[sniffer] assert! ?
What's the status of Assert!? I see this mentioned in your Wiki in August of 05, but it's coming soon on your web site?

Thanks!
- Jay Sudowski // Handy Networks LLC
Director of Technical Services
Providing Premium Reseller, Dedicated and Colocation Hosting Solutions
Tel: 303-414-6902 | Fax: 303-414-6912
www.handynetworks.com

# This message is sent to you because you are subscribed to the mailing list sniffer@sortmonster.com.
To unsubscribe, E-mail to: [EMAIL PROTECTED]
To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED]
To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]
Send administrative queries to [EMAIL PROTECTED]
[sniffer] Re: Integration with Mailenable
Hi Phil -

Good question. We integrate Sniffer into SmarterMail via Declude. However, SmarterMail does have the capability to run a program against a message before it is delivered. We have some customers that use a batch file to call f-prot and get virus scanning integrated into their mail server on the cheap. I believe it would likely be possible to make use of the same functionality to call Sniffer directly, and thus avoid having to purchase Declude. I have just never had a need to attempt this.

As for domain keys, I don't believe so. However, you can set up SPF for your domains simply by adding the appropriate DNS records to said domains' zone files.

-Jay

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Phillip Cohen
Sent: Friday, March 16, 2007 12:01 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Integration with Mailenable

Jay,

Thanks for the heads up on Mailenable. I took a look at SmarterMail and it looks pretty good. How does it interface with Message Sniffer or does it require an external gateway such as EWall? How has support been with it and how have they been as far as updates. Also does it have domain keys capability and SPF support for sending mail to yahoo.com etc...

Thanks,
Phil

At 07:26 PM 3/15/2007, you wrote:

Stay Away From MailEnable. There are so many exploits out there for MailEnable, and there are more exploits found monthly, if not weekly. At one particular interval, MailEnable had to re-release the same patch several times in the *same* week because it kept on not actually fixing the root of the issue. If you run MailEnable, odds are that you will end up exploited, even if you stay on top of the patches.

On top of that, MailEnable is just simply a CPU and IO hog, much more so than any other mail server I have ever seen. By default, they use entirely text-based configuration files, which on occasion get truncated to zero during periods of high activity on the server.

In the past year, we have assisted our customers move 20,000+ mailboxes away from MailEnable, mostly all to SmarterMail. Do not waste your time and money with MailEnable.

-Jay

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Phillip Cohen
Sent: Thursday, March 15, 2007 12:22 PM
To: Message Sniffer Community
Subject: [sniffer] Integration with Mailenable

We are finally going to replace our old Vopmail server. Looking at Mailenable Enterprise. Will Sortmonster work with that program? Is anyone using Mailenable? If so how is it and if it works with Sortmonster how did you use them together.

Thanks,
Phil
[sniffer] Re: Integration with Mailenable
Re: domain keys: I was looking at that in some older forum posts, and from what I could tell it only did inbound authentication, not outbound signing. But apparently it does DK both ways now. Sorry!

I like SmarterMail, but as Matt says it's not perfect. Their support is definitely lacking, even though it's totally paid now, and they have a very rapid development cycle (which is not a bad thing), but they really like to stick it to folks who bought an old version just prior to the release of a new version by making them pay full upgrade price. Not very customer friendly. The CEO seems to be totally missing that point and interacts with customers in public forums using a very arrogant tone. OTOH, they allow service providers to hand out free 50 domain / 250 user licenses to any of their customers, in the hopes that the customer will need to upgrade to a larger edition. This is good for the service provider and very good for folks who fit into the free license size.

And yes, ME really is a dog - poor performance, poor code, poor overall implementation

-Jay

From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Saturday, March 17, 2007 3:06 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Integration with Mailenable

There is in fact a Domain Keys plug-in for SmarterMail listed on their downloads page: http://www.smartertools.com/Products/SmarterMail/DL/v4.aspx

Personally I'm not a fan of any present sender identification implementation. Both SPF and Domain Keys are primarily associated with spam by volume, and SPF can cause one's customers issues when they do things like use alternative SMTP servers or find themselves behind an SMTP proxy at a hotel or T-Mobile HotSpot...but I digress.

I think that both IMail and SmarterMail are decent products, but neither one of them is perfect. SmarterMail certainly has a lower cost of entry. I would trust Jay's experience with MailEnable considering his extensive experience.

Matt

Jay Sudowski - Handy Networks LLC wrote:

Hi Phil -

Good question. We integrate Sniffer into SmarterMail via Declude. However, SmarterMail does have the capability to run a program against a message before it is delivered. We have some customers that use a batch file to call f-prot and get virus scanning integrated into their mail server on the cheap. I believe it would likely be possible to make use of the same functionality to call Sniffer directly, and thus avoid having to purchase Declude. I have just never had a need to attempt this.

As for domain keys, I don't believe so. However, you can set up SPF for your domains simply by adding the appropriate DNS records to said domains' zone files.

-Jay

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Phillip Cohen
Sent: Friday, March 16, 2007 12:01 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Integration with Mailenable

Jay,

Thanks for the heads up on Mailenable. I took a look at SmarterMail and it looks pretty good. How does it interface with Message Sniffer or does it require an external gateway such as EWall? How has support been with it and how have they been as far as updates. Also does it have domain keys capability and SPF support for sending mail to yahoo.com etc...

Thanks,
Phil

At 07:26 PM 3/15/2007, you wrote:

Stay Away From MailEnable. There are so many exploits out there for MailEnable, and there are more exploits found monthly, if not weekly. At one particular interval, MailEnable had to re-release the same patch several times in the *same* week because it kept on not actually fixing the root of the issue. If you run MailEnable, odds are that you will end up exploited, even if you stay on top of the patches.

On top of that, MailEnable is just simply a CPU and IO hog, much more so than any other mail server I have ever seen. By default, they use entirely text-based configuration files, which on occasion get truncated to zero during periods of high activity on the server.

In the past year, we have assisted our customers move 20,000+ mailboxes away from MailEnable, mostly all to SmarterMail. Do not waste your time and money with MailEnable.

-Jay

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Phillip Cohen
Sent: Thursday, March 15, 2007 12:22 PM
To: Message Sniffer Community
Subject: [sniffer] Integration with Mailenable

We are finally going to replace our old Vopmail server. Looking at Mailenable Enterprise. Will Sortmonster work with that program
[sniffer] Re: Integration with Mailenable
Stay Away From MailEnable. There are so many exploits out there for MailEnable, and there are more exploits found monthly, if not weekly. At one particular interval, MailEnable had to re-release the same patch several times in the *same* week because it kept on not actually fixing the root of the issue. If you run MailEnable, odds are that you will end up exploited, even if you stay on top of the patches.

On top of that, MailEnable is just simply a CPU and IO hog, much more so than any other mail server I have ever seen. By default, they use entirely text-based configuration files, which on occasion get truncated to zero during periods of high activity on the server.

In the past year, we have assisted our customers move 20,000+ mailboxes away from MailEnable, mostly all to SmarterMail. Do not waste your time and money with MailEnable.

-Jay

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Phillip Cohen
Sent: Thursday, March 15, 2007 12:22 PM
To: Message Sniffer Community
Subject: [sniffer] Integration with Mailenable

We are finally going to replace our old Vopmail server. Looking at Mailenable Enterprise. Will Sortmonster work with that program? Is anyone using Mailenable? If so how is it and if it works with Sortmonster how did you use them together.

Thanks,
Phil
[sniffer] Re: Sniffer as passthrough filter
Just to add: whatever you do in regards to this, make sure that you do recipient address validation at your gateway. If you do not, your mail server will relay all messages for the gateway'd domain to the destination server, which has the effective impact of enabling a catch-all account on a domain and then forwarding all the mail to a remote system.

-Jay

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of John T (lists)
Sent: Thursday, March 08, 2007 11:44 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Sniffer as passthrough filter

Yes, it is called email gateway service and many of us do that and it is fairly straightforward to set up but there are a number of steps.

John T

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of K Mitchell
Sent: Thursday, March 08, 2007 6:16 PM
To: Message Sniffer Community
Subject: [sniffer] Sniffer as passthrough filter

I've been running Message Sniffer here with IMail and mxGuard for a number of the domains we service. I have another customer that runs their own Exchange server, and wishes to continue doing so, but inquired as to the possibility of us doing pass-through filtering for them. Is this possible with the setup I have?

Thanks,
--
Kirk Mitchell-General Manager [EMAIL PROTECTED]
Keystone Connect
Unlock Your World
Altoona, PA 814-941-5000
http://www.keyconn.net
[sniffer] Re: Uploading problems
You will very likely need to use passive mode then, as TCP Port filtering works very much the same way as a firewall, at least as it applies to FTP.

-Jay

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of K Mitchell
Sent: Thursday, December 07, 2006 11:29 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Uploading problems

At 10:22 PM 12/7/2006 -0500, Pete McNeil wrote:

Hello K,

At this point it just hangs, no transfer occurring. In the event that it might be transferring but not displaying the hash marks, I left it sit for over 30 minutes (10mb logfile)...nothing. I'm not sure what else to try.

What you've described usually goes along with a firewall problem. Firewalls and FTP are always a challenge. What seems to be happening is that the command channel is working fine, but when it's time to set up the data channel that fails- and so you don't get any data.

There is no firewall. I have TCP port filtering set up on the machine, but both 20 and 21 are open.

--
Kirk Mitchell-General Manager [EMAIL PROTECTED]
Keystone Connect
Unlock Your World
Altoona, PA 814-941-5000
http://www.keyconn.net
[sniffer] Re: Experimental Abstract
I was setting a lower weight on the experimental/abstract result codes due to inconsistent results in the past. However, after a review of customer spam that was still getting through, I increased the weighting on those codes to equal our hold weight. Customer is much happier now.

-Jay

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Monday, October 09, 2006 6:15 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Experimental Abstract

Hello Alberto,

In earlier times we had a philosophy that no single test should trap a message. The idea was that by combining tests the accuracy of the filter system would always (qualified) be improved.

The blackhats have become extremely aggressive about burning IPs and generating image spam and/or other abstracted, short lived, and narrowly targeted campaigns. As a result of these changes, it is often the case that our abstract rules are the only thing that will fire on a message.

The bad news is that holding on any single test will probably lead to more false positives. The good news is that SNF:Experimental/Abstract has a very low false positive rate.

It may be time to alter our philosophy w/ regard to the experimental/abstract rules group and recommend that wherever practical, messages should probably be held (not deleted) based on a hit in this rule group.

Hope this helps,
_M

Monday, October 9, 2006, 5:59:44 PM, you wrote:

Hello

I'm getting storms of spam and Sniffer sets them as (Experimental Abstract)

Can someone explain how have I to treat them?

Many thanks in advance
Alberto

--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.
Re: [sniffer]Possible Paypal Phishing
The owner of a domain need not authorize a reverse DNS PTR record in any way, shape or form. If the netblock was owned, or the netblock owner had delegated rDNS to a malicious customer, they could easily set rDNS to whatever they wanted. Aol.com, paypal.com, ebay.com, chase.com ...

-Jay

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Wednesday, May 24, 2006 12:38 PM
To: Message Sniffer Community
Subject: Re: [sniffer]Possible Paypal Phishing

It's really from PostDirect.com aka YesMail.com ...

You can tell that it's authorized because the reverse DNS which ends in PayPal.com (ok, that does set off alarm bells when it's someone else's netblock) matches the forward lookup of the resulting address at PayPal. Therefore, PayPal is deliberately allowing that reverse IP in someone else's netblock.

That, or both the netblock and PayPal's DNS have been p0wned.

Andrew 8)

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Wednesday, May 24, 2006 9:31 AM
To: Message Sniffer Community
Subject: [sniffer]Possible Paypal Phishing

Attached are the headers to an e-mail I am suspecting as a clever phishing that has me worried. It looks like a legit message sent on behalf of Paypal, however, it is sent from an IP address not owned by Paypal BUT which has a REVDNS that ends in paypal.com. The message is full of links to images.postdirect.com but does have legit links to paypal.com.

John T
eServices For You
Seek, and ye shall find!
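The two positions in this thread can be checked mechanically; the following is an added example, not part of the original messages. It treats a PTR name as a claim and trusts it only when a forward lookup of that name returns the connecting IP, and it matches the domain on label boundaries rather than with a plain "ends in" test. The addresses, the `brand.example` names and all function names are constructed for illustration.

```python
import ipaddress
import socket

# Constructed DNS data: documentation address ranges and reserved .example names.
PTR = {
    "203.0.113.10": ["mail.brand.example"],     # PTR set by the netblock owner only
    "203.0.113.20": ["esp1.brand.example"],     # brand's own zone points back at the IP
    "203.0.113.30": ["mail.notbrand.example"],  # merely "ends in" brand.example
}
A = {
    "mail.brand.example": ["198.51.100.5"],
    "esp1.brand.example": ["203.0.113.20"],
    "mail.notbrand.example": ["203.0.113.30"],
}


def sample_ptr(ip):
    """Offline PTR lookup over the constructed data."""
    return PTR.get(ip, [])


def sample_addr(name):
    """Offline forward lookup over the constructed data."""
    return A.get(name, [])


def system_ptr(ip):
    """Live PTR lookup through the system resolver."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [name, *aliases]


def system_addr(name):
    """Live forward lookup (A and AAAA) through the system resolver."""
    try:
        infos = socket.getaddrinfo(name, None)
    except OSError:
        return []
    return sorted({info[4][0] for info in infos})


def in_domain(hostname, domain):
    """True if hostname is domain or a subdomain of it, compared label-wise."""
    host = hostname.rstrip(".").lower()
    dom = domain.rstrip(".").lower()
    return host == dom or host.endswith("." + dom)


def resolves_to(name, ip_obj, addr_lookup):
    """True if a forward lookup of name includes the connecting address."""
    for addr in addr_lookup(name):
        try:
            if ipaddress.ip_address(addr) == ip_obj:
                return True
        except ValueError:
            continue  # skip answers that are not plain IP literals
    return False


def check_sender(ip, claimed_domain, ptr_lookup=system_ptr, addr_lookup=system_addr):
    """Classify how far the reverse DNS of ip supports a claimed_domain origin.

    no-ptr           the address has no PTR record
    other-domain     PTR names exist but none is inside claimed_domain
    ptr-unconfirmed  PTR says claimed_domain, forward lookup does not point back
    confirmed        PTR says claimed_domain and its zone points back at ip
    """
    ip_obj = ipaddress.ip_address(ip)
    names = ptr_lookup(ip)
    if not names:
        return "no-ptr"
    claimed = [n for n in names if in_domain(n, claimed_domain)]
    if not claimed:
        return "other-domain"
    if any(resolves_to(n, ip_obj, addr_lookup) for n in claimed):
        return "confirmed"
    return "ptr-unconfirmed"


if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.20", "203.0.113.30", "203.0.113.99"):
        print(ip, check_sender(ip, "brand.example", sample_ptr, sample_addr))
```

Only the `confirmed` result involves a record that the holder of the claimed domain's DNS had to publish; `ptr-unconfirmed` is the case where whoever controls the netblock's reverse zone chose the name.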
RE: [sniffer] New Rulebot F001
There's been at least one FP ;)

--
Rule - 861038
Name F001 for Message 2888327: [216.239.56.131]
Created 2006-03-02
Source 216.239.56.131
Hidden false
Blocked false
Origin Automated-SpamTrap
Type ReceivedIP
Created By [EMAIL PROTECTED]
Owner [EMAIL PROTECTED]
Strength 2.08287379496965
False Reports 0
From Users 0

[FPR:B] The rule is below threshold, and/or badly or broadly coded so it will be removed from the core rulebase.

My concern with automated IP rule coding is that we use Sniffer because it's extremely accurate. Coding rules linked to IPs, particularly IPs that are used by google or any large ISP to send large amounts of (mostly legitimate) email is contrary to what Sniffer is great at, which is tagging spam that no one else is.

Is response code 63 going to be utilized for any other purposes? If not, I will let Declude know to weight these responses lower than normal Sniffer.

- Jay

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Monday, March 06, 2006 3:00 PM
To: sniffer@sortmonster.com
Subject: [sniffer] New Rulebot F001

Hello Sniffer folks,

The first of the new rulebots is coming online. Rulebot F001 creates IP rules for sources that consistently fail many tests while also reaching the cleanest of our spamtraps. The rules will appear in group 63.

The bot is playing catchup a bit (since there have been few IP rules at all since we disabled the old bots).

The algorithms used in this bot have been tested manually for 2 weeks with no false positives.

Expect an increase in your rulebase size while F001 catches up with current spamtrap data.

Thanks,
_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)
Chief Scientist (www.armresearch.com)

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
RE: [sniffer] False Positives
Search your sniffer logs and include the log lines for that particular message.

-Jay

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Rogers
Sent: Wednesday, February 15, 2006 3:55 PM
To: sniffer@SortMonster.com
Subject: [sniffer] False Positives

My users have been getting a lot of FPs by Sniffer lately. They send me the email with the FULL HEADERS displayed and I forward this email on to SortMonster. The program they use to analyze incoming submissions checks MY email headers, determines that SNIFFER was not at fault and sends me back an email saying it didn't find any flags.

How the heck am I supposed to submit FPs from my users to SNIFFER?!! I also save my user's email and attach it to my submissions to sortmonster, but these too are not flagged.

Very frustrating, esp since SNIFFER FPs are particularly dangerous since I give it so much weight.

---
[This E-mail was scanned for viruses.]
RE: [sniffer] Joe Jobs...
Generally because they don't know any better. Backscatter just makes the problems 10 times worse.

-Jay

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Stanford
Sent: Thursday, December 15, 2005 1:11 PM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] Joe Jobs...

That brings a question up...why do some/many/most postmasters feel that it is so important to notify senders of a virus to a spoofed email address? Also, I have yet to see a legitimate email that contained a virus..so why not turn the notification off altogether?

Just curious...

Kevin

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Thursday, December 15, 2005 11:30 AM
To: sniffer@sortmonster.com
Subject: [sniffer] Joe Jobs...

Hello Sniffer Folks,

Please be aware that there are several spam and possibly virus (other malware?) campaigns being transmitted with my madscientist address and possibly other addresses from our company in the From: headers and SMTP envelope.

Though this has happened in the past at low levels, I have noted recently a very high level of bounces and warnings returning to me (erroneously) from systems that claim they have received viruses and spam from my address.

I suspect that this might have been triggered by recent press activity, - especially a Washington Post article which included my email address without modification.

If you receive any of these messages, please treat them as the spam/malware that they are and ignore the source. I have verified that we are not sending any such messages (unintentionally) from any of our systems.

Thanks,
_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)
Chief Scientist (www.armresearch.com)
RE: [sniffer] YAhoo mails failing sniffer?
I noticed some as well. We received one confirmed fp report, which I sent in yesterday, but a look at the logs showed potentially up to 5 messages that were sent from legit Yahoo mail servers, that could have been legit mail that sniffer caught. Still haven't received a response on the fp submission either.

Thanks!
- Jay Sudowski // Handy Networks LLC
Director of Technical Operations
Providing Shared, Reseller, Semi Managed and Fully Managed Windows 2003 Hosting Solutions
Tel: 877-70 HANDY x882 | Fax: 888-300-2FAX
www.handynetworks.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of William Van Hefner
Sent: Thursday, September 22, 2005 12:24 AM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] YAhoo mails failing sniffer?

I got a record number of false-positives from Sniffer yesterday. The category was always Scam Patterns. Two of them were from Yahoo! as well. Although the total was low (something like four FP's total), that is more in one day than I usually see in a month with Sniffer. There must have been some incredibly-badly written code that slipped through, as they were personal e-mails that should never have been tagged.

Personal e-mails are really the only ones that I truly consider false positives. I get dozens of mailing list messages trapped each month, but I don't consider those a big deal. Customers rarely miss these. I very, very rarely see any truly personal e-mails get trapped by Sniffer though. Hopefully, they have already fixed the problem. I haven't seen any as of this afternoon.

William Van Hefner
Network Administrator
Vantek Communications, Inc.
555 H Street, Ste. C
Eureka, CA 95501
707.476.0833 ph
800-331.4638 fx

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marc Catuogno
Sent: Wednesday, September 21, 2005 9:09 PM
To: sniffer@SortMonster.com
Subject: [sniffer] YAhoo mails failing sniffer?

I'm seeing a few legit e-mails from Yahoo failing sniffer. Anyone else?

---
[This E-mail scanned for viruses by Declude Virus]
RE: [sniffer] OT test settings
DSBL          ip4r  list.dsbl.org     *          15  0
MXRATE-BLACK  ip4r  pub.mxrate.net    127.0.0.2  15  0
SBLXBL4       ip4r  xbl.spamhaus.org  127.0.0.4  15  0

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Serge
Sent: Sunday, September 11, 2005 10:20 PM
To: sniffer@SortMonster.com
Subject: [sniffer] OT test settings

Hi Pete

Can you please give the settings for the following tests that appear in the MDLP reports:

DSBL
MXRATE-BLACK
SBL-XBL4
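How ip4r test lines like the three posted in the reply above are evaluated, as an added example that is not part of the original messages and is not Declude's code: each test reverses the connecting IP's octets, looks that name up under the list's zone, and counts a hit only when the expected answer comes back. The column meanings (expected answer with `*` for any, weight on a hit, weight on a miss), the hold weight of 20, the listings and the function names are assumptions constructed for illustration.

```python
import ipaddress
import socket
from collections import namedtuple

Test = namedtuple("Test", "name zone expect hit_weight miss_weight")

# The three test lines from the thread, whitespace restored.
# Assumed columns: name, type, zone, expected answer, weight on hit, weight on miss.
TEST_LINES = """\
DSBL          ip4r  list.dsbl.org     *          15  0
MXRATE-BLACK  ip4r  pub.mxrate.net    127.0.0.2  15  0
SBLXBL4       ip4r  xbl.spamhaus.org  127.0.0.4  15  0
"""

HOLD_WEIGHT = 20  # constructed threshold, not a value from the thread

# Constructed listings keyed by query name (documentation address range).
LISTINGS = {
    "10.113.0.203.list.dsbl.org": ["127.0.0.2"],
    "10.113.0.203.pub.mxrate.net": ["127.0.0.2"],
    "20.113.0.203.pub.mxrate.net": ["127.0.0.3"],  # listed, but not the 127.0.0.2 code
    "30.113.0.203.xbl.spamhaus.org": ["127.0.0.4"],
}


def sample_resolve(name):
    """Offline lookup over the constructed listings."""
    return LISTINGS.get(name, [])


def dns_resolve(name):
    """Live A lookup; an unlisted address yields no answer (NXDOMAIN)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def parse_tests(text):
    """Parse whitespace-separated ip4r test lines into Test tuples."""
    tests = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 6 or fields[1] != "ip4r":
            raise ValueError(f"line {lineno}: expected six fields of type ip4r")
        name, _, zone, expect, hit_w, miss_w = fields
        if expect != "*":
            ipaddress.IPv4Address(expect)  # reject a malformed return code early
        tests.append(Test(name, zone.rstrip("."), expect, int(hit_w), int(miss_w)))
    return tests


def query_name(ip, zone):
    """Build the lookup name: reversed IPv4 octets followed by the list zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def evaluate(ip, tests, resolve=sample_resolve, hold_weight=HOLD_WEIGHT):
    """Run every test against ip and return (action, total weight, tests hit)."""
    total, hits = 0, []
    for t in tests:
        answers = resolve(query_name(ip, t.zone))
        # "*" accepts any answer; otherwise the exact return code must be present.
        hit = bool(answers) if t.expect == "*" else t.expect in answers
        total += t.hit_weight if hit else t.miss_weight
        if hit:
            hits.append(t.name)
    return ("hold" if total >= hold_weight else "deliver"), total, hits


if __name__ == "__main__":
    tests = parse_tests(TEST_LINES)
    for ip in ("203.0.113.10", "203.0.113.20", "203.0.113.30"):
        print(ip, evaluate(ip, tests))
```

With these constructed weights no single list reaches the hold weight on its own, and an answer of 127.0.0.3 from `pub.mxrate.net` does not trigger a test that expects 127.0.0.2.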
RE: Re[2]: [sniffer] Sniffer and SmarterMail?
If you have a current SA with Declude, you can move from iMail Declude to SmarterMail Declude for free. I suggest that you contact Declude about this - that is, assuming you are completely shutting down your iMail server.

-Jay

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, June 01, 2005 8:31 PM
To: Joe Wolf
Subject: Re[2]: [sniffer] Sniffer and SmarterMail?

Hi Joe,

Yeah, we had talked about buying the low cost Declude Virus/JM versions and then letting Sniffer hook into those as well as then hooking with SmarterMail... That's an option for you too.

-jason

- - - - - - - - - - - - - - - - - -

Wednesday, June 1, 2005, 7:02:30 PM, you wrote:

JW Mdaemon may be great, but it's out of my budget. I can't afford $2500 for
JW the mail server and then another $1600 for the anti-virus. Especially when
JW I compare it to SmarterMail at $600.
JW I would love to continue to use Sniffer... I respect it more than Imail and
JW Declude combined! But the fact is that it's time to move on. Ipswitch has
JW completely lost their mind and just doesn't give a damn about their
JW customers, failed to fix major problems, and raised their prices thru the
JW roof.
JW It may be very simple to plug in Sniffer to SmarterMail, but I'm not a
JW developer. I don't really want to run a non-supported implementation.
JW If there's a better option than SmarterMail I'd love to hear it, but I can't
JW compare a $4000+ server to a $600 one.
[sniffer] MDLP Tests
Hello -

I am reviewing your MDLP report at http://www.sortmonster.com/MDLP/MDLP-Example-Long.html, and find some tests that are seemingly quite effective that I'm not familiar with. If anyone has any information about these tests, please let me know:

- FABEL (is this the same as FABELSOURCES at http://www.declude.com/Articles.asp?ID=97Redirected=Y?)
- MXRATE-*
- UCEPROTEC*

Also, perhaps I am misunderstanding the data, but SNIFFER has a SQ of .802 - isn't that relatively bad?

Thanks!
- Jay Sudowski // Handy Networks LLC
Director of Technical Operations
Providing Shared, Reseller, Semi Managed and Fully Managed Windows 2003 Hosting Solutions
Tel: 877-70 HANDY x882 | Fax: 888-300-2FAX
www.handynetworks.com http://www.handynetworks.com/

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
RE: [sniffer] MDLP Tests
Ahh, that makes more sense now. ham is just what does not pass the spam threshold. In this light, if Sniffer is hyper accurate and catches more real spam than all others, it will appear less accurate overall because of the deficiencies in the other tests. For some reason, I was thinking that ham was being calculated differently.

Thanks for the tests, as well.

-Jay

PS - I did read your stuff about hyper-accuracy, but everything wasn't meshing for me, hence my question :)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Saturday, April 02, 2005 4:43 PM
To: Jay Sudowski - Handy Networks LLC
Subject: Re: [sniffer] MDLP Tests

On Saturday, April 2, 2005, 4:09:31 PM, Jay wrote:

JSHNL Hello -
JSHNL I am reviewing your MDLP report at
JSHNL http://www.sortmonster.com/MDLP/MDLP-Example-Long.html, and find
JSHNL some tests that are seemingly quite effective that I'm not
JSHNL familiar with. If anyone has any information about these tests, please let me know:
JSHNL - FABEL (is this the same as FABELSOURCES at
JSHNL http://www.declude.com/Articles.asp?ID=97Redirected=Y?)

FABEL          ip4r  spamsources.fabel.dk    127.0.0.2

JSHNL - MXRATE-*

MXRATE-BLACK   ip4r  pub.mxrate.net          127.0.0.2
MXRATE-WHITE   ip4r  pub.mxrate.net          127.0.0.3
MXRATE-SUSP    ip4r  pub.mxrate.net          127.0.0.4

JSHNL - UCEPROTEC*

UCEPROTECRDO   ip4r  dnsbl-1.uceprotect.net  127.0.0.2
UCEPROTECCMUL  ip4r  dnsbl-2.uceprotect.net  127.0.0.2
UCEPROTECCVIR  ip4r  dnsbl-3.uceprotect.net  127.0.0.2

JSHNL Also, perhaps I am misunderstanding the data, but SNIFFER has a
JSHNL SQ of
JSHNL .802 - isn't that relatively bad ?

Actually, that's the hyper-accuracy penalty at work. I wrote a bunch about that on the MDLP page. What's going on is that SNF frequently catches spam that virtually no other tests are catching yet and as a result the total weight never reaches the threshold. Every one of those events shows up counting against it.

We research these periodically (we used to look at them constantly) and with very rare exceptions we find that these are not false positives. In fact, on our systems last year SNF had fewer than 10 FP. (several of those were messages from customers that actually contained examples of spam, malware, or logs with spammy URI).

Of course, our numbers are more than a bit skewed because the vast majority of traffic on our system is spam... so we can't use that to calculate a false positive rate that has any real meaning.

The closest we can really get to an indication of false positive rates from SNF is to point at our FP rate page:

http://www.sortmonster.com/MessageSniffer/Performance/FalseReportsRates.jsp

This page shows counts of all false positives reported to us on a daily basis for all of our customers. At least two of these systems are service providers with 10 or more licenses which submit false positives automatically as they are reported from their customers.

So anyway, the short answer is that the SA and SQ values on the SNIFFER tests are skewed by the hyper-accuracy penalty inherent in how MDLP develops these scores. The true accuracy values are very much higher and this is regularly confirmed by both hard reviews of the data and anecdotal evidence from our customers.

Hope this helps,
_M