Re: [sniffer] New Rulebot F001

[Matt]

Lowest result code wins with Sniffer, 63 is the highest score currently, 
and these rules are going in a place where formerly they were only 
IP's,so you shouldn't need to adjust anything.  I would imagine that 
refinement should improve accuracy in the IP rules, though I don't 
believe that it will be near perfect.


I do however want to voice my general and ongoing concern about 
automation and extracting IP's from spamtraps.  This can be done, but 
one must be very careful to remove legitimate or compromised hosts, and 
most that don't bother to do so are even worse than SpamCop when it 
comes to listing ISP's and the like.


For a good picture of whether a host is spammy, one should also look at 
all of the good traffic, and make sure that there is a huge sample of 
data to work with.  Alternatively, one should be checking for things 
such as the host being legitimate (does it answer with a name that 
matches the reverse DNS or HELO that it gave you, does it have "mail" in 
the name, etc.).  Also, it makes sense to have different qualification 
mechanisms for zombie spam and static spammers since their heuristics 
are quite different and can be targeted more effectively and more 
accurately with mechanisms built to their patterns.


I do fear that automation of this sort, unless it is done in a very 
reserved manner (throwing out what can't be almost absolutely 
confirmed), will result in foreign hosts being caught, and large 
ISP's/E-mail providers much in the same way as they have been.  CBL 
takes the reserved approach and is therefore much, much more accurate 
than SpamCop, yet their results aren't that far off the last I checked.  
CBL primarily targets zombies with their methods, and they do this 
because it is much easier to find a sign of an illegitimate host (that 
also hit a spamtrap).


Matt



Jay Sudowski - Handy Networks LLC wrote:


There's been at least one FP ;)

--
Rule - 861038
NameF001 for Message 2888327: [216.239.56.131]
Created 2006-03-02
Source  216.239.56.131
Hidden  false
Blocked false
Origin  Automated-SpamTrap
TypeReceivedIP
Created By  [EMAIL PROTECTED]
Owner   [EMAIL PROTECTED]
Strength2.08287379496965
False Reports   0

From Users  0

[FPR:B]

The rule is below threshold, and/or badly or broadly coded so it will be
removed from the core rulebase.


My concern with automated IP rule coding is that we use Sniffer because
it's extremely accurate.  Coding rules linked to IPs, particularly IPs
that are used by google or any large ISP to send large amounts of
(mostly legitimate) email is contrary to what Sniffer is great at, which
is tagging spam that no one else is.

Is response code 63 going to be utilized for any other purposes?  If
not, I will let Declude know to weight these responses lower than normal
Sniffer.

- Jay 
-Original Message-

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Monday, March 06, 2006 3:00 PM
To: sniffer@sortmonster.com
Subject: [sniffer] New Rulebot F001

Hello Sniffer folks,

 The first of the new rulebots is coming online.

 Rulebot F001 creates IP rules for sources that consistently fail
 many tests while also reaching the cleanest of our spamtraps.

 The rules will appear in group 63.

 The bot is playing catchup a bit (since there have been few IP rules
 at all since we disabled the old bots).

 The algorithms used in this bot have been tested manually for 2
 weeks with no false positives.

 Expect an increase in your rulebase size while F001 catches up with
 current spamtrap data.

Thanks,

_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)
Chief Scientist (www.armresearch.com)


This E-Mail came from the Message Sniffer mailing list. For information
and (un)subscription instructions go to
http://www.sortmonster.com/MessageSniffer/Help/Help.html



This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html


 




This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html

Re: [sniffer] New rulebase compilers online.

[Matt]

Pete,

Does this mean that you are somehow supporting incremental rule base 
updates, or is it that the compiler is just much faster so we will get 
the same number of updates, but generally get them 40-120 minutes 
earlier in relation to the data that generated them?


Either way, definitely an improvement.  The closer to real-time we can 
get, the better.


Thanks,

Matt



Pete McNeil wrote:


Hello Sniffer Folks,

 I have just completed work to upgrade the rulebase compiler bots.
 They are now significantly more efficient. As a result you will be
 seeing updates more frequently.

 Previous lag was between 40-120 minutes.

 Current lag (sustained) is < 5 minutes.

 More timely updates should equate to lower spam leakage for new
 spam.

 You do not need to take any action on this. This note is for your
 information only.

Thanks,

_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)
Chief Scientist (www.armresearch.com)


This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html


 




This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html

Re: [sniffer] New RuleBot F002 Online

[Matt]

Pete,

In light of current and prolonged issues, this seems like a good and 
safe tactic.  I would appreciate it however if maybe you could place the 
rules in another result code since this result code is not as accurate 
as some others are and some of us weight it lower than others.


Thanks,

Matt



Pete McNeil wrote:


Hello Sniffer Folks,

 Rulebot F002 has been placed online.

 This rulebot captures and creates geocities web links from the
 "chatty" campaigns. This is largely a time saver for us humans... we
 will focus our attention more on abstracts for these campaigns now
 that F002 will be capturing the raw links.

 Rules from F002 will produce a 60 result code (Ungrouped).

 The engine is following a standard protocol that we have used for
 months. I expect no false positives from this one.

Thanks,
_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)
Chief Scientist (www.armresearch.com)


This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html


 




This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html

Re: [sniffer] New RuleBot F002 Online

[Matt]

Pete,

I would definitely like to see rules classified for what they are based 
on instead of the content, but certainly I don't expect to see that 
without a major new release.


Rules such as those based phrases, IP's, domains, patterns, and viruses 
all have different accuracies and issues.  If you were also to group 
them in a similar way, we could tag multiple rules for a single message 
so that for instance a phrase and a domain both hit on the same 
message.  My logs show that I average 3 matches for every final result.  
If this becomes a plan, I would proceed very carefully since doing it in 
a way that could cause a lot of cross-over pollution would make comboing 
such things for a higher score unwise.  I would in fact recommend 
creating something like 4 groups;


   1) IP's,
   2) Domains, E-mail addresses & Links,
   3) Patterns (like domain patterns and obfuscation), and
   4) Content.

There shouldn't be any crossover of FP's in such a thing, so multiple 
hits would be stronger.


In relation to the placement of RuleBot F002 results, I would just favor 
pretty much anything but the 60 and 63 groups because they are scored 
lower due to FP's on my system, and it has generally been said by others 
that this is the case on theirs as well.  F002 has the appearance of 
being hyper-accurate, and it would help if it was placed in a group with 
other hyper accurate results.  Even placing it in 61 (Experimental) 
would be preferred over 60.


Thanks,

Matt


Pete McNeil wrote:


On Friday, March 10, 2006, 3:41:00 PM, Darin wrote:

DC> Totally agree.  I'd like to see some separation between rules created by
DC> newer rulebots and preexisting rules.  That way if there becomes an issue
DC> with a bot, we can turn off one group quickly and easily.

There is no way to do this without completely reorganizing the result
codes or defeating the competitive ranking mechanisms.

If you feel strongly about it I can move these rule groups to lower
numbers on your local rulebase or make some other numbering scheme -
but I don't recommend it. Moving these rule groups to lower numbers
would cause them to win competitions with other rules where they would
normally not win.

