9:43 AM
To: Message Sniffer Community
Subject: [sniffer] What is your oldest production CPU?

Hello Sniffer Folks,

We would like to know what your oldest production CPU is.

When building new binaries of SNF or its utilities we would like to
select the newest CPU we can without leaving anybody behind.

We're also evaluating whether we should split binaries into a
"compatible" version based on Intel i686 (or equivalent AMD), and a
"current" version based on Intel Core2 (or equivalent AMD).

Please respond here.

Thanks for your time!!

_M

--
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010
twitter/codedweller





[sniffer] Re: Slow processing times, errors

2013-06-28 Thread Darin Cox
How about running performance monitor to watch disk I/O, mem, cpu, page 
file, etc. over time in the hopes of catching one of the events?

Darin.



From: Matt
Sent: Friday, June 28, 2013 12:10 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Slow processing times, errors

Pete,

I'm near positive that it's not system resources that are causing Sniffer to 
not be able to access the files.  I believe these errors are a symptom and 
not the cause.

You have to keep in mind that on the messages that don't throw errors, they 
were taking 30-90 seconds to scan, but immediately after a restart it was 
under 1 second.  The system stayed the same, it was just the state of the 
service that was off in a bad way.

I did add a larger client about a month ago around the time that this 
started, which did inch up load by between 1% and 5% I figure, but I can't 
say for sure that the two things are connected.  I've seen much bigger 
changes however in spam volumes from single spammers.  I have looked at my 
SNFclient.exe.err log and found that the previous slowdowns were all 
represented in this file, and nothing else really since a smattering in 2012 
of other stuff.  I believe that I/O could be the trigger, or general system 
load, but the error in the service that misses opening some files, and is 
otherwise slower than normal by 100 times, will persist when everything else 
is fine again.  I figure that this is all triggered by a short-term lack of 
resources or a killer message type of issue that does something like run 
away with memory.  Certainly there were no recent changes on the server 
prior to this starting to happen, including Sniffer itself which has been 
perfectly solid up until 5/22.

Regarding the ERROR_MSG_FILE batch that I sent you in that log, it did 
happen exactly when I restarted Sniffer, and in fact the SNFclient.exe.err 
log showed a different error while this was happening, and maybe this will 
point you to something else?  That log says "Could Not Connect!" when the 
regular Sniffer log shows "ERROR_MSG_FILE" about 1/8th of the time while in 
a bad state.  When I restarted the Sniffer service, the regular log showed a 
bunch of "ERROR_MSG_FILE" in a row, but the SNFclient.exe.err log below 
shows "XCI Error!: FileError snf_EngineHandler::scanMessageFile() 
Open/Seek".  You can match the message ID's with the other log that I 
provided.  I believe that block of messages was already called to 
SNFclient.exe, but the Sniffer service hadn't yet responded, and so they 
were dumped as a batch into both logs during shut down of the service.

  20130627183807, arg1=F:\\proc\work\D862600e64269.smd : Could Not Connect!
  20130627183808, arg1=F:\\proc\work\D86440177431f.smd : Could Not Connect!
  20130627183808, arg1=F:\\proc\work\D861200ce41ce.smd : Could Not Connect!
  20130627183809, arg1=F:\\proc\work\D864401734321.smd : Could Not Connect!
  20130627183809, arg1=F:\\proc\work\D861400da41e3.smd : Could Not Connect!
  20130627183810, arg1=F:\\proc\work\D862600d7425f.smd : Could Not Connect!
  20130627183811, arg1=F:\\proc\work\D864a00e94346.smd : Could Not Connect!
  20130627183811, arg1=F:\\proc\work\D8615019b41f4.smd : Could Not Connect!
  20130627183813, arg1=F:\\proc\work\D862900e94282.smd : Could Not Connect!
  20130627183815, arg1=F:\\proc\work\D863d01584306.smd : Could Not Connect!
  20130627183817, arg1=F:\\proc\work\D86030158416f.smd : Could Not Connect!
  20130627183818, arg1=F:\\proc\work\D862300e94255.smd : Could Not Connect!
  20130627183819, arg1=F:\\proc\work\D862900e64281.smd : Could Not Connect!
  20130627183819, arg1=F:\\proc\work\D864b00d74357.smd : XCI Error!: FileError snf_EngineHandler::scanMessageFile() Open/Seek
  20130627183819, arg1=F:\\proc\work\D864800d7433c.smd : XCI Error!: FileError snf_EngineHandler::scanMessageFile() Open/Seek
  20130627183819, arg1=F:\\proc\work\D861901734205.smd : XCI Error!: FileError snf_EngineHandler::scanMessageFile() Open/Seek
  20130627183819, arg1=F:\\proc\work\D861d01774230.smd : XCI Error!: FileError snf_EngineHandler::scanMessageFile() Open/Seek
  20130627183819, arg1=F:\\proc\work\D8641016d4310.smd : XCI Error!: FileError snf_EngineHandler::scanMessageFile() Open/Seek
  20130627183819, arg1=F:\\proc\work\D865000e64363.smd : XCI Error!: FileError snf_EngineHandler::scanMessageFile() Open/Seek
  20130627183819, arg1=F:\\proc\work\D865000e14361.smd : XCI Error!: FileError snf_EngineHandler::scanMessageFile() Open/Seek
  20130627183819, arg1=F:\\proc\work\D85fe00e64152.smd : XCI Error!: FileError snf_EngineHandler::scanMessageFile() Open/Seek
  20130627183819, arg1=F:\\proc\work\D8610016d41c5.smd : XCI Error!: FileError snf_EngineHandler::scanMessageFile() Open/Seek
  20130627183819, arg1=F:\\proc\work\D861f00ce4231.smd : XCI Error!: FileError snf_EngineHandler::scanMessageFile() Open/Seek
  20130627183819, arg1=F:\\proc\

[sniffer] Re: Slow processing times, errors

2013-06-27 Thread Darin Cox
Hi Matt,

We started having that problem coincidentally right after we upgraded to 
3.x.  For us the .tmp file creation in the spool was indicative of sniffer 
processing delays.  We do have Sniffer modifying headers.

Darin.



From: Matt
Sent: Thursday, June 27, 2013 5:32 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Slow processing times, errors

Darin,

I'm not seeing that sort of thing.  With 3.x, there doesn't appear to be any 
extraneous file creation in the Sniffer program directory, and never any TMP 
files in my spool.  I do not have Sniffer modifying headers, so that may be 
different on our systems.

Matt



On 6/27/2013 5:25 PM, Darin Cox wrote:

  When we had sluggish performance similar to yours, resulting in numerous 
sniffer .tmp files in the spool, the cause was eventually traced to a 
proliferation of files in the sniffer directory.  Clearing them out brought 
performance back up to normal.

  Darin.



  From: e...@protologic.com
  Sent: Thursday, June 27, 2013 5:17 PM
  To: Message Sniffer Community
  Subject: [sniffer] Re: Slow processing times, errors

  We were experiencing this several days ago and couldn't find a fix that 
worked or worked for long. We uninstalled SNF and reinstalled and have not 
detected a problem since. I will check the logs and report back if I see 
anything intermittent.




  Sent using SmarterSync Over-The-Air sync for iPad, iPhone, BlackBerry and 
other SmartPhones. May use speech to text. If something seems odd please 
don't hesitate to ask for clarification. E.&O.E.

  On 2013-06-27, at 2:06 PM, Matt wrote:

  > Pete,
  >
  > I've had many recent incidences where, as it turns out, SNFclient.exe 
takes 30 to 90 seconds to respond to every message with a result code 
(normally less than a second), and as a result backs up processing. 
Restarting the Sniffer service seems to do the trick, but I only tested that 
for the first time today after figuring this out.
  >
  > I believe the events are triggered by updates, but I'm not sure as of 
yet. Updates subsequent to the slow down do not appear to fix the situation, 
so it seems to be resident in the service. When this happens, my 
SNFclient.exe.err log fills up with lines like this:
  >
  > 20130627155608, arg1=F:\\proc\work\D6063018a2550.smd : Could Not 
Connect!
  >
  > At the same time, my Sniffer logs start showing frequent 
"ERROR_MSG_FILE" results on about 1/8th of the messages.
  >
  > I'm currently using the service version 3.0.2-E3.0.17. It's not entirely 
clear to me what the most current one is.
  >
  > Any suggestions as to the cause or solution?
  >
  > Thanks,
  >
  > Matt
  >
  >





[sniffer] Re: Slow processing times, errors

2013-06-27 Thread Darin Cox
When we had sluggish performance similar to yours, resulting in numerous 
sniffer .tmp files in the spool, the cause was eventually traced to a 
proliferation of files in the sniffer directory.  Clearing them out brought 
performance back up to normal.

Darin.



From: e...@protologic.com
Sent: Thursday, June 27, 2013 5:17 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Slow processing times, errors

We were experiencing this several days ago and couldn't find a fix that 
worked or worked for long. We uninstalled SNF and reinstalled and have not 
detected a problem since. I will check the logs and report back if I see 
anything intermittent.




Sent using SmarterSync Over-The-Air sync for iPad, iPhone, BlackBerry and 
other SmartPhones. May use speech to text. If something seems odd please 
don't hesitate to ask for clarification. E.&O.E.

On 2013-06-27, at 2:06 PM, Matt wrote:

> Pete,
>
> I've had many recent incidences where, as it turns out, SNFclient.exe 
> takes 30 to 90 seconds to respond to every message with a result code 
> (normally less than a second), and as a result backs up processing. 
> Restarting the Sniffer service seems to do the trick, but I only tested 
> that for the first time today after figuring this out.
>
> I believe the events are triggered by updates, but I'm not sure as of yet. 
> Updates subsequent to the slow down do not appear to fix the situation, so 
> it seems to be resident in the service. When this happens, my 
> SNFclient.exe.err log fills up with lines like this:
>
> 20130627155608, arg1=F:\\proc\work\D6063018a2550.smd : Could Not 
> Connect!
>
> At the same time, my Sniffer logs start showing frequent "ERROR_MSG_FILE" 
> results on about 1/8th of the messages.
>
> I'm currently using the service version 3.0.2-E3.0.17. It's not entirely 
> clear to me what the most current one is.
>
> Any suggestions as to the cause or solution?
>
> Thanks,
>
> Matt
>
>



[sniffer] Re: How fast is *my* MessageSniffer? (was: IP Change on rulebase delivery system)

2013-03-28 Thread Darin Cox
Nice stats, Andrew!

And Pete, thanks for spending so much time and effort to make it work so 
well, despite us beating on you because it doesn’t catch every spam campaign 
from the very first message!  Sniffer has always been our number one tool in 
this battle.

Darin.



From: Colbeck, Andrew
Sent: Thursday, March 28, 2013 7:50 PM
To: Message Sniffer Community
Subject: [sniffer] How fast is *my* MessageSniffer? (was: IP Change on 
rulebase delivery system)

Answer: pretty darn fast for a system that I think is slow anyway



I think my MTA is a busy system, and I know that it’s not MessageSniffer 
that keeps the server busy. A glance with Task Manager or Process Explorer 
shows very little CPU time is spent by MessageSniffer.



I threw some grepping etc and then Excel at the xml file for one average 
business day and came up with…







25% of messages are scanned within 100ms
50% of messages are scanned within 140ms
99% of messages are scanned within 330ms

I also looked at the “setup time”. I’ll spare you the graph; my results are:

80% of messages are loaded so quickly that the time is recorded as zero ms
85% of messages are loaded in 15ms or fewer
95% of messages are loaded in 30ms or fewer
99% of messages are loaded in 125ms or fewer



Actually, everything above 98% of my volume takes longer to load but for 
ridiculously smaller volume of messages. A spot check shows that those are 
indeed rodents messages of unusual size.



Thanks for the nudge, Pete. I knew MessageSniffer was fast, I just hadn’t 
bothered to quantify it before.





Andrew.





-Original Message-
From: Message Sniffer Community [mailto:sniffer@sortmonster.com] On Behalf 
Of Pete McNeil
Sent: Wednesday, March 27, 2013 2:43 PM
To: Message Sniffer Community
Subject: [sniffer] Re: IP Change on rulebase delivery system



On 2013-03-27 17:16, Richard Stupek wrote:

> The spikes aren't as prolonged at the present.



Interesting. A short spike like that might be expected if the message was 
longer than usual, but on average SNF should be very light-weight.



One thing you can check is the performance data in your logs. That will show 
how much time in cpu milliseconds it is taking for each scan and how long 
the scans are in bytes. This might shed some light.



http://www.armresearch.com/support/articles/software/snfServer/logFiles/activityLogs.jsp



Look for something like  in each scan.



From the documentation:



>  - Scan Performance Monitoring (performance='yes')
>    p:s = Setup time in milliseconds
>    p:t = Scan time in milliseconds
>    p:l = Scan length in bytes
>    p:d = Scan depth (peak evaluator count)



Best,



_M





--

Pete McNeil

Chief Scientist

ARM Research Labs, LLC

www.armresearch.com

866-770-1044 x7010

twitter/codedweller





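Pete's advice above is to read the p:s/p:t/p:l/p:d performance records, and Andrew's figures are the percentiles such a pass produces. The following is an added example of my own (not ARM Research's code) that computes the same nearest-rank percentiles from constructed log lines and lists scans over one second next to their byte length, so a long scan on a very large message can be told apart from one on an ordinary message. The element shape `<p s= t= l= d=/>` is assumed from the quoted documentation; the `<s>` wrapper and all values are constructed.

```python
"""Scan-performance percentiles from SNF-style activity-log records.

Added example, not ARM Research code. The record shape
<p s='..' t='..' l='..' d='..'/> is ASSUMED from the documentation quoted on
the list (p:s setup ms, p:t scan ms, p:l scan length in bytes, p:d scan depth);
the surrounding <s> wrapper and every value below are constructed.
"""
import re

PERF_RE = re.compile(r"<p\s+s='(\d+)'\s+t='(\d+)'\s+l='(\d+)'\s+d='(\d+)'\s*/>")

# Constructed sample: twelve scans, two of them large messages that run long.
SAMPLE_LOG = """\
<s u='20130328091501'><p s='0' t='95' l='4120' d='6'/></s>
<s u='20130328091502'><p s='0' t='110' l='5200' d='6'/></s>
<s u='20130328091504'><p s='0' t='120' l='6100' d='7'/></s>
<s u='20130328091507'><p s='0' t='130' l='6800' d='7'/></s>
<s u='20130328091509'><p s='0' t='140' l='7300' d='8'/></s>
<s u='20130328091512'><p s='0' t='150' l='8000' d='8'/></s>
<s u='20130328091515'><p s='0' t='160' l='9100' d='8'/></s>
<s u='20130328091518'><p s='0' t='210' l='15000' d='9'/></s>
<s u='20130328091521'><p s='15' t='240' l='22000' d='9'/></s>
<s u='20130328091525'><p s='30' t='330' l='41000' d='10'/></s>
<s u='20130328091530'><p s='110' t='1450' l='1880000' d='12'/></s>
<s u='20130328091536'><p s='125' t='2100' l='2650000' d='14'/></s>
"""


def parse_perf(text):
    """Pull every performance record out of the log text."""
    records = []
    for match in PERF_RE.finditer(text):
        setup, scan, length, depth = (int(v) for v in match.groups())
        records.append({"setup_ms": setup, "scan_ms": scan, "length": length, "depth": depth})
    return records


def percentile(values, pct):
    """Nearest-rank percentile: the smallest value that pct% of samples do not exceed."""
    if not values:
        raise ValueError("no samples")
    ordered = sorted(values)
    rank = (pct * len(ordered) + 99) // 100  # ceil(pct/100 * n) in integer arithmetic
    return ordered[max(rank, 1) - 1]


def scan_summary(records, pcts=(25, 50, 99)):
    """Percentiles of scan time and setup time, the two figures Andrew reported."""
    scans = [r["scan_ms"] for r in records]
    setups = [r["setup_ms"] for r in records]
    return {
        "scan_ms": {p: percentile(scans, p) for p in pcts},
        "setup_ms": {p: percentile(setups, p) for p in pcts},
    }


def slow_scans(records, threshold_ms=1000, size_factor=10):
    """Scans over the threshold, each flagged True if its length is size_factor x the median.

    A long scan on an unusually large message is the benign case Pete describes;
    a long scan on an ordinary-sized message is the one worth investigating.
    """
    median_len = percentile([r["length"] for r in records], 50)
    return [
        (r["scan_ms"], r["length"], r["length"] >= size_factor * median_len)
        for r in records
        if r["scan_ms"] > threshold_ms
    ]


if __name__ == "__main__":
    recs = parse_perf(SAMPLE_LOG)
    print(scan_summary(recs))
    print(slow_scans(recs))
```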

[sniffer] Re: IP Change on rulebase delivery system

2013-03-28 Thread Darin Cox
Richard,

Do you have any directories with a large number of files (>4k)?  We had a 
similar problem a few months back with sniffer scans taking much longer to 
complete and sniffer temporary files being left over.  We finally traced the 
performance issues to a frequently accessed directory with thousands of 
files.  We’ve also seen issues in the past with directories with a large 
number of files being very poor performing.

Darin.



From: Richard Stupek
Sent: Thursday, March 28, 2013 12:10 PM
To: Message Sniffer Community
Subject: [sniffer] Re: IP Change on rulebase delivery system

Ok looking at the log I see quite a few messages taking over a second to 
process (samples below):


On Wed, Mar 27, 2013 at 4:42 PM, Pete McNeil  
wrote:

  On 2013-03-27 17:16, Richard Stupek wrote:

The spikes aren't as prolonged at the present.



  Interesting. A short spike like that might be expected if the message was 
longer than usual, but on average SNF should be very light-weight.

  One thing you can check is the performance data in your logs. That will 
show how much time in cpu milliseconds it is taking for each scan and how 
long the scans are in bytes. This might shed some light.

  
http://www.armresearch.com/support/articles/software/snfServer/logFiles/activityLogs.jsp

  Look for something like  in each scan.

  From the documentation:


 - Scan Performance Monitoring (performance='yes')
p:s = Setup time in milliseconds
p:t = Scan time in milliseconds
p:l = Scan length in bytes
p:d = Scan depth (peak evaluator count)



  Best,


  _M


  -- 
  Pete McNeil
  Chief Scientist
  ARM Research Labs, LLC
  www.armresearch.com
  866-770-1044 x7010
  twitter/codedweller






[sniffer] Re: IP Change on rulebase delivery system

2013-03-27 Thread Darin Cox
Probably unrelated... and due to a significant increase in spam over the 
past few days.

Darin.



From: Richard Stupek
Sent: Wednesday, March 27, 2013 2:18 PM
To: Message Sniffer Community
Subject: [sniffer] Re: IP Change on rulebase delivery system

Not sure if its related but since yesterday SNFserver CPU utilization has 
been inordinately high (>50%) for the middle of the day with not any 
additional volume in mail being received.


On Mon, Mar 25, 2013 at 9:13 AM, Pete McNeil  
wrote:

  Hi Sniffer Folks,

  We are about to change the IP of the rulebase delivery system. This change 
should be completely transparent and you should not need to take any action; 
however if you do notice anything unusual please let us know.

  Thanks,

  _M

  -- 
  Pete McNeil
  Chief Scientist
  ARM Research Labs, LLC
  www.armresearch.com
  866-770-1044 x7010
  twitter/codedweller






[sniffer] Re: GBUdb Tool

2012-11-27 Thread Darin Cox

Hi Pete,

Would you mind sharing your calculations of confidence and probability?  I'm 
looking at the stats for p=1.0 and curious about the low confidence values. 
I would have expected high confidence where there were no good samples and a 
lot of bad... or do I have something backwards?


Also, while it's easy to parse, it might be nice if the output had one 
delimiter between fields instead of being both tab and comma delimited. 
Makes importing into a database for analysis much easier.


Appreciate it,

Darin.

-Original Message- 
From: Pete McNeil

Sent: Friday, November 23, 2012 3:43 PM
To: Message Sniffer Community
Subject: [sniffer] GBUdb Tool

Hello Sniffer Folks,

We have been playing with a new utility that some of you may enjoy.

http://www.armresearch.com/message-sniffer/download/GBUDBTool-V0.1.zip

GBUDB Tool allows you to create a list of IP addresses from your GBUdb
snapshots (.gbx files). You can select IPs that are "blacker" or
"whiter" than a provided probability figure and confidence figure. It
outputs one IP per line, optionally with details about the statistics
for the IP. This can be useful for feeding-forward blacklists to block
at your firewall or for other research purposes.

Run GBUDBTool without any parameters and it will tell you about its
command line options.

Please let us know if there is more we can do.

Best,

_M

--
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010
twitter/codedweller





[sniffer] Re: FPs on Sniffer-Schemes

2012-03-13 Thread Darin Cox
Hi Pete,

We are running the older version, and get our updates about every 50-60 
minutes.  We're using GBUdb as a test in Declude, separately from Message 
Sniffer.

I'll look up the info on upgrading gracefully.  Hadn't had much time to do that 
previously.

Darin.


- Original Message - 
From: Pete McNeil 
To: Message Sniffer Community 
Sent: Monday, March 12, 2012 6:22 PM
Subject: [sniffer] Re: FPs on Sniffer-Schemes


On 3/12/2012 5:41 PM, Darin Cox wrote: 
  Started getting hits at 4:30pm EST up to 15 minutes ago (5:25pm EST). 
I think I can see part of the problem (possibly).
I do not have telemetry from your system (based on looking up your Id from your 
domain). I suspect this means that you are running an older version of SNF. By 
extension, that would mean a couple of things:

* Your rulebase update would not come as quickly as for most systems.
* Your SNF engine won't match on many of the newer rules.
* Your SNF engine will not have GBUdb and also will not be able to auto-panic 
new rules that conflict with IP reputation data.

Am I right about these assumptions?
If not, then we should figure out why I don't see your telemetry.

Thanks,

_M


-- 
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010
twitter/codedweller 




[sniffer] Re: FPs on Sniffer-Schemes

2012-03-12 Thread Darin Cox
More info...

Started getting hits at 4:30pm EST up to 15 minutes ago (5:25pm EST).  Not sure 
if the rule has been pulled or corrected yet.

Had 383 hits, and a very high percentage of those were FPs.  Don't have an 
exact number, due to having to release the messages quickly for delivery, but I 
expect at least 30% were FPs for us.  Most were referencing PO #s or orders for 
various customers.

Darin.


- Original Message - 
From: Darin Cox 
To: Message Sniffer Community 
Sent: Monday, March 12, 2012 5:17 PM
Subject: [sniffer] FPs on Sniffer-Schemes


Hi Pete,

We're seeing a ton of FPs on a Sniffer-Schemes rule # 4764784.

Darin.


[sniffer] FPs on Sniffer-Schemes

2012-03-12 Thread Darin Cox
Hi Pete,

We're seeing a ton of FPs on a Sniffer-Schemes rule # 4764784.

Darin.


[sniffer] Re: RulePanic on 3741490

2011-01-07 Thread Darin Cox
H

"Update notifications happen as soon as the rulebase compilers have created a 
new rulebase."

I don't know what your internal processes are, but if I understand this 
correctly the rule was created at 5:39am ET, and was compiled into the rulebase 
somewhere just before 8:53am ET, at which point update notifications were sent.

From the customer point of view, when the rule was created or removed doesn't 
really matter, and those times are meaningless to us.  What matters is when 
the rulebases that include them are published/updated, as that is what we key 
off of for updates.

"We have features on the short list to automatically render removed rules inert 
in near real-time (within seconds)"

Sounds good.  That would definitely be better than notifications for us to be 
able to put in RulePanics, assuming there's no negative effect to overall 
performance from checking each rule for active/inactive state.  I assume some 
sort of push mechanism to all subscribers, to notify their systems that a rule 
is no longer valid, is what you're planning here.

Best.

Darin.


- Original Message - 
From: Pete McNeil 
To: Message Sniffer Community 
Sent: Friday, January 07, 2011 1:43 PM
Subject: [sniffer] Re: RulePanic on 3741490


On 1/7/2011 12:33 PM, Darin Cox wrote: 
  Hmmm... so 70 minutes after the rule was released we were notified of the 
rule update for auto-update of rulebase, but at 10:11ET we still hadn't gotten 
the update for the 8:53am removal.  Anything we can do to speed up the rulebase 
update notifications?

Update notifications happen as soon as the rulebase compilers have created a 
new rulebase. We are in the process of reworking our compiler cluster to 
improve its performance and further shorten update times.



  Also, for rules identified as problematic and removed, what about an 
automated email so we can remove it immediately via RulePanic.  For peak times 
like beginning of the business day, that would be very helpful.  An hour could 
save a lot of headaches for both us and our customers.  Or are there so many of 
those that we would be swamped with notifications?

We have features on the short list to automatically render removed rules inert 
in near real-time (within seconds).



  Just trying to figure out a way to avoid this as much as possible in the 
future.  It cost me a half hour this morning, and, more importantly, delayed 
over 150 legitimate messages to our customers.

We are constantly improving our process to minimize these cases, increase the 
speed with which we can detect and correct these, and add features to automate 
and expedite the process.



  Thanks in advance for anything you can do.

Thanks very much for your feedback!

_M


-- 
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010



[sniffer] Re: RulePanic on 3741490

2011-01-07 Thread Darin Cox
Hmmm... so 70 minutes after the rule was released we were notified of the rule 
update for auto-update of rulebase, but at 10:11ET we still hadn't gotten the 
update for the 8:53am removal.  Anything we can do to speed up the rulebase 
update notifications?

Also, for rules identified as problematic and removed, what about an automated 
email so we can remove it immediately via RulePanic.  For peak times like 
beginning of the business day, that would be very helpful.  An hour could save 
a lot of headaches for both us and our customers.  Or are there so many of 
those that we would be swamped with notifications?

Just trying to figure out a way to avoid this as much as possible in the 
future.  It cost me a half hour this morning, and, more importantly, delayed 
over 150 legitimate messages to our customers.

Thanks in advance for anything you can do.

Darin.


- Original Message - 
From: Pete McNeil 
To: Message Sniffer Community 
Sent: Friday, January 07, 2011 11:27 AM
Subject: [sniffer] Re: RulePanic on 3741490


On 1/7/2011 10:19 AM, Darin Cox wrote: 
> Hi guys,
>
> We're seeing a lot of FPs on 3741490 this morning.  I've added a RulePanic 
> for it in our systems.

The rule was created at 0539 and removed at 0853 when it was detected by our 
early warning system.
It codes for a binary segment found in some image files.

_M


-- 
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010


[sniffer] RulePanic on 3741490

2011-01-07 Thread Darin Cox
Hi guys,

We're seeing a lot of FPs on 3741490 this morning.  I've added a RulePanic for 
it in our systems.

Roughly 150 FPs from 6:55am until a few minutes ago...

Darin.



[sniffer] Re: Rule Panic on 3364665

2010-08-17 Thread Darin Cox
Thanks, Pete.

Darin.


- Original Message - 
From: Pete McNeil 
To: Message Sniffer Community 
Sent: Tuesday, August 17, 2010 3:37 PM
Subject: [sniffer] Re: Rule Panic on 3364665


On 8/17/2010 3:10 PM, Darin Cox wrote: 
> Hi,
>
> We've had a lot of FPs on this rule, and wanted to alert everyone on it.
>
> Pete, can you look into it?

It's already dead.
It was a binary rule for an image spam.

_M



-- 
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com




[sniffer] Re: Rule Panic on 3364665

2010-08-17 Thread Darin Cox
We had 231 hits on that rule from 12:15pm to 3:03pm ET.  At least 90% of them 
were FPs.  Since there was a broad spectrum of customers and content affected, 
I'm guessing there was an error or over-generalization in the rule.

Darin.


- Original Message - 
From: Colbeck, Andrew 
To: Message Sniffer Community 
Sent: Tuesday, August 17, 2010 3:31 PM
Subject: [sniffer] Re: Rule Panic on 3364665


I have seen one hit, and it looks like a false positive to me. Sent as a sample 
to the false@ address.

Thanks for the heads-up, Darin.


Andrew.





From: Message Sniffer Community [mailto:snif...@sortmonster.com] On Behalf Of 
Darin Cox
Sent: Tuesday, August 17, 2010 12:11 PM
To: Message Sniffer Community
Subject: [sniffer] Rule Panic on 3364665


Hi,

We've had a lot of FPs on this rule, and wanted to alert everyone on it.

Pete, can you look into it?

Thanks,

Darin.



[sniffer] Rule Panic on 3364665

2010-08-17 Thread Darin Cox
Hi,

We've had a lot of FPs on this rule, and wanted to alert everyone on it.

Pete, can you look into it?

Thanks,

Darin.



[sniffer] Re: Volume spike Mon 9AM EST

2010-05-10 Thread Darin Cox
Hi Pete,

No.  Not leakage.  Sniffer et al are doing their job well.

Just a large spike in incoming spam volume.  It settled down for us by about 
11am.

Darin.


- Original Message - 
From: "Pete McNeil" 
To: "Message Sniffer Community" 
Sent: Monday, May 10, 2010 11:46 AM
Subject: [sniffer] Re: Volume spike Mon 9AM EST


On 5/10/2010 11:12 AM, NetEase Operations Manager wrote:
> I am getting a lot of complaints from my customers concerning the huge
> spikes too.
>

Do you mean huge spikes in leakage?

Hope not-- because we're not seeing that in our instrumentation.
If anything is leaking please be sure to get it to us so we can filter it.

We did see a few short spikes for new campaigns that have a lot of
bandwidth behind them but those are well captured now and were captured
very quickly.

We would love to get our eyes on anything new that we're not already seeing.

_M


-- 
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com




[sniffer] Re: Volume spike Mon 9AM EST

2010-05-10 Thread Darin Cox
I'm seeing it, too.

Darin.


- Original Message - 
From: "Peer-to-Peer (Support)" 
To: "Message Sniffer Community" 
Sent: Monday, May 10, 2010 9:21 AM
Subject: [sniffer] Volume spike Mon 9AM EST


Just checking to see if anyone else is seeing a massive spike in volume.
Something started occurring around 9AM EST.  Not yet sure what's happening.

Wondering if this is a global attack or simply local to our system?

Anyone seeing unusual activity - high volume?



--Paul R.





[sniffer] Re: RulePanic on 3059196

2010-04-06 Thread Darin Cox
Hi Pete,

Thanks.

Yes, we did submit a report, but it appears the rule used the wrong set of 
message headers and filtered our customer instead of the spam they were 
reporting.

Darin.


- Original Message - 
From: "Pete McNeil" 
To: "Message Sniffer Community" 
Sent: Tuesday, April 06, 2010 1:25 PM
Subject: [sniffer] Re: RulePanic on 3059196


On 4/6/2010 12:48 PM, Darin Cox wrote:
> Hi Pete,
>
> We've put a RulePanic in for 3059196, as we're getting a lot of FPs on it.
>
> Can you look at this rule, and/or let me know what it is?
>

The rule is a bit.ly link found in spamtraps.
The link leads to a specific constant-contact list sign-up page.
Message 41510774 was the source -- apparently submitted as spam by your
system.
I will contact you off list with that information.
I have excluded the rule.

_M





[sniffer] Re: RulePanic on 3059196

2010-04-06 Thread Darin Cox
Hi Pete,

We've put a RulePanic in for 3059196, as we're getting a lot of FPs on it.

Can you look at this rule, and/or let me know what it is?

Thanks,

Darin.



[sniffer] Re: RulePanic on 2908567

2010-02-03 Thread Darin Cox
Gotcha.  Thanks, Pete.

Darin.


- Original Message - 
From: "Pete McNeil" 
To: "Message Sniffer Community" 
Sent: Wednesday, February 03, 2010 10:06 AM
Subject: [sniffer] Re: RulePanic on 2908567


Darin Cox wrote:
> We're still seeing hits.  I assume the rule removal hasn't propagated to 
> our
> rulebase yet?
>
> BTW, we were seeing hits on the rule across a broad range of emails that
> related to passport.com.
>

The rule will be missing from your next update if it's not already gone
when you get this.
In any case your panic entry makes it inert.
The latest data from the rule panic watcher does not show any further
hits -- so it seems to be gone from most systems already.

_M




[sniffer] Re: RulePanic on 2908567

2010-02-03 Thread Darin Cox
We're still seeing hits.  I assume the rule removal hasn't propagated to our 
rulebase yet?

BTW, we were seeing hits on the rule across a broad range of emails that 
related to passport.com.

Darin.


- Original Message - 
From: "Pete McNeil" 
To: "Message Sniffer Community" 
Sent: Wednesday, February 03, 2010 9:41 AM
Subject: [sniffer] Re: RulePanic on 2908567


Darin Cox wrote:
> We're noticing a lot of FPs on this rule, and have added a RulePanic
> entry.
>
> Pete, is there a problem with it?
The rule was for passport.com -- it has already been removed.

_M




[sniffer] Re: RulePanic on 2908567

2010-02-03 Thread Darin Cox
Update on this rule.  Hits started at ~9:20am ET.  We saw 365 hits in 40 
minutes before we added the rule panic, of which ~5% were FPs. We pulled it 
since that is a large number of FPs for a single rule.

In the next 20 minutes there were another 158 hits logged, but with the rule 
panic in place.

Darin.


- Original Message - 
From: Darin Cox 
To: Message Sniffer Community 
Sent: Wednesday, February 03, 2010 9:02 AM
Subject: [sniffer] RulePanic on 2908567


We're noticing a lot of FPs on this rule, and have added a RulePanic entry.

Pete, is there a problem with it?

Darin.
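
The sequence Darin describes in this thread (a burst of hits on a freshly added rule, a rule-panic entry to make it inert, then watching for the hits to stop once the rule is pulled from the rulebase) can be watched for automatically. The following is an added example, not code from the thread or from Message Sniffer: the log line layout, the "new rule means a rule ID above the last known watermark" heuristic and the thresholds are all assumptions made for the example.

```python
"""Rule-hit burst watcher: an added example, not code from the thread or from
Message Sniffer. The log layout below and the 'new rule = rule ID above the
last known watermark' heuristic are assumptions made for the example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical layout (one rule hit per line).
SAMPLE_LOG = """\
2010-02-03 09:20:10 rule=2908567 rcpt=joe@cust-a.example
2010-02-03 09:21:00 rule=2908567 rcpt=ann@cust-b.example
2010-02-03 09:22:30 rule=2711000 rcpt=ann@cust-b.example
2010-02-03 09:25:45 rule=2908567 rcpt=sue@cust-c.example
2010-02-03 09:31:12 rule=2908567 rcpt=bob@cust-d.example
2010-02-03 09:40:05 rule=2711000 rcpt=joe@cust-a.example
2010-02-03 10:05:00 rule=2908567 rcpt=tim@cust-e.example
"""


def parse_log(text):
    """Return a list of (timestamp, rule_id, recipient_domain) tuples."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, clock, rule_field, rcpt_field = line.split()
        ts = datetime.fromisoformat(f"{day} {clock}")
        rule_id = int(rule_field.split("=", 1)[1])
        domain = rcpt_field.split("=", 1)[1].rsplit("@", 1)[1].lower()
        hits.append((ts, rule_id, domain))
    return hits


def burst_candidates(hits, known_max_rule, window=timedelta(minutes=40), min_hits=3):
    """Rules newer than the last known rulebase (assumption: rule IDs grow
    monotonically) that fire min_hits or more times inside any sliding window.
    These are the ones worth a rule-panic entry while someone checks the
    hits by hand for false positives."""
    by_rule = defaultdict(list)
    for ts, rule_id, domain in hits:
        if rule_id > known_max_rule:
            by_rule[rule_id].append((ts, domain))
    found = []
    for rule_id, events in sorted(by_rule.items()):
        events.sort()
        times = [ts for ts, _ in events]
        peak, start = 0, 0
        for i, ts in enumerate(times):
            while ts - times[start] > window:  # slide the window's left edge
                start += 1
            peak = max(peak, i - start + 1)
        if peak >= min_hits:
            found.append({
                "rule": rule_id,
                "first_seen": times[0].isoformat(sep=" "),
                "peak_hits": peak,
                "domains": len({d for _, d in events}),
            })
    return found


def still_active(hits, panic_ids, since):
    """Hits per panicked rule at or after `since`. A rule that keeps logging
    hits is still in the rulebase (the panic entry keeps it inert); a rule
    at zero has been pulled and its panic entry can be retired."""
    since_ts = datetime.fromisoformat(since)
    counts = {rule_id: 0 for rule_id in panic_ids}
    for ts, rule_id, _ in hits:
        if rule_id in counts and ts >= since_ts:
            counts[rule_id] += 1
    return counts


if __name__ == "__main__":
    sample_hits = parse_log(SAMPLE_LOG)
    for candidate in burst_candidates(sample_hits, known_max_rule=2800000):
        print("candidate for rule panic:", candidate)
    print(still_active(sample_hits, {2908567, 2711000}, "2010-02-03 09:45:00"))
```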



[sniffer] RulePanic on 2908567

2010-02-03 Thread Darin Cox
We're noticing a lot of FPs on this rule, and have added a RulePanic entry.

Pete, is there a problem with it?

Darin.



[sniffer] Re: Testing a black-list,.. want to help?

2010-01-22 Thread Darin Cox
Hi Pete,

We would be interested in testing the DNSBL.

Darin.


- Original Message - 
From: "Pete McNeil" 
To: "Message Sniffer Community" 
Sent: Friday, January 22, 2010 12:48 PM
Subject: [sniffer] Testing a black-list,.. want to help?


Hello sniffer folks,

I'm testing a dns based blocking list for a future product release.
The list works in the usual way and is derived from GBUdb IP reputation 
data.
The list I want to test contains IPs that are statistically in the 
Truncate range from the perspective of the larger cloud.

If you are interested in testing this for a time please email support@ 
and we will give you the domain for the list.

This might be particularly helpful for you if you are using a system 
that takes connections first and filters later.

We only have a few slots open for testing.

Thanks!

_M




[sniffer] Re: RulePanic on 2654821

2009-09-08 Thread Darin Cox
We had a lot... 534 hits between 3:26 and 4:41pm ET, which is when we added the 
rule panic.  It appears the rule was added in a rulebase that was automatically 
updated at 3:26pm ET.

Pete?  Status?

Darin.


- Original Message - 
From: Colbeck, Andrew 
To: Message Sniffer Community 
Sent: Tuesday, September 08, 2009 5:19 PM
Subject: [sniffer] Re: RulePanic on 2654821


The scores over here for the messages that trigger on rule 2654821 today:

spam that hit the rule: 4
... and were porn: 0
ham that was held by my weight system: 5
ham that was allowed by my weight system: 3
subsequent panic log lines: 139

Thanks for the heads up, Darin.

I was able to re-queue those 5 good messages without the users ever having to 
call the Helpdesk.


Andrew 8)





From: Message Sniffer Community [mailto:snif...@sortmonster.com] On Behalf Of 
Darin Cox
Sent: Tuesday, September 08, 2009 1:49 PM
To: Message Sniffer Community
Subject: [sniffer] Re: RulePanic on 2654821


Neglected to mention it is a Sniffer-Porn rule.

Darin.


- Original Message - 
From: Darin Cox 
To: Message Sniffer Community 
Sent: Tuesday, September 08, 2009 4:47 PM
Subject: [sniffer] RulePanic on 2654821


We had to put a RulePanic on 2654821.  We were getting a ton of FPs on it.

Pete, let us know what's going on with this rule, please.

Darin.



[sniffer] Re: RulePanic on 2654821

2009-09-08 Thread Darin Cox
Neglected to mention it is a Sniffer-Porn rule.

Darin.


- Original Message - 
From: Darin Cox 
To: Message Sniffer Community 
Sent: Tuesday, September 08, 2009 4:47 PM
Subject: [sniffer] RulePanic on 2654821


We had to put a RulePanic on 2654821.  We were getting a ton of FPs on it.

Pete, let us know what's going on with this rule, please.

Darin.



[sniffer] RulePanic on 2654821

2009-09-08 Thread Darin Cox
We had to put a RulePanic on 2654821.  We were getting a ton of FPs on it.

Pete, let us know what's going on with this rule, please.

Darin.



[sniffer] Re: Problem with Sniffer-Porn rule this morning

2008-07-18 Thread Darin Cox
Hmmm... I don't think the rule was already pulled.  We update our rulebase upon 
receipt of the notification of a new rulebase being available, and according to 
our logs the rule was in until at least 11:24am EDT.

Darin.


- Original Message - 
From: Pete McNeil 
To: Message Sniffer Community 
Sent: Friday, July 18, 2008 12:12 PM
Subject: [sniffer] Re: Problem with Sniffer-Porn rule this morning


Hello Darin,

Friday, July 18, 2008, 9:37:18 AM, you wrote:

> Pete,
>
> There appears to be a problem with rule 1984485 this morning.  I'm 
> getting a number of FP hits on it from AOL users.

The rule has been pulled already.

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer] Re: Problem with Sniffer-Porn rule this morning

2008-07-18 Thread Darin Cox
Yes.  The rule is inert.  However, according to the logs the rule would have 
been hit 27 more times had we not added the rule panic.

Darin.


- Original Message - 
From: Pete McNeil 
To: Message Sniffer Community 
Sent: Friday, July 18, 2008 12:16 PM
Subject: [sniffer] Re: Problem with Sniffer-Porn rule this morning


Hello Darin,

Friday, July 18, 2008, 11:39:47 AM, you wrote:

> We had 18 hits on it from ~6:40-9:30am EDT before putting in the rule 
> panic, 5 of which reached our hold weight.  We've had 27 more hits since adding 
> the rule panic.

When a rule panic is in place the rule should be inert.

Please check your snf_engine_cfg.log to see if the rule panic was picked up in 
your configuration.

Best,

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer] Re: Problem with Sniffer-Porn rule this morning

2008-07-18 Thread Darin Cox
We had 18 hits on it from ~6:40-9:30am EDT before putting in the rule panic, 5 
of which reached our hold weight.  We've had 27 more hits since adding the rule 
panic.

Darin.


- Original Message - 
From: Colbeck, Andrew 
To: Message Sniffer Community 
Sent: Friday, July 18, 2008 11:30 AM
Subject: [sniffer] Re: Problem with Sniffer-Porn rule this morning


I also have hit this. A single hit, also from AOL.


Andrew.





From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Friday, July 18, 2008 6:37 AM
To: Message Sniffer Community
Subject: [sniffer] Problem with Sniffer-Porn rule this morning


Pete,

There appears to be a problem with rule 1984485 this morning.  I'm getting a 
number of FP hits on it from AOL users.

Darin.


[sniffer] Re: Problem with Sniffer-Porn rule this morning

2008-07-18 Thread Darin Cox
Any word on this?

Darin.


- Original Message - 
From: Darin Cox 
To: Message Sniffer Community 
Sent: Friday, July 18, 2008 9:37 AM
Subject: [sniffer] Problem with Sniffer-Porn rule this morning


Pete,

There appears to be a problem with rule 1984485 this morning.  I'm getting a 
number of FP hits on it from AOL users.

Darin.


[sniffer] Problem with Sniffer-Porn rule this morning

2008-07-18 Thread Darin Cox
Pete,

There appears to be a problem with rule 1984485 this morning.  I'm getting a 
number of FP hits on it from AOL users.

Darin.


[sniffer] Re: Backscatter Spam

2008-06-29 Thread Darin Cox
SPF does help, and we've used it for about three years here, but only when the 
domain being forged has an SPF policy.  So, it's most useful when the recipient 
domain is being forged as the sender as well.

We've seen some joe job attacks with bounces around 25k to a single address.  
We filtered about 85% of those, but that still meant the customer received a 
bit under 4k.   We've since tweaked our NULL sender filter to catch more, but 
at the risk of catching some read receipts, automated replies, etc.  With 
volumes this high, even 99% filtering results in a huge hit (250 bounces) from 
the customer's perspective.  We're working to get to the 99.9% level consistent 
with the rest of our filtering.

Darin.


- Original Message - 
From: E. H. (Eric) Fletcher 
To: Message Sniffer Community 
Sent: Saturday, June 28, 2008 11:56 PM
Subject: [sniffer] Re: Backscatter Spam


Matt:

We also found SPF records did the trick on the high volume returns to several 
domains especially from some of the appliances.  

Eric
  - Original Message - 
  From: Mxuptime.com 
  To: Message Sniffer Community 
  Sent: Saturday, June 28, 2008 8:50 PM
  Subject: [sniffer] Re: Backscatter Spam


  Interesting idea but the BATV appears to be something that you would need to 
run on the MTA level (i.e. the MailServer would need to support the 
functionality) because it rewrites the return address on outgoing emails.

  On a side note, I have noticed a significant drop in backscatter when SPF is 
implemented for the particular domain. Most of the backscatter appears to come 
from valid antispam appliances like the Barracuda boxes which would normally 
use SPF. These devices perform the SPF test during the SMTP connection and 
reject it immediately as opposed to bouncing the message back. So the SPF does 
help.

  -Matt

  From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of 
Matthew J. Grim
  Sent: Sunday, June 29, 2008 1:25 AM
  To: Message Sniffer Community
  Subject: [sniffer] Re: Backscatter Spam

  As an aside, Mdaemon has an excellent backscatter prevention system.

  They appear to be using BATV, an internet draft at the moment.

  Matt in Tampa
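
The BATV return-path rewriting Matt mentions and the NULL-sender filtering Darin describes fit together as follows: outgoing mail gets a signed, expiring tag in its envelope sender, and an incoming bounce is accepted only if it is addressed to a tag we actually issued, which is what lets joe-job backscatter be dropped without catching legitimate bounces. This is an added example, not code from the thread, from MDaemon or from the BATV draft itself: it implements a simplified PRVS-style tag (key id, expiry day, truncated HMAC) whose exact layout, validity period and secret key are assumptions.

```python
"""Simplified BATV/PRVS-style bounce address tagging: an added example, not
code from the thread. Tag layout, validity period and key are assumptions."""
import hmac
import hashlib
from datetime import date

SECRET_KEY = b"constructed-example-key"  # assumption: kept in MTA config in practice
KEY_ID = "0"        # single-digit key number, so keys can be rotated
VALID_DAYS = 7      # how long a tagged return path stays acceptable


def _day(iso_date):
    """Day number modulo 1000: the compact expiry field carried in the tag."""
    return date.fromisoformat(iso_date).toordinal() % 1000


def _sig(key_id, expiry, address):
    """Six hex digits of an HMAC over key id, expiry day and the original address."""
    msg = f"{key_id}{expiry:03d}{address}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha1).hexdigest()[:6]


def sign_return_path(address, sent_on):
    """Rewrite MAIL FROM for outgoing mail: user@dom -> prvs=KDDDSSSSSS=user@dom."""
    local, domain = address.rsplit("@", 1)
    expiry = (_day(sent_on) + VALID_DAYS) % 1000
    tag = f"{KEY_ID}{expiry:03d}{_sig(KEY_ID, expiry, address)}"
    return f"prvs={tag}={local}@{domain}"


def verify_bounce_recipient(rcpt, received_on):
    """Check the RCPT TO of a null-sender (bounce) message. Returns (ok, detail)."""
    if not rcpt.startswith("prvs="):
        return False, "untagged: we never sent mail with this return path"
    parts = rcpt.split("=", 2)
    if len(parts) != 3 or len(parts[1]) != 10:
        return False, "malformed tag"
    tag, original = parts[1], parts[2]
    key_id, expiry_s, sig = tag[0], tag[1:4], tag[4:]
    if key_id != KEY_ID or not expiry_s.isdigit():
        return False, "unknown key id or bad expiry field"
    expiry = int(expiry_s)
    if not hmac.compare_digest(sig, _sig(KEY_ID, expiry, original)):
        return False, "signature mismatch: forged or tampered tag"
    # Modulo-1000 arithmetic: a live tag is 0..VALID_DAYS days ahead of today,
    # an expired one wraps around to a large value.
    days_left = (expiry - _day(received_on)) % 1000
    if days_left > VALID_DAYS:
        return False, "tag expired"
    return True, original


def filter_inbound(mail_from, rcpt_to, received_on):
    """Decision for one inbound envelope; only null-sender mail is subject to BATV."""
    if mail_from != "<>":
        return "accept"
    ok, detail = verify_bounce_recipient(rcpt_to, received_on)
    return "accept" if ok else f"reject ({detail})"


if __name__ == "__main__":
    signed = sign_return_path("alice@example.com", "2008-06-28")
    print("outgoing MAIL FROM:", signed)
    print("genuine bounce:", filter_inbound("<>", signed, "2008-06-30"))
    print("joe-job backscatter:", filter_inbound("<>", "alice@example.com", "2008-06-30"))
```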


[sniffer] Re: Excessive amounts of spam

2007-12-20 Thread Darin Cox
I've heard comments that it has a higher catch rate... how about FP rate? 
Higher, the same, or lower?

Darin.


- Original Message - 
From: "Pi-Web - Frank Jensen" <[EMAIL PROTECTED]>
To: "Message Sniffer Community" 
Sent: Thursday, December 20, 2007 4:17 PM
Subject: [sniffer] Re: Excessive amounts of spam



We have been running it for - I guess - 2 month now without any trouble.


> How stable is the beta version?
>
>
>
> Regards David Moore
> [EMAIL PROTECTED] 
>
> J.P. MCP, MCSE, MCSE + INTERNET, CNE.
> www.adsldirect.com.au  for ADSL and
> Internet www.romtech.com.au  for PC sales
>
> Office Phone: (+612) 9453 1990
> Fax Phone: (+612) 9453 1880
> Mobile Phone: +614 18 282 648
> Skype Phone: ADSLDIRECT
>
> POSTAL ADDRESS:
> PO BOX 190
> BELROSE NSW 2085
> AUSTRALIA.
>
> -
>
> This email message is only intended for the addressee(s) and contains
> information that may be confidential, legally privileged and/or
> copyright. If you are not the intended recipient please notify the
> sender by reply email and immediately delete this email. Use, disclosure
> or reproduction of this email, or taking any action in reliance on its
> contents by anyone other than the intended recipient(s) is strictly
> prohibited. No representation is made that this email or any attachments
> are free of viruses. Virus scanning is recommended and is the
> responsibility of the recipient.
>
> -
>
>
>
> *From:* Message Sniffer Community [mailto:[EMAIL PROTECTED] *On
> Behalf Of *Pete McNeil
> *Sent:* Friday, 21 December 2007 8:10 AM
> *To:* Message Sniffer Community
> *Subject:* [sniffer] Re: Excessive amounts of spam
>
>
>
> Hello David,
>
>
>
> Thursday, December 20, 2007, 3:25:45 PM, you wrote:
>
>
>
>>
>
>
>
> Ø  If you are not yet running the latest beta then that might help quite
> a bit since the GBUdb (IP reputation system) does a good job capturing
> new spam from old bots even before rules are coded.
>
> Please clarify are you saying it would help if we had the beta installed?
>
>
>
> Yes.
>
>
>
> The new GBUdb engine reduces leakage quite a bit. As more systems adopt
> the new version this will improve even more. Most new spam campaigns are
> started with some large fraction of existing bots. Messages from bots
> that have already been identified will be blocked even before new
> content rules can be generated (if needed).
>
>
>
> _M
>
>
>
>
>
>
>
>
>
> -- 
>
> Pete McNeil
>
> Chief Scientist,
>
> Arm Research Labs, LLC.
>


-- 
Kind regards, Frank Jensen
[EMAIL PROTECTED]
www.pi.dk

Impressive, fascinating and huge
Posters, e.g. 149 x 149 = 629 kr
We can also make a poster from your digital photo

www.plakatkunst.dk





[sniffer] Re: re subscriptions to list

2007-11-29 Thread Darin Cox
Either unsubscribe/resubscribe or "Send administrative queries to 
<[EMAIL PROTECTED]>"

Darin.


- Original Message - 
From: "David Payer - IowaLink Administrator" <[EMAIL PROTECTED]>
To: "Message Sniffer Community" 
Sent: Thursday, November 29, 2007 11:51 AM
Subject: [sniffer] re subscriptions to list


OK John. The basics. The person asked to change the address he was
subscribed with. Could it be possible he doesn't have access to the old
address and therefore can't unsubscribe and then resubscribe?

Cut the guy some slack. Don't be so quick to criticize someone.

I had seen the list of addresses at the bottom. Among them how does one
change an address without unsubscribing, resubscribing?  Please re-read that
sentence before replying.

D


- Original Message - 
From: "John T (lists)" <[EMAIL PROTECTED]>
To: "Message Sniffer Community" 
Sent: Thursday, November 29, 2007 10:29 AM
Subject: [S][sniffer] Re: [S][sniffer] Re: Please send email to
[EMAIL PROTECTED]


> Maybe try reading the entire email before you ask. It is at the bottom of
> EVERY post.
>
> John T
>
>
>> -Original Message-
>> From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On
>> Behalf
> Of
>> David Payer - IowaLink Administrator
>> Sent: Thursday, November 29, 2007 8:17 AM
>> To: Message Sniffer Community
>> Subject: [sniffer] Re: [S][sniffer] Re: Please send email to
> [EMAIL PROTECTED]
>>
>> John, it is often less than clear as to how to do that. For example,
>> where
>> is our customer interface to change things?
>>
>> Is that link on the email?
>>
>> Is that link on the armresearch.com page?
>>
>> If you know this to be the case, please show us all.
>>
>> David P.
>>
>>
>>
>> - Original Message -
>> From: "John T (lists)" <[EMAIL PROTECTED]>
>> To: "Message Sniffer Community" 
>> Sent: Thursday, November 29, 2007 10:00 AM
>> Subject: [S][sniffer] Re: Please send email to [EMAIL PROTECTED]
>>
>>
>> > Please do what you are supposed to do and take responsibility to update
>> > your
>> > own subscription!
>> >
>> > John T
>>
>>
>>





[sniffer] Re: [S][sniffer] Re: Please send email to r...@bluscs.com

2007-11-29 Thread Darin Cox
Uhh... at the bottom of postings to the list are the links and information 
to do this.

Darin.


- Original Message - 
From: "David Payer - IowaLink Administrator" <[EMAIL PROTECTED]>
To: "Message Sniffer Community" 
Sent: Thursday, November 29, 2007 11:16 AM
Subject: [sniffer] Re: [S][sniffer] Re: Please send email to [EMAIL PROTECTED]


John, it is often less than clear as to how to do that. For example, where
is our customer interface to change things?

Is that link on the email?

Is that link on the armresearch.com page?

If you know this to be the case, please show us all.

David P.



- Original Message - 
From: "John T (lists)" <[EMAIL PROTECTED]>
To: "Message Sniffer Community" 
Sent: Thursday, November 29, 2007 10:00 AM
Subject: [S][sniffer] Re: Please send email to [EMAIL PROTECTED]


> Please do what you are supposed to do and take responsibility to update
> your
> own subscription!
>
> John T





[sniffer] Re: Address

2007-09-25 Thread Darin Cox
Probably not, but if you have the finder service exposed outside of your 
firewall (not recommended), then yes, this will help.  It has nothing to do 
with SPF.

Darin.


- Original Message - 
From: <[EMAIL PROTECTED]>
To: "Message Sniffer Community" 
Sent: Tuesday, September 25, 2007 12:52 PM
Subject: [sniffer] Re: Address


I have SPF's set up for all the domains I host.  There is a setting
in Imail that says Hide From Information Services.  That was off but
I just enabled it.  Is that a good thing [for me] or not?

At 06:38 PM 9/24/2007, you wrote:
>Hello Greg,
>
>Monday, September 24, 2007, 8:10:23 PM, you wrote:
>
> > Some of the spammers are apparently using my email address as the
> sender.  Any way to defeat
> > that or capitalize on it?  I get several bounces a week from all
> over the world.
>
>One little thing you can do if it's not done already is to set up
>proper SPF records for your domains. That will at least help others
>skip the malware using your addresses more easily.
>
>_M
>
>--
>Pete McNeil
>Chief Scientist,
>Arm Research Labs, LLC.
>
>

Thanks, Greg

CoffeyNet/AllureTech   v 307-473-2323
1546 E. Burlington  cell  307-259-7962
Casper, WY  82601  fax 307-237-3709
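Pete's suggestion above, worked through as an added example (not code from this list, from Message Sniffer or from IMail): a minimal SPF evaluator of the kind a receiving mail server runs. The domain owner publishes a TXT record listing which hosts may send mail for the domain; the receiver checks the connecting IP against that record and, on a hard "-all" failure, can reject the forged message outright, which is what keeps the bounces Greg describes from being generated in the first place. The DNS data, domain names and addresses below are constructed from documentation ranges, and the evaluator covers only the ip4/ip6/a/mx/include/all mechanisms.

```python
import ipaddress

# Constructed DNS answers standing in for real lookups (documentation ranges only).
CONSTRUCTED_DNS = {
    "TXT": {
        "example.com": "v=spf1 mx a:mail.example.com ip4:192.0.2.0/24 "
                       "include:_spf.example.net -all",
        "_spf.example.net": "v=spf1 ip4:198.51.100.10 ~all",
        "nospf.example": "",          # domain that publishes no SPF record
    },
    "A": {
        "mail.example.com": ["203.0.113.5"],
        "mx1.example.com": ["203.0.113.25"],
    },
    "MX": {
        "example.com": ["mx1.example.com"],
    },
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(rtype, name, dns):
    """Return the constructed answer for (rtype, name); empty when nothing is published."""
    return dns.get(rtype, {}).get(name, "" if rtype == "TXT" else [])


def ip_in(ip, network):
    """True when ip falls inside network; a bare address is treated as a /32 or /128."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(network, strict=False)


def check_spf(ip, domain, dns=CONSTRUCTED_DNS, depth=0):
    """Evaluate domain's SPF record for a connection from ip.

    Returns pass / fail / softfail / neutral / none (no record) / permerror
    (runaway include chain). Mechanisms are tested left to right and the
    qualifier of the first match decides, as in RFC 7208.
    """
    if depth > 10:
        return "permerror"
    record = lookup("TXT", domain, dns)
    if not record.startswith("v=spf1"):
        return "none"
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = ip_in(ip, arg)
        elif mech == "a":
            matched = ip in lookup("A", arg or domain, dns)
        elif mech == "mx":
            mx_hosts = lookup("MX", arg or domain, dns)
            matched = any(ip in lookup("A", host, dns) for host in mx_hosts)
        elif mech == "include":
            matched = check_spf(ip, arg, dns, depth + 1) == "pass"
        else:
            matched = False  # exists/ptr and modifiers are not modelled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def receiver_action(ip, mail_from_domain, dns=CONSTRUCTED_DNS):
    """What a receiving MTA might do with the result: reject only on a hard fail."""
    result = check_spf(ip, mail_from_domain, dns)
    if result == "fail":
        return "reject"           # forged sender: refused at SMTP time, no bounce generated
    if result == "softfail":
        return "accept-and-mark"  # hand to the scoring filters instead of rejecting
    return "accept"


if __name__ == "__main__":
    for ip in ("192.0.2.77", "203.0.113.25", "198.51.100.10", "198.51.100.99"):
        print(ip, check_spf(ip, "example.com"), receiver_action(ip, "example.com"))
```

A receiver that rejects on "fail" during the SMTP conversation never creates a bounce, so the forged "From" address is not the one that gets the backscatter; that is the benefit Pete is pointing at, and it only works for domains whose record ends in "-all" rather than "~all" or "?all".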




[sniffer] FPs on 1573590

2007-09-21 Thread Darin Cox
Hi Pete,

We're getting a number of FPs on SNIFFER-PORN rule 1573590.  The emails are 
clean, NOT porn-related, and no obvious pattern was in the emails that we could 
see that Sniffer might be FPing on.

Darin.



[sniffer] Re: New campaign not caught

2007-08-07 Thread Darin Cox
Just got one a short while ago.  Look at these headers:

Received: from p4248-ipbfp02matuyama.ehime.ocn.ne.jp [124.96.113.248] by 
mail.4cweb.com with ESMTP
  (SMTPD-8.22) id A0D001A0; Tue, 07 Aug 2007 12:41:52 -0400
Received: from [126.147.120.198] by p4248-ipbfp02matuyama.ehime.ocn.ne.jp with 
HTTP;
 Wed, 8 Aug 2007 01:42:17 +0900
Message-ID: <[EMAIL PROTECTED]>
From: <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Wire instructions-Moi
Date: Wed, 8 Aug 2007 01:42:01 +0900
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="=_NextPart_000_000C_01C7D95D.50E32D80"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3138

Note the "with HTTP;".  This looks detectable to me, since it also has OE 
headers.  Not sure if there is more to work with in the Message-ID and MIME 
boundaries.


Darin.


- Original Message - 
From: Scott Fisher 
To: Message Sniffer Community 
Sent: Tuesday, August 07, 2007 12:46 PM
Subject: [sniffer] New campaign not caught


Last night I started getting spam with numbers in the subject and a hex code in 
the body.



This morning that switched over to stock spam PDFs.



Hopefully rules can be targeted towards them!



Scott Fisher

Dir of IT

Farm Progress Companies

191 S Gary Ave

Carol Stream, IL 60188

Tel: 630-462-2323



This email message, including any attachments, is for the sole use of the 
intended recipient(s) and may contain confidential and privileged information. 
Any unauthorized review, use, disclosure or distribution is prohibited. If you 
are not the intended recipient, please contact the sender by reply email and 
destroy all copies of the original message. Although Farm Progress Companies 
has taken reasonable precautions to ensure no viruses are present in this 
email, the company cannot accept responsibility for any loss or damage arising 
from the use of this email or attachments.




[sniffer] Re: July 18

2007-07-18 Thread Darin Cox
There have been a lot reported today.  It started for us about 8:30am.

We use Declude and added a filter to catch messages with subjects starting 
with "Emailing:", ending with ".pdf" and having a body containing "The 
message is ready to be sent with the following file or link".  This 
combination may result in false positives, but has not for us today.  The 
headers appear too varied to identify anything in them for use in the 
filtering process.

Darin.


- Original Message - 
From: <[EMAIL PROTECTED]>
To: "Message Sniffer Community" 
Sent: Wednesday, July 18, 2007 3:38 PM
Subject: [sniffer] July 18


Not sure what is up but I'm seeing lots of messages getting through
to my primary folder since yesterday.  Lots of .pdf
attachments  -  Just checked and 10/11 were spam messages in my inbox.




Thanks, Greg

CoffeyNet/AllureTech   v 307-473-2323
1546 E. Burlington  cell  307-259-7962
Casper, WY  82601  fax 307-237-3709
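The two hand-built detections in these threads, Darin's "with HTTP" plus Outlook Express header combination from the "New campaign not caught" post above and his Declude subject/body filter for the "Emailing: ... .pdf" run, as one added example in Python. It is not code from Message Sniffer or Declude; the sample messages are constructed (documentation domains, the Outlook Express version string from the posted headers), each is parsed with the standard library, and `classify` reports which rules fire. The third sample has the Outlook Express headers but no webmail hop, showing that the first rule needs both halves before it fires.

```python
import re
from email import message_from_string

WITH_HTTP = re.compile(r"\bwith\s+HTTP\b", re.IGNORECASE)
OE_MAILER = re.compile(r"Outlook Express|Microsoft MimeOLE", re.IGNORECASE)
PDF_PHRASE = "the message is ready to be sent with the following file or link"


def body_text(msg):
    """Concatenate the decoded text/plain parts, walking multipart bodies."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def rule_http_plus_oe(msg):
    """A Received hop that claims webmail ("with HTTP") on a message whose
    client headers claim Outlook Express: the two do not belong together."""
    received = msg.get_all("Received") or []
    claims_http = any(WITH_HTTP.search(hop) for hop in received)
    claims_oe = any(OE_MAILER.search(msg.get(h, "")) for h in ("X-Mailer", "X-MimeOLE"))
    return claims_http and claims_oe


def rule_emailing_pdf(msg):
    """Subject 'Emailing: <name>.pdf' plus the Outlook 'ready to be sent' body line."""
    subject = (msg.get("Subject") or "").strip()
    return (subject.startswith("Emailing:")
            and subject.lower().endswith(".pdf")
            and PDF_PHRASE in body_text(msg).lower())


RULES = {"http-plus-oe": rule_http_plus_oe, "emailing-pdf": rule_emailing_pdf}


def classify(raw_message):
    """Return the names of the rules that fire on one RFC 822 message string."""
    msg = message_from_string(raw_message)
    return [name for name, rule in RULES.items() if rule(msg)]


# Constructed samples (not real mail); hosts and addresses use documentation names.
SAMPLE_WEBMAIL_OE = """\
Received: from host.example [192.0.2.10] by mail.example.com with ESMTP;
  Tue, 07 Aug 2007 12:41:52 -0400
Received: from [198.51.100.7] by host.example with HTTP;
  Wed, 8 Aug 2007 01:42:17 +0900
From: <sender@example.net>
To: <user@example.com>
Subject: Wire instructions
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3138

Please see the attached.
"""

SAMPLE_PDF = """\
Received: from host.example [192.0.2.11] by mail.example.com with ESMTP;
  Wed, 18 Jul 2007 08:30:00 -0400
From: <someone@example.org>
To: <user@example.com>
Subject: Emailing: invoice.pdf
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="us-ascii"

The message is ready to be sent with the following file or link
attachments: invoice.pdf

--BOUNDARY
Content-Type: application/pdf; name="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--BOUNDARY--
"""

SAMPLE_CLEAN = """\
Received: from host.example [192.0.2.12] by mail.example.com with ESMTP;
  Wed, 18 Jul 2007 09:00:00 -0400
From: <colleague@example.com>
To: <user@example.com>
Subject: Re: lunch
X-Mailer: Microsoft Outlook Express 6.00.2900.3138

Noon works for me.
"""

if __name__ == "__main__":
    for label, raw in (("webmail+OE", SAMPLE_WEBMAIL_OE), ("pdf", SAMPLE_PDF),
                       ("clean", SAMPLE_CLEAN)):
        print(label, classify(raw))
```

As Darin notes, the second rule can produce false positives, since a real Outlook user sending a PDF produces exactly that subject and body line; in a scoring setup like Declude it belongs as a weight added to other tests rather than as an outright reject.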




[sniffer] Re: Spam

2007-05-30 Thread Darin Cox
Fortunately with Outlook Express we have the Ctrl-W function to initiate the 
forwarding process.  Then we can just type in the first few characters of the 
address and hit Alt-S to send.  Not as quick as a single button, but much 
quicker than Outlook without this toolbar.  Takes me about 4 seconds per 
message.

Darin.


- Original Message - 
From: Bonno Bloksma 
To: Message Sniffer Community 
Sent: Wednesday, May 30, 2007 2:09 AM
Subject: [sniffer] Re: Spam


Hi,

> I recommend "SpamSource", if you are an Outlook user. It's a little
> toolbar applet that you can configure any recipient of the forwarded spam
> and it will include all the original mail headers - just the way Sniffer,
[]
It is a wonderful tool! Thanks Andy

Nobody pays us for our work of reporting not cached messages.
The Sniffer staff should offer this tool to our community for free ;-)

Hmmm, if they do I would love to have it for Outlook Express as well.
It seems a great tool, especially now that we see a lot of missed spam. It would 
be great if I had a tool to deploy on all staff PCs where we use Outlook 
Express mostly (ca. 90%).
One other thing that would be nice is if the IMail web interface had a way to forward 
spam with all information intact.




Kind regards,
Bonno Bloksma
head of systems administration



tio hogeschool hotelmanagement en toerisme 
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED]  / www.tio.nl 

[sniffer] Re: ordb.org

2007-05-23 Thread Darin Cox
Most blacklists report failure on every lookup for a while before they go
completely offline, so that's probably what's happening here.

Darin.


- Original Message - 
From: <[EMAIL PROTECTED]>
To: "Message Sniffer Community" 
Sent: Wednesday, May 23, 2007 8:02 PM
Subject: [sniffer] ordb.org


I've noticed quite a few false positives and started some
research.  Many show hits from ORDB.  Apparently ordb.org shut down
late in 2006 but it's still in my mxguard config.  How can it be
coming up with hits when there is no server to check against?  What
blacklists do you recommend that we use?




Thanks, Greg

CoffeyNet/AllureTech   v 307-473-2323
1546 E. Burlington  cell  307-259-7962
Casper, WY  82601  fax 307-237-3709
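A check for the situation Greg and Darin describe, as an added example (not mxGuard's or Message Sniffer's code): before a DNS blacklist's answer is counted, the list itself is tested. A DNSBL is queried by reversing the IPv4 octets under the list's zone, and an A answer means "listed". RFC 5782 requires a working list to answer for 127.0.0.2 and never for 127.0.0.1, so a list whose servers have gone away, or one that now answers for every address, can be recognised and set aside instead of producing hits. The resolver functions and addresses below are constructed; `system_resolver` is the only one that does real DNS and is not used in the demonstration.

```python
import ipaddress
import socket


def dnsbl_name(ip, zone):
    """Build the query name: reversed octets under the list's zone."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".") + "."


def system_resolver(name):
    """Real lookup through the OS resolver: A records, or None when the name does
    not resolve. gethostbyname cannot tell NXDOMAIN from a timeout, which is fine
    here because either way dnsbl_is_sane reports the list as unusable."""
    try:
        return [socket.gethostbyname(name)]
    except socket.gaierror:
        return None


# Constructed resolvers standing in for three kinds of list (no network used).
LISTED_ADDRESSES = {"192.0.2.77"}           # constructed "known spam source"


def healthy_resolver(name):
    """Answers the RFC 5782 test address and the constructed listed address only."""
    answers = {dnsbl_name("127.0.0.2", "bl.example")}
    answers |= {dnsbl_name(ip, "bl.example") for ip in LISTED_ADDRESSES}
    return ["127.0.0.2"] if name in answers else None


def dead_resolver(name):
    """A list whose servers are gone: every query fails."""
    raise TimeoutError("no response for " + name)


def lists_everything_resolver(name):
    """A list that answers positively for any name, including 127.0.0.1."""
    return ["127.0.0.2"]


def dnsbl_is_sane(zone, resolve):
    """RFC 5782 self-test: 127.0.0.2 must be listed and 127.0.0.1 must not be."""
    try:
        test_listed = resolve(dnsbl_name("127.0.0.2", zone))
        loopback_listed = resolve(dnsbl_name("127.0.0.1", zone))
    except OSError:                      # TimeoutError and socket errors are OSError
        return False
    return bool(test_listed) and not loopback_listed


def dnsbl_check(ip, zone, resolve):
    """Return 'listed', 'clean' or 'unusable'; only the first two should score."""
    if not dnsbl_is_sane(zone, resolve):
        return "unusable"
    try:
        answer = resolve(dnsbl_name(ip, zone))
    except OSError:
        return "unusable"
    return "listed" if answer else "clean"


if __name__ == "__main__":
    for label, resolver in (("healthy", healthy_resolver),
                            ("dead", dead_resolver),
                            ("lists-everything", lists_everything_resolver)):
        print(label, dnsbl_check("192.0.2.77", "bl.example", resolver),
              dnsbl_check("192.0.2.78", "bl.example", resolver))
```

In production the self-test result would be cached for a few minutes rather than repeated on every message, and a list that fails it should be logged and dropped from the configuration, which is the step that was missing when the retired ordb.org entry kept contributing to scores.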



[sniffer] Re: Bad rule alert - minor, but notable...

2007-05-01 Thread Darin Cox
Thanks, Pete.  I figured it was something like that.

Appreciate your diligence!

Darin.


- Original Message - 
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: "Message Sniffer Community" 
Sent: Tuesday, May 01, 2007 12:42 PM
Subject: [sniffer] Bad rule alert - minor, but notable...


Hello Sniffer Folks,

Yesterday evening around 1600 E we created a few rules that contained
errors. Those errors were discovered in the early hours this morning
and the rules were removed as part of our normal QC review process.

The rule IDs are: 1408245 and 1408196.

It does not appear that these rules have caused a lot of trouble - but
we have seen enough related False Positive submissions today that I
thought it would be worth mentioning.

Those of you who do have searchable quarantine systems might consider
releasing any messages that were quarantined based on these rules.

Hope this helps,

Thanks,

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.



[sniffer] Re: Lots of stock spam getting through

2007-02-05 Thread Darin Cox
We had a ton pass by Sniffer before they added rules for it, but fortunately
some of our phrase filters caught them.

Darin.


- Original Message - 
From: "Joey Lindstrom" <[EMAIL PROTECTED]>
To: "Message Sniffer Community" 
Sent: Monday, February 05, 2007 4:59 PM
Subject: [sniffer] Re: Lots of stock spam getting through


Monday, February 5, 2007, 2:35:25 PM, Chuck wrote:

> We are seeing a major increase in stock spam today with the subject "think
> about it" "think of it"  - Sniffer is not catching these yet.  I checked
and
> our rulebase is up to date.

I had some slip past Message Sniffer but get caught by SpamAssassin.  I
had a whole bunch get caught by both - so I'm guessing the problem's
been fixed.

-- 
Joey Lindstrom





[sniffer] Re: Pictures worth a few words...

2007-01-16 Thread Darin Cox
Yep... noticed.  Dictionary attacks also stepped up significantly.

Darin.


- Original Message - 
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: "Message Sniffer Community" 
Sent: Tuesday, January 16, 2007 10:42 AM
Subject: [sniffer] Pictures worth a few words...


Hello Sniffer Folks,

I'm sure most of you already know about the recent dramatic increases
in blackhat activity. These two graphs show what it looks like from
our spamtrap & submission data-- graphs represent new spam and/or
variants in messages per hour, past 48 hours and past 30 days.

Note on the 48 hour graph that 20 hours ago the rates doubled (as if
somebody "flipped a switch") and this does not appear to be a spike
(It's not coming down).

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.







[sniffer] Re: FTP server / firewall issues - Resolved.

2007-01-05 Thread Darin Cox
Hmmm... ok.  I guess I tend to oversimplify at times.  I tended to think of
FTP being more complex than HTTP like a fork being more complex than a
spoon - both being so ubiquitous that use and support for both are expected
and well understood, but you and Matt both have excellent points.

I'll shut up now and go get some much-needed sleep.  You do the same... the
sleep part, that is.  You can talk or type during, if you like...

Darin.


- Original Message - 
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: "Message Sniffer Community" 
Sent: Saturday, January 06, 2007 1:19 AM
Subject: [sniffer] Re: FTP server / firewall issues - Resolved.


Hello Darin,

Friday, January 5, 2007, 11:22:54 PM, you wrote:

> Thanks, Pete.  Appreciate you taking the time to explain what's happening
in
> more detail.

> I'm curious as to why FTP is more difficult than HTTP to debug, deploy,
> secure, and scale, though. I tend to think of them on equal footing, with
> the exception of FTP being faster and more efficient to transfer files in
my
> experience.

Technically, ftp is a challenge because it requires two pipes instead
of one. In the case of active ftp (old school I know, but still out
there), the server has to actually create a connection back to the
client -- if there is a client firewall in place that often won't (and
probably shouldn't) work.

The "shouldn't" part has to do with security-- there's no good reason
to allow incoming connections to anything other than a server (most of
the time).

If the inbound connection is to a server it is a good rule of thumb
that the inbound connection should ONLY be allowed for some service
that server is itself providing. Other ports should be strictly
off-limits.

Some of this can be simplified for the client side of things with
passive FTP... but what about on our end? With FTP of any kind we have
to have a lot more "holes" in the firewall with FTP because that
second pipe has to come through somewhere -- and unless we're going to
serve only one client at a time that means lots of inbound ports left
open. (I know I'm oversimplifying).

Anyway - the advantages of HTTP, the way we are using it, are:

* HTTP is stateless and transaction oriented - that matches exactly
what we want in this case --- The request is simple (give me the file
if it's newer) and the response is just as simple (here's the file,
you don't want it, or I don't have it.) Stateless translates directly
into reliability and scalability -- If a server goes down in the
middle of a transaction - (or more likely between transactions) - the
next exchange of bytes simply goes to a different server. There is no
"session" to keep track of in this case.

Load-balancing is a snap to understand and deploy because there is
always a single, simple TCP connection and a short exchange - once
it's over it's over. Since we're only serving files with this (not
applications) we can strip off anything that might execute a command
on the HTTP server. No commands ever go to the OS - only to the HTTP
software which is only capable (in this case) of reading a file and
sending it to the client.

Although FTP can be used this way - under the covers it is much more
complex because it is designed as a session-based protocol. You log in,
use a wide range of commands to browse and otherwise do what you want,
and then you log out... and if something happens during that session
you have a problem to resolve. Did the server go away? Did the client
go away? Did some error occur and if so how do you want to handle
that? Lots of options for every case, as long as the session is still
active, the client can do the unpredictable. If you restrict the
client's options then folks have trouble because there's no single
"correct" way to use an FTP session.

Since not all FTP clients are created equally, and not all FTP scripts
are likely to be equal - the possibility for problems or security
hassles to creep in is much bigger. Even now we have a constant, low
level of problems with log file uploads due to the security measures
we have in place. To a lesser extent the same thing is true of
rulebase downloads via FTP...

For security reasons we strictly limit the commands that are accepted
on our FTP server. It never fails that someone will try to use a
command we don't allow and as a result the system is broken from their
perspective. A little coaching and debugging is generally required in
order to figure out what they or the script or FTP client is trying to
do that isn't allowed, or whether the firewall is the problem
(blocking the data link is a common recurring problem that is often
reported incorrectly or simply causes an ftp client to "hang")...

In contrast, with HTTP - if you have a connection then you have the
connection you need. There is no session to break --- you make your
request and you get your response. Even there - the options are pretty
strictly limited and there is a single correct way-- GET. There's no
need to POST anything so it'

[sniffer] Re: FTP server / firewall issues - Resolved.

2007-01-05 Thread Darin Cox
Hi Matt,

Hmmm you're right.  I have heard of FTP configuration issues through some 
firewalls, though I haven't seen the problem myself.  Good point.  Thanks for 
commenting.  And yes, the compression (though it's not being used now) would 
obviously be of significant benefit.  

Darin.


- Original Message - 
From: Matt 
To: Message Sniffer Community 
Sent: Friday, January 05, 2007 11:48 PM
Subject: [sniffer] Re: FTP server / firewall issues - Resolved.


Darin,

There are many people with firewall or client configuration issues that cause 
problems with FTP, however HTTP rarely experiences issues and is definitely 
easier to support.  As far as efficiency goes, since the rulebases will all be 
zipped, there is little to be gained from on-the-fly improvements to FTP (and 
there are some for HTTP as well).  In such a case, I would consider it to be 
effectively a wash, nothing gained, nothing lost (measurably).

Matt



Darin Cox wrote: 
Thanks, Pete.  Appreciate you taking the time to explain what's happening in
more detail.

I'm curious as to why FTP is more difficult than HTTP to debug, deploy,
secure, and scale, though. I tend to think of them on equal footing, with
the exception of FTP being faster and more efficient to transfer files in my
experience.

Thanks for the link to save some time.  Much appreciated.

Darin.


- Original Message - 
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: "Message Sniffer Community" 
Sent: Friday, January 05, 2007 9:47 PM
Subject: [sniffer] Re: FTP server / firewall issues - Resolved.


Hello Darin,

Friday, January 5, 2007, 6:23:22 PM, you wrote:

  Hi Pete,

  Why the change?

Many reasons. HTTP is simpler to deploy and debug, simpler to scale,
less of a security problem, etc...

Also, the vast majority of folks get their rulebase files from us with
HTTP - probably for many of the reasons I mentioned above.

  FTP is more efficient for transferring files than HTTP.

Not necessarily ;-)

  Can we request longer support for FTP to allow adequate time for everyone
to
  schedule, test, and make the change?

I'm not in a hurry to turn it off at this point, but I do want to put
it out there that it will be turned off.

  I remember trying dHTTP initially when this was set up, but it wasn't
working reliably, plus FTP is more efficient, so we went that way.  wget
may
  work better when we have time to try it.

  Also, what's this about gzip?  Is the rulebase being changed to a .gz
file?
  Compression is a good move to reduce bandwidth, but can we put in a plug
for
  a standard zipfile?

Gzip is widely deployed and an open standard on all of the platforms
we support. We're not moving to a compressed file -- the plan is to
change the scanning engine and the rulebase binary format to allow for
incremental updates before too long - so for now we will keep the file
format as it is.

Apache easily compresses files on the fly when the connecting client
can support a compressed format. The combination of wget and gzip
handle this task nicely. As a result, most achieve the benefits of
compression during transit almost automatically.

  Do you have scripts already written to handle downloads the way you want
them now?  If so, how about a link?

We have many scripts on our web site:

http://kb.armresearch.com/index.php?title=Message_Sniffer.TechnicalDetails.AutoUpdates

My personal favorite is:

http://www.sortmonster.com/MessageSniffer/Help/UserScripts/ImailSnifferUpdateTools.zip

I like it because it's complete as it is, deploys in minutes with
little effort, generally folks have no trouble achieving the same
results, and an analog of the same script is usable on *nix systems
where wget and gzip are generally already installed.

There are others of course.

Hope this helps,

_M


  

[sniffer] Re: FTP server / firewall issues - Resolved.

2007-01-05 Thread Darin Cox
Thanks, Pete.  Appreciate you taking the time to explain what's happening in
more detail.

I'm curious as to why FTP is more difficult than HTTP to debug, deploy,
secure, and scale, though. I tend to think of them on equal footing, with
the exception of FTP being faster and more efficient to transfer files in my
experience.

Thanks for the link to save some time.  Much appreciated.

Darin.


- Original Message - 
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: "Message Sniffer Community" 
Sent: Friday, January 05, 2007 9:47 PM
Subject: [sniffer] Re: FTP server / firewall issues - Resolved.


Hello Darin,

Friday, January 5, 2007, 6:23:22 PM, you wrote:

> Hi Pete,

> Why the change?

Many reasons. HTTP is simpler to deploy and debug, simpler to scale,
less of a security problem, etc...

Also, the vast majority of folks get their rulebase files from us with
HTTP - probably for many of the reasons I mentioned above.

> FTP is more efficient for transferring files than HTTP.

Not necessarily ;-)

> Can we request longer support for FTP to allow adequate time for everyone
to
> schedule, test, and make the change?

I'm not in a hurry to turn it off at this point, but I do want to put
it out there that it will be turned off.

> I remember trying dHTTP initially when this was set up, but it wasn't
> working reliably, plus FTP is more efficient, so we went that way.  wget
may
> work better when we have time to try it.

> Also, what's this about gzip?  Is the rulebase being changed to a .gz
file?
> Compression is a good move to reduce bandwidth, but can we put in a plug
for
> a standard zipfile?

Gzip is widely deployed and an open standard on all of the platforms
we support. We're not moving to a compressed file -- the plan is to
change the scanning engine and the rulebase binary format to allow for
incremental updates before too long - so for now we will keep the file
format as it is.

Apache easily compresses files on the fly when the connecting client
can support a compressed format. The combination of wget and gzip
handle this task nicely. As a result, most achieve the benefits of
compression during transit almost automatically.

> Do you have scripts already written to handle downloads the way you want
> them now?  If so, how about a link?

We have many scripts on our web site:

http://kb.armresearch.com/index.php?title=Message_Sniffer.TechnicalDetails.AutoUpdates

My personal favorite is:

http://www.sortmonster.com/MessageSniffer/Help/UserScripts/ImailSnifferUpdateTools.zip

I like it because it's complete as it is, deploys in minutes with
little effort, generally folks have no trouble achieving the same
results, and an analog of the same script is usable on *nix systems
where wget and gzip are generally already installed.

There are others of course.

Hope this helps,

_M


-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.
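The exchange Pete describes in this thread, a stateless "give me the file if it's newer" GET with compression applied in transit, as an added example in Python (not Message Sniffer's delivery server and not any of the update scripts linked above). The server side answers only GET, looks the path up as an exact key in a fixed table rather than handing anything to the OS, and returns 304 when the client's copy is current, 200 with a gzip body when the client accepts it, and 404 otherwise; the client keeps nothing between requests except the Last-Modified stamp of its copy, so any server instance can answer the next request. The file table, its contents and timestamps are constructed.

```python
import gzip
from email.utils import formatdate, parsedate_to_datetime

# Constructed server-side file table: path -> (last-modified epoch seconds, content).
# 1167955200 is 2007-01-05 00:00:00 UTC.
SERVER_FILES = {
    "/rulebase.snf": (1167955200, b"RULEBASE v1 " * 200),
}


def serve(method, path, headers, files=SERVER_FILES):
    """Stateless file handler. Returns (status, response_headers, body).

    Anything other than GET is refused up front, and the path is an exact key
    into the file table, so no request can reach the OS or walk a directory.
    """
    if method != "GET":
        return 405, {"Allow": "GET"}, b""
    if path not in files:
        return 404, {}, b""
    mtime, data = files[path]
    last_modified = formatdate(mtime, usegmt=True)
    since = headers.get("If-Modified-Since")
    if since and parsedate_to_datetime(since).timestamp() >= mtime:
        return 304, {"Last-Modified": last_modified}, b""   # client's copy is current
    resp = {"Last-Modified": last_modified}
    if "gzip" in headers.get("Accept-Encoding", ""):
        data = gzip.compress(data)                           # compressed in transit only
        resp["Content-Encoding"] = "gzip"
    return 200, resp, data


class UpdateClient:
    """Holds the local copy and its Last-Modified stamp; every request stands
    alone, so it does not matter which server instance answers it."""

    def __init__(self):
        self.last_modified = None
        self.local_copy = None

    def fetch(self, path, server=serve):
        headers = {"Accept-Encoding": "gzip"}
        if self.last_modified:
            headers["If-Modified-Since"] = self.last_modified
        status, resp, body = server("GET", path, headers)
        if status == 200:
            if resp.get("Content-Encoding") == "gzip":
                body = gzip.decompress(body)
            self.local_copy = body
            self.last_modified = resp["Last-Modified"]
        return status


if __name__ == "__main__":
    client = UpdateClient()
    print(client.fetch("/rulebase.snf"))   # 200: first download
    print(client.fetch("/rulebase.snf"))   # 304: nothing newer, no file bytes sent
```

With a real client this is what `wget -N` does for the timestamp comparison, and the gzip step is what Apache adds on the fly when the request carries an Accept-Encoding header; the file on disk stays in its normal format, as Pete says, only the bytes on the wire are compressed.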



[sniffer] Re: FTP server / firewall issues - Resolved.

2007-01-05 Thread Darin Cox
BTW, the first test I did did not upload.  It hung after logging in and
before the file was uploaded.

The second test went through.

I'm concerned that failure like this will cause logs not to get properly
rotated.  Any input on this?

Darin.


- Original Message - 
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: "Message Sniffer Community" 
Sent: Friday, January 05, 2007 4:39 PM
Subject: [sniffer] FTP server / firewall issues - Resolved.


Hello Sniffer Folks,

The firewall issues we were having with our new delivery server appear
to have been resolved. I am showing good traffic via FTP at this time.

Normal ftp access for log uploads and SNF rulebase downloads via
www.sortmonster.net / ftp.sortmonster.net should work correctly now.

Note that FTP downloads of SNF rulebases are deprecated. If you are
using FTP to download your rulebase files you should switch to using
http w/ gzip as soon as practical.

FTP access to SNF rulebase files will continue for a time but support
may be removed without notice in the future. It's a safe bet that FTP
access for SNF rulebase files will remain functional through the end
of this month however.

Thanks!

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.



[sniffer] Re: FTP server / firewall issues - Resolved.

2007-01-05 Thread Darin Cox
Hi Pete,

Why the change?  FTP is more efficient for transferring files than HTTP.

Can we request longer support for FTP to allow adequate time for everyone to
schedule, test, and make the change?

I remember trying dHTTP initially when this was set up, but it wasn't
working reliably, plus FTP is more efficient, so we went that way.  wget may
work better when we have time to try it.

Also, what's this about gzip?  Is the rulebase being changed to a .gz file?
Compression is a good move to reduce bandwidth, but can we put in a plug for
a standard zipfile?

Do you have scripts already written to handle downloads the way you want
them now?  If so, how about a link?

Darin.


- Original Message - 
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: "Message Sniffer Community" 
Sent: Friday, January 05, 2007 4:39 PM
Subject: [sniffer] FTP server / firewall issues - Resolved.


Hello Sniffer Folks,

The firewall issues we were having with our new delivery server appear
to have been resolved. I am showing good traffic via FTP at this time.

Normal ftp access for log uploads and SNF rulebase downloads via
www.sortmonster.net / ftp.sortmonster.net should work correctly now.

Note that FTP downloads of SNF rulebases are deprecated. If you are
using FTP to download your rulebase files you should switch to using
http w/ gzip as soon as practical.

FTP access to SNF rulebase files will continue for a time but support
may be removed without notice in the future. It's a safe bet that FTP
access for SNF rulebase files will remain functional through the end
of this month however.

Thanks!

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.



[sniffer] Re: Declude List

2006-11-03 Thread Darin Cox
Nope... list is still active.  If you're having trouble, I would suggest
calling Declude.

Darin.


- Original Message - 
From: "Steve Oren" <[EMAIL PROTECTED]>
To: "Message Sniffer Community" 
Sent: Friday, November 03, 2006 1:48 PM
Subject: [sniffer] Re: Declude List


This list seems broken?

Anyone still getting mail from the Declude Junkmail list?

When you send mail to [EMAIL PROTECTED], you get this:

Unknown user: [EMAIL PROTECTED]

RCPT TO generated following response:
550 Recipient not in route list.

Herb Guenther wrote:
> Thanks Andy;
>
> I appreciate the info.
>
> Herb
>
> Andy Schmidt wrote:
>
>> Hi,
>>
>> for discussions on Declude, you need to subscribe to
>> "Declude.Junkmail" or "Declude.Virus" at [EMAIL PROTECTED]
>> 
>>
>> Here's their standard trailer line:
>>
>>
>> This E-mail came from the Declude.JunkMail mailing list. To
>>
>> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
>>
>> type "unsubscribe Declude.JunkMail". The archives can be found
>>
>> at _http://www.mail-archive.com_ .
>>
>>
>>
>> Best Regards
>> */Andy Schmidt/*/
>> /
>> Phone:  +1 201 934-3414 x20 (Business)
>> Fax:+1 201 934-9206
>>
>>
>>
>> 
>> *From:* Message Sniffer Community [mailto:[EMAIL PROTECTED] *On
>> Behalf Of *Herb Guenther
>> *Sent:* Wednesday, October 25, 2006 10:06 AM
>> *To:* Message Sniffer Community
>> *Subject:* [sniffer] Re: Declude header not modified correctly
>>
>> I have an active SA, I sent in some service requests and got a ticket
>> number by return email, never a follow up.  Then called in and a chap
>> named Chris Asaro fixed the settings on our account so that I could
>> download the correct version and was quite helpful with that.
>> However, that does not solve the problem and all emails of examples
>> and requests for status since 10/18/06 have gone unanswered.
>>
>> So, basically their answer was install the latest version, and beyond
>> that nothing, not even a reply or a we are working on it and will have
>> something to try on X.  Our users are seeing hundreds of spam messages
>> unmarked in their email boxes a day, and of course want to know why
>> when it is identified as spam they are still getting it.  I personally
>> know that this has been an issue for at least a year.  If I were a
>> spammer I would sure code my emails to exploit this.
>>
>> Anyway, have used Declude for about 5 years as I recall and getting
>> kind of to the end of the line.
>>
>> I also spent some time yet again on their web site, and do not see a
>> discussion board or anything to discuss this issue there vs here.
>>
>> Herb
>>
>>
>>
>
> -- 
> Herb Guenther
> Lanex, LLC
> www.lanex.com
> (262)789-0966x102 Office
> (262)780-0424 Direct
>
>
> This e-mail is confidential and is for the use of the intended
> recipient(s) only. If you are not an intended recipient please advise us of
> our error by return e-mail then delete this e-mail and any attached files.
> You may not copy, disclose or use the contents in any way.
>

-- 
Best Regards,

Steve Oren
President
ServerSide, Inc.
317-596-5000 voice
317-596-5010 fax
888-682-2544 toll free
www.serverside.net



[sniffer] Re: Declude header not modified correctly

2006-10-25 Thread Darin Cox



David Barker has also been good about responding, but that's not the issue.  We should be able to go through standard support channels instead of having to remember to redirect support requests to alternative personnel.

Darin.


- Original Message - 
From: Computer House Support
To: Message Sniffer Community
Sent: Wednesday, October 25, 2006 11:15 AM
Subject: [sniffer] Re: Declude header not modified correctly

Dear Sniffer Folks,
 
As I mentioned in a previous post, we have been very happy 
with the response from Declude Tech Support.
 
Feel free to use this E-mail address if you need 
help:  [EMAIL PROTECTED]
 
Linda has been very good at responding, and she has given 
permission for me to post her address here.
 
 
Michael Stein
Computer House

  - Original Message - 
  From: Herb Guenther
  To: Message Sniffer Community
  Sent: Wednesday, October 25, 2006 10:06 AM
  Subject: [sniffer] Re: Declude header not modified correctly

  I have an active SA, I sent in some service requests and got a ticket number by return email, never a follow up.  Then called in and a chap named Chris Asaro fixed the settings on our account so that I could download the correct version and was quite helpful with that.  However, that does not solve the problem and all emails of examples and requests for status since 10/18/06 have gone unanswered.

  So, basically their answer was install the latest version, and beyond that nothing, not even a reply or a we are working on it and will have something to try on X.  Our users are seeing hundreds of spam messages unmarked in their email boxes a day, and of course want to know why when it is identified as spam they are still getting it.  I personally know that this has been an issue for at least a year.  If I were a spammer I would sure code my emails to exploit this.

  Anyway, have used Declude for about 5 years as I recall and getting kind of to the end of the line.

  I also spent some time yet again on their web site, and do not see a discussion board or anything to discuss this issue there vs here.

  Herb

  Darin Cox wrote:
  I have an active SA.  I've sent support requests twice in the past few
months to support@ and have gotten no response.

Darin.


- Original Message - 
From: "Computer House Support" <[EMAIL PROTECTED]>
To: "Message Sniffer Community" 
Sent: Wednesday, October 25, 2006 9:11 AM
Subject: [sniffer] Re: Declude header not modified correctly


David Waller wrote:  they don't respond to support emails from this
registered user...


Dear David,

I am curious to know if you have an active Service Agreement with Declude?
Among the hundreds of vendors that I deal with, I found their support to be
one of the best.  I seldom wait more than an hour for a response.


Michael Stein
Computer House



#
This message is sent to you because you are subscribed to
  the mailing list .
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to  <[EMAIL PROTECTED]>




#
This message is sent to you because you are subscribed to
  the mailing list .
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to  <[EMAIL PROTECTED]>

  -- 
Herb Guenther
Lanex, LLC
www.lanex.com
(262)789-0966x102 Office
(262)780-0424 Direct




[sniffer] Re: Declude header not modified correctly

2006-10-25 Thread Darin Cox
I have an active SA.  I've sent support requests twice in the past few
months to support@ and have gotten no response.

Darin.


- Original Message - 
From: "Computer House Support" <[EMAIL PROTECTED]>
To: "Message Sniffer Community" 
Sent: Wednesday, October 25, 2006 9:11 AM
Subject: [sniffer] Re: Declude header not modified correctly


David Waller wrote:  they don't respond to support emails from this
registered user...


Dear David,

I am curious to know if you have an active Service Agreement with Declude?
Among the hundreds of vendors that I deal with, I found their support to be
one of the best.  I seldom wait more than an hour for a response.


Michael Stein
Computer House






[sniffer] Re: Increase in spam

2006-10-18 Thread Darin Cox
We saw a sudden ~50% increase on July 16th, but only fluctuations and
moderate growth since then.  On weekdays we're now at 80% spam, 95% or
better on weekends.

Darin.


- Original Message - 
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: "Message Sniffer Community" 
Sent: Wednesday, October 18, 2006 9:23 AM
Subject: [sniffer] Re: Increase in spam


Hello K,

Wednesday, October 18, 2006, 8:52:17 AM, you wrote:

>   I've been seeing a massive increase in spam over the last 2 days getting
> through with minimal scores. Could this be due to the drawback of the
> filter involved with false positives, or something else?

It's hard to pin down, but not likely to be the pulled rule. We have
seen a relative increase in new spam campaigns over the past 2 days
preceded by a lull. That may be what you're noticing.

I've attached a graph to illustrate.

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.









[sniffer] Re: Significant increase in false positives

2006-10-17 Thread Darin Cox
That's where the rule was, I believe.  It started over the weekend, and Pete
removed the rule morning or mid-day yesterday.

Darin.


- Original Message - 
From: "Greg Evanitsky" <[EMAIL PROTECTED]>
To: "Message Sniffer Community" 
Sent: Tuesday, October 17, 2006 9:35 AM
Subject: [sniffer] Re: Significant increase in false positives



On Oct 16, 2006, at 5:17 PM, Darin Cox wrote:

> Anyone else seeing a sudden increase in FPs?  We normally report a
> few each day, but we're seeing a 10x increase in FPs for the past
> three days.

What particular group, if any, are you seeing them in? The
experimental-abstract (61) category is my main fp problem lately.

Curious,
Greg






[sniffer] Re: Significant increase in false positives

2006-10-17 Thread Darin Cox



Hi Pete,

You're exactly right, but we often get spoiled by the high quality of your detection rate.  It's easy to expect perfection when it means less work for us.

Thanks for all you do to keep the quality so high.

Darin.


- Original Message - 
From: Pete McNeil
To: Message Sniffer Community
Sent: Tuesday, October 17, 2006 8:42 AM
Subject: [sniffer] Re: Significant increase in false positives

Hello Computer,

Monday, October 16, 2006, 11:09:03 PM, you wrote:



  
  

> Dear Pete,
>
> Sniffer blocked 35,000 messages today, and roughly 7200 of them were blocked by the 1174356 rule.
>
> Do you think many of these were false positives?  Do you know a way of searching through 35,000 Imail messages to find the FP's?
>
> What would you suggest in this situation.

This was not a bad-rule alert or rule-panic situation. Most of these messages 
were probably NOT false positives. The rule does have a higher rate than is 
acceptable (so it was dropped), but it doesn't catch every message with an 
image, and it does catch primarily image spam.

If I felt strongly about researching this there would be 7200 to look through 
(not 35000) and I would probably only look through those that failed no other 
tests or were below some very low weight threshold otherwise - that would 
probably bring the number down into a range < 100 messages (based on what 
I've seen reported). 

[ Educated guess items: > 80% of content is usually spam. On weekends this 
number is higher. This weekend there were some new, aggressive image spam 
campaigns - so the number of spam captured by a rule like this would be higher 
than normal rather than lower. The rule was essentially in place only during the 
weekend and only received FP reports late Sun through early Mon and some systems 
have reported no discernible increase in false positives during this period. 20% 
of 7200 is close to 150, so the conservative number likely not to be spam in 
that group is less than that (due to the weekend) so approximately 100 seems 
reasonable. If there are FPs then it is likely they failed no other tests. ]

Hope this helps,

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer] Re: Significant increase in false positives

2006-10-16 Thread Darin Cox



Hi Pete,

Can you clarify what this .xhdr option is and how we can enable it?  I don't remember anything in the documentation that describes it.  I think there were references to the config file previously, but there was never anything about it in mine.  If you could give an example of how to enable and use the info it would be greatly appreciated.

Darin.


- Original Message - 
From: Pete McNeil
To: Message Sniffer Community
Sent: Monday, October 16, 2006 11:13 PM
Subject: [sniffer] Re: Significant increase in false positives

Hello Matt,

Monday, October 16, 2006, 10:03:04 PM, you wrote:



  
  

> Pete,
>
> Would you please clarify this a bit.  Declude of course doesn't record the rule in the headers, so this is difficult to figure out.  Knowing the pattern may help identify the problematic messages.  Also knowing the start time and end time of the rule would also help.

The rule was coded for a binary segment in an image file. Here is the rule 
information:



  
  

  
  


  
Rule - 1174356

Name: image spam binary segment as text !1AQaq"2
Created: 2006-10-14
Source: !1AQaq"2
Hidden: false
Blocked: false
Origin: Spam Trap
Type: Simple Text
Created By: [EMAIL PROTECTED]
Owner: [EMAIL PROTECTED]
Strength: 3.20638481603822
False Reports: 11
From Users: 7

Rule belongs to following groups
[252] Problematic

I removed the rule as soon as we began receiving reports - about mid-day 
today.



  
  

> It would be nice too if you talked with Declude about allowing for the insertion of headers, or even if you did this on your own.  I believe the D* file may be editable when the external app is launched.  That would make recovery of this so much easier for me (minutes instead of hours of work).

I have discussed this with Declude and I am hopeful that we will have better 
integration w/ Declude some time in the future.

In the mean time, our next version will include a feature to inject headers 
into message files. Understand, however, that this is an expensive feature that 
will substantially increase the I/O requirements on any mail server. Injecting 
headers requires that the entire message file must be written to disk an 
additional time. This is not a small consideration -- where once most spam were 
tiny text/html files (often less than 5K) today's image spam variants are 
frequently 5 to 10 times the size of the old spam we used to know.

Also- note that this kind of thing can be very buggy on Winx systems -- 
sometimes changes to files are not reflected immediately between processes. For 
example, rename operations are not atomic - so when the old message file is 
deleted and the new version is renamed from its temp file to the original 
message file name, other Winx processes that depend on that file may not respond 
reliably.

For all of these reasons and more I've probably not thought of - this feature 
will be a "use at your own risk / YMMV" option.

All that said, there is an existing option in the current version of SNF to 
produce a .xhdr file for each message. This option is frequently used in *nix 
systems that use SNF. It would be possible to write a short utility (perhaps 
even a script) that would modify quarantined messages out-of-band to include the 
contents of the .xhdr file as X- headers. Such a utility is not currently on our 
development list, however, and I hallucinate that such a device would tend to 
evolve into something somewhat system specific.

The best option would be for Declude to add a feature that picks up x-headers 
created by external programs (perhaps in files named 
.xhdr) so that they can be added in a single message 
rewrite along with the headers that Declude already adds. This would solve the 
I/O problems and standardize the mechanism for any other external programs that 
might wish to add headers.

Hope this helps,

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.
[sniffer] Re: Significant increase in false positives

2006-10-16 Thread Darin Cox



Hi Matt,

I know Pete has requested this in the past, but Declude hasn't been willing to make the change necessary for this to make it in the headers.  But I totally agree with you, I'd love to see this in the headers so tracking down the rule isn't such a pain.

Darin.


- Original Message - 
From: Matt
To: Message Sniffer Community
Sent: Monday, October 16, 2006 10:03 PM
Subject: [sniffer] Re: Significant increase in false positives
Pete,

Would you please clarify this a bit.  Declude of course doesn't record the rule in the headers, so this is difficult to figure out.  Knowing the pattern may help identify the problematic messages.  Also knowing the start time and end time of the rule would also help.

It would be nice too if you talked with Declude about allowing for the insertion of headers, or even if you did this on your own.  I believe the D* file may be editable when the external app is launched.  That would make recovery of this so much easier for me (minutes instead of hours of work).

Thanks,

Matt

Pete McNeil wrote:

  Hello Darin,

  Monday, October 16, 2006, 5:17:26 PM, you wrote:

  > Anyone else seeing a sudden increase in FPs?  We normally report a few each day, but we're seeing a 10x increase in FPs for the past three days.

  Not sure if this is it, but there was an image segment rule that went in over the weekend and resulted in an unusual number of false positives today. The rule was removed. IIRC the rule id was: 1174356

  Hope this helps,

  _M

  -- 
  Pete McNeil
  Chief Scientist,
  Arm Research Labs, LLC.





  


[sniffer] Re: Significant increase in false positives

2006-10-16 Thread Darin Cox



Hi Pete,

I haven't looked at the Sniffer logs, as cross referencing from the Declude logs is a bit of a pain, but many of the FPs did have images, so that probably accounts for most of them if it was an Experimental rule.

Darin.


- Original Message - 
From: Pete McNeil
To: Message Sniffer Community
Sent: Monday, October 16, 2006 8:46 PM
Subject: [sniffer] Re: Significant increase in false positives

Hello Darin,

Monday, October 16, 2006, 5:17:26 PM, you wrote:



  
  

> Anyone else seeing a sudden increase in FPs?  We normally report a few each day, but we're seeing a 10x increase in FPs for the past three days.

Not sure if this is it, but there was an image segment rule that went in over 
the weekend and resulted in an unusual number of false positives today. The rule 
was removed. IIRC the rule id was: 1174356

Hope this helps,

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer] Re: Significant increase in false positives

2006-10-16 Thread Darin Cox



For us, it doesn't calculate the proper weight when this happens, and only acts on the weight seen in the topmost headers.  One of these years I'll finally exercise the right to use our 4.x license, I just don't have time for new problems at this point.

Darin.


- Original Message - 
From: Robert Grosshandler
To: Message Sniffer Community
Sent: Monday, October 16, 2006 5:57 PM
Subject: [sniffer] Re: Significant increase in false positives

That's been a problem for a long time, but for us, it still 
treats that e-mail as spam, with the appropriate weight.  100% of the time 
if Declude does that, the e-mail is beyond our delete 
weight.
 
Rob


From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Herb Guenther
Sent: Monday, October 16, 2006 4:35 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Significant increase in false positives

Hi Darin;

Not seeing a lot of false pos messages, but there are lots of spam messages sneaking through our system because declude is not modifying the header correctly.  It is adding a header stub to the bottom of the message so that users mail client filters which look for the modified subject line is not working.  Anyone else having that issue?

Herb

Darin Cox wrote:

  Anyone else seeing a sudden increase in FPs?  We normally report a few each day, but we're seeing a 10x increase in FPs for the past three days.

  Darin.

   -- 
Herb Guenther
Lanex, LLC
www.lanex.com
(262)789-0966x102 Office
(262)780-0424 Direct




[sniffer] Re: Significant increase in false positives

2006-10-16 Thread Darin Cox



Ahh... good.  The first thing they'll probably tell you is to update to the latest 4.x version, see if the problem persists, then re-report it.

Darin.


- Original Message - 
From: Herb Guenther
To: Message Sniffer Community
Sent: Monday, October 16, 2006 5:51 PM
Subject: [sniffer] Re: Significant increase in false positives

Not sure, this is what my declude diags.txt says

Declude 4.1.0 Diagnostics
Compilation Platform: SmarterMail
Copyright (c) 2000-2005 Declude, Inc.

Herb

Darin Cox wrote:

  
  We see this occasionally with Declude 1.82.  What version are you running?

  Darin.


  - Original Message - 
  From: Herb Guenther
  To: Message Sniffer Community
  Sent: Monday, October 16, 2006 5:35 PM
  Subject: [sniffer] Re: Significant increase in false positives

  Hi Darin;

  Not seeing a lot of false pos messages, but there are lots of spam messages sneaking through our system because declude is not modifying the header correctly.  It is adding a header stub to the bottom of the message so that users mail client filters which look for the modified subject line is not working.  Anyone else having that issue?

  Herb

  Darin Cox wrote:
  



    Anyone else seeing a sudden increase in FPs?  We normally report a few each day, but we're seeing a 10x increase in FPs for the past three days.

    Darin.

-- 
Herb Guenther
Lanex, LLC
www.lanex.com
(262)789-0966x102 Office
(262)780-0424 Direct


[sniffer] Re: Declude header not modified correctly

2006-10-16 Thread Darin Cox



Ping them on the Declude list for the lack of response, and CC David Barker for a response.  He seems to be the best means of getting results these days.

What version are you running?  Understandably you'll only get a response if you're running the latest 3.x or 4.x, as older versions are no longer supported.

Darin.


- Original Message - 
From: Herb Guenther
To: Message Sniffer Community
Sent: Monday, October 16, 2006 5:58 PM
Subject: [sniffer] Re: Declude header not modified correctly

It is frustrating because sniffer is catching them and they are not getting marked so they still end up in the ol inbox.  Have opened some tickets at declude a few times and never got a response.  So no one has a magic bullet on this one?

Herb

Kami Razvan wrote:

  
  We see that a lot too.. we run 2.14

  Kami


  From: Message Sniffer Community [mailto:sniffer@sortmonster.com] On Behalf Of Darin Cox
  Sent: Monday, October 16, 2006 5:44 PM
  To: Message Sniffer Community
  Subject: [sniffer] Re: Significant increase in false positives

  We see this occasionally with Declude 1.82.  What version are you running?

  Darin.


  - Original Message - 
  From: Herb Guenther
  To: Message Sniffer Community
  Sent: Monday, October 16, 2006 5:35 PM
  Subject: [sniffer] Re: Significant increase in false positives

  Hi Darin;

  Not seeing a lot of false pos messages, but there are lots of spam messages sneaking through our system because declude is not modifying the header correctly.  It is adding a header stub to the bottom of the message so that users mail client filters which look for the modified subject line is not working.  Anyone else having that issue?

  Herb

-- 
Herb Guenther
Lanex, LLC
www.lanex.com
(262)789-0966x102 Office
(262)780-0424 Direct


[sniffer] Re: Significant increase in false positives

2006-10-16 Thread Darin Cox



We see this occasionally with Declude 1.82.  What version are you running?

Darin.


- Original Message - 
From: Herb Guenther
To: Message Sniffer Community
Sent: Monday, October 16, 2006 5:35 PM
Subject: [sniffer] Re: Significant increase in false positives

Hi Darin;

Not seeing a lot of false pos messages, but there are lots of spam messages sneaking through our system because declude is not modifying the header correctly.  It is adding a header stub to the bottom of the message so that users mail client filters which look for the modified subject line is not working.  Anyone else having that issue?

Herb

Darin Cox wrote:

  Anyone else seeing a sudden increase in FPs?  We normally report a few each day, but we're seeing a 10x increase in FPs for the past three days.

  Darin.

-- 
Herb Guenther
Lanex, LLC
www.lanex.com
(262)789-0966x102 Office
(262)780-0424 Direct


[sniffer] Significant increase in false positives

2006-10-16 Thread Darin Cox



Anyone else seeing a sudden increase in FPs?  We normally report a few each day, but we're seeing a 10x increase in FPs for the past three days.

Darin.


[sniffer] Re: Sniffer does not catch as much as it used to.

2006-09-20 Thread Darin Cox
Hi Rick,

It's a constant battle, with spammers getting more sophisticated, and
filtering tools trying to catch up and anticipate the next move.

That said, we do not see the kind of leakage you see, probably due to other
tests we run on our systems.  I would recommend you supplement with BLs and
other Declude tests to stop the leakage.  Also, make sure any negative
weights you have are not allowing the leakage.

An external test you may consider is invURIBL from invariant systems.  We
haven't run it, but have heard good reports from others who do run it.

All the best,

Darin.


- Original Message - 
From: "Rick Hogue" <[EMAIL PROTECTED]>
To: "Message Sniffer Community" 
Sent: Wednesday, September 20, 2006 8:34 AM
Subject: [sniffer] Sniffer does not catch as much as it used to.


I just signed my annual renewal for Sniffer but it seems that it used to
catch lots of the email and now is only catching about 50% of the email. Why,
when we are sending in our information, does this continue to happen? We are
getting lots of "you won", Pharmacy spelled wrong and nonsense emails that
sail through both Declude and Sniffer. Between the 2 of them that is over
$1000 per year for spam/virus/hijack protection that seems not to be happening
like it used to. Any answers as to when we will get relief on these?

Rick Hogue
Intent.Net
Web Hosting

-- 
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.405 / Virus Database: 268.12.5/451 - Release Date: 9/19/2006







[sniffer] Re: Paypal failing SNIFFER-GENERAL

2006-08-23 Thread Darin Cox
Hi Pete,

I'm not sure which column is which, but here are the log lines for the
message (minus the authorization code)

 20060823163449 D83a20d3001502962.SMD 0 32 Match 1100444 60 1502 1551 98
 20060823163449 D83a20d3001502962.SMD 0 32 Final 1100444 60 0 3798 98

The FP was submitted at 1:34pm ET.

Darin.


- Original Message - 
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: "Message Sniffer Community" 
Sent: Wednesday, August 23, 2006 2:22 PM
Subject: [sniffer] Re: Paypal failing SNIFFER-GENERAL


Hello Darin,

I may be behind... but I don't see an FP report on this. Do you have
the rule id?

_M

Wednesday, August 23, 2006, 1:36:08 PM, you wrote:

> FYI... I just reported one of these, so watch out.
>
> Darin.


-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer] Paypal failing SNIFFER-GENERAL

2006-08-23 Thread Darin Cox



FYI... I just reported one of these, so watch out.

Darin.


[sniffer] Re: Lot of stock spam getting through....

2006-07-07 Thread Darin Cox
Great job, Pete!  And thanks for all of your efforts to simultaneously
increase the catch rate and decrease the FP rate.

Darin.


- Original Message - 
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: "Message Sniffer Community" 
Sent: Friday, July 07, 2006 11:11 AM
Subject: [sniffer] Re: Lot of stock spam getting through


Hello Chuck,

Friday, July 7, 2006, 10:48:28 AM, you wrote:

> We are seeing a lot of stock spam that is only a picture image getting
> through sniffer.

I had a big fight with one like that all last night -- there are some
unusual characters in the message that made it hard to filter and it
took some time to do the analysis (picking through them with a hex
editor).

I think these are handled now (as of about 0400e this morning) as I
don't have any getting through spamtraps at the moment. I will look
into it again.

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer] Re: New purchase question

2006-06-15 Thread Darin Cox
We zip ours nightly and save for 30 days just to make sure we don't miss
anything in reviewing the hold queue.  In practice, a week may be enough,
but two is probably preferable.

Darin.


- Original Message - 
From: "Phillip Cohen" <[EMAIL PROTECTED]>
To: "Message Sniffer Community" 
Sent: Thursday, June 15, 2006 5:00 PM
Subject: [sniffer] Re: New purchase question


Roger,

Thanks for the info, that is a good way to deal with the mass spam
storage.  Do you ever have the requirement to go back through the
SPAM that you have saved? How long do you save it and do you just
delete it after a certain date? How do your clients ask you or what
do you do to retrieve a possible real message that might have been
considered spam? If sniffer never makes a false positive I guess it
is no big deal just to delete the spam, but on the rare chance there
are false positives I would sure hate to delete an important message.

This mail server supports about 60 domains so having all of the spam
in one folder is a bit of a mess. VOPMAIL allows for individual
mailbox agents so I guess somehow I could have a bat file for each
user or pass parameters to a bat file, but I hate to think about that
one. Going through each mailbox on the server to enter the agent
commands will be a real pain timewise.

Wondering what other VOPMAIL users do out there if there are any of us left.

Phil


At 12:14 PM 6/15/2006, you wrote:
>This is how I do it, although there may be better ways.
>
>I create a scheduled task to run a batch file called spam.cmd that
>runs from within the spam folder.  This copies the spam caught that
>day into a dated folder.  That way I can delete old spam, and keep
>the folder organized.  This seems to work well, with imail, but if
>there are probably better ways out there.
>
>Here is my batch file
>
>REM This portion gets the date.  DATE /T is assumed to print "Dow MM/DD/YYYY"
>REM (US locale); TOKENS=2-4 with DELIMS=/ and space pick out MM, DD and YYYY.
>REM (The year variable's name was lost in the list archive; YYYY is assumed here.)
>FOR /F "TOKENS=2-4 DELIMS=/ " %%F IN ('DATE /T') DO (
>  SET MM=%%F
>  SET DD=%%G
>  SET YYYY=%%H
>)
>
>REM This portion creates a folder with todays date MM-DD-YYYY
>mkdir %MM%-%DD%-%YYYY%
>
>REM moves the current files into the dated folder.
>move *.smd .\%MM%-%DD%-%YYYY%\
>move *.GSE .\%MM%-%DD%-%YYYY%\
>
>Hope thats of help.
>
>Roger






[sniffer] Re: [sniffer][Fwd: Re: [sniffer]FP suggestions]

2006-06-08 Thread Darin Cox
>Thunderbird and Netscape just takes the full original source and
>attaches it as a message/rfc822 attachment.  I forwarded this message
>back to the list by just pressing "Forward".

Interesting that they include the headers with a simple forward, without
specifying forward as attachment.  I haven't ever seen that behaviour before
in a mail client.  Seems like a few forwards would create a very bloated
message with all of the old headers.

>I'm pretty sure that
>Outlook Express works simply by just pressing Forward As Attachment, or
>at least it gives me enough of the original, including the full headers,
>to determine how to block the spam.

Yes it does.  However you've missed the point.  The issue is not how to get
the headers.  It is how to keep an email client from encoding the message
and headers differently, so that Sniffer can properly identify the rule that
caught the message.

>Please excuse me for wanting more detail about the Outlook attachment
>trick, but would you mind attaching this message to a response so that I
>could look at the headers and such?

Sorry, I don't use Outlook.  But I can tell you the steps to take in Outlook
2003 (other versions are almost exactly the same).  I have my Outlook users
follow these with no problem.

1. Create a new email message
2. Click the arrow beside the paperclip icon, select item instead of file
from the dropdown
3. Browse mailboxes from the popup dialog to select the message to attach.
4. Voila, original message and headers attached.

>There was a discussion about Outlook's behavior with Scott some time
>ago.  Apparently Microsoft was pressured by customers to remove headers
>when forwarding because they felt that they were a security/privacy
>risk.  No one told them that Outlook was a security/privacy risk on its
>own :)  ...but that's another story.  I would probably feel different if
>I had the need for groupware though, but digs at Microsoft are
>irresistible sometimes.

I don't remember that discussion, and am not sure we're talking about the
same thing.  If you attach the original message via the steps above, you get
the full original message, headers and body.  We have a number of customers
who send spam reports this way, mostly on Outlook 2002 and 2003.

Darin






Re: [sniffer]FP suggestions

2006-06-07 Thread Darin Cox



Of course I'm sending the full message as an attachment.  You can do that
with Outlook by attaching an item, then browsing your mail folders for the
message to attach.  And yes, that's how you do it with Outlook Express as
well.  I don't use Thunderbird or Netscape mail, but I would assume you
still need to attach the original message to avoid the headers being lost.

What I was referring to was a little more involved than that... namely the
possibility of it not matching a rule because the attachment was encoded
differently.  For example, I've seen mail go through that base64 encoded an
attached email that was not originally base64 encoded.

From Pete's responses, it sounded like "no rule found" really did mean no
rule was matched.  Especially since he has a separate code for "rule already
removed".  FPs we send are always from same day, or, at the very least,
within 24 hours.

Darin.
 
 
- Original Message - 
From: Matt 
To: Message Sniffer Community 
Sent: Wednesday, June 07, 2006 11:46 PM
Subject: Re: [sniffer]FP suggestions
Darin,

Outlook will strip many of the headers when forwarding.  Outlook Express
needs to forward the messages using "Forward As Attachment" in order to
insert the full original headers.  Thunderbird/Netscape Mail will work just
by forwarding.  If you paste the full source in a message, you should send
as plain text.

I have many FP's that come back as having no rules found, but these are
more likely to be from rules that were already removed.  So I wouldn't jump
to a conclusion that the rule was not found because of formatting unless you
are not sending the full unadulterated original message source.  I would
imagine that it would mostly be IP rules that aren't found when not
forwarding the full original source.

Matt

Darin Cox wrote:

>> It is unclear - we receive FPs that have traveled through all sorts of
>> clients, quarantine systems, changed hands various numbers of times,
>> or not (to all of those)... Right now I don't want to make that
>> research project a high priority.
>
> Understood.
>
>> That's true it wouldn't change, but submitting the message directly
>> would not be correct - the dialogue is with you, and in any case,
>> additional trips through the mail server also modify parts of the
>> header and sometimes parts of the message (tag lines, disclaimers,
>> etc)...
>
> Hmmm... with attaching the original message, I guess it still makes more
> sense to deliver to us first for now.  Just looking for an alternative that
> gets you the message as close as possible to the original form as possible.
> Maybe we'll write a script to copy and forward the D*.SMD file as an
> attachment to you for FPs at some point in the future.






Re: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]FP suggestions

2006-06-07 Thread Darin Cox
>It is unclear - we receive FPs that have traveled through all sorts of
>clients, quarantine systems, changed hands various numbers of times,
>or not (to all of those)... Right now I don't want to make that
>research project a high priority.

Understood.

>That's true it wouldn't change, but submitting the message directly
>would not be correct - the dialogue is with you, and in any case,
>additional trips through the mail server also modify parts of the
>header and sometimes parts of the message (tag lines, disclaimers,
>etc)...

Hmmm... with attaching the original message, I guess it still makes more
sense to deliver to us first for now.  Just looking for an alternative that
gets you the message as close as possible to the original form as possible.
Maybe we'll write a script to copy and forward the D*.SMD file as an
attachment to you for FPs at some point in the future.







Re: [sniffer]Re[2]: [sniffer]FP suggestions

2006-06-07 Thread Darin Cox
>Unfortunately, by the time the message gets to us it is sometimes just
>different enough that the original pattern cannot be found. There are
>some folks who consistently have success, and some who occasionally
>have problems, and a few who always have a problem.

Different in what way?  Is the mail client encoding differently in the
forwarding process?  If so, do you know what clients are altering the
messages and how?  If there's one that's better for this, we could always
use it for forwarding since we currently send it to ourselves first, then
forward.

If we rewrite the Q file and queue directly from IMail, encoding shouldn't
change, correct?  If that avoids this issue, we could do that instead.

>The best solution is to include the headers during the scan since they
>will travel with the message.

What do you mean?  The XHDR?  We would love that for several reasons,
but Declude is not the same company anymore.

>The next best is to automate matching
>the log entries with the message so they can be included with the
>submission (some do this to prevent the "second trip").

Yeah, we'd have to automate it.  I can't imagine taking the time to manually
match for each occurrence of "no rule found".  Another item for the
automation list.






Re: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]FP suggestions

2006-06-07 Thread Darin Cox
Awesome.  Great job, Pete.

Darin.


- Original Message - 
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: "Message Sniffer Community" 
Sent: Wednesday, June 07, 2006 6:49 PM
Subject: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]FP
suggestions


Hello Matt,

Wednesday, June 7, 2006, 4:22:05 PM, you wrote:

>
>  Pete,
>
>  Since the %WEIGHT% variable is added by Declude, it might make
> sense to have a qualifier instead of making the values space
> delimited.

I don't want to mix delimiters... everything so far is using spaces,
so it makes sense to continue that way IMO.

> Errors in Declude could cause values to not be inserted,
> and not everyone will want to skip at a low weight. I haven't seen
> any bugs with %WEIGHT% since shortly after it was introduced, but
> you never know. I have seen some issues with other Declude inserted
variables though.

Well, errors are always a possibility, but in this case it _should_ be
reasonably safe. For example, if this is used to gate SNF, then a
missing %WEIGHT% would result in trying to launch a program with the
same name as the authentication string, and it is highly unlikely that
would be found, so the result would be the "program not found" error
code. That's not perfect because it's a nonzero result, but it is safe
in that it is not likely to launch another program.

>  One other thing that I came across with the way that Declude calls
> external apps...you can't delimit the data with things like quotes.
> There is no mechanism for escaping a functional quote from a quote
> that should appear in the data that you pass to it...so don't use
> quotes as delimiters :)

Not a problem...

I just whipped together a utility called WeightGate.exe that can be
downloaded here (for now):

http://www.messagesniffer.com/Tools/WeightGate.exe

Suppose you wanted to use it in Declude to skip running SNF if your
weight was already ridiculously low (perhaps white listed) or already
so high that you want to save the extra cycles. Then you might do
something like this:

SNF external nonzero "c:\tool\WeightGate.exe -50 %WEIGHT% 30 c:\SNF\sniffer.exe authenticationxx" 10 0

(hopefully that didn't wrap, and if it did you will know what I meant ;-)

To test this concept out you might first create a copy of
WeightGate.exe called ShowMe.exe (case matters!) and then do
something like this:

SNF external nonzero "c:\tool\ShowMe.exe -50 %WEIGHT% 30 c:\SNF\sniffer.exe authenticationxx" 10 0

The result of that would be the creation of a file c:\ShowMe.log that
contained all of the parameters ShowMe.exe was called with -- that way
you wouldn't have to guess if it was correct. ShowMe.exe ALWAYS
returns zero, so this _should_ be safe ;-)

If you run WeightGate on the command line without parameters it will
tell you all about itself and its alter ego ShowMe.exe.

That description goes like this (I may fix the typo(s) later):

WeightGate.exe
(C) 2006 ARM Research Labs, LLC.

This program is distributed AS-IS, with no warranty of any kind.
You are welcome to use this program on your own systems or those
that you directly support. Please do not redistribute this program
except as noted above, however feel free to recommend this program
to others if you wish and direct them to our web site where they
can download it for themselves. Thanks! www.armresearch.com.

This program is most commonly used to control the activation of
external test programs from within Declude (www.declude.com) based
on the weigth that has been calculated thus far for a given message.

As an added feature, if you rename this program to ShowMe.exe then
it will emit all of the command line arguments as it sees
them to a file called c:\ShowMe.log so that you can use it
as a debugging aid.

If you are seeing this message, you have used this program
incorrectly. The correct invocation for this program is:

WeightGate , ,... 

Where:
   = a number representing the lowest weight to run .
   = a number representing the actual weight to evaluate.
   = a number representing the highest weight to run .
   = the program to be activated if  is in range.
  ,  = arguments for .

If  is in the range [,] then WeightGate will run
 and pass all of , ,...  to it. Then
WeightGate will collect the exit code of  and return it as
WeightGate's exit code.

If WeightGate gets the wrong number of parameters it will display
this message and return FAIL_SAFE (zero) as it's exit code.

If  is not in range (less than  or greater than )
then WeightGate will NOT launch  and will return FAIL_SAFE
(zero) as it's exit code.

As a deubgging aid, I was called with the following arguments:

arg[0]  = WeightGate

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.


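The fail-safe gating semantics Pete documents above (run the program only when the weight is inside [min,max], pass its exit code through, otherwise return zero), modelled in Python as an added example; this is not ARM Research's WeightGate.exe, whose source is not on the page. The argument layout follows the usage text; the handling of a non-numeric or missing weight field is this example's own choice and is marked in the code.

```python
import subprocess

FAIL_SAFE = 0  # WeightGate's documented "do nothing" exit code


def parse_gate_args(argv):
    """Split WeightGate-style arguments into (lo, weight, hi, command).

    Returns None when there are too few arguments or the three range fields
    are not integers. If %WEIGHT% is missing from the Declude line, every
    later argument shifts left and the program path lands in the <max> slot,
    which int() rejects; that is how the missing-weight case is caught here
    (an assumption of this example, see gate() for how the real tool behaves).
    """
    if len(argv) < 4:
        return None
    try:
        lo, weight, hi = (int(x) for x in argv[:3])
    except ValueError:
        return None
    return lo, weight, hi, list(argv[3:])


def gate(argv, runner=subprocess.call):
    """Return the exit code WeightGate would report back to Declude.

    runner is injectable for testing; subprocess.call launches the program
    without a shell, so quotes inside the data are passed through untouched.
    """
    parsed = parse_gate_args(argv)
    if parsed is None:
        return FAIL_SAFE            # wrong number or kind of parameters
    lo, weight, hi, command = parsed
    if not lo <= weight <= hi:
        return FAIL_SAFE            # out of range: the program is NOT launched
    try:
        return runner(command)      # in range: hand the program's exit code up
    except FileNotFoundError:
        # Pete notes that the real WeightGate.exe surfaces the loader's nonzero
        # "program not found" code here. This model (an assumption of the
        # example, not WeightGate's behaviour) returns FAIL_SAFE instead, so a
        # misconfigured gate can never register as a positive test result.
        return FAIL_SAFE


def show_me(argv, log_path="ShowMe.log"):
    """Debug counterpart of renaming the binary to ShowMe.exe: log the
    arguments exactly as received and always return zero."""
    with open(log_path, "a", encoding="utf-8") as log:
        for i, arg in enumerate(["ShowMe", *argv]):
            log.write(f"arg[{i}]  = {arg}\n")
    return 0


if __name__ == "__main__":
    import sys
    raise SystemExit(gate(sys.argv[1:]))
```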

Re: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]A design question - how many DNS based tests?

2006-06-07 Thread Darin Cox
Right.  Anything forwarded would be either above our delete weight, or
reviewed and forwarded from within our hold range.

Darin.


- Original Message - 
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: "Message Sniffer Community" 
Sent: Wednesday, June 07, 2006 6:59 PM
Subject: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]A design
question - how many DNS based tests?


Hello Darin,

Wednesday, June 7, 2006, 5:09:27 PM, you wrote:



>>That would be a bad idea, sorry. After 30 days (heck, after 2) spam is
>>usually long-since filtered, or dead. As a result, looking at 30 day
>>old spam would have a cost, but little benefit.

> You misinterpreted what I was saying.  I was not at all suggesting sending
> old spam.  What I was talking about was copying spam@ with spam that does
> not fail sniffer _as it comes in_, or _during same day/next day reviews_

Sorry, I did misinterpret then. _as it comes in_ is good, provided the
weights are high enough to prevent a lot of FPs. We're all trained
pretty well on how to skip those - but the more we see, the more
likely we are to slip up ;-)

>>What we do use from time to time are virtual spamtraps. In a virtual
>>spamtrap scenario, you can submit spam that reached a very high (very
>>low false positive) score but did not fail SNF. Generally this is done
>>by copying the message to a pop3 account that can be polled by our
>>bots.

> That is exactly what I was suggesting.  We'll put it on our list to write
> a filter to do so when time permits.  Just trying to help.

Thanks very much!

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





Re: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]FP suggestions

2006-06-07 Thread Darin Cox
That would be great if you could add message rewriting.  With the complete
lack of response by Declude to support emails and the support list, they're
going to lose most of us as customers as soon as someone comes out with an
IMail/SmarterMail compatible product that has weighting and the array of
tests and scriptable filters we've come to rely on.

Darin.


- Original Message - 
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: "Message Sniffer Community" 
Sent: Wednesday, June 07, 2006 4:09 PM
Subject: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]FP suggestions


Hello Matt,

Wednesday, June 7, 2006, 3:37:36 PM, you wrote:

>
>  Pete,
>
>  An X-Header would be very, very nice to have. I understand the
> issues related to waiting to see if something comes through, and
> because of that, I would maybe suggest moving on your own.

I've got it on the list to have a message rewriting option... it's
just not as high as some others. I hadn't thought about the weight
gating utility - though that seems like something that would be useful
in general for external tests...

"weightgate -5 %WEIGHT% 20 " 5 0

 is executed if %WEIGHT% is in the range [-5,20]
and the exit code of  is returned.

That seems like a pretty simple utility to knock out - perhaps I will
;-)

Also, on the FP reporting links idea, that would break the process -
it's important for us to see the message for many reasons, and it's
important for the FP resolution process to be interactive.

_M


-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





Re: [sniffer]FP suggestions

2006-06-07 Thread Darin Cox



Oh, I assumed the rule had been removed.  Are you saying there was a rule in
place, but the FP processing somehow failed to find it?  If so, I'd say that
is a major failing on the part of the FP processing.

There's no way that we can find time to go through the Sniffer logs after
this bounces back with "no rule found".  This would have to be automated to
have any chance of occurring, but again I would say the FP processing needs
to be corrected to identify the rule the message failed since the complete
message, headers and body, are included in the report.

Darin.
 
 
- Original Message - 
From: Scott Fisher 
To: Message Sniffer Community 
Sent: Wednesday, June 07, 2006 10:08 AM
Subject: Re: [sniffer]FP suggestions

For me the pain of false positives submissions is the research that happens
when I get a "no rule found" return.

I then need to find the queue-id of the original message and then find the
appropriate Sniffer log and pull out the log lines from there and then
submit it.  Almost always in these cases, a rule is removed.

If this process could be improved that would really be a time saver.


Re: [sniffer]SPF

2006-06-07 Thread Darin Cox



Huh?  No, not at all.  Check it again.  It will work as specified.

Darin.

- Original Message - 
From: Computer House Support 
To: Message Sniffer Community 
Sent: Wednesday, June 07, 2006 10:00 AM
Subject: Re: [sniffer]SPF

Hi Darin,

FYI, I tried putting in v=spf1 mx -all as the SPF Record, but it somehow
disabled the SOA record for our domain.  Apparently our older version of
BIND requires the complete text:

computerhouse.com. IN TXT "v=spf1 mx ~all"
mail.computerhouse.com. IN TXT "v=spf1 a -all"

Does this sound right to you?

Mike Stein

  - Original Message - 
  From: Darin Cox 
  To: Message Sniffer Community 
  Sent: Tuesday, June 06, 2006 9:54 PM
  Subject: Re: [sniffer]SPF

  What's your hold weight?  If spam is only failing SPF and nothing else,
  then the message doesn't get held, so you don't see it.

  Also, I do not recommend negative weighting SPFPASS.  Spammers have SPF
  records, too, so you're giving them an opportunity to exploit it.

  Lastly, I think you may be confused on your SPF records.  They should not
  have the "name" portion.  There is only one SPF record per domain.

  So, for computerhouse.com, your SPF record should simply be

  v=spf1 mx -all

  which tells it your MX is allowed to send mail for your domain (the "mx"
  part), but all others should fail (the "-all" part).

  Please keep related communication on the list for others' benefit as well.

  Darin.

  - Original Message - 
  From: Computer House Support 
  To: [EMAIL PROTECTED] 
  Sent: Tuesday, June 06, 2006 9:40 PM
  Subject: SPF

  Hi Darin,

  Thanks for your offer to help.  I am E-mailing you off-list.

  We do use Declude.  The entry in our $default$.junkmail file looks like
  this:

  SPFFAIL   WARN
  SPFPASS   WARN
  SPFUNKNOWN  WARN

  However, I have never seen an "SPF Failure" in the header of a spam mail.

  Global.cfg:
  SPFFAIL   spf  fail x 3 0
  SPFPASS   spf  pass x -1 0

  Our SPF Record looks like this:

  computerhouse.com. IN TXT "v=spf1 mx mx:mail.computerhouse.com"
  mail.computerhouse.com. IN TXT "v=spf1 a -all"

  Your insight is appreciated.

  Michael Stein
  Computer House

    - Original Message - 
    From: Darin Cox 
    To: Message Sniffer Community 
    Sent: Tuesday, June 06, 2006 9:30 PM
    Subject: Re: [sniffer]Numeric spam

    What do you use for spam filtering?  Declude has the ability to test
    SPF, for example.

    Also, what is your SPF record for the domain in question?

    Darin.

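An added example (not code from the list, from Declude or from Message Sniffer) that evaluates the record shapes discussed in this thread against a constructed in-memory DNS table, and scores the result the way a Declude-style weight would. It covers the mechanisms that appear above (a, mx with an optional host, ip4, -all and ~all) and shows why Darin advises against a negative SPFPASS weight: a sender who controls a domain passes its own record just as easily. All domains, addresses and records below are constructed.

```python
import ipaddress

# Constructed zone data (documentation address ranges). computerhouse.com
# carries the record Darin recommends; mail.computerhouse.com carries the
# host-level record from Mike's zone; bulk.example stands in for a bulk sender
# that has published a perfectly valid record of its own.
DNS = {
    "computerhouse.com": {"TXT": ["v=spf1 mx -all"], "MX": ["mail.computerhouse.com"]},
    "mail.computerhouse.com": {"TXT": ["v=spf1 a -all"], "A": ["203.0.113.10"]},
    "bulk.example": {"TXT": ["v=spf1 ip4:198.51.100.0/24 -all"]},
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in for a DNS query against the constructed table above."""
    return DNS.get(name.lower().rstrip("."), {}).get(rtype, [])


def host_has_ip(host, ip):
    """True if one of host's A records is exactly the connecting address."""
    return any(ipaddress.ip_address(a) == ip for a in lookup(host, "A"))


def check_host(sender_ip, domain):
    """Evaluate domain's SPF record for a connection from sender_ip.

    Returns pass, fail, softfail, neutral, none or permerror. Terms are read
    left to right and the first matching mechanism decides, so a record that
    never reaches an 'all' term (like Mike's first attempt) ends neutral.
    """
    ip = ipaddress.ip_address(sender_ip)
    spf = [t for t in lookup(domain, "TXT") if t.lower().startswith("v=spf1")]
    if not spf:
        return "none"
    if len(spf) > 1:
        return "permerror"  # exactly one SPF record per domain is allowed
    for term in spf[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech == "all":
            matched = True
        elif mech == "mx":
            matched = any(host_has_ip(mx, ip) for mx in lookup(arg or domain, "MX"))
        elif mech == "a":
            matched = host_has_ip(arg or domain, ip)
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            return "permerror"  # include/redirect/exists are out of scope here
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"


def spf_weight(result, fail_weight=3, pass_weight=0):
    """Declude-style weight contribution for an SPF result.

    The defaults follow the advice in the thread: penalise SPFFAIL, but give
    SPFPASS no credit, because the bulk.example case below passes too.
    """
    return {"fail": fail_weight, "pass": pass_weight}.get(result, 0)
```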

Re: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]A design question - how many DNS based tests?

2006-06-07 Thread Darin Cox
>> This also got me thinking of the flip side, spam reporting.  There's a
>> significant untapped load of spam that sniffer doesn't fail that we filter.
>> I was thinking about creating a filter to copy your spam@ address with
>> messages that get moved to our archive (we archive held spam for 30 days in
>> case we missed an FP) that did not fail Sniffer.  This would be after we
>> have already processed for FPs.

>That would be a bad idea, sorry. After 30 days (heck, after 2) spam is
>usually long-since filtered, or dead. As a result, looking at 30 day
>old spam would have a cost, but little benefit.

You misinterpreted what I was saying.  I was not at all suggesting sending
old spam.  What I was talking about was copying spam@ with spam that does
not fail sniffer _as it comes in_, or _during same day/next day reviews_

>What we do use from time to time are virtual spamtraps. In a virtual
>spamtrap scenario, you can submit spam that reached a very high (very
>low false positive) score but did not fail SNF. Generally this is done
>by copying the message to a pop3 account that can be polled by our
>bots.

That is exactly what I was suggesting.  We'll put it on our list to write a
filter to do so when time permits.  Just trying to help.

Darin.






Re: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]FP suggestions

2006-06-07 Thread Darin Cox
>> Can I interpret this as email address and matching source IP are
>> sufficient if the correct email address is used to submit?

>Yes.

Ok, so the answer to my original suggestion is yes.  Great.

> If not, do you have any suggestions on how you would like to see us
> inserting the license ID in the D file?

>To clarify, nothing should be inserted in the D file. The original
>message should be attached as an RFC 822 attachment is as close to the
>original form as possible.

Uh, but the D file contains mime segments corresponding to attachments.

>The license id, if included at all, should be in the subject line of
>the submission message.

Good.  Subject line is easier and more reliable to parse out.  Not that it's
needed per the original question.

Darin.






Re: [sniffer]Re[2]: [sniffer]FP suggestions

2006-06-07 Thread Darin Cox
Hi Pete,

Can I interpret this as email address and matching source IP are sufficient
if the correct email address is used to submit?

If not, do you have any suggestions on how you would like to see us
inserting the license ID in the D file?

Darin.


- Original Message - 
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: "Message Sniffer Community" 
Sent: Wednesday, June 07, 2006 8:25 AM
Subject: [sniffer]Re[2]: [sniffer]FP suggestions


Hello Darin,

Wednesday, June 7, 2006, 7:31:29 AM, you wrote:

> The one issue with this I have is
>
> 1) Forward full original source to Sniffer with license code.
>
> If we could do it without the license code, it would be much
> easier to automate on our end. I already have a process in place
> to copy and reroute false positives by rewriting the Q file. I'm
> hesitant to alter the message itself to add the license code. If we
> could authenticate the FP report via some other means it would help
> greatly. How about connecting IP instead?

At the moment that is how it's done: a combination of email address
and source IP are matched with the license ID.

The reason we ask for the license ID is because folks submitting false
positives occasionally forget that we authenticate on their registered
email address and use some other address.

-- The rule is that if the system can't match the email address it
should/may drop the message rather than evaluating it. We get a lot of
spam and attempts to game the system at our false@ address... so when
it's heavy we do drop messages that can't be properly identified.

However, in an effort to provide the best service possible, if the
license ID is present and we have the time we will look to see if it
could be a legit FP submission by researching the source and domain -
and if we think it is likely to be legitimate we will process the FP
and respond with an additional code reminding the submitter that they
must use their registered email address or an authorized alias.

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.


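The submission exchange the two messages above describe (attach the untouched original as message/rfc822, put the license ID in the subject, and authenticate on registered address plus connecting IP, with a manual-review path when only the license ID matches), written out in Python as an added example; it is not Message Sniffer's own intake tooling. The "license:<id>" subject token, the LICENSES table, the sample message and every address and IP are this example's constructions.

```python
import email
import email.utils
from email import policy
from email.message import EmailMessage

# Keep header folding exactly as received: refolding on the way out is one of
# the ways a forwarded copy stops matching the rule that caught it.
KEEP_SOURCE = policy.default.clone(refold_source="none")

# Constructed license registry: registered submitter addresses (aliases
# included) and the IPs their reports are expected to arrive from.
LICENSES = {
    "LICENSE-ID-PLACEHOLDER": {
        "addresses": {"postmaster@example.net", "abuse@example.net"},
        "ips": {"192.0.2.10"},
    },
}

# Constructed original message, as it would sit in the D*.SMD file.
RAW_ORIGINAL = (
    b"Received: from mx.example.org (mx.example.org [198.51.100.25])\n"
    b"\tby mail.example.net with ESMTP; Wed, 07 Jun 2006 08:01:12 -0400\n"
    b"From: sender@example.org\n"
    b"To: user@example.net\n"
    b"Subject: Your invoice\n"
    b"Message-ID: <constructed-0001@example.org>\n"
    b"Content-Type: text/plain; charset=us-ascii\n"
    b"\n"
    b"Constructed body of a legitimate message that was wrongly flagged.\n"
)


def build_fp_report(raw_original, registered_addr, license_id, to_addr):
    """Wrap the untouched original in a new message as a message/rfc822 part."""
    original = email.message_from_bytes(raw_original, policy=KEEP_SOURCE)
    report = EmailMessage(policy=KEEP_SOURCE)
    report["From"] = registered_addr
    report["To"] = to_addr
    report["Subject"] = f"False positive report license:{license_id}"
    report.set_content("Original message attached unmodified.")
    report.add_attachment(original)  # the content manager emits message/rfc822
    return report


def extract_original(report_bytes):
    """Return the embedded original as a message object, or None if absent."""
    report = email.message_from_bytes(report_bytes, policy=KEEP_SOURCE)
    for part in report.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None


def license_from_subject(subject):
    """Pull the license ID out of the subject line ("license:<id>" token)."""
    for token in str(subject or "").split():
        if token.startswith("license:"):
            return token[len("license:"):]
    return None


def authenticate_report(report, connecting_ip, licenses=LICENSES):
    """Decide what the false@ intake does with a submission.

    accept  - sender address and connecting IP match a registered license
    review  - no match, but a known license ID is in the subject: queue it for
              a manual look and remind the submitter to use the registered address
    drop    - unauthenticated, or no original attached (the spam/gaming case)
    """
    if extract_original(report.as_bytes()) is None:
        return ("drop", None)
    sender = email.utils.parseaddr(str(report["From"]))[1].lower()
    for lic_id, lic in licenses.items():
        if sender in lic["addresses"] and connecting_ip in lic["ips"]:
            return ("accept", lic_id)
    claimed = license_from_subject(report["Subject"])
    if claimed in licenses:
        return ("review", claimed)
    return ("drop", None)
```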



Re: [sniffer]FP suggestions

2006-06-07 Thread Darin Cox



The one issue with this I have is

1) Forward full original source to Sniffer with license code.

If we could do it without the license code, it would be much easier to
automate on our end.  I already have a process in place to copy and reroute
false positives by rewriting the Q file.  I'm hesitant to alter the message
itself to add the license code.  If we could authenticate the FP report via
some other means it would help greatly.  How about connecting IP instead?

Darin.
 
 
- Original Message - 
From: Matt 
To: Message Sniffer Community 
Sent: Wednesday, June 07, 2006 12:59 AM
Subject: Re: [sniffer]FP suggestions
Pete,Regarding suggestions for easing the 
reporting process, I would recommend the following possible modifications:
1) An E-mail submission tool similar to the one now, but replies 
  would be automated2) Send back links or rather an HTML form with 
  checkboxes in an E-mail auto-response allowing one to block rules.3) Make 
  blocked rules automatic for the submitter, but throw them into a queue for 
  manual review by Sniffer folk in order to determine whether the blocks should 
  become applied to all rulebases.4) Have automatic triggers that lower rule 
  strengths based on users blocking rules regardless of direct Sniffer 
  action.The gist of this is to make it more point and 
click.  The fact that you need full source is cumbersome, so the above 
recommendations seek ways to make the process easier for both the customer and 
for Sniffer while dealing with the need to send the full source.  No direct 
customer interaction would be necessary in most cases, and you would have a 
queue full of items to review and make a determination about that customers have 
preened for you.  To the customer, the process would look like the 
following:
1) Forward full original source to Sniffer with license 
  code.2) Seconds later there would be an automated reply received in HTML 
  format with a check box for every rule failed (or note that no active rules 
  were found), a text box for optional comments, and submit button.3) 
  Customer checks the boxes for the rules he wants to block, adds notes in a 
  text field if they feel like it, and they press submit.  End of 
story.You could also add a Web interface for this if you wanted 
to, but E-mail seems the most appropriate for most.I don't think it 
would be beneficial to rehash a lot of things involving how FP's occur, at least 
on this list.  I know from my system where my customers have single-click 
reprocessing capability, that they miss about 97% of all FP's either because 
they don't bother to do review, or they don't bother to reprocess anything but 
personal E-mail that may get blocked.  I would imagine that Sniffer sees a 
similar rate of customer reported FP's due in part to the difficulty, and in 
part for the same reasons that relate to my own users.The three biggest 
sources of false positives are obscure foreign domains/IP's, rules generated 
from bulk mailings that are too broadly targeted, and things reported to Sniffer 
that are advertising, but not spam.  All three of these things are 
difficult and time consuming to deal with, particularly the last two.  
Here's some stats for Sniffer FP's on my system going back about 15 
months:
SNIFFER-GENERAL         
  283SNIFFER-EXPERIMENTAL    167    * 
  Excluded 79 FP's from bad rule event on 1/17 - 
  1/18/2006SNIFFER-IP          
       
  61SNIFFER-PHISHING 
  52SNIFFER-GETRICH    
    29    * Excluded 115 FP's from 
  bad rule event on 4/18 - 4/19/2006SNIFFER-PHARMACY   
        25SNIFFER-PORN    
           
  24SNIFFER-TRAVEL    
     
  13SNIFFER-INSURANCE         
  7SNIFFER-OBFUSCATION   
  6SNIFFER-DEBT           
     6SNIFFER-MALWARE    
     
  4SNIFFER-AVSOFT         
     3SNIFFER-CASINO       
       2SNIFFER-INK    
     
  1SNIFFER-MEDIA    
   
  1SNIFFER-SPAMWARE          
  0It is quite notable how high the FP's are with 
SNIFFER-GENERAL which is where most bulk-mailers and customer reported spam 
rules are tagged.  This is also what my numbers show even though my 
customers are much less likely to reprocess bulk mail, and of course they only 
reprocess a small fraction of my overall FP's.  This is almost all customer 
reported stuff.  I score SNIFFER-GENERAL at 53% of my Hold weight.  
SNIFFER-IP is another standout.  I only score SNIFFER-IP at 38% of my Hold 
weight and it hits less than 2% of all Sniffer hits, yet it scored comparably 
high so that is worth noting. The FP rate on SNIFFER-IP hasn't really changed 
since you made adjustments.  SNIFFER-EXPERIMENTAL is a top category that 
caught a lot of zombie spam which is important to many systems, but it did seem 
to have a high FP rate.  SNIFFER-PHISHING was worse for me until around 
January or February.  It seemed to have a lot of FP's on security related 
newsletters and chain letters.  I have mixed feelings about those 
things.  Maybe more efforts on wh

Re: [sniffer]SPF

2006-06-06 Thread Darin Cox



What's your hold weight?  If spam is only failing SPF and nothing else, then
the message doesn't get held, so you don't see it.

Also, I do not recommend negative weighting SPFPASS.  Spammers have SPF
records, too, so you're giving them an opportunity to exploit it.

Lastly, I think you may be confused on your SPF records.  They should not
have the "name" portion.  There is only one SPF record per domain.

So, for computerhouse.com, your SPF record should simply be

v=spf1 mx -all

which tells it your MX is allowed to send mail for your domain (the "mx"
part), but all others should fail (the "-all" part).

Please keep related communication on the list for others' benefit as well.

Darin.


- Original Message - 
From: Computer House Support
To: [EMAIL PROTECTED]
Sent: Tuesday, June 06, 2006 9:40 PM
Subject: SPF

Hi Darin,

Thanks for your offer to help.  I am E-mailing you off-list.

We do use Declude.  The entry in our $default$.junkmail file looks like this:

SPFFAIL     WARN
SPFPASS     WARN
SPFUNKNOWN  WARN

However, I have never seen an "SPF Failure" in the header of a spam mail.

Global.cfg:
SPFFAIL   spf  fail x 3 0
SPFPASS   spf  pass x -1 0

Our SPF Record looks like this:

computerhouse.com. IN TXT "v=spf1 mx mx:mail.computerhouse.com"
mail.computerhouse.com. IN TXT "v=spf1 a -all"

Your insight is appreciated.

Michael Stein
Computer House

  - Original Message - 
  From: Darin Cox
  To: Message Sniffer Community
  Sent: Tuesday, June 06, 2006 9:30 PM
  Subject: Re: [sniffer]Numeric spam

  What do you use for spam filtering?  Declude has the ability to test SPF,
  for example.

  Also, what is your SPF record for the domain in question?
  Darin.
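An added example, not code from the thread or from Declude/Message Sniffer: a minimal SPF evaluator run over a constructed DNS table, comparing the records quoted above with the "v=spf1 mx -all" Darin suggests, then a Declude-style weighted score using the SPFFAIL (+3) and SPFPASS (-1) weights from the quoted Global.cfg. The hold weight, the Sniffer test weights and the sender IPs are assumptions made for illustration.

```python
"""Minimal SPF check plus Declude-style weighting for the thread's records.

Added example, not code from the list or from Declude/Message Sniffer.
The DNS table is constructed; the SPFFAIL (+3) and SPFPASS (-1) weights
come from the quoted Global.cfg; the hold weight, the other test weights
and the sender IPs are assumptions. Only the a, mx, ip4 and all
mechanisms are implemented, which is enough for these records.
"""
from ipaddress import ip_address, ip_network

# Constructed DNS view: the domain's MX is mail.computerhouse.com.
DNS = {
    "computerhouse.com": {"MX": ["mail.computerhouse.com"], "A": ["192.0.2.10"]},
    "mail.computerhouse.com": {"A": ["192.0.2.10"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def a_records(name):
    return DNS.get(name, {}).get("A", [])


def check_spf(record, domain, sender_ip):
    """Return the SPF result for sender_ip against the record published at domain."""
    ip = ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip in ip_network(arg, strict=False)
        elif mech == "a":
            matched = any(ip == ip_address(a) for a in a_records(arg or domain))
        elif mech == "mx":
            mx_hosts = DNS.get(arg or domain, {}).get("MX", [])
            matched = any(ip == ip_address(a) for h in mx_hosts for a in a_records(h))
        else:
            return "permerror"  # mechanism not implemented in this mini-evaluator
        if matched:
            return QUALIFIERS[qualifier]
    # No term matched and no trailing 'all': a forged sender is merely neutral,
    # which is why a record without '-all' never produces an SPF failure.
    return "neutral"


# Weights in the style of the quoted global.cfg lines; the hold weight and
# the Sniffer test weights are constructed for this example.
WEIGHTS = {"SPFFAIL": 3, "SPFPASS": -1, "SNIFFER-GENERAL": 8, "SNIFFER-IP": 6}
HOLD_WEIGHT = 14


def spf_test_name(result):
    return {"pass": "SPFPASS", "fail": "SPFFAIL"}.get(result, "SPFUNKNOWN")


def score_message(spf_result, other_tests):
    """Sum the weights of every test hit; the message is held at or above HOLD_WEIGHT."""
    tests = [spf_test_name(spf_result), *other_tests]
    total = sum(WEIGHTS.get(t, 0) for t in tests)
    return total, total >= HOLD_WEIGHT


if __name__ == "__main__":
    forged_ip, legit_ip = "203.0.113.5", "192.0.2.10"   # constructed
    original = "v=spf1 mx mx:mail.computerhouse.com"     # record quoted in the thread
    suggested = "v=spf1 mx -all"                          # Darin's suggestion
    for rec in (original, suggested):
        print(rec, "| forged ->", check_spf(rec, "computerhouse.com", forged_ip),
              "| legit ->", check_spf(rec, "computerhouse.com", legit_ip))
    # An SPF failure on its own (weight 3) never reaches the hold weight...
    print("SPF fail only:", score_message("fail", []))
    # ...while a spammer publishing their own SPF record earns a -1 discount.
    print("spam with SPF pass:", score_message("pass", ["SNIFFER-GENERAL", "SNIFFER-IP"]))
    print("same spam, no SPF:", score_message("none", ["SNIFFER-GENERAL", "SNIFFER-IP"]))
```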

Re: [sniffer]Numeric spam

2006-06-06 Thread Darin Cox



What do you use for spam filtering?  Declude 
has the ability to test SPF, for example.
 
Also, what is your SPF record for the domain in 
question?
Darin.
 
 
- Original Message - 
From: Computer House Support
To: Message Sniffer Community
Sent: Tuesday, June 06, 2006 9:16 PM
Subject: Re: [sniffer]Numeric spam

Hi Darin,

Thanks for your reply.  Sure wish I understood what you're saying

Michael Stein
Computer House

  - Original Message - 
  From: Darin Cox
  To: Message Sniffer Community
  Sent: Tuesday, June 06, 2006 8:10 PM
  Subject: Re: [sniffer]Numeric spam

  They do, but you have to both specify that email for your domains only
  comes from your mail servers AND use a test in your spam filtering that
  checks SPF and pushes fails over your hold limit.
  Darin.

  - Original Message - 
  From: Computer House Support
  To: Message Sniffer Community
  Sent: Tuesday, June 06, 2006 8:07 PM
  Subject: Re: [sniffer]Numeric spam

  I thought that having an SPF record would prevent a spammer from forging
  your domain name, but our SPF record did not seem to help with these odd
  numeric E-mails which appear to be coming from our own domain.

  Does anyone have any info about SPF records and if they really work to
  combat this type of junkmail?

  Michael Stein
  Computer House

    - Original Message - 
    From: Colbeck, Andrew
    To: Message Sniffer Community
    Sent: Tuesday, June 06, 2006 7:37 PM
    Subject: Re: [sniffer]Numeric spam

    Both of which are reasonable, particularly given the recent Blue
    Security debacle that showed that it was possible for the spammers as
    well as the spammees to coordinate their information.  It might be in
    a spammer's best interest to pursue either of your suggestions.

    However, I still think it is more credible to assume that this is a
    case of the spammer being simple-stupid instead of uber-clever.

    Andrew 8)

    From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
    Sent: Tuesday, June 06, 2006 4:26 PM
    To: Message Sniffer Community
    Subject: Re: [sniffer]Numeric spam

    My thought is they are either building a db of valid names or testing
    delivery techniques.

    John T
    eServices For You

    "Seek, and ye shall find!"

    -Original Message-
    From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Steve Guluk
    Sent: Tuesday, June 06, 2006 3:46 PM
    To: Message Sniffer Community
    Subject: Re: [sniffer]Numeric spam

    On Jun 6, 2006, at 7:51 AM, Steve Guluk wrote:

    We're getting the same and today it started hitting a different
    account (Domain).

    What are these things? I thought exploratory, maybe looking for
    replies to build a DB for a later spam wave? They're not malicious in
    content and look like someone's virus working incorrectly. But, I
    doubt they are really so benign.

    Any understand their purpose?

    On Jun 6, 2006, at 6:32 AM, Goran Jovanovic wrote:

    I started seeing these messages Monday (yesterday) morning EDT. The
    from and to are the same (ie you sent it to yourself). I am tagging
    it but there is not enough stuff to push it into DELETE territory.

    So no one has any idea what the purpose of these emails is?
    Random numbers for no apparent reason...?

    Regards,

    Steve Guluk
    SGDesign
    (949) 661-9333
    ICQ: 7230769

Re: [sniffer]Numeric spam

2006-06-06 Thread Darin Cox



They do, but you have to both specify that email 
for your domains only comes from your mail servers AND use a test in your spam 
filtering that checks SPF and pushes fails over your hold limit.
Darin.
 
 
- Original Message - 
From: Computer House Support
To: Message Sniffer Community
Sent: Tuesday, June 06, 2006 8:07 PM
Subject: Re: [sniffer]Numeric spam

I thought that having an SPF record would prevent a spammer from forging
your domain name, but our SPF record did not seem to help with these odd
numeric E-mails which appear to be coming from our own domain.

Does anyone have any info about SPF records and if they really work to
combat this type of junkmail?

Michael Stein
Computer House

  - Original Message - 
  From: Colbeck, Andrew
  To: Message Sniffer Community
  Sent: Tuesday, June 06, 2006 7:37 PM
  Subject: Re: [sniffer]Numeric spam

  Both of which are reasonable, particularly given the recent Blue
  Security debacle that showed that it was possible for the spammers as
  well as the spammees to coordinate their information.  It might be in a
  spammer's best interest to pursue either of your suggestions.

  However, I still think it is more credible to assume that this is a
  case of the spammer being simple-stupid instead of uber-clever.

  Andrew 8)

  From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
  Sent: Tuesday, June 06, 2006 4:26 PM
  To: Message Sniffer Community
  Subject: Re: [sniffer]Numeric spam

  My thought is they are either building a db of valid names or testing
  delivery techniques.

  John T
  eServices For You

  "Seek, and ye shall find!"

  -Original Message-
  From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Steve Guluk
  Sent: Tuesday, June 06, 2006 3:46 PM
  To: Message Sniffer Community
  Subject: Re: [sniffer]Numeric spam

  On Jun 6, 2006, at 7:51 AM, Steve Guluk wrote:

  We're getting the same and today it started hitting a different account
  (Domain).

  What are these things? I thought exploratory, maybe looking for replies
  to build a DB for a later spam wave? They're not malicious in content
  and look like someone's virus working incorrectly. But, I doubt they
  are really so benign.

  Any understand their purpose?

  On Jun 6, 2006, at 6:32 AM, Goran Jovanovic wrote:

  I started seeing these messages Monday (yesterday) morning EDT. The
  from and to are the same (ie you sent it to yourself). I am tagging it
  but there is not enough stuff to push it into DELETE territory.

  So no one has any idea what the purpose of these emails is?
  Random numbers for no apparent reason...?

  Regards,

  Steve Guluk
  SGDesign
  (949) 661-9333
  ICQ: 7230769

Re: [sniffer]Re[2]: [sniffer]A design question - how many DNS based tests?

2006-06-06 Thread Darin Cox
> Can you recommend an alternate process, or changes to the existing
> process that would be an improvement and would continue to achieve
> these goals? We are always looking for ways to improve.

I've been thinking about this recently.  I'm mostly concerned with FPs for
the best tests, like Sniffer, so I was thinking about grouping held messages
by highest weight test that they failed something I'm considering for
the spam queue review app I'm working on in "spare" time.  I do have a
framework in place in the app to assign a keystroke to an action, like
copying the message, altering the copy to send to your false@ address, and
releasing back for delivery.  That makes FP processing on my end much
easier, with one keystroke doing everything we need.

This also got me thinking of the flip side, spam reporting.  There's a
significant untapped load of spam that sniffer doesn't fail that we filter.
I was thinking about creating a filter to copy your spam@ address with
messages that get moved to our archive (we archive held spam for 30 days in
case we missed an FP) that did not fail Sniffer.  This would be after we
have already processed for FPs.

Thoughts?

Darin.


- Original Message - 
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: "Message Sniffer Community" 
Sent: Tuesday, June 06, 2006 7:29 PM
Subject: [sniffer]Re[2]: [sniffer]A design question - how many DNS based
tests?


Hello Matt,

Tuesday, June 6, 2006, 12:37:56 PM, you wrote:



> appropriately and tend to hit less often, but the FP issues with
> Sniffer have grown due to cross checking automated rules with other
> lists that I use, causing two hits on a single piece of data.  For
> instance, if SURBL has an FP on a domain, it is possible that
> Sniffer will pick that up too based on an automated cross reference,
> and it doesn't take but one additional minor test to push something
> into Hold on my system.

Please note. It has been quite some time now that the cross-reference
style rule-bots have been removed from our system. In fact, at the
present time we have no automated systems that add new domain rules.

Another observation I might point out is that many RBLs will register
a hit on the same IP - weighting systems using RBLs actually depend on
this. An IP rule hit in SNF should be treated similarly to other RBL
type tests. This is one of the reasons that we code IP rules to group
63 - so that they are "trumped" by a rule hit in any other group and
therefore are easily isolated from the other rules.



> handling false positive reports with Sniffer is cumbersome for both
> me and Sniffer.

The current process has a number of important goals:

* Capture as much information as possible about any false positive so
that we can improve our rule coding processes.

* Preserve the relationship with the customer and ensure that each
case reaches a well-informed conclusion with the customer's full
knowledge.

* Protect the integrity of the rulebase.

This link provides a good description of our false positive handling
process:

http://kb.armresearch.com/index.php?title=Message_Sniffer.FAQ.FalsePositives

Can you recommend an alternate process, or changes to the existing
process that would be an improvement and would continue to achieve
these goals? We are always looking for ways to improve.

> I would hope that any changes
> seek to increase accuracy above all else.  Sniffer does a very good
> job of keeping up with spam, and its main issues with leakage are
> caused by not being real-time, but that's ok with me.  At the same
> time Sniffer is the test most often a part of false positives, being
> a contributing factor in about half of them.

Log data shows that SNF tags on average more than 74% of all email
traffic and a significantly higher percentage of spam typically.

It would seem that it is likely that SNF would also represent highly
in the percentage of false positives (relative to other tests with
lower capture rates) for any given system since it is represented
highly in email traffic as a whole.

You've also indicated that you weight SNF differently than your other
tests - presumably giving it more weight (this is frequently the case
on many systems).

How much do you feel these factors contribute to your findings?

> About 3/4 of all FP's (things that are blocked by my system) are
> some form of automated or bulk E-mail.  That's not to say that other
> tests are more accurate; they are just scored more appropriately and
> tend to hit less often, but the FP issues with Sniffer have grown
> due to cross checking automated rules with other lists that I use,
> causing two hits on a single piece of data,

W/regard "causing two hits on a single piece of data": SNF employs a
wide variety of techniques to classify messages so it is likely that a
match in SNF will coincide with a match in some other tests. In fact,
as I pointed out earlier, filtering systems that apply weights to
tests depend on this very fact to some extent.

What mak

Re: Re[2]: [sniffer] Lot of Drugs Spam getting through sniffer....

2006-05-05 Thread Darin Cox
I thought it had been a bit quiet of late.

Appreciate the efforts, Pete.

Darin.


- Original Message - 
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: "Darin Cox" 
Sent: Friday, May 05, 2006 11:32 AM
Subject: Re[2]: [sniffer] Lot of Drugs Spam getting through sniffer


On Friday, May 5, 2006, 11:02:00 AM, Darin wrote:

DC> Not just drugs, but some others too have been slipping through the past
DC> couple of days.  We've reported a little under 40 in the past couple of
DC> days.

We saw a bit of a lull, then a rash of new campaigns bunched together
with some new obfuscation techniques. We're getting a handle on it
now. Looks like the burst started about 30 hours ago and is tailing
off now.

Attached image - new arrival rates last 2 days.




This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html


Re: [sniffer] Lot of Drugs Spam getting through sniffer....

2006-05-05 Thread Darin Cox
Not just drugs, but some others too have been slipping through the past
couple of days.  We've reported a little under 40 in the past couple of
days.

Darin.


- Original Message - 
From: "Kevin Stanford" <[EMAIL PROTECTED]>
To: 
Sent: Friday, May 05, 2006 10:49 AM
Subject: RE: [sniffer] Lot of Drugs Spam getting through sniffer


I have been getting them here also and have forwarded some to
[EMAIL PROTECTED]

I guess to get past the filters the spammers misspell key words throughout
the email with new web links. It is misspelled so badly that I cannot really
make sense of it. Are there actual people out there that would buy this
stuff from a spam email like that?



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Daniel Bayerdorffer
Sent: Friday, May 05, 2006 9:38 AM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] Lot of Drugs Spam getting through sniffer

Here too.

--
Daniel Bayerdorffer  [EMAIL PROTECTED] Numberall Stamp & Tool Co., Inc.
PO Box 187 Sangerville, ME 04479 USA
TEL 207-876-3541  FAX 207-876-3566
www.numberall.com



> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Schick
> Sent: Friday, May 05, 2006 10:34 AM
> To: sniffer@sortmonster.com
> Subject: [sniffer] Lot of Drugs Spam getting through sniffer
>
> The last few days tons of Drugs spam is coming in and sniffer is
> catching none of it.
>
> Chuck Schick
> Warp 8, Inc.
> (303)-421-5140
> www.warp8.com
>
>
>




Re: Re[2]: [sniffer] False positive processing

2006-03-21 Thread Darin Cox
Right.  15 from today.  Let me know what you find out.  The ones from the
10th were replies to FP processing to investigate further and apply white
rules.  The others were normal FP reports.

Thanks,

Darin.


- Original Message - 
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: "Darin Cox" 
Sent: Tuesday, March 21, 2006 11:52 AM
Subject: Re[2]: [sniffer] False positive processing


On Tuesday, March 21, 2006, 11:37:30 AM, Darin wrote:

DC> Nope.  None of them.

DC> I haven't heard back from the replies to a couple of false positives on the
DC> 10th, and we haven't heard anything from our submissions on the 16th (6) and
DC> 17th (2).  I don't remember if we've heard anything from those on the 15th
DC> (4).

Right now I'm preparing to process FPs. I have a total of 24. 15 from
you. I don't show any others pending. When I'm done I'll go back and
look at the 10th, 16th, and 17th to see if I received and responded.

_M




Re: [sniffer] False positive processing

2006-03-21 Thread Darin Cox
Nope.  None of them.

I haven't heard back from the replies to a couple of false positives on the
10th, and we haven't heard anything from our submissions on the 16th (6) and
17th (2).  I don't remember if we've heard anything from those on the 15th
(4).

Darin.


- Original Message - 
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: "Darin Cox" 
Sent: Tuesday, March 21, 2006 11:21 AM
Subject: Re: [sniffer] False positive processing


On Tuesday, March 21, 2006, 9:38:46 AM, Darin wrote:

DC> Hi Pete,
DC>
DC> Are you getting behind on false positive processing? We have
DC> gotten a response in a few days, and are still forwarding false
DC> positives for an FP report that we asked for a white rule on the 10th.

I'm not behind.

Did the message get tagged on its way out of your system?

Thanks,

_M




[sniffer] False positive processing

2006-03-21 Thread Darin Cox



Hi Pete,
 
Are you getting behind on false positive processing?  We have gotten a
response in a few days, and are still forwarding false positives for an FP
report that we asked for a white rule on the 10th.

Appreciate you looking into it.

Darin.
 
 


Re: Re[2]: [sniffer] New RuleBot F002 Online

2006-03-13 Thread Darin Cox
Hi Pete,

Don't worry about customizing our local rulebase for this.  Just take this
as a simple suggestion for future segregation to make it easy for new
rulesets to be addressed differently in weighting schemes.

Thanks for all of your efforts!

Darin.


- Original Message - 
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: "Darin Cox" 
Sent: Monday, March 13, 2006 10:23 AM
Subject: Re[2]: [sniffer] New RuleBot F002 Online


On Friday, March 10, 2006, 3:41:00 PM, Darin wrote:

DC> Totally agree.  I'd like to see some separation between rules created by
DC> newer rulebots and preexisting rules.  That way if there becomes an issue
DC> with a bot, we can turn off one group quickly and easily.

There is no way to do this without completely reorganizing the result
codes or defeating the competitive ranking mechanisms.

If you feel strongly about it I can move these rule groups to lower
numbers on your local rulebase or make some other numbering scheme -
but I don't recommend it. Moving these rule groups to lower numbers
would cause them to win competitions with other rules where they would
normally not win.

At some point in the future we might renumber the rule groups again,
but I like to avoid this since there are so many folks that just don't
get the message (no matter what we do to publish it) when we make
changes like this and so any large scale changes tend to cause
confusion for very long periods.

For example: I still, on occasion, have questions about the
gray-hosting group which has not existed for quite a long time.

So far there has not been one FP reported on bot F002 and extremely
few on F001 - the vast majority of those associated with the very
first group of listings prior to the last two upgrades for the bot.

_M




Re: [sniffer] New RuleBot F002 Online

2006-03-10 Thread Darin Cox
Totally agree.  I'd like to see some separation between rules created by
newer rulebots and preexisting rules.  That way if there becomes an issue
with a bot, we can turn off one group quickly and easily.

Darin.


- Original Message - 
From: "Matt" <[EMAIL PROTECTED]>
To: 
Sent: Friday, March 10, 2006 3:37 PM
Subject: Re: [sniffer] New RuleBot F002 Online


Pete,

In light of current and prolonged issues, this seems like a good and
safe tactic.  I would appreciate it however if maybe you could place the
rules in another result code since this result code is not as accurate
as some others are and some of us weight it lower than others.

Thanks,

Matt



Pete McNeil wrote:

>Hello Sniffer Folks,
>
>  Rulebot F002 has been placed online.
>
>  This rulebot captures and creates geocities web links from the
>  "chatty" campaigns. This is largely a time saver for us humans... we
>  will focus our attention more on abstracts for these campaigns now
>  that F002 will be capturing the raw links.
>
>  Rules from F002 will produce a 60 result code (Ungrouped).
>
>  The engine is following a standard protocol that we have used for
>  months. I expect no false positives from this one.
>
>Thanks,
>_M
>
>Pete McNeil (Madscientist)
>President, MicroNeil Research Corporation
>Chief SortMonster (www.sortmonster.com)
>Chief Scientist (www.armresearch.com)
>
>



Re: [sniffer] F001 Rule Bot Change

2006-03-09 Thread Darin Cox
Good job, Pete.  Through these changes we saw a minimal increase in false
positives on one day, and detection seems to have improved as well.

Darin.


- Original Message - 
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: 
Sent: Thursday, March 09, 2006 3:08 AM
Subject: [sniffer] F001 Rule Bot Change


Hello Sniffer Folks,

  The F001 Rule Bot has been adjusted. The number of repeat offenses
  required for an IP to be listed has been increased. It's important
  to note also: Messages that are filtered out by other rules are
  excluded from this evaluation. Consequently, for an IP to be added
  to the F001 bot rules it must not only be seen quite a few times,
  but it must also be generating messages that are not filtered using
  other active rules.

  As part of this adjustment we removed approximately 2 IP rules
  that had shown either weak or no activity since they were created.
  This may cause rulebase file sizes to change noticeably.

Thanks,
_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)
Chief Scientist (www.armresearch.com)



Re: Re[2]: [sniffer] New Rulebot F001

2006-03-06 Thread Darin Cox
Thanks, Pete.

Darin.


- Original Message - 
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: "Darin Cox" 
Sent: Monday, March 06, 2006 6:17 PM
Subject: Re[2]: [sniffer] New Rulebot F001


On Monday, March 6, 2006, 3:42:50 PM, Darin wrote:

DC> We just reviewed this morning's logs and had a few false positives.  Not
DC> sure if these are due to the new rulebot, but it's more than we've had for
DC> the entire day for the past month.

DC> Rules
DC> --
DC> 873261
DC> 866398
DC> 856734
DC> 284831
DC> 865663

Three of these are from F001 and have been removed.

865663 - http://www.dnsstuff.com/tools/ip4r.ch?ip=64.233.166.182
 http://www.dnsstuff.com/tools/ptr.ch?ip=64.233.166.182

856734 - http://www.dnsstuff.com/tools/ip4r.ch?ip=64.249.82.200
 http://www.dnsstuff.com/tools/ptr.ch?ip=64.249.82.200

873261 - http://www.dnsstuff.com/tools/ip4r.ch?ip=207.217.120.227
 http://www.dnsstuff.com/tools/ptr.ch?ip=207.217.120.227


I haven't yet processed the fps, only looked up the rules.

There are currently 32820 rules authored by the F001 bot.

Hope this helps,

_M






Re: [sniffer] New Rulebot F001

2006-03-06 Thread Darin Cox
We just reviewed this morning's logs and had a few false positives.  Not
sure if these are due to the new rulebot, but it's more than we've had for
the entire day for the past month.

Rules
--
873261
866398
856734
284831
865663

Darin.


- Original Message - 
From: "Jay Sudowski - Handy Networks LLC" <[EMAIL PROTECTED]>
To: 
Sent: Monday, March 06, 2006 3:13 PM
Subject: RE: [sniffer] New Rulebot F001


There's been at least one FP ;)

--
Rule            861038
Name            F001 for Message 2888327: [216.239.56.131]
Created         2006-03-02
Source          216.239.56.131
Hidden          false
Blocked         false
Origin          Automated-SpamTrap
Type            ReceivedIP
Created By      [EMAIL PROTECTED]
Owner           [EMAIL PROTECTED]
Strength        2.08287379496965
False Reports   0
From Users      0
[FPR:B]

The rule is below threshold, and/or badly or broadly coded so it will be
removed from the core rulebase.


My concern with automated IP rule coding is that we use Sniffer because
it's extremely accurate.  Coding rules linked to IPs, particularly IPs
that are used by google or any large ISP to send large amounts of
(mostly legitimate) email is contrary to what Sniffer is great at, which
is tagging spam that no one else is.

Is response code 63 going to be utilized for any other purposes?  If
not, I will let Declude know to weight these responses lower than normal
Sniffer.

- Jay
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Monday, March 06, 2006 3:00 PM
To: sniffer@sortmonster.com
Subject: [sniffer] New Rulebot F001

Hello Sniffer folks,

  The first of the new rulebots is coming online.

  Rulebot F001 creates IP rules for sources that consistently fail
  many tests while also reaching the cleanest of our spamtraps.

  The rules will appear in group 63.

  The bot is playing catchup a bit (since there have been few IP rules
  at all since we disabled the old bots).

  The algorithms used in this bot have been tested manually for 2
  weeks with no false positives.

  Expect an increase in your rulebase size while F001 catches up with
  current spamtrap data.

Thanks,

_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)
Chief Scientist (www.armresearch.com)


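The F001 listing criteria Pete describes in this announcement and in the "F001 Rule Bot Change" post above (an IP is listed only after repeated offenses above a threshold, and messages already filtered by other active rules do not count), as an added Python example that is not ARM Research or SortMonster code; the record format, thresholds and sample IPs are constructed for illustration.

```python
"""Rulebot-style IP listing over constructed spamtrap records.

Added example, not ARM Research / SortMonster code. It mirrors the F001
criteria as described on the list: a source IP is listed only once it has
been seen at least min_repeats times failing many tests while reaching
the cleanest spamtraps, and messages already caught by another active
rule do not count toward that total. The record layout, the thresholds
and the IPs below are assumptions made for this example.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class TrapHit:
    source_ip: str
    tests_failed: int       # independent tests the trapped message failed
    trap_tier: int          # 0 = cleanest spamtrap, higher = noisier trap
    other_rule_hit: bool    # already filtered by another active rule


def eligible(hit, min_tests_failed=4, max_trap_tier=0):
    """A hit counts toward listing only if no other rule already filtered it,
    it failed enough tests, and it reached a clean-enough trap."""
    return (not hit.other_rule_hit
            and hit.tests_failed >= min_tests_failed
            and hit.trap_tier <= max_trap_tier)


def repeat_offenders(hits, min_repeats, **criteria):
    """Return {ip: eligible_hit_count} for IPs at or above min_repeats."""
    counts = Counter(h.source_ip for h in hits if eligible(h, **criteria))
    return {ip: n for ip, n in counts.items() if n >= min_repeats}


def make_rule(ip, group=63):
    """Render a group-63 ReceivedIP rule record in the style of the FP reply
    quoted in the thread (constructed; no real rule IDs)."""
    return {"Group": group, "Type": "ReceivedIP", "Source": ip,
            "Origin": "Automated-SpamTrap"}


# Constructed sample: 198.51.100.7 is a persistent offender; 192.0.2.25 is a
# shared outbound relay, half of whose trap hits other rules already catch.
SAMPLE = [
    TrapHit("198.51.100.7", 6, 0, False),
    TrapHit("198.51.100.7", 5, 0, False),
    TrapHit("198.51.100.7", 7, 0, False),
    TrapHit("198.51.100.7", 4, 0, True),   # already filtered, not counted
    TrapHit("192.0.2.25",   5, 0, True),   # caught by a content rule
    TrapHit("192.0.2.25",   5, 0, True),
    TrapHit("192.0.2.25",   6, 0, False),
    TrapHit("192.0.2.25",   4, 0, False),
    TrapHit("203.0.113.9",  2, 1, False),  # noisy trap, few tests: ignored
]

if __name__ == "__main__":
    # Raising the repeat threshold (as the adjustment did) drops the shared
    # relay while keeping the persistent offender listed.
    for min_repeats in (2, 3):
        listed = repeat_offenders(SAMPLE, min_repeats)
        print(f"min_repeats={min_repeats}: {listed}")
        for ip in listed:
            print("  ", make_rule(ip))
```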
