[sniffer] Report one off spams
When sending occasional one-off spam not caught to spam@, would it help to attach the original headers and source of the body as text files to the forwarded email?

John T
eServices For You

# This message is sent to you because you are subscribed to the mailing list .
This list is for discussing Message Sniffer, Anti-spam, Anti-Malware, and related email topics.
For More information see http://www.armresearch.com
To unsubscribe, E-mail to:
To switch to the DIGEST mode, E-mail to
To switch to the INDEX mode, E-mail to
Send administrative queries to
[sniffer] Error Code 69
I am seeing the following in the log with the Sniffer header not being added to the email.

John T
eServices For You
[sniffer] gbudb source new
Using Message Sniffer as part of Declude on a SmarterMail install, I want to add weight to a source new when gbudb indicates such. What is the best way to do that?

John T
eServices For You
[sniffer] Re: gbudb source new
Thanks Linda. I guess I should not have dismissed the "that would be too easy" thought next time.

-Original Message-
From: "Linda Pagillo"
Sent: Wednesday, July 26, 2017 12:50pm
To: "Message Sniffer Community"
Subject: [sniffer] Re: gbudb source new

Hi John. The best way to do this would be to create a filter in Declude with the following line and score it how you like by changing the 0 to a value:

HEADERS 0 PCRE (?im:X-GBUdb-Analysis.+New)

Thanks!

On Tue, Jul 25, 2017 at 2:01 PM, John Tolmachoff <johnl...@eservicesforyou.com> wrote:
> Using Message Sniffer as part of Declude on a SmarterMail install, I want
> to add weight to a source new when gbudb indicates such. What is the best
> way to do that?
>
> John T
> eServices For You
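Added example, not code from the list or from Declude: a Python function that applies Linda's PCRE exactly as written to a message's raw headers and adds a weight when it matches, which is what the HEADERS line does once the 0 is changed to a score. The header samples are constructed, and the layout of the X-GBUdb-Analysis value is assumed from memory of Sniffer's output; only the "Source New" phrase matters to the pattern.

```python
import re

# Linda's Declude filter expression, unchanged.  (?i) = case-insensitive,
# (?m) = multiline, which only affects ^ and $ and so has no effect here.
# Without (?s), "." does not cross a newline, so ".+New" has to find "New"
# on the same physical header line as "X-GBUdb-Analysis".
GBUDB_NEW_PATTERN = re.compile(r"(?im:X-GBUdb-Analysis.+New)")

# Constructed sample headers (not captured from a real server).  The value
# layout of X-GBUdb-Analysis is assumed from memory of Message Sniffer's
# output; the filter only depends on the "Source New" phrase.
SOURCE_NEW_HEADERS = (
    "Received: from mx.example.net ([192.0.2.10])\r\n"
    "From: sender@example.net\r\n"
    "Subject: quarterly invoice\r\n"
    "X-GBUdb-Analysis: 0, 192.0.2.10, Ugly c=0.930000 p=-0.910000 Source New\r\n"
)

# Known source: GBUdb rates the IP Good, and the word "New" only appears in
# the Subject line, which the pattern never reaches (wrong header line).
KNOWN_SOURCE_HEADERS = (
    "Received: from mail.example.org ([198.51.100.7])\r\n"
    "From: newsletter@example.org\r\n"
    "Subject: What's New This Week\r\n"
    "X-GBUdb-Analysis: 0, 198.51.100.7, Good c=0.002000 p=0.981000\r\n"
)

# Folded header (constructed edge case): the value continues on a second
# line, so "New" is not on the same line as the header name and the
# pattern does not fire.  Sniffer normally writes the header on one line.
FOLDED_HEADERS = (
    "From: sender@example.com\r\n"
    "X-GBUdb-Analysis: 0, 203.0.113.9, Ugly c=0.930000 p=-0.910000\r\n"
    "\tSource New\r\n"
)


def gbudb_source_new_hit(raw_headers: str) -> bool:
    """True when the GBUdb analysis header line reports a new source."""
    return GBUDB_NEW_PATTERN.search(raw_headers) is not None


def score_message(raw_headers: str, base_weight: int, source_new_weight: int) -> int:
    """Add source_new_weight to base_weight when the GBUdb test fires.

    Mirrors replacing the 0 in the HEADERS line with a weight: Declude adds
    that weight to the message score whenever the PCRE matches.
    """
    if gbudb_source_new_hit(raw_headers):
        return base_weight + source_new_weight
    return base_weight


def explain(raw_headers: str) -> str:
    """Report the header text that produced the match, if any."""
    m = GBUDB_NEW_PATTERN.search(raw_headers)
    if m is None:
        return "no X-GBUdb-Analysis ... New match"
    return f"matched: {m.group(0)}"


if __name__ == "__main__":
    for name, hdrs in (("source new", SOURCE_NEW_HEADERS),
                       ("known source", KNOWN_SOURCE_HEADERS),
                       ("folded", FOLDED_HEADERS)):
        print(f"{name:13s} score={score_message(hdrs, 5, 10):3d}  {explain(hdrs)}")
```

Run it and the first sample scores 15, the other two stay at the base weight of 5, which shows the match is tied to the GBUdb header line rather than to the word "New" appearing anywhere in the headers.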
[sniffer] Declude configuration
I am new to Sniffer, and have it up and running with the basic line looking for a nonzero return code. I would now like to start setting different weights for different return codes. Does someone have an example configuration I can use?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
RE: [sniffer] Declude configuration
Thanks for the replies and explanations.

:-)>

John Tolmachoff
Engineer/Consultant/Owner
eServices For You
RE: [sniffer] Declude configuration
On any external test, if all configurations are the same except for the return code, the test is only run once.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Stratton
> Sent: Monday, June 14, 2004 10:32 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [sniffer] Declude configuration
>
> Does Declude have to run Message sniffer for each test in this
> configuration?
>
> Dan...
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
> Sent: Monday, June 14, 2004 9:52 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [sniffer] Declude configuration
>
> Thanks for the replies and explanations.
>
> :-)>
>
> John Tolmachoff
> Engineer/Consultant/Owner
> eServices For You
>
> ---
> [This E-mail scanned for Spam and Viruses by http://www.innovationnetworks.ca]
[sniffer] Problem sending logs
Trying to set up a new client.

Testing the logrotate script.

Starting at about 01:10 AM to test, cannot upload logs. I kept getting not connected messages.

Anyone else experiencing this? My log upload went fine at 11:45 PM.
__
ftp> Connected to www.sortmonster.net.

ftp> open ftp.sortmonster.net
Not connected.

ftp> user snifferlog ki11sp8m
Not connected.

ftp> binary
Not connected.

ftp> put C:\Logs\Sniffer\clientid.log
quit
___
John Tolmachoff
Engineer/Consultant/Owner
eServices For You
RE: [sniffer] Problem sending logs
Still occurring. Attached are the files used. I am using these same scripts on my server and it is working fine.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
> Sent: Wednesday, June 23, 2004 1:31 AM
> To: [EMAIL PROTECTED]
> Subject: [sniffer] Problem sending logs
>
> Trying to set up a new client.
>
> Testing the logrotate script.
>
> Starting at about 01:10 AM to test, cannot upload logs. I kept getting not
> connected messages.
>
> Anyone else experiencing this? My log upload went fine at 11:45 PM.
> __
> ftp> Connected to www.sortmonster.net.
>
> ftp> open ftp.sortmonster.net
> Not connected.
>
> ftp> user snifferlog ki11sp8m
> Not connected.
>
> ftp> binary
> Not connected.
>
> ftp> put C:\Logs\Sniffer\clientid.log
> quit
> ___
> John Tolmachoff
> Engineer/Consultant/Owner
> eServices For You

Attachment: logrotate.ftp

open ftp.sortmonster.net
user snifferlog ki11sp8m
binary
put C:\Logs\Sniffer\clientid.log
quit

Attachment: logrotate.cmd

rem logrotate.cmd 20030404 _M
rem
rem Provided As-Is - this is only an example.
rem You _MUST_ alter this file to fit your needs.
rem
rem This script works with the file logrotate.ftp to automatically
rem rotate and upload your Message Sniffer log files. Typically you
rem would schedule this script to execute using AT or the scheduler
rem so that it runs once per day.

rem First, get into your sniffer directory so everything is local.
cd c:\Imail\sniffer

rem Next move the current log file out so it can be uploaded and then
rem we launch FTP using a script (logrotate.ftp) to send it on its way.
rem
rem Be sure to modify the logrotate.ftp script so that it looks for the
rem correct log file name to upload. Avoid trying to upload the live log
rem file as this can cause you trouble. Always move the live log file to
rem a new name first as we have below.
rem
rem FTP is present on NT, Win2k, and XP for sure... probably others as well.
rem If you have trouble with your FTP please see your windows help.
rem
rem NOTE that we've prepended our domain because we're using a common
rem license id. If we were using a unique license ID this would not be
rem necessary. When uploading log files it is important that the file
rem name is unique.
copy clientid.log C:\Logs\Sniffer\
del clientid.log
ftp -n -s:logrotate.ftp >ftpupload.log

rem This next part keeps some old log files around. You can adjust it
rem to the number of days you like to keep... we only keep 3 days. If
rem you don't want to keep any then here would be a good place to simply
rem delete the log file you just uploaded. It's a good idea to do something
rem here so that the file eventually goes away.
CD C:\Logs\Sniffer
C:
namedate.exe /Y /U /Z: "mdY" clientid.log

rem To add more days to the backup logs simply edit the delete line and
rem add more rename lines with appropriate number extensions.
rem
rem NOTE that when you're starting this off, many of the rename lines
rem will fail... but that is harmless! If you want to clean this up
rem you can include an if exist statement like we have for the del. We
rem leave it off here for brevity.
RE: [sniffer] Reporting - was: spam leakage up
As a new user of Sniffer, I am not familiar with reports available, but I would be interested in learning if there is a way to create reports from the logs or otherwise.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
> Sent: Thursday, June 24, 2004 11:00 AM
> To: Aaron Caviglia
> Subject: [sniffer] Reporting - was: spam leakage up
>
> We are working on specs for real-time reporting out of Sniffer and
> haven't had a lot of feedback on the XML based format. We were looking
> at this format because, in theory anyway, it's easy to port into a
> database or even directly into a web page or other format.
>
> Am I guessing right that the reason we didn't get a lot of feedback is
> because not many folks can really use XML data in practice?
>
> Should we adopt a different format for a "real-time scoreboard"
> output file? Tab delimited? CSV? --- perhaps directly to HTML?
>
> (if HTML then I will continue with the XML concept and use DOM to read
> the XML as a data island and format the output - anybody have experience
> with this - it seems harder in practice than the examples let on.)
>
> Any thoughts would be appreciated.
>
> Thanks,
> _M
>
> (The idea of a "scoreboard" was to create some useful indicators that
> could be read in near real-time - without a lot of heavy lifting. At
> the time it seemed there was a pressing need for this kind of
> functionality. I'm beginning to wonder - I don't want to spend effort
> on something that nobody really cares about. There are plenty of other
> features planned that we could focus on. I need some feedback.
> Thanks!)
>
> On Thursday, June 24, 2004, 12:02:06 PM, Aaron wrote:
>
> AC> Thanks Herb but we don't have Coldfusion.
>
> AC> Looks great tho!
>
> AC> Aaron
> AC> www.vantech.net
>
> AC> On Jun 24, 2004, at 8:55 AM, Herb Guenther wrote:
>
> >> I wrote a coldfusion page that parses the logs into a sql database
> >> every night, and then the display page you saw. If you have a
> >> coldfusion server I would be happy to give you the code.
> >>
> >> Herb
> >>
> >> Aaron J.Caviglia wrote:
> >>
> >> Herb,
> >>
> >> How did you generate that SPAM report?
> >>
> >> Thanks,
> >> Aaron Caviglia
> >> www.vantech.net
> >>
> >> On Jun 24, 2004, at 8:46 AM, Herb Guenther wrote:
> >>
> >> wow, that is even worse than we are seeing, we are at about 80%, but
> >> should really be at about 85% if all were tagged.
> >>
> >> Here is our last weeks stats, we did not see an increase in volume,
> >> so much as the amount getting thru in the last couple days and
> >> continuing today.
> >>
> >> Herb
> >>
> >> SPAM Report
> >>
> >> Statistics are based on the last 6,150,612 email messages received.
> >> You are viewing Server 1 Stats   View Server 2 stats
> >>
> >> Statistic           06/17   06/18   06/19   06/20   06/21   06/22   06/23   Weekly Total  Daily Avg.
> >> Delivered Messages  34,291  30,762  22,331  22,484  31,245  33,588  33,582  208,283       25,311
> >> Good Messages        6,493   5,101   1,595   1,721   6,209   6,772   6,170   34,061        5,221
> >> Spam Messages       27,798  25,661  20,736  20,763  25,036  26,816  27,412  174,222       20,090
> >> Spam Percent           81%     83%     92%     92%     80%     79%     81%      84%          79%
> >> Mal Formed Headers   3,845   4,277   3,193   3,555   4,094   4,286   4,459   27,709        4,949
> >> Spam Headers         4,544   4,081   3,665   3,367   4,800
FW: RE: [sniffer] Reporting - was: spam leakage up
LOL

Someone does not have the spam software configured correctly!

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Thursday, June 24, 2004 12:19 PM
> To: [EMAIL PROTECTED]
> Subject: RE: RE: [sniffer] Reporting - was: spam leakage up
>
> MDaemon has indentified your message as spam. It will not be delivered.
>
> From : [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject : [***SPAM*** Score/Req: 05.80/04.50] RE: [sniffer] Reporting - was: spam leakage up
> Message-ID: <[EMAIL PROTECTED]>
>
> Yes, hits=5.8 required=4.5
> tests=IN_REP_TO,MDAEMON_SPAM_BLOCKER,MIME_LONG_LINE_QP,
> QUOTED_EMAIL_TEXT,TONER,VACATION_SCAM version=2.55
>
> Start SpamAssassin results
> 5.80 points, 4.5 required;
> * -0.5 -- Has a In-Reply-To header
> *  3.0 -- Message has been marked by MDaemon's Spam Blocker
> *  1.7 -- BODY: Contains "Toner Cartridge"
> *  1.9 -- BODY: Vacation Offers
> * -0.5 -- BODY: Contains what looks like a quoted email text
> *  0.2 -- RAW: Quoted-printable line longer than 76 characters
> End of SpamAssassin results
>
> : Message contains [1] file attachments
FW: RE: [sniffer] Reporting - was: spam leakage up
And another one.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Thursday, June 24, 2004 12:23 PM
> To: [EMAIL PROTECTED]
> Subject: RE: RE: [sniffer] Reporting - was: spam leakage up
>
> MDaemon has indentified your message as spam. It will not be delivered.
>
> From : [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject : ***SPAM*** Score/Req: 05.56/04.00 - RE: [sniffer] Reporting - was: spam leakage up
> Message-ID: <[EMAIL PROTECTED]>
>
> Yes, hits=5.6 required=4.0 tests=MDAEMON_SPAM_BLOCKER,TONER,
> VACATION_SCAM autolearn=no version=2.63
>
> * 3.5 MDAEMON_SPAM_BLOCKER MDaemon: message marked by Spam Blocker
> * 1.3 TONER BODY: Contains "Toner Cartridge"
> * 0.8 VACATION_SCAM BODY: Vacation Offers
>
> : Message contains [1] file attachments
RE: [sniffer] Gray Hosting Change Of Status - Request For Comments
I would have to agree with John.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Back
> Sent: Thursday, June 24, 2004 12:59 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [sniffer] Gray Hosting Change Of Status - Request For Comments
>
> Pete,
>
> Your logic is sound and based on the facts presented I am in support of the
> gray rule change.
>
> John Back
> Baldwin School
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
> Sent: Thursday, June 24, 2004 3:36 PM
> To: [EMAIL PROTECTED]
> Subject: [sniffer] Gray Hosting Change Of Status - Request For Comments
>
> Hello Sniffer Folks,
>
> We are reviewing a number of statistics with an eye toward reducing
> false positives. We have already changed a number of our rule coding
> policies where our highest false positive rates are found.
>
> One of the proposed changes is controversial and I would very much
> like your input about this.
>
> The Gray hosting rule group currently has a Block-First,
> White-Rule-Later policy. Rules coded into this group are for the
> likes of Constant Contact.
>
> Some time ago when this policy was drafted the overwhelming
> consensus was that most content arriving from these services was
> unwanted advertisement spam - therefore it was reasonable to
> white-rule legitimate publications as they were identified,
> especially since a single white rule would be shared by all
> subscribers (thus reducing the work and FP load).
>
> A recent analysis has shown that the situation has changed somewhat
> significantly. In general the following seem true -
>
> * The gray hosting group typically tags just less than 2% of messages.
>
> * Of this 2%, approximately half of the hits would be false positives.
>
> * If this is true then any benefit generated by the group is negated
> by the risk.
>
> * Also, if a given system does find benefit from the group then that
> benefit would likely be very small.
>
> If these points stand up to your comments then the proposal is as
> follows:
>
> - Existing gray-hosting rules with any reported false positives will
> be removed from the system.
>
> - The remaining gray-hosting rules will be moved to the "ungrouped"
> group (result 63).
>
> - No special treatment will exist for future rules that might have
> been placed in the gray-hosting group and no special status will be
> maintained for previous members of the gray-hosting group.
>
> - Result code 60 will be reassigned at a later time.
>
> Please let us know what you think about this change. We want to be
> sure that we don't cause any trouble. We would like to implement
> this policy change as soon as possible depending upon your comments.
>
> Thanks!
> _M
>
> Pete McNeil (Madscientist)
> President, MicroNeil Research Corporation
> Chief SortMonster (www.sortmonster.com)
RE: [sniffer] Effectiveness (lately)
I have also noticed an increase in the amount of spam that got through, mainly on gatewayed domains. I did forward a bunch in the last 18 hours, hopefully that will help.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
> Sent: Thursday, July 29, 2004 8:22 AM
> To: Jorge Asch
> Subject: Re: [sniffer] Effectiveness (lately)
>
> On Thursday, July 29, 2004, 10:42:40 AM, Jorge wrote:
>
> JA> Has something happened lately (in the last 24-48 hours).
>
> Nothing significant that I can see except for a higher than usual
> spike in spam through the evening hours last night.
>
> JA> Normally, I get small amounts (less than 10 a day) of spam that fail to
> JA> be detected by my combination of Message Sniffer and SpamAssassin (most
> JA> of the time Message Sniffer is the one that gets all the messages that
> JA> SpamAssassin fails to detect).
>
> JA> But since 2 days ago, I've been getting about 60-80 daily, that do not
> JA> get detected. I've managed to forward them all to [EMAIL PROTECTED],
> JA> but I still keep getting duplicates of the same spam I reported 12+ hours
> JA> earlier, even though my rulebase has updated several times already.
>
> JA> What is the reason exactly for this sudden jump in non-detection? Have old
> JA> rules been dropped out of the rulebase to get new ones in place?
>
> I've checked your account. It is up to date and it is set to its
> maximum sensitivity (0.1). Nothing special happened in the last 2 days
> except that 3 days ago we had a spam storm and generated 757 rules in
> one day. The last two days have been 449 and 441.
>
> http://www.sortmonster.com/MessageSniffer/Performance/ChangeRates.jsp
>
> Flow rates look ok too, showing a slight increase in capture rates
> (not the decrease I would expect if your conditions were systemic).
>
> http://www.sortmonster.com/MessageSniffer/Performance/FlowRates.jsp
>
> (We're up to 78.3% spam/ham - likely due to the evening hours being
> heavier than usual. There are usually day/night cycles in flow rates
> starting almost exactly on 00:00:00 and 12:00:00 hours.)
>
> Please check your log files for any errors.
>
> Please also zip up a few examples of the spam that are still getting
> through and send them to me at [EMAIL PROTECTED] I will research them to see
> if I can find anything special.
>
> We had another recent case like this that was apparently solved by a
> change to the update script(s). You say your rulebase has been updated
> though - so that's not likely to be the problem. It may be worth a
> closer look though just to be sure.
>
> Our rulebase update coverage is nearly round the clock with only a few
> hours open - so it would be unusual for a spam to go 12+ hours without
> a rule unless there was no way to code a rule that was not too risky
> for some reason.
>
> Rules do get dropped periodically - though not for being old. Rules
> are dropped from active duty when they stop showing activity - which
> is why it is important to submit logs.
>
> It's possible that a rule may have been removed due to a false
> positive report... though it would be extremely rare for such a
> removal to cause any significant increase in spam leakage. I will know
> more when I see your zipped samples.
>
> Hope this helps,
> _M
RE: Re[2]: [sniffer] Effectiveness (lately)
By examples, you do mean names or types of client?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
> Sent: Thursday, July 29, 2004 8:50 AM
> To: John Tolmachoff (Lists)
> Subject: Re[2]: [sniffer] Effectiveness (lately)
>
> On Thursday, July 29, 2004, 11:48:58 AM, John wrote:
>
> JTL> I have also noticed an increase in the amount of spam that got through,
> JTL> mainly on gatewayed domains. I did forward a bunch in the last 18 hours,
> JTL> hopefully that will help.
>
> What's interesting is that we're not seeing the increase in the logs
> or in the incoming spam rates - which means that for the most part
> these things that are being submitted are being filtered here - at
> least in theory.
>
> Can you list some examples of these gated domains please?
> It might help me figure out what we're looking for.
>
> Thanks,
> _M
RE: Re[2]: [sniffer] Effectiveness (lately)
p7ehr11u 20040729151948 D158b005f017cd629.SMD 203 0 Clean 0 0 0 146136

Here is the sniffer log file for the attached message that did not get caught.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
> Sent: Thursday, July 29, 2004 8:50 AM
> To: John Tolmachoff (Lists)
> Subject: Re[2]: [sniffer] Effectiveness (lately)
>
> On Thursday, July 29, 2004, 11:48:58 AM, John wrote:
>
> JTL> I have also noticed an increase in the amount of spam that got through,
> JTL> mainly on gatewayed domains. I did forward a bunch in the last 18 hours,
> JTL> hopefully that will help.
>
> What's interesting is that we're not seeing the increase in the logs
> or in the incoming spam rates - which means that for the most part
> these things that are being submitted are being filtered here - at
> least in theory.
>
> Can you list some examples of these gated domains please?
> It might help me figure out what we're looking for.
>
> Thanks,
> _M
RE: Re[4]: [sniffer] Effectiveness (lately)
Would the new attached fall under the same rule?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
> Sent: Thursday, July 29, 2004 9:56 AM
> To: John Tolmachoff (Lists)
> Subject: Re[4]: [sniffer] Effectiveness (lately)
>
> On Thursday, July 29, 2004, 12:21:53 PM, John wrote:
>
> JTL> p7ehr11u 20040729151948 D158b005f017cd629.SMD 203 0 Clean 0 0 0 146136
>
> JTL> Here is the sniffer log file for the attached message that did not get
> JTL> caught.
>
> You may simply not have this rule yet.
> The rule for this particular spam was just coded today:
>
> New Rule Only Violation
> Rule ID - 155448
> Created - 2004-07-29
> In Account - [EMAIL PROTECTED]
> Logged In As - [EMAIL PROTECTED]
> From Source - .friendlyrxworld.com
> Rule Type - Domain
> Hidden - false
> Blocked - false
> Origin - Spam Trap
> Original Rule Name - overnight pharmacy
> Current Strength - 0.0
> False Reports - 0
> From Users - 0
>
> Rule belongs to following groups
> [299] Snake Oil
>
> This E-Mail came from the Message Sniffer mailing list. For information and
> (un)subscription instructions go to
> http://www.sortmonster.com/MessageSniffer/Help/Help.html

--- Begin Message ---
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-7">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.0.6556.0">
<TITLE>Re: sharper vision</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->
<P><FONT SIZE=2>_flsyslogdappliceringerslitigone.<BR>
<BR>
<BR>
p`h~-arm from e'u-ropean &amp; 0v-`er~ni`_ght shi^'ppi,`ng<BR>
<BR>
askepottens,&nbsp; <A HREF="http://www.friendlyrxworld.com">http://www.friendlyrxworld.com</A><BR>
<BR>
<BR>
<BR>
-Original Message-<BR>
From: Oliver Nelson [<A HREF="mailto:idjdaixhg@ujptdies.com">mailto:idjdaixhg@ujptdies.com</A>]<BR>
To: edmond cote; enoch fisk; brian meadows; saul lillard<BR>
Sent: Wednesday, May, 2004 8:4 AM<BR>
Subject: sharper vision<BR>
<BR>
<BR>
oslanjanja heptifili dvalin<BR>
Forty four trials compared a broad spectrum usually novel&nbsp; lactam with a<BR>
&quot;routine&quot; combination regimen&nbsp; Rates of appropriate antibiotic treatment<BR>
with combination therapy and monotherapy were similar when reported&nbsp;<BR>
I An unconscionable time a-dying - there is the picture (&quot;I am afraid,<BR>
gentlemen,&quot;) of your life and of mine. The sands run out, and the hours are<BR>
&quot;numbered and imputed,&quot; and the days go by; and when the last of these finds<BR>
us, we have been a long time dying, and what else? The very length is<BR>
something, if we reach that hour of separation undishonoured; and to have<BR>
lived at all is doubtless (in the soldierly _expression_) to have served.<BR>
untosa60timpanizarse02protervia,herejote tozalbo.<BR>
<BR>
<BR>
<BR>
<BR>
</FONT>
</P>
</BODY>
</HTML>
--- End Message ---
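The attached sample above is sent with charset=utf-7: letters and digits stay in the clear, but every `<`, `"`, `&` and the backticks and tildes sprinkled inside "pharm" and "overnight shipping" are hidden in `+...-` shift sequences, so a filter that pattern-matches the raw bytes sees neither the HTML nor the phrases. The script below is an added example (not Message Sniffer's or Declude's code) that decodes such a body, pulls the link hosts for a Domain-type rule like the one Pete quotes, and strips the in-word punctuation and digit-for-letter swaps before phrase rules run. The sample bytes are constructed to mirror the attachment's tricks; `www.example.test`, the rule lists and the normalisation table are assumptions for illustration.

```python
"""Decode a UTF-7 obfuscated HTML body and normalise it before applying phrase and domain rules."""
import html
import re
from urllib.parse import urlsplit

# Constructed sample modelled on the thread's attachment (same encoding tricks, fictitious domain).
# Only punctuation is shifted; "overnight shipping" never appears in the raw bytes.
SAMPLE_RAW = (
    b"+ADw-META HTTP-EQUIV+AD0AIg-Content-Type+ACI- "
    b"CONTENT+AD0AIg-text/html+ADs- charset+AD0-utf-7+ACIAPg- "
    b"+ADw-BODY+AD4- "
    b"p+AGA-h+AH4--arm from e'u-ropean +ACY-amp+ADs- "
    b"0v-+AGA-er+AH4-ni+AGAAXw-ght shi+AF4-'ppi,+AGA-ng+ADw-BR+AD4- "
    b"+ADw-A HREF+AD0AIg-http://www.example.test+ACIAPg-"
    b"http://www.example.test+ADw-/A+AD4- "
    b"+ADw-/BODY+AD4-"
)

UTF7_SHIFT = re.compile(rb"\+[A-Za-z0-9+/]{2,}-")
TAG = re.compile(r"<[^>]*>")
HREF = re.compile(r'href\s*=\s*"([^"]+)"', re.I)
# Punctuation spammers insert inside words (p`h~-arm, shi^'ppi,`ng, v.i.a.g.r.a).
JUNK_IN_WORD = re.compile(r"(?<=[A-Za-z0-9])[`~'^,_.\-]+(?=[A-Za-z0-9])")
# Digit/symbol substitutions, applied only to tokens that also contain letters (assumed table).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a"})

DOMAIN_RULES = [".example.test"]                      # assumed Domain rule, like the quoted one
PHRASE_RULES = ["overnight shipping", "pharm from european"]  # assumed phrase rules


def looks_like_utf7(raw):
    """Pure ASCII with several +...- shift sequences is UTF-7 whatever the headers claim."""
    return raw.isascii() and len(UTF7_SHIFT.findall(raw)) >= 3


def decode_body(raw, charset=None):
    """Decode per the declared charset, or per the sniffed one when the body is really UTF-7."""
    if (charset or "").lower() == "utf-7" or looks_like_utf7(raw):
        return raw.decode("utf-7")
    return raw.decode(charset or "latin-1", errors="replace")


def hosts_in(decoded):
    """Link hosts, in order of first appearance, from the decoded HTML."""
    seen = []
    for url in HREF.findall(decoded):
        host = (urlsplit(url).hostname or "").lower()
        if host and host not in seen:
            seen.append(host)
    return seen


def normalise(decoded):
    """Strip tags and entities, remove in-word junk, undo digit-for-letter swaps, lowercase."""
    text = html.unescape(TAG.sub(" ", decoded))
    text = JUNK_IN_WORD.sub("", text)
    words = [w.translate(LEET) if re.search(r"[A-Za-z]", w) else w for w in text.split()]
    return " ".join(words).lower()


def domain_matches(host, rule):
    """A '.domain' rule matches the domain itself and any host below it."""
    return host == rule.lstrip(".") or host.endswith(rule)


def analyse(raw, charset=None):
    decoded = decode_body(raw, charset)
    hosts = hosts_in(decoded)
    text = normalise(decoded)
    return {
        "utf7": looks_like_utf7(raw),
        "hosts": hosts,
        "text": text,
        "domain_hits": [r for r in DOMAIN_RULES if any(domain_matches(h, r) for h in hosts)],
        "phrase_hits": [p for p in PHRASE_RULES if p in text],
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_RAW))
```

Run against the raw bytes, neither phrase rule fires; after decoding and normalisation both fire and the host matches the domain rule. The charset sniff matters because the Content-Type META tag is itself inside the UTF-7 shift sequences, so the declared charset can only be read after decoding.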
RE: Re[6]: [sniffer] Effectiveness (lately)
Should I continue to forward spam that is not caught then?

One problem I have is on the gatewayed domains, which are running Exchange. Exchange strips out the header that Declude puts in, making it difficult to see what happened and what was caught by which tests.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
> Sent: Thursday, July 29, 2004 10:52 AM
> To: John Tolmachoff (Lists)
> Subject: Re[6]: [sniffer] Effectiveness (lately)
>
> On Thursday, July 29, 2004, 1:23:11 PM, John wrote:
>
> JTL> Would the new attached fall under the same rule?
>
> Yes. It looks like the same domain is involved.
> I've launched a compile of your rulebase - you should be updated very
> quickly.
>
> In this case it seems that you started receiving these a few days
> before we got our first copy.
>
> _M
RE: Re[6]: [sniffer] Effectiveness (lately)
Let me clarify. On the spam that has gotten through but is to a non-existent user, Exchange creates an NDR and attaches the spam to it, and I get a copy of the NDR. If I look at the headers of that spam message that is now attached to the NDR, the header lines for all other servers as well as the Declude header lines have been stripped. E-mail that a valid user receives does indeed have the headers. (I just checked.)

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Landry William
> Sent: Thursday, July 29, 2004 12:17 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: Re[6]: [sniffer] Effectiveness (lately)
>
> That's strange, our Exchange server does not strip off any of the Declude
> headers.
>
> Bill
RE: Re[8]: [sniffer] Effectiveness (lately)
That is beside the point. And yes, I am going to be implementing that as soon as I have the time to.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sanford Whiteman
> Sent: Thursday, July 29, 2004 1:55 PM
> To: John Tolmachoff (Lists)
> Subject: Re[8]: [sniffer] Effectiveness (lately)
>
> > Let me clarify. On the spam that is gotten through, but is to a
> > non-existent user, which then Exchange creates a NDR and attaches
> > the spam to it, of which I get a copy of the NDR, if I look at the
> > headers of that spam message that is now attached to the NDR, the
> > header lines for all other servers as well as the Declude header
> > lines have been stripped.
>
> Sounds like a job for exchange2aliases...
>
> --Sandy
>
> Sanford Whiteman, Chief Technologist
> Broadleaf Systems, a division of
> Cypress Integrated Systems, Inc.
> e-mail: [EMAIL PROTECTED]
RE: [sniffer] Rule Strengths
(Moved to list)

Thanks, got it.

These are my current lines. Do I need to add others, or are the rules within these codes? (I hold at 25 and delete at 35)

Is there a full list of codes on the web site?

SNIFFER-TRAVEL        external  047  15  0
SNIFFER-INSURANCE     external  048  15  0
SNIFFER-AV-PUSH       external  049  15  0
SNIFFER-WAREZ         external  050  25  0
SNIFFER-SPAMWARE      external  051  30  0
SNIFFER-SNAKEOIL      external  052  25  0
SNIFFER-SCAMS         external  053  30  0
SNIFFER-PORN          external  054  30  0
SNIFFER-MALWARE       external  055  20  0
SNIFFER-ADVERTISING   external  056  15  0
SNIFFER-SCHEMES       external  057  25  0
SNIFFER-CREDIT        external  058  25  0
SNIFFER-GAMBLING      external  059  25  0
SNIFFER-GREYMAIL      external  060  10  0
SNIFFER-OBFUSCATION   external  061  15  0
SNIFFER-EXPERIMENTAL  external  062  20  0
SNIFFER-GENERAL       external  063  20  0

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

> -Original Message-
> Subject: Re[2]: Rule Strengths
>
> On Saturday, July 31, 2004, 1:57:19 PM, John wrote:
>
> JT> OK, I am willing to try that on this server, as the volume is low.
>
> JT> How do I change it?
>
> You ask and I make the change.
> I've ordered a recompile of your rulebase.
>
> Thanks,
> _M
RE: Re[2]: [sniffer] Rule Strengths
I am still seeing a large amount of this new type of spam getting through.

John Tolmachoff
Engineer/Consultant/Owner
[EMAIL PROTECTED]
626-737-6003 Fax 626-737-6004

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
> Sent: Saturday, July 31, 2004 1:48 PM
> To: John Tolmachoff (Lists)
> Subject: Re[2]: [sniffer] Rule Strengths
>
> On Saturday, July 31, 2004, 3:32:46 PM, John wrote:
>
> JTL> (Moved to list)
>
> JTL> Thanks, got it.
>
> JTL> These are my current lines. Do I need to add others, or are the rules within
> JTL> these codes? (I hold at 25 and delete at 35)
>
> JTL> Is there a full list of codes on the web site?
>
> JTL> SNIFFER-TRAVEL        external  047  15  0
> JTL> SNIFFER-INSURANCE     external  048  15  0
> JTL> SNIFFER-AV-PUSH       external  049  15  0
> JTL> SNIFFER-WAREZ         external  050  25  0
> JTL> SNIFFER-SPAMWARE      external  051  30  0
> JTL> SNIFFER-SNAKEOIL      external  052  25  0
> JTL> SNIFFER-SCAMS         external  053  30  0
> JTL> SNIFFER-PORN          external  054  30  0
> JTL> SNIFFER-MALWARE       external  055  20  0
> JTL> SNIFFER-ADVERTISING   external  056  15  0
> JTL> SNIFFER-SCHEMES       external  057  25  0
> JTL> SNIFFER-CREDIT        external  058  25  0
> JTL> SNIFFER-GAMBLING      external  059  25  0
> JTL> SNIFFER-GREYMAIL      external  060  10  0
> JTL> SNIFFER-OBFUSCATION   external  061  15  0
> JTL> SNIFFER-EXPERIMENTAL  external  062  20  0
> JTL> SNIFFER-GENERAL       external  063  20  0
>
> It looks like you have it covered.
>
> There is a complete list here that we keep up to date:
>
> <http://www.sortmonster.com/MessageSniffer/Help/ResultCodesHelp.html>
>
> I note a few discrepancies.
>
> 56 you have as Advertising - ?? This has always been ink & toner and
> printing supplies... perhaps that's what you mean. There is no general
> advertising rule group - most spam is some kind of advertisement.
>
> 60 is now Experimental IP rules. The gray hosting rule group has been
> retired and subsequent to that the Experimental IP rules were split
> away from the Experimental Abstract rules. Further, the processes we
> use to generate Experimental IP rules have changed quite a bit so that
> this rule group is much less prone to false positives than before and
> should continue to improve. Most IP rules are now added automatically
> through verification with other services and our own automated tests
> and then verified by a human. All Experimental IP rules still fall
> under the "One FP Gone" strategy where we eliminate these rules from
> the core on the first legitimate false positive report. (Eliminated IP
> rules prevent the IP from being added again except by manual
> override.)
>
> I recommend that since your current EXPERIMENTAL weight is 20 and this
> group used to contain the EXP-IP rules which are now in group 60, you
> should rename your SNIFFER-GRAYMAIL to SNIFFER-EXP-IP and raise its
> weight to 20.
>
> I recommend that you rename your SNIFFER-EXPERIMENTAL to
> SNIFFER-EXP-ABST. You could probably raise this group to a weight of
> 25 since it no longer contains the EXP-IP rules.
>
> Hope this helps,
> _M
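The re-weighting Pete recommends is easy to get wrong by hand (a code mapped twice, a stale name left behind, a weight that no longer clears the HOLD line on its own). The script below is an added example, not Declude's or Message Sniffer's code, that parses test lines in the five-column form shown above (name, `external`, three-digit result code, weight, trailing 0; that layout is assumed from the posted lines), diffs the poster's mapping against the recommended one, and scores a message the way Declude JunkMail does: the weights of all failed tests are added and the sum compared with the HOLD (25) and DELETE (35) thresholds the poster uses. It assumes Sniffer returns a single result code per message and that 0 means no rule matched.

```python
"""Parse Declude 'external' test lines for Sniffer result codes and score a message against HOLD/DELETE."""
import re

# Constructed config fragments in the format shown above (whitespace-separated:
# TESTNAME  external  RESULTCODE  WEIGHT  0).  OLD is the poster's mapping for groups 60 and 62;
# NEW applies the two recommendations from the reply.
OLD_CONFIG = """\
SNIFFER-SNAKEOIL      external  052  25  0
SNIFFER-GREYMAIL      external  060  10  0
SNIFFER-EXPERIMENTAL  external  062  20  0
SNIFFER-GENERAL       external  063  20  0
"""
NEW_CONFIG = """\
SNIFFER-SNAKEOIL      external  052  25  0
SNIFFER-EXP-IP        external  060  20  0
SNIFFER-EXP-ABST      external  062  25  0
SNIFFER-GENERAL       external  063  20  0
"""

TEST_LINE = re.compile(r"^(\S+)\s+external\s+(\d{3})\s+(-?\d+)\s+(\d+)\s*$")


def parse_tests(text):
    """Return {result_code: (test_name, weight)}; a code mapped twice would be scored twice, so reject it."""
    tests = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = TEST_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable test line: {line!r}")
        name, code, weight = m.group(1), int(m.group(2)), int(m.group(3))
        if code in tests:
            raise ValueError(f"result code {code} is mapped twice ({tests[code][0]} and {name})")
        tests[code] = (name, weight)
    return tests


def changed(old, new):
    """Codes whose test name or weight differs between two configs; review this before recompiling."""
    return [(code, old.get(code), new.get(code))
            for code in sorted(set(old) | set(new)) if old.get(code) != new.get(code)]


def score(tests, sniffer_code, other_failed=(), hold=25, delete=35):
    """Sniffer contributes one test (its result code); Declude adds its weight to every other failed test."""
    hits = list(other_failed)
    unmapped = None
    if sniffer_code in tests:
        hits.append(tests[sniffer_code])
    elif sniffer_code != 0:          # assumed: 0 = no match; any other unmapped code is a config gap
        unmapped = sniffer_code
    total = sum(w for _, w in hits)
    action = "delete" if total >= delete else "hold" if total >= hold else "deliver"
    return {"hits": hits, "unmapped": unmapped, "total": total, "action": action}


if __name__ == "__main__":
    old, new = parse_tests(OLD_CONFIG), parse_tests(NEW_CONFIG)
    for code, before, after in changed(old, new):
        print(f"{code:03d}: {before} -> {after}")
    # An EXP-IP hit plus one other 10-point test: delivered under the old weights, held under the new.
    print(score(old, 60, [("SOME-OTHER-TEST", 10)]))
    print(score(new, 60, [("SOME-OTHER-TEST", 10)]))
```

The `unmapped` field is the check worth keeping in a live setup: when a rule group is added or renumbered on the rulebase side and no `external` line maps its code, the hit silently scores zero.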
RE: Re[4]: [sniffer] Rule Strengths
Do you want me to just keep sending them to [EMAIL PROTECTED]?

What worries me is that even though these are to non-existent users (yes Sandy, I am going to use ldap2aliases; I am working on a problem getting a recipient policy to work on one group that needs 2 sets), I wonder how much of this is getting to actual users.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
> Sent: Wednesday, August 04, 2004 9:04 AM
> To: John Tolmachoff (Lists)
> Cc: [EMAIL PROTECTED]
> Subject: Re[4]: [sniffer] Rule Strengths
>
> On Tuesday, August 3, 2004, 12:18:43 PM, John wrote:
>
> JTL> I am still seeing a large amount of this new type of spam getting through.
>
> I haven't forgotten you.
> I'm thinking.
> If you have any ideas please let me know.
> Thanks,
>
> _M
RE: Re[6]: [sniffer] Rule Strengths
> You know what... if these are non-existent users then you have an
> opportunity to create spamtraps and automate your submissions. If you
> are sure that these addresses were never legitimate then you can
> create aliases for them and redirect those aliases to a collection
> point on our system. This will put those messages directly into our
> spam processing queue with the minimum lag.
>
> I'm not sure if you already have any spamtraps set up with us - I'm
> thinking not - but if you're interested in setting this up let me know
> and I will create a unique collection point for you to use. At the
> very least this will reduce the lag.

Sounds like a good idea. Once I get the aliases set up, what I can do is, for former employees of the client, set up a user with a 1 KB mailbox size, then use the nobody to catch all those and send to a spam trap or such.

Hopefully, I will be ready by the end of the week.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You
RE: Re[8]: [sniffer] Rule Strengths
Thanks.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
> Sent: Wednesday, August 04, 2004 10:14 AM
> To: John Tolmachoff (Lists)
> Subject: Re[8]: [sniffer] Rule Strengths
>
> On Wednesday, August 4, 2004, 1:04:59 PM, John wrote:
>
> JTL> Once I get the aliases set up, what I can do is for former employees of the
> JTL> client, I can set up a user with a 1 KB mailbox size, then use the nobody to
> JTL> catch all those and send to a spam trap or such.
>
> A few words of caution... Old employee mailboxes were once legitimate.
> This means that they may get legitimate messages - so you must be very
> careful... It's good to let these go for a good long time before
> putting them in place as any kind of spamtrap... You also want to
> avoid creating a spamtrap that anyone can easily predict because it
> can be poisoned.
>
> That said, if the traffic in these accounts is all spam - then they
> are good candidates.
>
> In our system we will review every message that gets past the filter
> so you should be safe if the occasional legitimate message shows up -
> that will just force us to use "abuse" rules rather than spamtrap
> rules.
>
> Another thought about the nobody alias. We've had some experience with
> this--- having set up the nobody alias on a few systems and then
> watched them fill up with dictionary attacks, we were then able to
> turn on a few specific addresses from the attacks as spamtraps and
> turn off the nobody alias.
>
> If you keep the nobody alias on you will most certainly see a growing
> spam load - you may not want this.
>
> Here's a helpful reference.
>
> <http://www.sortmonster.com/MessageSniffer/Help/SpamTrapHelp.html>
>
> I will send you a collection point address off list.
> _M
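The two replies above amount to a selection rule for spamtrap addresses: never a current mailbox, not a former employee's address until it has been quiet for a long time (and then only after a human has looked at its traffic), not a name anyone can predict (and so poison), and ideally an address that is already the target of a dictionary attack, i.e. hit repeatedly from many different senders. The script below is an added example, not part of the thread, of the ldap2aliases/nobody-alias approach: it tallies unknown-recipient log lines against the directory and classifies each address as trap, review or skip, then emits alias lines for the trap addresses. The log format, the 180-day quiet period, the role-name list and the `name: target` alias syntax are all assumptions; the data is constructed.

```python
"""Pick spamtrap candidates from rejected-recipient log lines, applying the cautions in the reply above."""
import re
from collections import defaultdict
from datetime import date

# Constructed gateway log (format assumed): date, envelope sender, recipient that did not exist.
LOG = """\
2004-08-04 sender=a1@bulk.example rcpt=aaron@client.example
2004-08-04 sender=b2@bulk.example rcpt=aaron@client.example
2004-08-04 sender=c3@other.example rcpt=aaron@client.example
2004-08-04 sender=d4@other.example rcpt=aaron@client.example
2004-08-04 sender=a1@bulk.example rcpt=info@client.example
2004-08-04 sender=b2@bulk.example rcpt=info@client.example
2004-08-04 sender=c3@other.example rcpt=info@client.example
2004-08-04 sender=e5@other.example rcpt=info@client.example
2004-08-04 sender=a1@bulk.example rcpt=jsmith@client.example
2004-08-04 sender=b2@bulk.example rcpt=jsmith@client.example
2004-08-04 sender=c3@other.example rcpt=jsmith@client.example
2004-08-04 sender=d4@other.example rcpt=jsmith@client.example
2004-08-04 sender=a1@bulk.example rcpt=mjones@client.example
2004-08-04 sender=a1@bulk.example rcpt=mjones@client.example
2004-08-04 sender=a1@bulk.example rcpt=mjones@client.example
2004-08-04 sender=a1@bulk.example rcpt=mjones@client.example
2004-08-04 sender=a1@bulk.example rcpt=sales@client.example
2004-08-04 sender=x9@bulk.example rcpt=bob@client.example
"""

# Constructed directory data: mailboxes that exist now, and retired ones with the retirement date.
VALID = {"bob@client.example"}
FORMER = {"jsmith@client.example": date(2004, 1, 15),
          "mjones@client.example": date(2004, 7, 20)}

# RFC 2142 role names and other guessable local parts: easy to predict (so easy to poison),
# and postmaster/abuse must keep being delivered anyway.
ROLE_LOCALPARTS = {"postmaster", "abuse", "hostmaster", "webmaster", "info", "sales",
                   "support", "admin", "administrator", "marketing", "security", "noc"}

LINE = re.compile(r"^(\d{4}-\d{2}-\d{2}) sender=<?([^\s>]+)>? rcpt=<?([^\s>]+)>?$")


def tally(log):
    """Hit count and distinct envelope senders per rejected recipient."""
    hits, senders = defaultdict(int), defaultdict(set)
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        _, sender, rcpt = m.groups()
        rcpt = rcpt.lower()
        hits[rcpt] += 1
        senders[rcpt].add(sender.lower())
    return hits, senders


def classify(log, valid, former, today, min_hits=3, min_senders=3, quiet_days=180):
    """Map each rejected address to (verdict, reason); verdict is 'trap', 'review' or 'skip'."""
    hits, senders = tally(log)
    out = {}
    for addr in sorted(hits):
        local = addr.split("@", 1)[0]
        n, s = hits[addr], len(senders[addr])
        if addr in valid:
            out[addr] = ("skip", "current mailbox; fix recipient validation instead")
        elif local in ROLE_LOCALPARTS:
            out[addr] = ("skip", "predictable role address; easy to guess and poison")
        elif n < min_hits or s < min_senders:
            out[addr] = ("skip", f"only {n} hits from {s} senders; not a dictionary-attack pattern")
        elif addr in former:
            quiet = (today - former[addr]).days
            if quiet < quiet_days:
                out[addr] = ("skip", f"retired only {quiet} days ago; may still get legitimate mail")
            else:
                out[addr] = ("review", f"retired {quiet} days ago; confirm traffic is all spam before trapping")
        else:
            out[addr] = ("trap", f"{n} hits from {s} senders and never a valid mailbox")
    return out


def alias_lines(verdicts, collection_point):
    """Alias entries (assumed 'name: target' syntax) redirecting trap addresses to the collection point."""
    return [f"{addr}: {collection_point}" for addr, (v, _) in sorted(verdicts.items()) if v == "trap"]


if __name__ == "__main__":
    verdicts = classify(LOG, VALID, FORMER, date(2004, 8, 4))
    for addr, (verdict, reason) in verdicts.items():
        print(f"{verdict:6} {addr:28} {reason}")
    print("\n".join(alias_lines(verdicts, "trap-collector@collector.invalid")))  # assumed address
```

Only `aaron@` (never valid, four senders) becomes a trap outright; `jsmith@` (retired in January) is queued for a manual look, `mjones@` (retired two weeks ago, one sender) and the role addresses are left alone, and the current user `bob@` showing up as unknown points at a recipient-validation gap rather than at a trap.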
RE: [sniffer] Test ordering/precedence
Matt Matt Matt.

Then everyone would have to make sure they made the relevant changes on their systems. As we have seen on the Declude Junkmail list, there will always be those who set up their systems and then forget about them. Making a change like that would cause problems.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Saturday, September 18, 2004 5:28 PM
To: [EMAIL PROTECTED]
Subject: [sniffer] Test ordering/precedence

Pete,

Given some of the recent changes in the result codes for Sniffer, I thought I would inquire about the precedence of the result codes and how these can affect systems. On my system I have weighted the result codes differently and overall, I would consider the following order to be suggestive of the order of reliability from the most reliable to the least reliable. Note that this is not scientific, but instead based on doing review, and tests that hit less often could appear higher in terms of stated reliability, though I have considered this in making the list:

1. SNIFFER-INK(56) SNIFFER-CASINO(59) SNIFFER-INSURANCE(48) SNIFFER-MEDIA(50) SNIFFER-GETRICH(57) SNIFFER-DEBT(58) SNIFFER-PHARMACY(52)
2. SNIFFER-AVSOFT(49) SNIFFER-PHISHING(53)
3. SNIFFER-TRAVEL(47) SNIFFER-PORN(54)
4. SNIFFER-SPAMWARE(51) SNIFFER-OBFUSCATION(61) SNIFFER-MALWARE(55)
5. SNIFFER-EXPERIMENTAL(62)
6. SNIFFER-GENERAL(63)
7. SNIFFER-IP(60)

I'm not sure exactly how Sniffer orders the precedence of the result code, but I would like to recommend that you give some consideration to reviewing such things in light of recent changes and also maybe consider allowing us to customize the precedence as a part of our rulebase.

Thanks,

Matt

--
=MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/=
RE: [sniffer] Imail
What is the bug?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Computer House Support
> Sent: Thursday, October 28, 2004 11:44 AM
> To: [EMAIL PROTECTED]
> Subject: [sniffer] Imail
>
> Hello Sniffer folks,
>
> Want to know why I have not renewed my Ipswitch Support Agreement?
>
> Here is their response to a serious bug that I reported. (Which has yet to
> be fixed).
>
> Mike,
> Our Development Team has looked into this issue and has verified it as a
> defect that was introduced in Imail v8.1. Changes to this functionality
> would take an extended period of time; this is the reason we do not have any
> current plans to address this.
>
> Best Regards,
> Daniel J Whitaker
> Messaging Support Team
> Ipswitch, Inc.
>
> Michael Stein
> Computer House
> www.computerhouse.com
> (609) 652-3222
RE: Re[4]: [sniffer] New Version 2-3.2 has been officially released.
> Well, still no problems so far so I'll write it up to . solar spots, pick whatever you want>.
> It seems it was a one time thing.

You must be referring to the RAW law.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You
RE: Re[4]: [sniffer] New Version 2-3.2 has been officially released.
> > > Well, still no problems so far so I'll write it up to . solar spots, pick whatever you want>.
> > > It seems it was a one time thing.
> >
> > You must be referring to the RAW law.
>
> RAW? Random Answer Whatchamacallit?

Random Acts of Weirdness

The RAW law, Keyboard Virus and the PEBKAC phenomenon are the 3 most common reasons for problems.

The PEBKAC phenomenon: Problem Exists Between Keyboard And Chair

SAFETY DISCLAIMER: The foregoing information is considered entertainment in nature and is not meant to represent or describe any person living or dead in the past, present or future. It is meant to create something odd in the IT Industry, a smile.

Anyone else in the US working Thursday and Friday? I am! :s

John Tolmachoff
Engineer/Consultant/Owner
eServices For You
RE: [sniffer] Not Getting Updates
What you should be doing is forwarding but leaving a copy.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fosseen
> Sent: Sunday, November 28, 2004 4:56 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [sniffer] Not Getting Updates
>
> Pete,
>
> I forward all my messages from '[EMAIL PROTECTED]' to trigger my update. If
> my renewal notice is sent from the same address I will not receive it. Can you send
> me an update notification email or let me know what else to create the rule on.
>
> I could turn off the rule for a little while but then I will miss an update.
>
> Thanks.
>
> -- Original Message --
> From: Pete McNeil <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> Date: Sun, 28 Nov 2004 18:08:46 -0500
>
> >On Sunday, November 28, 2004, 6:01:39 PM, Richard wrote:
> >
> >RF> I just noticed that I am no longer getting updated emails for the sniffer to
> >RF> trigger the automatic update.. The last one was on Nov 11...Customers had
> >RF> told me they were getting more spam but I just thought we were getting
> >RF> hammered with more..
> >
> >Hi Richard,
> >
> >According to our records your license expired on 2004-11-01.
> >You should have received a renewal notice by email about a month
> >before that.
> >
> >Last License Compile: 11/11/2004 22:37:00 (GMT)
> >
> >I will launch a compile of your rulebase.
> >
> >Please complete a renewal as soon as possible. I am on duty through
> >the evening. I will be sure to re-enable your account as soon as the
> >renewal comes through.
> >
> >Hope this helps,
> >_M
> >
> >---
> >[This E-mail scanned for viruses by Declude Virus on the server aea8.k12.ia.us]
RE: Re[2]: [sniffer] Recent SPAM
I forwarded some yesterday to spam@ and then attached them and sent to [EMAIL PROTECTED]

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
> Sent: Tuesday, November 30, 2004 9:56 AM
> To: Chuck Schick
> Subject: Re[2]: [sniffer] Recent SPAM
>
> On Tuesday, November 30, 2004, 12:45:27 PM, Chuck wrote:
>
> CS> Yes,
>
> CS> I have seen three pieces of spam over and over again - two for drugs and one
> CS> porn. I am running the latest version, rules are up to date, no on the log
> CS> files, I am forwarding the emails to [EMAIL PROTECTED]
>
> CS> I was thinking about raising this issue so I am glad someone else is seeing
> CS> the same thing.
>
> Please zip up some examples of these three spam and send them to me at
> [EMAIL PROTECTED] I will see if I can identify anything special about them and
> create some rules.
>
> Thanks,
> _M
RE: [sniffer] Few questions
> Thanks!
> Robbie Garrett
> IT Manager, Network Administrator
> Zellem Printing
> www.zellemprinting.com

1. Turn off read receipts.

2. Fix your DNS problems: http://www.dnsreport.com/tools/dnsreport.ch?domain=zellemprinting.com

3. Fix your SMTP receiving service. It is not accepting the very read receipt you requested:

SMTP (00924b5a0032cb27) >RCPT To:<[EMAIL PROTECTED]>
SMTP (00924b5a0032cb27) 250 <[EMAIL PROTECTED]>, Recipient ok
SMTP (00924b5a0032cb27) >DATA
SMTP (00924b5a0032cb27) 354 Enter mail, end with .
SMTP (00924b5a0032cb27) >.
SMTP (00924b5a0032cb27) 554 Recipient unknown
SMTP (00924b5a0032cb27) ERR undeliverable 554 Recipient unknown

John Tolmachoff
Engineer/Consultant/Owner
eServices For You
RE: Re[2]: [sniffer] Few questions
ATTENTION ROB OF ZELLEM PRINTING:

Turn off read receipts.

Fix the problem with your server rejecting replies to the very read receipts you request.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ~ ROB @ ZELLEM ~
> Sent: Wednesday, December 15, 2004 1:25 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Re[2]: [sniffer] Few questions
>
> hey guys..
RE: [sniffer] Sniffer updates...
Joe,

I will back up Matt's comments. Declude has indeed been suffering from less than honest/moral individuals/companies and they are correct in taking steps to protect their products and company. Only the method they are using is being questioned.

Believe me, those of us heavily involved in Imail/Declude are monitoring this issue and voicing our opinions, both publicly and privately.

Let's not throw out the baby with the bath water.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Wednesday, December 22, 2004 7:23 AM
To: [EMAIL PROTECTED]
Subject: Re: [sniffer] Sniffer updates...

Joe,

In their defense, I don't think that they necessarily knew any better than to have approached it this way. I don't necessarily get that the new ownership has worked from the IT side of the business before and understands security and trust as a corporate administrator would; in fact Barry comes from the marketing side of the business and I'm afraid that this is a bit of trial-by-fire. I expect (hope) that he will get the message and change their ways before this will be released in final format. Scott didn't have the resources to enforce licensing, and as a business, this is critical to their success. I have no qualms with that goal. They didn't intend to violate privacy or functionality, they just overlooked it.

The whole IMail debacle is a different story. Most everyone using Declude on that platform will eventually be switching, and Declude has been more than fair by offering free migrations of their license to a different platform, starting with SmarterMail which is very reasonably priced and seemingly quite responsive to their customers.

Matt

Joe Wolf wrote:

I'm currently using Sniffer via Imail and Declude. We all know that Ipswitch has lost their mind and is abandoning the small ISP, and now it seems that Declude has lost their way.

The new version of Declude is tied to a single MAC address. That counts me out since I run multiple NICs in the same machine and am multi-homed. Their spyware "phone home" system is a violation of our security policies as well.

That leads me to Sniffer. I love the product. Does anyone have a complete list of mail servers that have direct support for Sniffer? The Imail / Declude thing is too much to deal with and I'm going to make a change.

Thanks,

Joe

--
=MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/=
RE: [sniffer] Sniffer updates...
Title: Message In defense of Declude, I can clearly say with knowledge they have had a MAJOR problem with “customers” stealing their product. I will not go into any detail of what I know, but suffice it to say I was flabbergasted and shocked when I was told the estimated amount. Scott is doing what he does best, work on the product and support it. What the new owners of the company are doing is trying to bring control and administration to the company as a whole. Declude has gone way beyond where it was at 3 ½ years ago when I became involved in e-mail, and to Scott’s credit the company became more than what he could handle. I am confidant that as time progresses, the inherent bugs of what the management of Declude is trying to accomplish while working with the Declude community as a whole will be ironed out for the benefit of all. Declude is in a time period of major change, for the good, which began earlier this year. Let’s work with them, not against them. After all, patience is a virtue. And that is something which society as a whole is lacking in today’s environment. John Tolmachoff Engineer/Consultant/Owner eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Wolf Sent: Wednesday, December 22, 2004 2:20 PM To: [EMAIL PROTECTED] Subject: Re: [sniffer] Sniffer updates... John, I've always respected your opinions. I've respected Scott at Declude as well, but I don't think he has much to say about what happens there anymore. The powers to be at Declude obviously look at their customers as theives trying to steal their product. I have installed a version of Declude that is not covered under by any current service policy in attempts to solve a problem. When I discovered the old version of Declude was not the problem I reverted back. My attempt was rewarded with a threatening email message. I looked at it quite differently. 
I have no need or want for the new Declude "features", but if the old version I purchased was defective I am due version that worked as advertised. It was up to me to find that out. I'm perfectly happy with the old version, and I expect it to work as advertised. Their attitude is a spin off of the Ipswitch attitude to move on to new versions without ever fixing the old ones. For example, the new version of Declude (2.0) lists 10 new features. Of those 10, four are listed as "fixes" for older versions. I know I'm in the minority but I believe it is Declude's responsibility to provide a fully functional 1.x verson to those who purchased it. The 2.0 should only include new features, not fixes from previous versions. If I wanted to purcase 2.0 for the new features that would be fine, but to be forced to purchase a new version or service agreement to get fixes for problems in a version you already purcased is just plain wrong. What if that mentality were to be accepted in the automobile business? You buy a new car and the air conditioner doesn't work. You're told that instead of the 2004 model you purchased you should pay to upgrade to a 2005 model because we finally got the air conditioner working for 2005. Doesn't matter that your 2004 was advertised with air conditioning or not. I've had it with that kind of attitude. I want a simple, efficient mail server that does exactly what is advertised. Nothing more, nothing less. As for Sniffer. I've had no complaints with it at all. Seems to do exactly what I was told it would do. Thanks to everyone for their input! -Joe - Original Message - From: John Tolmachoff (Lists) To: [EMAIL PROTECTED] Sent: Wednesday, December 22, 2004 9:58 AM Subject: RE: [sniffer] Sniffer updates... Joe, I will back up Matt’s comments. Declude has/is indeed suffering from less than honest/moral individuals/companies and they are correct in taking steps to protect their products and company. Only the method they are using is being questioned. 
Believe me, those of us heavily involved in Imail/Declude are monitoring this issue and voicing our opinions, both publicly and privately. Let's not throw out the baby with the bath water. John Tolmachoff Engineer/Consultant/Owner eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Wednesday, December 22, 2004 7:23 AM To: [EMAIL PROTECTED] Subject: Re: [sniffer] Sniffer updates... Joe, In their defense, I don't think that they necessarily knew any better than to have approached it this way. I don't necessarily get that the new ownership has worked from the IT side of the business before and understands security and trust as a corporate administrator would, in fact Barry comes
RE: [sniffer] Triggered rulebase update instructions
Matt, you think too much. ;) (From one who needs to implement better scripts, including a triggered script for Sniffer.) John Tolmachoff Engineer/Consultant/Owner eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Tuesday, December 28, 2004 10:17 PM To: sniffer@SortMonster.com Subject: Re: [sniffer] Triggered rulebase update instructions Bill, I think that this is overwhelmingly much better (the whole thing), but I have a few suggestions to add. 1) The commenting in the CMD file seemed a bit excessive and that made it a little hard to follow. It might be nice to arrange all of the tweakable variables in a single section instead of separating each one out, and then block coding the main program with a standard amount of commenting. I think that would make the script more readable for both programmers as well as beginners. 2) I personally find it to be a bit messy to have everything running from within my Sniffer directory. After all of the other CMD files, old rulebases, service related files, logs, etc., it's not obvious what is needed or not. I would suggest coding this up with a default directory structure of using a subdirectory called "updates". This would require a separation of variables for the updates directory and the destination directory I believe. 3) I think it would be a good idea to consider a different default directory structure. With Sniffer evolving to support other platforms, IMail effectively abandoning us, and Declude moving to SmarterMail and possibly others, I could very well see Sniffer establishing a non-dependent directory structure. I would suggest that the default recommendation become "C:\Sniffer", which might also necessitate a change in some of Pete's other documentation. Keep in mind that it is confusion and convolution that contributes to the lack of efficient rulebase downloads and not the lack of resources or help.
IMO, things would benefit from standardization of this sort, and it should all be done with purpose. 4) Since this setup is targeted specifically at IMail, I would recommend that different packages be provided for different platforms, and these should probably be in separate zips so that one doesn't get all sorts of extra stuff. This could be "Rulebase_Updater_IMail.zip", but there should also be a Linux, MDaemon and SmarterMail updater added to the list. 5) I'm thinking that including the notification process within this script might be too much. The primary goal is to get people to use the automated system and compressed files, and this adds complexity to the setup. My thought here would be to create a "chaining" option that could be used to kick off any script, not necessarily IMail1.exe. You could then include this separate notification script in the package and have it configured from within that file, leaving only the optional chaining command within the primary script and stripping out the rest of the stuff. I do know that from interface design there is a basic tenet where you don't want to overwhelm the viewer/visitor, otherwise they retain even less than they would with a smaller group of things. Programming is often at odds with this tenet, which is fine for programmers because the functionality necessitates complication, but the issue being addressed here is really ease of use for the lowest common denominator, and the primary goal is just the downloads. You should consider that this whole thing will be used by people with very little administration experience, no programming experience, and in some cases, English will be a second language to them (or only translated by a tool of some sort). Most of this stuff is somewhat minor taken in isolation from each other, but I believe that it could be a bit tighter in one way or another for a better result.
I'll volunteer my own services if you would like for me to provide examples of any one of these things, but I'll wait for your direction before doing so. I think the most important thing would be for Pete to provide some guidance for the preferred directory structure (independent of the app), so that this could be used for the default settings in this and other scripts. Matt Landry William wrote: Attached is an updated instructions file to fix some typos and missed information. I'll send out another update after receiving feedback from others. Bill ---This message and any included attachments are from Siemens Medical Solutions USA, Inc. and are intended only for the addressee(s). The information contained herein may include trade secrets or privileged or otherwise confidential information. Unauthorized review, forwarding, printing, copying, distributing, or using such information is strictly prohibited and m
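Matt's points 2 and 5 (a separate "updates" staging directory, and an optional chaining command instead of a built-in notifier) matter for more than tidiness: if the rulebase is decompressed straight into the live location, a truncated or corrupt download can leave the scanner reading a half-written file. The block below is an added example written for this page, not Bill's CMD script and not anything shipped with Message Sniffer; it is in Python rather than batch so that it runs on any of the platforms Matt lists. The page only mentions wget and gzip, so the file names, the staging layout, the SHA-256 check, and the chain command are all assumptions; the sample download is constructed locally, and nothing is fetched from the network.

```python
"""Staged, verified, atomic rulebase update (added example; not the list's CMD script)."""
import gzip
import hashlib
import os
import shutil
import subprocess
import tempfile
import zlib


def stage_update(gz_path, staged_path):
    """Decompress the downloaded .gz into the staging path, never into the live rulebase."""
    os.makedirs(os.path.dirname(staged_path), exist_ok=True)
    with gzip.open(gz_path, "rb") as src, open(staged_path, "wb") as dst:
        shutil.copyfileobj(src, dst)


def verify_rulebase(path, expected_sha256=None, min_size=1):
    """Reject empty files and, when a digest is supplied (assumed to come from a trusted side channel),
    any content mismatch. An unsigned, unchecked download should not become the live rulebase."""
    if os.path.getsize(path) < min_size:
        return False
    if expected_sha256 is not None:
        digest = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                digest.update(chunk)
        if digest.hexdigest() != expected_sha256.lower():
            return False
    return True


def run_update(gz_path, updates_dir, dest, expected_sha256=None, chain_cmd=None):
    """Stage, verify, then swap in with one atomic rename; run an optional chained command on success.
    Returns True when the live rulebase was replaced, False when it was left untouched."""
    staged = os.path.join(updates_dir, "rulebase.staged")
    try:
        stage_update(gz_path, staged)
    except (OSError, EOFError, zlib.error):
        # bad, truncated or non-gzip download: discard the partial staging file
        if os.path.exists(staged):
            os.remove(staged)
        return False
    if not verify_rulebase(staged, expected_sha256):
        os.remove(staged)
        return False
    # os.replace is atomic within one volume, so the scanner sees the old file or the new one, never a partial.
    os.replace(staged, dest)
    if chain_cmd:
        # argument list, not a shell string, so paths with spaces cannot turn into extra arguments
        subprocess.run(chain_cmd, check=False)
    return True


def build_sample_download(workdir=None):
    """Create a constructed rulebase.gz (plus a truncated copy) standing in for the real download."""
    workdir = workdir or tempfile.mkdtemp(prefix="snf-update-")
    payload = b"# constructed rulebase, not real Message Sniffer rules\nrule-1\nrule-2\n"
    good = os.path.join(workdir, "rulebase.gz")
    with gzip.open(good, "wb") as f:
        f.write(payload)
    with open(good, "rb") as f:
        raw = f.read()
    truncated = os.path.join(workdir, "rulebase-truncated.gz")
    with open(truncated, "wb") as f:
        f.write(raw[: len(raw) // 2])  # simulates a download cut off mid-stream
    return {
        "workdir": workdir, "good": good, "truncated": truncated,
        "dest": os.path.join(workdir, "rulebase.snf"),
        "updates": os.path.join(workdir, "updates"),
        "sha256": hashlib.sha256(payload).hexdigest(), "payload": payload,
    }


def read_bytes(path):
    with open(path, "rb") as f:
        return f.read()


if __name__ == "__main__":
    s = build_sample_download()
    print("good download installed:", run_update(s["good"], s["updates"], s["dest"], s["sha256"]))
    print("wrong digest rejected:", not run_update(s["good"], s["updates"], s["dest"], "0" * 64))
    print("truncated download rejected:", not run_update(s["truncated"], s["updates"], s["dest"]))
```

The three cases in the `__main__` block are the ones that matter in production: a good file replaces the live rulebase in one rename, while a digest mismatch or a cut-off download leaves the live file exactly as it was. On Windows, `os.replace` fails if the scanner holds the destination open without share-delete access, which is one more reason to keep the swap as the last, smallest step.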
RE: [sniffer] Triggered rulebase update instructions
Sure. I guess that means I have to work now? ;) John Tolmachoff Engineer/Consultant/Owner eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Landry William Sent: Tuesday, December 28, 2004 11:34 PM To: 'sniffer@SortMonster.com' Subject: RE: [sniffer] Triggered rulebase update instructions John, since you have not implemented a trigger program alias yet, would you be willing to test the setup instructions and provide feedback? Bill -Original Message----- From: John Tolmachoff (Lists) [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 28, 2004 10:30 PM To: sniffer@SortMonster.com Subject: RE: [sniffer] Triggered rulebase update instructions Matt, you think too much. ;) (From one who needs to implement better scripts, including a triggered script for Sniffer.) John Tolmachoff Engineer/Consultant/Owner eServices For You
RE: [sniffer] Triggered rulebase update instructions
Where might the wget and gzip files be? John Tolmachoff Engineer/Consultant/Owner eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Landry William Sent: Tuesday, December 28, 2004 11:34 PM To: 'sniffer@SortMonster.com' Subject: RE: [sniffer] Triggered rulebase update instructions John, since you have not implemented a trigger program alias yet, would you be willing to test the setup instructions and provide feedback? Bill
RE: [sniffer] Triggered rulebase update instructions
Never mind, I reread your original post and then checked my server and already had them installed. Now I just wait for the next update to occur. John Tolmachoff Engineer/Consultant/Owner eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists) Sent: Wednesday, December 29, 2004 12:23 AM To: sniffer@SortMonster.com Subject: RE: [sniffer] Triggered rulebase update instructions Where might the wget and gzip files be? John Tolmachoff Engineer/Consultant/Owner eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Landry William Sent: Tuesday, December 28, 2004 11:34 PM To: 'sniffer@SortMonster.com' Subject: RE: [sniffer] Triggered rulebase update instructions John, since you have not implemented a trigger program alias yet, would you be willing to test the setup instructions and provide feedback? Bill
RE: [sniffer] Triggered rulebase update instructions
Seems to have worked well so far. John Tolmachoff Engineer/Consultant/Owner eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists) Sent: Wednesday, December 29, 2004 12:30 AM To: sniffer@SortMonster.com Subject: RE: [sniffer] Triggered rulebase update instructions Now I just wait for the next update to occur. John Tolmachoff Engineer/Consultant/Owner eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Landry William Sent: Tuesday, December 28, 2004 11:34 PM To: 'sniffer@SortMonster.com' Subject: RE: [sniffer] Triggered rulebase update instructions John, since you have not implemented a trigger program alias yet, would you be willing to test the setup instructions and provide feedback? Bill
[sniffer] 2 FYIs
Bill's update script: This has been working great, with the download size approx. 1.8MB (rule base file is about 6.25MB) and time to download about 25 seconds. Thanks for the work Bill. Rule base changes: Thanks to Pete for the hard work, the rule base size has now changed from about 17MB to about 6.25MB. I am on maximum rules so my rule file is larger. John Tolmachoff Engineer/Consultant/Owner eServices For You This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
RE: Re[2]: [sniffer] The next round in the SPAM war?
Hijack keeps track of the number of recipients per originating IP. So, an e-mail to a list as it is received by Imail will have only one recipient, the list address. John Tolmachoff Engineer/Consultant/Owner eServices For You > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On > Behalf Of [EMAIL PROTECTED] > Sent: Thursday, February 03, 2005 9:48 AM > To: Mike Wiegers > Subject: Re[2]: [sniffer] The next round in the SPAM war? > > Hi, > > How does hijack handle listserv's? > > Thanks, > Andrew Baldwin > > [EMAIL PROTECTED] > http://www.thumpernet.com > 315-282-0020 > > Thursday, February 3, 2005, 12:21:54 PM, you wrote: > > > The item that works for this is Declude's HiJack. > > > http://www.declude.com/SearchResults.asp?Cat=10 > > > -Original Message- > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED] > > On Behalf Of Shaun Sturby, MCSE Optrics Engineering > > Sent: Thursday, February 03, 2005 10:09 AM > > To: sniffer@SortMonster.com > > Subject: [sniffer] The next round in the SPAM war? > > > Just an FYI and another good reason to have a service like Sniffer. > > > From: News.com.com > > According to the SpamHaus Project--a U.K.-based antispam compiler of > > blacklists that block 8 billion messages a day--a new piece of malicious > > software has been created that takes over a PC. This "zombie" computer is > > then used to send spam via the mail server of that PC's Internet service > > provider. This means the junk mail appears to come from the ISP, making it > > very hard for an antispam blacklist to block it. > > > Antispam company MessageLabs confirmed Linford's findings. > > > More at the following URL.
> > > http://news.com.com/Experts+Zombie+trick+set+to+send+spam+sky-high/2100- > 7349 > > _3-5560664.html?tag=nefd.top > > > Shaun Sturby, MCSE > > Manager - Technical Services > > > Optrics Engineering - Solution Partners & Network Specialists > > Email: [EMAIL PROTECTED] Website: www.Optrics.com > > United States: 1740 S 300 West #10 Clearfield, UT, 84015 > > Phone: 1-877-430-6240 Fax: (801) 705-3150 > > Canada: 6810 104 St. Edmonton, AB Canada T6H 2L6 > > Phone: 1-877-463-7638 Fax: (780) 432-5630 > > Optrics Engineering and FundSoft are divisions of Optrics Inc. > > > Anti-virus & Anti-SPAM control solutions provided by www.Optrics.com
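John's answer turns on what is actually counted: distinct envelope recipients per originating IP, so a list post from a zombie looks like one recipient at the MX, while a zombie spraying a dictionary of local mailboxes looks like many. The block below is an added example of that counting with a time window, written for this page; it is not Declude's HiJack code and does not claim to match its thresholds. The event tuples are constructed, not a real IMail or Declude log format, and the window and recipient limits are illustrative assumptions.

```python
"""Distinct recipients per originating IP in a sliding window (added example, not Declude HiJack)."""
import ipaddress
from collections import defaultdict

# Constructed SMTP events: (unix_time, client_ip, envelope_recipient). Not a real IMail/Declude log format.
SAMPLE_EVENTS = [
    (0, "203.0.113.10", "sniffer@sortmonster.com"),   # a list post: one RCPT TO, the list address
    (10, "198.51.100.7", "alice@example.com"),
    (11, "198.51.100.7", "bob@example.com"),
    (12, "198.51.100.7", "carol@example.com"),
    (13, "198.51.100.7", "Dave@example.com"),
    (14, "198.51.100.7", "alice@example.com"),        # repeat recipient, counted once
    (900, "198.51.100.7", "eve@example.com"),          # outside a 5-minute window of the burst
    (20, "192.0.2.5", "postmaster@example.com"),
]


def peak_recipients_per_source(events, window_seconds):
    """For each client IP, the largest number of distinct recipients seen inside any one window."""
    by_ip = defaultdict(list)
    for ts, ip, rcpt in events:
        ipaddress.ip_address(ip)  # raise on garbage rather than count it as a source
        by_ip[ip].append((ts, rcpt.lower()))  # fold case so Dave@ and dave@ are one mailbox for counting
    peak = {}
    for ip, evs in by_ip.items():
        evs.sort()
        best = 0
        for i, (t_end, _) in enumerate(evs):
            # every event at or before this one that still falls inside the window ending here
            in_window = {r for t, r in evs[: i + 1] if t >= t_end - window_seconds}
            best = max(best, len(in_window))
        peak[ip] = best
    return peak


def flag_sources(events, max_recipients, window_seconds):
    """Client IPs that addressed more than max_recipients distinct mailboxes within one window."""
    peak = peak_recipients_per_source(events, window_seconds)
    return sorted(ip for ip, n in peak.items() if n > max_recipients)


if __name__ == "__main__":
    print(peak_recipients_per_source(SAMPLE_EVENTS, 300))
    print("flagged:", flag_sources(SAMPLE_EVENTS, 3, 300))
```

Two things the sample shows: the list address at 203.0.113.10 never trips the limit however many subscribers the list has downstream, and the same sender at 198.51.100.7 is flagged at a limit of 3 but not at 4, so the limit has to be set against the legitimate fan-out of real clients (a user CC'ing a department) rather than pulled out of the air.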
RE: [sniffer] Sniffer Weighting
Yes, different weights for different return codes, and configured as different tests. (But with same parameters.) John Tolmachoff Engineer/Consultant/Owner eServices For You > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On > Behalf Of Goran Jovanovic > Sent: Monday, February 07, 2005 10:24 PM > To: sniffer@SortMonster.com > Subject: [sniffer] Sniffer Weighting > > > Hi, > > In the licensed version of sniffer you get back what error code/reason > sniffer failed the message. Do folks generally weight the different > reasons with different weights or do you just do a blanket weight? > > The sniffer docs suggest that the weighting should be 7 if you are > tagging at 10 (in Declude's weighting system). > > Looking for other people's experience. > > Thanx > > > > Goran Jovanovic > The LAN Shoppe
RE: [sniffer] Lists Ping?
Your ping was not received. You must have done something wrong. No one is here. No one is home. :\ John Tolmachoff Engineer/Consultant/Owner eServices For You > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On > Behalf Of Marc Catuogno > Sent: Thursday, February 10, 2005 9:35 AM > To: sniffer@SortMonster.com > Subject: [sniffer] Lists Ping? > > Is it just me or are all the lists (Imail, Declude V and JM and this one > offline??) > > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] > On Behalf Of Pete McNeil > Sent: Tuesday, February 08, 2005 5:18 PM > To: Bill Green dfn Systems > Subject: Re: [sniffer] ERROR message in snifferp Command Prompt window > > On Tuesday, February 8, 2005, 3:20:25 PM, Bill wrote: > > BGdS> I have started seeing this line repeated in the persistent sniffer > command > BGdS> window. > > BGdS> ERROR_LOGFILE: Bad Lock During Logging > BGdS> c:\imail\declude\sniffer\"mycode".log > > BGdS> It looks like the error has been happening once a day for about a > week. > BGdS> Other than the message all seems to be working well. Where should I > look for > BGdS> the cause? > > The first clue I can see is that it happens once per day... Chances > are there is a scheduled process interfering with the log file, the > storage system in general (perhaps some backups or other IO intensive > operation). > > Locking is a very lightweight mechanism in SNF because most operations > are synchronized and sequential. If you are only seeing one of these > per day then there is no cause to worry - but do keep an eye on it so > that it doesn't get worse without you knowing it. > > A bad lock is probably a stale lock file --- The protocol would be to > simply ignore the lock after waiting the appropriate amount of time. > > In theory, no lock should be required to write to the log file because > it is opened in "append" mode. Unfortunately on Win32 based systems > this doesn't mean what it should. 
That is, write operations are not > 'atomic' --- so if more than one process tries to append to the log > file at once the result is unpredictable corruption. > > The locking mechanism we're using here (creating a lock semaphore > file) is only intended to synchronize access to the file since Win32 > doesn't. The fact that one process will wait - even if the lock fails > - usually accomplishes this task. If the process were to fail and two > processes wrote (append) to the log file at once then it is possible, > but not certain, that log corruption would occur -- which is not > strictly vital for the odd record here and there. > > Hope this helps, > > _M
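Pete's explanation of the "Bad Lock During Logging" message describes a small protocol: create a lock semaphore file before appending, wait if someone else holds it, treat a lock that is too old as stale, and after waiting long enough write anyway rather than lose the record. The block below is an added example of that protocol written for this page, not SNF's own locking code; the wait and stale-age values, the lock file name and the use of a rename to break a stale lock are assumptions. It demonstrates, with a temp directory it creates itself, the three situations in the thread: a clean acquire, a stale lock left behind by a dead process, and a lock that is genuinely held by someone else.

```python
"""Append-only logging guarded by a lock-semaphore file with stale-lock recovery (added example)."""
import os
import tempfile
import time


def acquire_lock(lock_path, wait=0.5, stale_after=5.0, poll=0.02):
    """Create lock_path exclusively. Returns True when acquired, False when another holder kept it
    for the whole wait. A lock older than stale_after seconds is assumed abandoned and broken."""
    deadline = time.monotonic() + wait
    while True:
        try:
            fd = os.open(lock_path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o644)
        except FileExistsError:
            try:
                age = time.time() - os.path.getmtime(lock_path)
            except FileNotFoundError:
                continue  # holder released between our two checks; retry immediately
            if age > stale_after:
                # rename first so that only one waiter wins the takeover; the loser gets FileNotFoundError
                taken = f"{lock_path}.stale.{os.getpid()}.{time.monotonic_ns()}"
                try:
                    os.replace(lock_path, taken)
                    os.remove(taken)
                except FileNotFoundError:
                    pass
                continue
            if time.monotonic() >= deadline:
                return False
            time.sleep(poll)
        else:
            os.write(fd, str(os.getpid()).encode())  # owner pid, handy when diagnosing a stale lock
            os.close(fd)
            return True


def release_lock(lock_path):
    try:
        os.remove(lock_path)
    except FileNotFoundError:
        pass


def append_log(log_path, line, lock_path=None, wait=0.5, stale_after=5.0):
    """Append one record. Returns True if the write happened under the lock, False if the lock was
    never obtained and the record was written anyway (the 'ignore the lock after waiting' rule)."""
    lock_path = lock_path or log_path + ".lock"
    locked = acquire_lock(lock_path, wait=wait, stale_after=stale_after)
    try:
        with open(log_path, "a", encoding="utf-8") as f:
            f.write(line.rstrip("\n") + "\n")
            f.flush()
    finally:
        if locked:
            release_lock(lock_path)  # never remove a lock we did not create
    return locked


# helpers for a self-contained demonstration
def make_temp_log():
    d = tempfile.mkdtemp(prefix="snf-log-")
    log = os.path.join(d, "sniffer.log")
    return log, log + ".lock"


def plant_lock(lock_path, age_seconds=0.0):
    """Simulate a lock left by another process, optionally backdated so it looks stale."""
    with open(lock_path, "w") as f:
        f.write("0")
    if age_seconds:
        t = time.time() - age_seconds
        os.utime(lock_path, (t, t))


def read_log_lines(log_path):
    with open(log_path, encoding="utf-8") as f:
        return f.read().splitlines()


def lock_exists(lock_path):
    return os.path.exists(lock_path)


if __name__ == "__main__":
    log, lock = make_temp_log()
    print("clean:", append_log(log, "rec1", lock))
    plant_lock(lock, age_seconds=600)
    print("stale lock broken:", append_log(log, "rec2", lock))
    plant_lock(lock)
    print("held lock, wrote anyway:", append_log(log, "rec3", lock, wait=0.1))
    print(read_log_lines(log))
```

The return value of `append_log` is the thing to log or count: one False per day, as in Bill's case, is the scheduled job Pete suspects, while a run of them means something is holding the lock for real and the "write anyway" fallback is now racing it.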
RE: [sniffer] Moving Sniffer to Declude/SmarterMail
> One thing we did whilst in the middle of this was to move all the log and > spool files to a standalone disk instead of the RAID5 array for the main > server, and we have seen a real reduction in the physical disk queue > lengths, which, under significant load, helps. Worth knowing. > > > Nick It is a well known and published fact (on the Imail list) that RAID5 should never ever be used for the spool directory or any other directory that has a high write activity. This is basic physics. RAID5 should really only be used for high read activity only, such as databases where most of the writing is done to transaction (log) files and at spaced intervals those transactions are committed to the database. RAID1 or even RAID0+1 is best for the spool and logs. John Tolmachoff Engineer/Consultant/Owner eServices For You
RE: Re[2]: [sniffer] Moving Sniffer to Declude/SmarterMail
> Now does anyone know how much overhead Windows 2000/2003 software RAID 1 > on dynamic disks produces over hardware level RAID 1? > > I am assuming it would be substantial. I have never noticed an issue, and I would only assume there would be an issue in higher end databases or where the CPU was already being tasked and near or at saturation by other processes. John Tolmachoff Engineer/Consultant/Owner eServices For You
[sniffer] Latest medication campaign
I am seeing a lot of these get through John T eServices For You
RE: [sniffer] Latest medication campaign
Something I noticed about these. They are all using RE: or FW: and in the body they have the original message line. SpamCheck had a line in the CheckWords giving negative 25 to that line. As such, SpamCheck was giving an overall weight of -19 which was taking away from everything else the message was failing. John T eServices For You > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On > Behalf Of Colbeck, Andrew > Sent: Wednesday, April 13, 2005 10:36 AM > To: sniffer@SortMonster.com > Subject: RE: [sniffer] Latest medication campaign > > On the weekend and since, I saw a lot of them get through but Sniffer > was dutifully catching them, unfortunately, they also served to > highlight Sniffer hyperaccuracy because those messages just weren't > reaching my HOLD weight. > > Check out the Message Sniffer change rates for the last few days: > > http://www.sortmonster.com/MessageSniffer/Performance/ChangeRates.jsp > > Something is definitely going on. On Sunday, the blue line was almost > the entire New Rule group. > > It started me thinking about making Sniffer my hold weight, and then > only applying counterweights. > > Meanwhile, I've added SURBL-ish testing with a tiny Declude weight, but > with a combo of the new test and any Sniffer hit, that seems to have > made the difference. I've only seen 1 undeliverable end up in the > postmaster box, and I've fixed why that happened (I set my skipweight > for various Declude filter text tests too low, so they weren't getting > run when the weight was close to my HOLD weight). > > So now it's back to the server room for me.
> > Andrew 8) > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff > (Lists) > Sent: Wednesday, April 13, 2005 10:16 AM > To: sniffer@SortMonster.com > Subject: [sniffer] Latest medication campaign > > > I am seeing a lot of these get through > > John T > eServices For You > > > > This E-Mail came from the Message Sniffer mailing list. For information > and (un)subscription instructions go to > http://www.sortmonster.com/MessageSniffer/Help/Help.html > > This E-Mail came from the Message Sniffer mailing list. For information and > (un)subscription instructions go to > http://www.sortmonster.com/MessageSniffer/Help/Help.html This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
RE: [sniffer] Integration with today's new ORF version:
Yes, I just got that notice as well. This is great. You could have ORF calling F-Prot and MessageSniffer as the MX boxes and then hand to Imail\Declude. That will take a big chunk of the processing resources needed on the Imail box.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy Schmidt
Sent: Monday, September 05, 2005 6:27 AM
To: sniffer@SortMonster.com
Subject: [sniffer] Integration with today's new ORF version:

http://www.vamsoft.com/orf/agentdefs.asp

It says to contact vendor. Here I am.

Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
RE: [sniffer] False positive
I also have sent some false positives in the last 2 weeks with no response, the latest being at 09/10/05 at 9:49 AM PDT.

John T
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
> Sent: Friday, September 09, 2005 5:08 AM
> To: Ali Resting
> Subject: Re: [sniffer] False positive
>
> On Friday, September 9, 2005, 2:17:31 AM, Ali wrote:
>
> AR> Hi Peter,
>
> AR> I have submitted 3 email to [EMAIL PROTECTED] with all the required
> AR> fields as per your instructions on the website, I have not received any
> AR> feedback whether this request has been effected.
>
> I cleared the false positives queue last night. I don't see any
> messages in there from you today. You should have received a response
> for each submission. I will review my responses and get back to you
> off list.
>
> Thanks,
>
> _M
RE: Re[2]: [sniffer] False positive
Pete, other than database update e-mails, I see no e-mails from "@microneil.com" or [EMAIL PROTECTED] in the last 2 days received by my server.

John T
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
> Sent: Tuesday, September 13, 2005 4:45 AM
> To: John Tolmachoff (Lists)
> Subject: Re[2]: [sniffer] False positive
>
> I have your response in my sent folder.
>
> I will send it again..
>
> _M
>
> On Monday, September 12, 2005, 8:37:52 PM, John wrote:
>
> JTL> I also have sent some false positives in the last 2 weeks with no response,
> JTL> the latest being at 09/10/05 at 9:49 AM PDT.
>
> JTL> John T
> JTL> eServices For You
>
> >> -Original Message-
> >> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
> >> Sent: Friday, September 09, 2005 5:08 AM
> >> To: Ali Resting
> >> Subject: Re: [sniffer] False positive
> >>
> >> On Friday, September 9, 2005, 2:17:31 AM, Ali wrote:
> >>
> >> AR> Hi Peter,
> >>
> >> AR> I have submitted 3 email to [EMAIL PROTECTED] with all the required
> >> AR> fields as per your instructions on the website, I have not received any
> >> AR> feedback whether this request has been effected.
> >>
> >> I cleared the false positives queue last night. I don't see any
> >> messages in there from you today. You should have received a response
> >> for each submission. I will review my responses and get back to you
> >> off list.
> >>
> >> Thanks,
> >>
> >> _M