At some point in the future we might renumber the rule groups again,
but I like to avoid this since there are so many folks that just don't
get the message (no matter what we do to publish it) when we make
changes like this and so any large scale changes tend to cause
confusion for very long periods.

For example: I still, on occasion, have questions about the
gray-hosting group which has not existed for quite a long time.

So far there has not been one FP reported on bot F002 and extremely
few on F001 - the vast majority of those associated with the very
first group of listings prior to the last two upgrades for the bot.

_M



This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html


 




This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html

[sniffer] Message loop

[Matt]

Pete,

I tried replying to some FP reports and I received back some loop
reports from your gateway:



Failed to deliver to '[EMAIL PROTECTED]'
mail loop: too many hops (too many 'Received:' header fields)






Reporting-MTA: dns; server75.appriver.com

Original-Recipient: rfc822;<[EMAIL PROTECTED]>
Final-Recipient: system;<[EMAIL PROTECTED]>
Action: failed
Status: 5.0.0





Received: from [10.238.11.79] (HELO inbound.appriver.com)
  by server75.appriver.com (CommuniGate Pro SMTP 5.0.6)
  with ESMTP id 204450520 for [EMAIL PROTECTED]; Wed, 19 Apr 2006 16:36:23 -0400
Received: by inbound.appriver.com (CommuniGate Pro PIPE 5.0.6)
  with PIPE id 40116463; Wed, 19 Apr 2006 16:36:22 -0400
Received: from [69.20.119.203] (HELO server70.appriver.com)
  by inbound.appriver.com (CommuniGate Pro SMTP 5.0.6)
  with ESMTP id 40116469 for [EMAIL PROTECTED]; Wed, 19 Apr 2006 16:36:18 -0400
Received: by server70.appriver.com (CommuniGate Pro PIPE 5.0.6)
  with PIPE id 20584892; Wed, 19 Apr 2006 16:31:39 -0400
Received: from [12.6.93.226] (HELO exchange01.apprivercorp.com)
  by server70.appriver.com (CommuniGate Pro SMTP 5.0.6)
  with ESMTP id 20584879 for [EMAIL PROTECTED]; Wed, 19 Apr 2006 16:31:35 -0400
Received: from server75.appriver.com ([207.97.224.142]) by exchange01.apprivercorp.com with Microsoft SMTPSVC(6.0.3790.1830);
	 Wed, 19 Apr 2006 15:32:57 -0500
Received: from [10.238.11.110] (HELO inbound.appriver.com)
  by server75.appriver.com (CommuniGate Pro SMTP 5.0.6)
  with ESMTP id 204446070; Wed, 19 Apr 2006 16:31:35 -0400
Received: by inbound.appriver.com (CommuniGate Pro PIPE 5.0.6)
  with PIPE id 43046685; Wed, 19 Apr 2006 16:31:33 -0400
Received: from [207.97.227.84] (HELO www03.appriver.com)
  by inbound.appriver.com (CommuniGate Pro SMTP 5.0.6)
  with ESMTP id 43046648; Wed, 19 Apr 2006 16:31:27 -0400
Received: from outbound.appriver.com [10.238.11.133] by www03.appriver.com with ESMTP
  (SMTPD32-8.15) id ADFB2787015E; Wed, 19 Apr 2006 16:30:51 -0400
Received: from [10.238.11.92] (HELO server87.appriver.com)
  by outbound.appriver.com (CommuniGate Pro SMTP 5.0.2)
  with SMTP id 75970524 for [EMAIL PROTECTED]; Wed, 19 Apr 2006 16:30:43 -0400
Received: by server87.appriver.com (CommuniGate Pro PIPE 5.0.6)
  with PIPE id 153351626; Wed, 19 Apr 2006 16:30:43 -0400
Received: from [216.88.36.96] (HELO mnr1.microneil.com)
  by server87.appriver.com (CommuniGate Pro SMTP 5.0.6)
  with ESMTP id 153351606 for [EMAIL PROTECTED]; Wed, 19 Apr 2006 16:30:34 -0400
Received: by mnr1.microneil.com (Postfix, from userid 93)
	id 578433F20C0; Wed, 19 Apr 2006 16:30:34 -0400 (EDT)
X-SortMonster-MessageSniffer-Rules: snfrv2r3-v2-3.2
	0-69638-850--m
	0-113972-1237-3710-m
	0-113972-1237-12801-m
	0-113972-1237-23632-m
	0-113972-1237-31312-m
	0-69638-850--f
X-SortMonster-MessageSniffer-Result: 0
Received: from SortMonster.com (unknown [216.88.36.181])
	by mnr1.microneil.com (Postfix) with ESMTP id 0DFE03F20BE
	for <[EMAIL PROTECTED]>; Wed, 19 Apr 2006 16:30:34 -0400 (EDT)
Received: from outbound.appriver.com [207.97.229.125] by SortMonster.com with ESMTP
  (SMTPD32-6.05) id ADE1CCC009A; Wed, 19 Apr 2006 16:30:25 -0400
Received: from [10.238.11.52] (HELO inbound.appriver.com)
  by outbound.appriver.com (CommuniGate Pro SMTP 5.0.2)
  with ESMTP id 75970346 for [EMAIL PROTECTED]; Wed, 19 Apr 2006 16:30:24 -0400
Received: by inbound.appriver.com (CommuniGate Pro PIPE 5.0.6)
  with PIPE id 98719021; Wed, 19 Apr 2006 16:30:22 -0400
Received: from [66.109.52.12] (HELO mailpure.com)
  by inbound.appriver.com (CommuniGate Pro SMTP 5.0.6)
  with ESMTP id 98718972 for [EMAIL PROTECTED]; Wed, 19 Apr 2006 16:30:10 -0400
Received: from [192.168.0.100] [24.29.42.95] by mailpure.com with ESMTP
  (SMTPD32-8.15) id ADD0457300A2; Wed, 19 Apr 2006 16:30:08 -0400
Message-ID: <[EMAIL PROTECTED]>
Date: Wed, 19 Apr 2006 16:31:16 -0400
From: Matthew Bramble <[EMAIL PROTECTED]>
Organization: MailPure
User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Sniffer FP Support <[EMAIL PROTECTED]>
Subject: Re: hb064pkq - [EMAIL PROTECTED]
References: <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
In-Reply-To: <[EMAIL PROTECTED]>
Content-Type: multipart/alternative;
 boundary="040105010502030206010001"
X-MailPure: 
X-MailPure: Spam Score: 0
X-MailPure: Scan Time: 19 Apr 2006 at 16:30:09 EST
X-MailPure: Spool File: D9DD0457300A2541E.SMD
X-MailPure: Server Name: 
X-MailPure: SMTP Sender: [EMAIL PROTECTED]
X-MailPure: Received From: (Private IP) [192.168.0.100]
X-MailPure: Country Chain: 
X-MailPure: 
X-MailPure: Spam and virus blocking services provided by MailPure.com
X-MailPure: 
X-Policy: sortmonster.com
X-Note: This Email was scanned by AppRiver SecureTide
X-Note: Spam Tests Failed: 
X-Country-Path: PRIV

Re: [sniffer]A design question - how many DNS based tests?

[Matt]

I have 46 RBL's configured, though 16 are configured to score 
differently on last hop and prior hops.  I would say that more than 35 
of these are things that I would not like to lose.


I weight most RBL's at around half of my Hold weight in Declude.  False 
positives on my system typically hit about 5 different tests of various 
types before they get enough weight to be blocked.  Sniffer is the test 
most often a part of false positives, being a contributing factor in 
about half of them.  About 3/4 of all FP's (things that are blocked by 
my system) are some form of automated or bulk E-mail.  That's not to say 
that other tests are more accurate; they are just scored more 
appropriately and tend to hit less often, but the FP issues with Sniffer 
have grown due to cross checking automated rules with other lists that I 
use, causing two hits on a single piece of data.  For instance, if SURBL 
has an FP on a domain, it is possible that Sniffer will pick that up too 
based on an automated cross reference, and it doesn't take but one 
additional minor test to push something into Hold on my system.


IMO, the more tests, the better.  It's the best way to mitigate FP's.  I 
don't look to Sniffer as anything more than a contributer to the overall 
score.  Sniffer can't block a message going to my system on it's own due 
to it's weighting.  I think it's more important to be accurate than to 
hit more volume, and handling false positive reports with Sniffer is 
cumbersome for both me and Sniffer.  I would hope that any changes seek 
to increase accuracy above all else.  Sniffer does a very good job of 
keeping up with spam, and it's main issues with leakage are caused by 
not being real-time, but that's ok with me.  At the same time Sniffer is 
the test most often a part of false positives, being a contributing 
factor in about half of them.  About 3/4 of all FP's (things that are 
blocked by my system) are some form of automated or bulk E-mail.  That's 
not to say that other tests are more accurate; they are just scored more 
appropriately and tend to hit less often, but the FP issues with Sniffer 
have grown due to cross checking automated rules with other lists that I 
use, causing two hits on a single piece of data, and the growth of the 
Sniffer userbase which has become more likely to report first-party 
advertising as spam, either manually or through an automated submission 
mechanism.


Matt




Pete McNeil wrote:


Hello Sniffer Folks,

I have a design question for you...

How many DNS based tests do you use in your filter system?

How many of them really matter?

Thanks!

_M

 




#
This message is sent to you because you are subscribed to
 the mailing list .
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to  <[EMAIL PROTECTED]>

Re: [sniffer]FP suggestions

[Matt]

d reverse DNS entries for bulk mailers so
that I can treat them differently on my system.  Some I do block by
default, but others that send a majority of legitimate messages I
balance in my system so that they don't fail technical tests (such as
Declude's BADHEADERS, SPAMHEADERS and HELOBOGUS) since they are not
appropriate for non-zombies, and at least two hits on things like
Sniffer, SURBL and SpamCop are required before something gets blocked. 
The essence of the issue here is that while one mailing might be spam,
it doesn't make sense to paint all of the provider's mailings as spam. 
Sniffer still hits a lot of what passes through my system, but they are
not blocked nearly as often as before.  I recall reporting places like
roving.com, icebase.net, cheetahmail.com and other well known providers
to Sniffer as false positives in the past.  I recognize that Sniffer
has a lot of clients that don't care if such things get blocked, and do
care a lot if spam leaks through, and it is tough to target individual
lists as opposed to the entire provider.  Another subset of this is
third-party tracking services that sometimes get tagged based on the
fact that some of their clients do spam, and then there is the subset
that advertises third-parties with direct links to their domains where
those third-parties have spammed, i.e. Entertainment Books, Omaha
Steaks, University of Phoenix Online, etc.  You clearly pulled those
domains from spam samples, but they cross-contaminate opt-in lists
through advertising links.  Based on past discussions, we may well
differ on our opinions about how to deal with this, but it isn't
workable to continually report such things if they continually get
listed in other ways, and that's why I decided sometime ago to track
these providers myself.

Regarding those things that are submitted to Sniffer as spam that I
don't consider to be spam, that's another very tough cookie to crack. 
If one customer reports E-mails from Harry & David to Sniffer as
spam, and I report it as ham...who is right?  I think that this comes
down to having an official definition of spam and communicating it. 
Spamhaus has a definition that isn't workable in the real-world because
it requires affirmative confirmation of being put on a bulk mail list
by companies that you do business with, and as we know, virtually no
one follows this so closely, yet many want these E-mails and everyone
has the ability to unsubscribe.  My definition of spam, like Spamhaus,
is that it is both bulk and unsolicited, however we differ when it
comes to defining unsolicited.  I try to allow any first-party
communications, advertising or otherwise, so long as they are directly
related to the actions that created the relationship (i.e. no
third-party offers), and so long as they honor unsubscriptions without
jumping through hoops (like remembering obscure logins to stop
messages).

There are of course some grey areas around the edges such as lists that
mix opt-ins with harvested/bought lists, but they are fairly rare and I
can't suggest a pure way to deal with such things outside of hard work
and manual review, though I would discourage against collection methods
that can cause pollution such as automated submissions which for
instance can report things like Harry & David because the admin
blacklisted them locally, and then they show up as blocked spam that
Sniffer didn't hit and are submitted.  I think this may be a
contributing factor.  I would prefer that people manually report, and
that they know the rules for what to report (i.e. the spam definition).

I didn't intend to draw you into this discussion within another thread
or at this time, but I do think that Sniffer would benefit from some
more focus on the FP issues.
I hope this helps and I am willing to lend some more ideas or opinions
if you want to bounce some of your own off of me or the list.

Thanks,

Matt

Re: [sniffer]Re[2]: [sniffer]FP suggestions

[Matt]

Pete,

An X-Header would be very, very nice to have.  I understand the issues
related to waiting to see if something comes through, and because of
that, I would maybe suggest moving on your own.

Sniffer doesn't need to be run on every single message in a Declude
system.  Through weight based skipping, many administrators (especially
the ones that could make the most use of this) could skip processing
Sniffer once a certain weight is reached, and in turn that would save
enough load that it should easily make up for needing to re-write the
message to the disk with the modified headers.  On external tests that
allow for weight skipping on my system, I was skipping around 50% of
messages before lightening the load with pre-scanning.

Sniffer could do weight skipping with Declude by accepting the %WEIGHT%
variable in the command line.

SNIFFER-IP        external    063   
"C:\IMail\Declude\Sniffer\customer-code.exe license-code WH=26 WL=-5
CW=%WEIGHT%"    5    0
...etc.

The WH setting says don't run if equal to or greater than, the WL says
don't run if equal to or less than, and the CW passes in the weight
from Declude at the time of calling Sniffer.  It still launches
Sniffer, but it could be stopped immediately before any heavy lifting
is done.

The best solution of course would be for Declude to allow for
weight-based skipping in the config without calling the executable, but
I started asking about that back in the Scott days and I am not holding
out hope for that happening soon considering.  The most realistic
option would seem to then have Sniffer do the heavy lifting of
rewriting itself, and save some CPU and disk I/O by improving
efficiencies with something as simple as weight-based skipping.  I'm
pretty sure the net result would be less CPU and disk I/O overall if
both were done.

Another alternative may be to create a separate executable (with
weight-based skipping) that would only deal with adding headers from
the text file that Sniffer drops in the directory.  There would be less
benefit overall to keeping this all in one app, but it would target the
primary need.  This could easily be written by one of us in _vbscript_ as
a proof of concept.  I have considered doing this before, but it isn't
at the top of my priorities.

BTW, you could maybe even encode links in the headers for FP reporting
through a Web interface, completely removing the forwarding mechanism
from the mix, though you wouldn't have the opportunity to see the
messages which may not be good as a whole.

Matt





Pete McNeil wrote:

  Hello Scott,

Wednesday, June 7, 2006, 10:08:58 AM, you wrote:

  
  
  
 
For me the pain of false positives submissions is  the research
that happens when I get a "no rule found" return.
 
 
 
I then need to find the queue-id of the original  message and then
find the appropriate Sniffer log and pull out the log lines  from
there and then submit it. Almost always in these cases, a rule is  removed.
 
 
 
If this process could be improved that would really  be a time saver.

  
  
This depends on the email system you are using. On some systems
(MDaemon, and postfix, for example) X- headers from SNF can be emitted
into the message. When we see these we can identify the rules directly
without asking for the extra research.

It would be nice if Declude would offer a mechanism to pick up the
optional .xhdr file SNF can generate and include it in the X headers
that it already adds to the message.

I know this begs the question, why not have SNF add the headers for
SmarterMail and IMail platforms, and the reason is that it would
require writing an additional copy of the message to disk. Since these
systems tend to be io bound already (Declude/IMail anyhow) the
performance penalty would be prohibitive. If Declude picks up .xhdr
from SNF directly then it can be included in the ONE rewrite Declude
makes anyway.

I've asked them about this and other improved integration
opportunities for a while now (many months), and I get favorable
responses, but no action so far. I guess we will see :-)

_M

  

Re: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]FP suggestions

[Matt]

Pete,

Since the %WEIGHT% variable is added by Declude, it might make sense to
have a qualifier instead of making the values space delimited.  Errors
in Declude could cause values to not be inserted, and not everyone will
want to skip at a low weight.  I haven't seen any bugs with %WEIGHT%
since shortly after it was introduced, but you never know.  I have seen
some issues with other Declude inserted variables though.

One other thing that I came across with the way that Declude calls
external apps...you can't delimit the data with things like quotes. 
There is no mechanism for escaping a functional quote from a quote that
should appear in the data that you pass to it...so don't use quotes as
delimiters :)

Matt



Pete McNeil wrote:

  Hello Matt,

Wednesday, June 7, 2006, 3:37:36 PM, you wrote:

  
  
   
 Pete,
 
 An X-Header would be very, very nice to have.  I understand the
issues related to waiting to see if something comes through, and
because of that, I would maybe suggest moving on your own.

  
  
I've got it on the list to have a message rewriting option... it's
just not as high as some others. I hadn't thought about the weight
gating utility - though that seems like something that would be useful
in general for external tests...

"weightgate -5 %WEIGHT% 20 " 5 0

 is executed if %WEIGHT% is in the range [-5,20]
and the exit code of  is returned.

That seems like a pretty simple utility to knock out - perhaps I will
;-)

Also, on the FP reporting links idea, that would break the process -
it's important for us to see the message for many reasons, and it's
important for the FP resolution process to be interactive.

_M


  

Re: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]FP suggestions

[Matt]

Pete,

I think that you just broke Scott's record with his two hour feature
request with your own a two hour program :)

Anyone remember those days???

Thanks,

Matt



Pete McNeil wrote:

  Hello Matt,

Wednesday, June 7, 2006, 4:22:05 PM, you wrote:

  
  
   
 Pete,
 
 Since the %WEIGHT% variable is added by Declude, it might make
sense to have a qualifier instead of making the values space
delimited.

  
  
I don't want to mix delimiters... everything so far is using spaces,
so it makes sense to continue that way IMO.

  
  
  Errors in Declude could cause values to not be inserted,
and not everyone will want to skip at a low weight.  I haven't seen
any bugs with %WEIGHT% since shortly after it was introduced, but
you never know.  I have seen some issues with other Declude inserted variables though.

  
  
Well, errors are always a possibility, but in this case it _should_ be
reasonably safe. For example, if this is used to gate SNF, then a
missing %WEIGHT% would result in trying to launch a program with the
same name as the authentication string, and it is highly unlikely that
would be found, so the result would be the "program not found" error
code. That's not perfect because it's a nonzero result, but it is safe
in that it is not likely to launch another program.

  
  
 One other thing that I came across with the way that Declude calls
external apps...you can't delimit the data with things like quotes. 
There is no mechanism for escaping a functional quote from a quote
that should appear in the data that you pass to it...so don't use
quotes as delimiters :)

  
  
Not a problem...

I just whipped together a utility called WeightGate.exe that can be
downloaded here (for now):

http://www.messagesniffer.com/Tools/WeightGate.exe

Suppose you wanted to use it in Declude to skip running SNF if your
weight was already ridiculously low (perhaps white listed) or already
so high that you want to save the extra cycles. Then you might do
something like this:

SNF external nonzero "c:\tool\WeightGate.exe -50 %WEIGHT% 30 c:\SNF\sniffer.exe authenticationxx" 10 0

(hopefully that didn't wrap, and if it did you will know what I meant ;-)

To test this concept out you might first create a copy of
WeightGate.exe callled ShowMe.exe (case matters!) and then do
something like this:

SNF external nonzero "c:\tool\ShowMe.exe -50 %WEIGHT% 30 c:\SNF\sniffer.exe authenticationxx" 10 0

The result of that would be the creation of a file c:\ShowMe.log that
contained all of the parameters ShowMe.exe was called with -- that way
you wouldn't have to guess if it was correct. ShowMe.exe ALWAYS
returns zero, so this _should_ be safe ;-)

If you run WeightGate on the command line without parameters it will
tell you all about itself and it's alter ego ShowMe.exe.

That description goes like this (I may fix the typo(s) later):

WeightGate.exe
(C) 2006 ARM Research Labs, LLC.

This program is distributed AS-IS, with no warranty of any kind.
You are welcome to use this program on your own systems or those
that you directly support. Please do not redistribute this program
except as noted above, however feel free to recommend this program
to others if you wish and direct them to our web site where they
can download it for themselves. Thanks! www.armresearch.com.

This program is most commonly used to control the activation of
external test programs from within Declude (www.declude.com) based
on the weigth that has been calculated thus far for a given message.

As an added feature, if you rename this program to ShowMe.exe then
it will emit all of the command line arguments as it sees
them to a file called c:\ShowMe.log so that you can use it
as a debugging aid.

If you are seeing this message, you have used this program
incorrectly. The correct invocation for this program is:

WeightGate , ,... 

Where:
   = a number representing the lowest weight to run .
   = a number representing the actual weight to evaluate.
   = a number representing the highest weight to run .
   = the program to be activated if  is in range.
  ,  = arguments for .

If  is in the range [,] then WeightGate will run
 and pass all of , ,...  to it. Then
WeightGate will collect the exit code of  and return it as
WeightGate's exit code.

If WeightGate gets the wrong number of parameters it will display
this message and return FAIL_SAFE (zero) as it's exit code.

If  is not in range (less than  or greater than )
then WeightGate will NOT launch  and will return FAIL_SAFE
(zero) as it's exit code.

As a deubgging aid, I was called with the following arguments:

arg[0]  = WeightGate

  

Re: [sniffer]FP suggestions

[Matt]

Darin,

Outlook will strip many of the headers when forwarding.  Outlook
Express needs to forward the messages using "Forward As Attachment" in
order to insert the full original headers.  Thunderbird/Netscape Mail
will work just by forwarding.  If you paste the full source in a
message, you should send as plain text.

I have many FP's that come back as having no rules found, but these are
more likely to be from rules that were already removed.  So I wouldn't
jump to a conclusion that the rule was not found because of formatting
unless you are not sending the full unadulterated original message
source.  I would imagine that it would mostly be IP rules that aren't
found when not forwarding the full original source.

Matt




Darin Cox wrote:

  
It is unclear - we receive FPs that have traveled through all sorts of
clients, quarantine systems, changed hands various numbers of times,
or not (to all of those)... Right now I don't want to make that
research project a high priority.

  
  
Understood.

  
  
That's true it wouldn't change, but submitting the message directly
would not be correct - the dialogue is with you, and in any case,
additional trips through the mail server also modify parts of the
header and sometimes parts of the message (tag lines, disclaimers,
etc)...

  
  
Hmmm... with attaching the original message, I guess it still makes more
sense to deliver to us first for now.  Just looking for an alternative that
gets you the message as close as possible to the original form as possible.
Maybe we'll write a script to copy and forward the D*.SMD file as an
attachment to you for FPs at some point in the future.




#
This message is sent to you because you are subscribed to
  the mailing list .
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to  <[EMAIL PROTECTED]>



  

Re: [sniffer]WeightGate source, just in case...

[Matt]

Pete,

Just two more cents for the masses...

If people use this for two different external tests in Declude, they 
need to create two differently named executables because Declude will 
assume the calling executable to be part of the same test and only run 
it once (or possibly create an error depending on one's configuration).  
This may not be necessary if you have different test types defined, i.e. 
nonzero, weight, external, and bitmask, but better safe than sorry.


Also, I noted that the Subjects on this list are being repeated.  I saw 
that you changed to a new server, but I also noted that there is no 
space after "[sniffer]" in the Subject and thought that maybe this is 
what is throwing things off.  Maybe adding that space will correct the 
issue???


Matt



Pete McNeil wrote:


Hello Sniffer Folks,

   The WeightGate utility I posted was done in a real hurry, so I
   thought I'd post source here just in case anybody wants to review
   it and in case of any trouble ;-) Also for any educational value
   it may have for others interested in writing similar kinds of
   utilities.

   Source attached in HTML form.

   Thanks,

   _M

 

 




#
This message is sent to you because you are subscribed to
 the mailing list .
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to  <[EMAIL PROTECTED]>

[sniffer][Fwd: Re: [sniffer]FP suggestions]

[Matt]

Darin,

Thunderbird and Netscape just takes the full original source and 
attaches it as a message/rfc822 attachment.  I forwarded this message 
back to the list by just pressing "Forward".  I'm pretty sure that 
Outlook Express works simply by just pressing Forward As Attachment, or 
at least it gives me enough of the original, including the full headers, 
to determine how to block the spam.  I have been telling Outlook users 
to copy and paste the headers into a forwarded message.


Please excuse me for wanting more detail about the Outlook attachment 
trick, but would you mind attaching this message to a response so that I 
could look at the headers and such?


There was a discussion about Outlook's behavior with Scott some time 
ago.  Apparently Microsoft was pressured by customers to remove headers 
when forwarding because they felt that they were a security/privacy 
risk.  No one told them that Outlook was a security/privacy risk on it's 
own :)  ...but that's another story.  I would probably feel different if 
I had the need for groupware though, but digs at Microsoft are 
irresistible sometimes.


Matt
--- Begin Message ---



Of course I'm sending the full message as an 
attachment.  You can do that with Outlook by attaching and item, then 
browsing your mail folders for the message to attach.  And yes, that's how 
you do it with Outlook Express as well.  I don't use Thunderbird or 
Netscape mail, but I would assume you still need to attach the original message 
to avoid the headers being lost.
 
What I was referring to was a little more involved 
than that... namely the possibility of it not matching a rule because the 
attachment was encoded differently.  For example, I've seen mail go 
through that baes64 encoded an attached email that was not originally 
base64 encoded.
 
From Pete's responses, it sounded like "no rule 
found" really did mean no rule was matched.  Especially since he has a 
separate code for "rule already removed".  FPs we send are always from same 
day, or, at the very least, within 24 hours.
Darin.
 
 
- Original Message - 
From: Matt 
To: Message Sniffer Community 
Sent: Wednesday, June 07, 2006 11:46 PM
Subject: Re: [sniffer]FP suggestions
Darin,Outlook will strip many of the headers when 
forwarding.  Outlook Express needs to forward the messages using "Forward 
As Attachment" in order to insert the full original headers.  
Thunderbird/Netscape Mail will work just by forwarding.  If you paste the 
full source in a message, you should send as plain text.I have many FP's 
that come back as having no rules found, but these are more likely to be from 
rules that were already removed.  So I wouldn't jump to a conclusion that 
the rule was not found because of formatting unless you are not sending the full 
unadulterated original message source.  I would imagine that it would 
mostly be IP rules that aren't found when not forwarding the full original 
source.MattDarin Cox wrote: 

  It is unclear - we receive FPs that have traveled through all sorts of
clients, quarantine systems, changed hands various numbers of times,
or not (to all of those)... Right now I don't want to make that
research project a high priority.

Understood.

  
  That's true it wouldn't change, but submitting the message directly
would not be correct - the dialogue is with you, and in any case,
additional trips through the mail server also modify parts of the
header and sometimes parts of the message (tag lines, disclaimers,
etc)...

Hmmm... with attaching the original message, I guess it still makes more
sense to deliver to us first for now.  Just looking for an alternative that
gets you the message as close as possible to the original form as possible.
Maybe we'll write a script to copy and forward the D*.SMD file as an
attachment to you for FPs at some point in the future.




#
This message is sent to you because you are subscribed to
  the mailing list .
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to  <[EMAIL PROTECTED]>



  
--- End Message ---
#
This message is sent to you because you are subscribed to
  the mailing list .
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to  <[EMAIL PROTECTED]>

[sniffer] Re: [sniffer][Fwd: Re: [sniffer]FP suggestions]

[Matt]

Darin,

Thunderbird allows you to choose the default forwarding method as
either inline or as attachment.  It might actually default to inline, I
can't remember, but whenever it does message/rfc822 attachments, it is
as a whole unlike some other clients that edit it down to the bare
minimum of what the consider to be useful like addressing, subject date
and MIME stuff if appropriate.  I'm definitely guilty of being a
Netscape diehard, and I'm very happy that the Mozilla project brought
things back to life again.

I fully understand the attachment trick with Outlook thanks to the
confirmations.  This will be easier than having people cut and paste
the headers in.  This doesn't happen much, but there is nothing worse
than getting a spam report without header info.

I also understand the encoding issues with forwarding in Outlook/OE. 
It's a shame that this happens.  Maybe having a copy of Thunderbird
around for this purpose might fit in where this is an issue.  Sounds
like adding Sniffer headers would be the best solution for this issue
on a wider basis since you definitely can't convince every admin not to
submit using Outlook/OE.

Soon I'm going to code up my Sniffer FP reports to be automatically
triggered when a message is reprocessed from my spam review system, so
I won't have to even bother with the source any more.  That should only
take a couple of hours, and it would be time well spent.  I always fix
issues and whitelist locally where appropriate, but I also report to
Sniffer for the benefit of all in addition to making sure that a FP
rule will not tag something outside of the scope of what I whitelisted,
and I have to report in order to be able to see what the content of the
rule was.  Customers do most of the reprocessing now, I just do the
back end stuff.

Matt



Darin Cox wrote:

  
Thunderbird and Netscape just takes the full original source and
attaches it as a message/rfc822 attachment.  I forwarded this message
back to the list by just pressing "Forward".

  
  
Interesting that they include the headers with a simple forward, without
specifying forward as attachment.  I haven't ever seen that behaviour before
in a mail client.  Seems like a few forwards would create a very bloated
message with all of the old headers.

  
  
I'm pretty sure that
Outlook Express works simply by just pressing Forward As Attachment, or
at least it gives me enough of the original, including the full headers,
to determine how to block the spam.

  
  
Yes it does.  However you've missed the point.  The issue is not how to get
the headers.  It is how to keep an email client from encoding the message
and headers differently, so that Sniffer can properly identify the rule that
caught the message.

  
  
Please excuse me for wanting more detail about the Outlook attachment
trick, but would you mind attaching this message to a response so that I
could look at the headers and such?

  
  
Sorry, I don't use Outlook.  But I can tell you the steps to take in Outlook
2003 (other versions are almost exactly the same).  I have my Outlook users
follow these with no problem.

1. Create a new email message
2. Click the arrow beside the paperclip icon, select item instead of file
from the dropdown
3. Browse mailboxes from the popup dialog to select the message to attach.
4. Viola, original message and headers attached.

  
  
There was a discussion about Outlook's behavior with Scott some time
ago.  Apparently Microsoft was pressured by customers to remove headers
when forwarding because they felt that they were a security/privacy
risk.  No one told them that Outlook was a security/privacy risk on it's
own :)  ...but that's another story.  I would probably feel different if
I had the need for groupware though, but digs at Microsoft are
irresistible sometimes.

  
  
I don't remember that discussion, and am not sure we're talking about the
same thing.  If you attach the original message via the steps above, you get
the full original message, headers and body.  We have a number of customers
who send spam reports this way, mostly on Outlook 2002 and 2003.

Darin



#
This message is sent to you because you are subscribed to
  the mailing list .
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to  <[EMAIL PROTECTED]>



  

[sniffer] Re: [sniffer]Re[2]: [sniffer]WeightGate source, just in case...

[Matt]

Pete,

My understanding was that Declude treats different arguments to an
executable as just being other forms of that executable so it only
processes it once.  I'm not positive one way or another.  It's worth
testing though.

Matt



Pete McNeil wrote:

  Hello Matt,

Wednesday, June 7, 2006, 11:52:56 PM, you wrote:

  
  
Pete,

  
  
  
  
Just two more cents for the masses...

  
  
  
  
If people use this for two different external tests in Declude, they 
need to create two differently named executables because Declude will 
assume the calling executable to be part of the same test and only run
it once (or possibly create an error depending on one's configuration).
This may not be necessary if you have different test types defined, i.e.
nonzero, weight, external, and bitmask, but better safe than sorry.

  
  
I think this might not be correct. IIRC, the design spec for that
feature was that if the command line was different in the test then it
would be executed again and if the command line was identical it would
not.

This was to allow for calling the same program with different
parameters.

I'm pretty sure that's how it works --- it might be worth a few tests
if you're sure it's not that way, but I strongly suspect that if one
of the parameters are different in the test line (inside the quotes)
then it will be executed again as a different test.

  
  
Also, I noted that the Subjects on this list are being repeated.  I saw
that you changed to a new server, but I also noted that there is no 
space after "[sniffer]" in the Subject and thought that maybe this is 
what is throwing things off.  Maybe adding that space will correct the
issue???

  
  
It does look a little weird. Sometimes it's normal though. I'll see if
I can identify anything odd in the settings.

_M

  

[sniffer] Re: New SPAM pain

[Matt]

Pete surely won't mind after you post your observations :)

Matt



Darrell ([EMAIL PROTECTED]) wrote:

If Pete doesn't mind I will post my observations in regards to the
product.  I run both products (CommTouch and Sniffer). 
Darrell
  
---
  
Check out http://www.invariantsystems.com for utilities for Declude,
Imail, mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring,
SURBL/URI integration, MRTG Integration, and Log Parsers. 
  
  
John Shacklett writes: 
  I'm dying to start a thread and talk about
Sniffer's stance on CommTouch,

but I can resist. 
Instead, I would like to point out that eight clearly spam messages
have

made it through to my Inbox [or Outlook Junk Folder] so far this week
that

appear to have skinned clear through Sniffer. First ones I've seen in
> >Are we undergoing a new phase or campaign that I can make
adjustments for? 

-- 

John  
 


#

This message is sent to you because you are subscribed to

  the mailing list .

To unsubscribe, E-mail to: <[EMAIL PROTECTED]>

To switch to the DIGEST mode, E-mail to
<[EMAIL PROTECTED]>

To switch to the INDEX mode, E-mail to
<[EMAIL PROTECTED]>

Send administrative queries to  <[EMAIL PROTECTED]>

  
  
  
#
  
This message is sent to you because you are subscribed to
  
 the mailing list .
  
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
  
To switch to the DIGEST mode, E-mail to
<[EMAIL PROTECTED]>
  
To switch to the INDEX mode, E-mail to
<[EMAIL PROTECTED]>
  
Send administrative queries to  <[EMAIL PROTECTED]>
  
  
  
  

[sniffer] Re: Significant increase in false positives

[Matt]

Pete,

Would you please clarify this a bit.  Declude of course doesn't record
the rule in the headers, so this is difficult to figure out.  Knowing
the pattern may help identify the problematic messages.  Also knowing
the start time and end time of the rule would also help.

I would be nice too if you talked with Declude about allowing for the
insertion of headers, or even if you did this on your own.  I believe
the D* file may be editable when the external app is launched.  That
would make recovery of this so much easier for me (minutes instead of
hours of work).

Thanks,

Matt



Pete McNeil wrote:

  
  
  
  
  Hello Darin,
  
  
  Monday, October 16, 2006, 5:17:26 PM, you wrote:
  
  
  
  

  

>


Anyone else seeing a sudden increase in
FPs?  We normally report a few each day, but we're seeing a 10x
increase in FPs for the past three days.

  

  
  
  
  
  Not sure if this is it, but there was an image segment rule that
went in over the weekend and resulted in an unusual number of false
positives today. The rule was removed. IIRC the rule id was: 1174356
  
  
  Hope this helps,
  
  
  _M
  
  
  -- 
  Pete McNeil
  Chief Scientist,
  Arm Research Labs, LLC.
  #

This message is sent to you because you are subscribed to

  the mailing list .

To unsubscribe, E-mail to: <[EMAIL PROTECTED]>

To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>

To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>

Send administrative queries to  <[EMAIL PROTECTED]>




  

[sniffer] Re: Significant increase in false positives

[Matt]

There is no doubt that having Declude handle xhdr files would be
optimal.  I might add that an option to exclude the header on non-hits
would also be wise.  David Barker appears open to some feature requests
of late, and I would think that you could make this happen.  Not
everyone has capacity limitations, so the internal functionality would
probably suit the needs of many of your users also, and cover all
non-SA systems instead of just Declude.

Regarding this rule, the binary segment is non-searchable.  My only
solution would be to write some _vbscript_ that parsed the Sniffer log
for hits and move the files from my CopyFile directory back into
Declude's Proc.  I'm guessing that someone could also do some grepping
for this, but that ain't a strength of mine.  I could do this in
minutes though if I had headers to search on.  Thankfully this rule
only hit about 1,000 times this weekend as a final match (I'm ignoring
those that weren't final matches since those would have hit anyway). 
My gateway gets rid of most image spams, so I would expect a comparably
higher rate for others.

Regarding false positives in general.  I don't expect Sniffer to be
perfect due to the way that rules are generated, but I have two
suggestions.

1) One would be to test all new rules on a small sub-set of E-mail that
covers the most common patterns such as attachments and E-mail/webmail
clients with various formats including forwards and replies.  This
would likely stop the worst of the worst in terms of FP issues like the
one earlier this year that was hitting on most base64 code.  I envision
hundreds of test messages and not thousands, so this should be
practical.

2) The second suggestion is one that I have mentioned many times before
in private involving being able to tag messages on multiple types of
hits for a stronger result.  The separation would need to be on the
type rule so that all rule types would be isolated from one another. 
For instance, phrase, pattern, IP and domain rules could be put in
different codes and allowed to be scored in combination.  It would also
be equally as important to treat rules from user submissions different
from those generated from spam traps since these rules are not nearly
as universal.  I currently average just under 3 matches per message
that Sniffer hits, and I would imagine that there is a lot of mixing
between these types.  This would allow many that are scoring Sniffer
lower than our block weight to then score these multiple classification
hits higher.  This wouldn't be useful though unless it was seperated by
types like I listed since I often find multiple hits under the current
rulebase format.

Thanks,

Matt





Pete McNeil wrote:

  
  
  
  
  Hello Matt,
  
  
  Monday, October 16, 2006, 10:03:04 PM, you wrote:
  
  
  
  

  

>


Pete,


Would you please clarify this a bit.
 Declude of course doesn't record the rule in the headers, so this is
difficult to figure out.  Knowing the pattern may help identify the
problematic messages.  Also knowing the start time and end time of the
rule would also help.

  

  
  
  
  
  The rule was coded for a binary segment in an image file. Here is
the rule information:
  
  
  
  

  



  

  
  Rule - 1174356
  


  
  Name 
  
  
  image spam binary segment as text

!1AQaq"2
  


  
  Created 
  
  
  2006-10-14
  


  
  Source 
  
  
  !1AQaq"2
  


  
  Hidden 
  
  
  false
  


  
  Blocked 
  
  
  false
  


  
  Origin 
  
  
  Spam Trap
  


  
  Type 
  
  
  Simple Text
  


  
  Created By 
  
  
  [EMAIL PROTECTED]
  


  
  Owner 
  
  
  [EMAIL PROTECTED]
  


  
  Strength 
  
  
  3.20638481603822
  


  
  False Re

[sniffer] Re: Increase in spam

[Matt]

I have a moderately large number of domains and accounts that I
protect, and in the past, whenever someone indicated an increase in
spam, my system was always at normal levels and I chalked it up to some
change on the end of the one reporting the issue (such as a nobody
alias or being baptized by a brute force /dictionary spam attack). 
Over the last two weeks though, my connection traffic to my gateway is
up about 90%, and what gets through my gateway to Declude has risen
around 20%, yet there has been no noticeable increase in good E-mail. 
I'm guessing that one of the zombie spammers has become more
aggressive, at least with tarpitting avoidance and retries, while
clearly there are a lot of new static spam blocks (Scott Richter for
instance is back with a vengeance).

In relation to yesterday's reported leakage, I am guessing that Sniffer
isn't the only protection, and that RBL's are a part of that system. 
If so, the Network Solutions issues yesterday did cause issues with
resolving off of blacklists as it has been reported, and that could
explain the extra leakage.

Matt




Darin Cox wrote:

  We saw a sudden ~50% increase on July 16th, but only fluctuations and
moderate growth since then.  On weekdays we're now at 80% spam, 95% or
better on weekends.

Darin.


- Original Message - 
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: "Message Sniffer Community" 
Sent: Wednesday, October 18, 2006 9:23 AM
Subject: [sniffer] Re: Increase in spam


Hello K,

Wednesday, October 18, 2006, 8:52:17 AM, you wrote:

  
  
  I've been seeing a massive increase in spam over the last 2 days getting
through with minimal scores. Could this be due to the drawback of the
filter involved with false positives, or something else?

  
  
It's hard to pin down, but not likely to be the pulled rule. We have
seen a relative increase in new spam campaigns over the past 2 days
preceded by a lull. That may be what you're noticing.

I've attached a graph to illustrate.

_M

  

[sniffer] Re: SPAM Problems

[Matt]

Sorry about the OT here, but I feel compelled to add just a little 
follow up on the topic of pre-scanning and Alligate.


Alligate is IMO definitely the way to go.  As Paul pointed out, 
greylisting everything (i.e. ORF) has drawbacks and I wouldn't use a 
solution that greylisted everything.  I worked with Brian Milburn of 
Alligate for months to help him create a method of providing selective 
greylisting so that most legitimate E-mail is not greylisted.  I also 
helped him create a method of storing triplicates for use with 
greylisting that only track base domains and not the full sender and 
recipient, thus substantially reducing what needs to be greylisted if it 
does trigger selective greylisting.  I received nothing in return except 
for a very capable product that benefited my system greatly.  Brian is 
also a lot like Pete and R. Scott Perry.


Setting things up optimally is not going to be an out of the box type of 
experience.  I have both offered some free assistance in private and 
public to those that are dealing with Alligate, and Brian can also 
provide some support for new setups.  There is of course a limit to my 
time for things like this.  I have also occasionally consulted on such 
things at the request of others.


So while it can be a hard nut to crack, especially if one is not 
familiar with the architecture or concepts of a pre-scanning gateway, 
there is help out there, and it is definitely worth while.  I formerly 
used ORF for tarpitting and address validation, but going to Alligate 
for this was the best move that I have made since picking up Declude and 
Sniffer.


Note that Alligate Gateway is not a replacement for Sniffer, Declude or 
any other deep scanning solution, it is merely a tool for handling 
validation and some blocking of the most obvious and easiest to detect 
spam, primarily with passive means of blocking (greylisting and 
tarpitting), and without needing to throw a lot of CPU at it.  I handle 
over 1 million connections per day and Alligate averages about 5% CPU at 
peak times.  Only 7% of the connections result in delivery of a message 
to my deep-scanning layer using a configuration that is not aggressive.  
There is only one zombie spammer at present that will survive greylisting.


Matt



Dave Marchette wrote:

I agree with the pre-scanning concept.  IMgate, ORF and Alligate are all
good, but it just depends upon your level of comfort with each type of
environment these run in.  Each takes several days of fine tuning and
log babysitting (even though the vendors tell you it is plug and play-
it's not).  We've tested all three and prefer Alligate (thanks Matt!)
but any way you look at it, if you are running even moderate volume then
pre-scanning is the next step in the evolution of protection.   


-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On
Behalf Of Technical Support
Sent: Monday, October 23, 2006 7:28 AM
To: Message Sniffer Community
Subject: [sniffer] Re: SPAM Problems


We also use ORF by VamSoft on IIS to pre-process. 


We do not use the grey listing. We tried it, and it is great at
eliminating
spam, but it can delay mail for hours, which is a problems for most
email
users. 


Instead of grey listing, we have found ORF's tar-pitting very effective.


We set some tests at the ORF level, but don't block on them (because
there
is no "weighting"). We also have some spam trap email addresses. Fail a
test
or hit a spam trap and we tar-pit. Instead of sending us 100 spams a
minute
they can only send one per minute. 


We can pick up x-records with Declude and not have to re-run the tests
on
the iMail server, still using Declude to score the messages based on the
prior tests. 

ORF even has a built-in interface for sniffer. 


It is simpler and preferable to process everything on the iMail server,
but
when you want to off-load processing to stretch your iMail / Declude
investment, this arrangement can do the trick. 


Paul Fuhrmeister
[EMAIL PROTECTED]


-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On
Behalf
Of David Waller
Sent: Monday, October 23, 2006 5:15 AM
To: Message Sniffer Community
Subject: [sniffer] Re: SPAM Problems

Filippo,

We had a similar problem. Due to the huge volumes of spam we found our
mail
server becoming less able to deal with email. Imail/Declude/Sniffer is
expensive in processor terms when processing email and we found the best
was
to pre-process mail filtering using Greylisting (we used Vamsoft in IIS
SMTP
but others exist). This has dramatically reduced the load on our server
and
seems to stop the bulk of spammers and mail harvesters

Hope this helps.

David



#
This message is sent to you because you are subscribed to
  the mailing list .
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PRO

[sniffer] Re: Version 2-3.5 Release -- Faster Engine

[Matt]

Kudos Pete!  Just wanted to say thanks.

Matt



Pete McNeil wrote:

Hello SNF Folks,

The plan was to hold off until the next major release, however in
light of recent increases in spam traffic we are pushing out a new
version with our faster engine included. All other upgrades are will
wait for the major release ;-)

The scanning engine upgrade results in a 2x speed increase that
hopefully will help with the higher volumes we are seeing now.

Version 2-3.5 also rolls up 2-3.2i1 which included the timing and file
locking upgrades.

You can find version 2-3.5 here:

http://kb.armresearch.com/index.php?title=Message_Sniffer.GettingStarted.Distributions

Thanks,

_M

  



#
This message is sent to you because you are subscribed to
 the mailing list .
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to  <[EMAIL PROTECTED]>

[sniffer] Re: Increase in spam

[Matt]

My connection traffic doubled over the course of two weeks.  This
started on about the 9th, and seems to have peaked and leveled off last
week.  The increase was mostly due to a new brute force spammer (a.k.a.
dictionary attack), but static spam seems to have also increased by
about 20%.  I believe the static spam increase is Scott Richter
lighting his companies back up, mostly at carolina.net, in addition to
the brute force zombie spam and massive increase in backscatter that
these attacks are causing.  About 10% of connections to our gateways
are the result of backscatter, with 30% of that coming from FrontBridge
alone (bigfish.net).

The new brute force spamming is not just simply higher volume, it also
has more targets than before.  This has helped to expose several
customer's accounts that had a domain aliased with a catch-all and
forwarded to an account that we were protecting.  Previously, we never
saw this since those domains weren't being attacked.  I have no clue as
to why anyone is still providing catch-alls, especially mail forwarding
services like BulkRegister.  It just seems like a good way to limit the
capacity of a server by 75% or more.

Matt



Pete McNeil wrote:

  Hello Andrew,

Wednesday, October 25, 2006, 1:33:20 PM, you wrote:

  
  
For another organization's graph of spam trends as received by them,
check out the updated graphs at TQM cubed:

  
  
  
  
http://tqmcube.com/tide.php

  
  
  
  
Their graph shows a sharp uptick at the end of June 2006.

  
  
...and a new upward trend around 0917.

That's consistent with what we've seen.

_M


#
This message is sent to you because you are subscribed to
  the mailing list .
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to  <[EMAIL PROTECTED]>



  

[sniffer] Re: Uploading problems

[Matt]

Try WPUT

   http://sourceforge.net/projects/wput/

Matt



K Mitchell wrote:

At 11:16 PM 12/7/2006 -0700, Jay Sudowski - Handy Networks LLC wrote:
  

Give this a try: http://www.ncftp.com/download/



  Just did about 5 minutes ago. It won't run without specifying a
destination directory, and sortmonster ftp won't allow any directory settings.


Thanks though  :o)



  

[sniffer] Re: FTP server / firewall issues - Resolved.

[Matt]

Darin,

There are many people with firewall or client configuration issues that 
cause problems with FTP, however HTTP rarely experiences issues and is 
definitely easier to support.  As far as efficiency goes, since the 
rulebases will all be zipped, there is little to be gained from 
on-the-fly improvements to FTP (and there are some for HTTP as well).  
In such a case, I would consider it to be effectively a wash, nothing 
gained, nothing lost (measurably).


Matt



Darin Cox wrote:

Thanks, Pete.  Appreciate you taking the time to explain what's happening in
more detail.

I'm curious as to why FTP is more difficult than HTTP to debug, deploy,
secure, and scale, though. I tend to think of them on equal footing, with
the exception of FTP being faster and more efficient to transfer files in my
experience.

Thanks for the link to save some time.  Much appreciated.

Darin.


- Original Message - 
From: "Pete McNeil" <[EMAIL PROTECTED]>

To: "Message Sniffer Community" 
Sent: Friday, January 05, 2007 9:47 PM
Subject: [sniffer] Re: FTP server / firewall issues - Resolved.


Hello Darin,

Friday, January 5, 2007, 6:23:22 PM, you wrote:

  

Hi Pete,



  

Why the change?



Many reasons. HTTP is simpler to deploy and debug, simpler to scale,
less of a security problem, etc...

Also, the vast majority of folks get their rulebase files from us with
HTTP - probably for many of the reasons I mentioned above.

  

FTP is more efficient for transferring files than HTTP.



Not necessarily ;-)

  

Can we request longer support for FTP to allow adequate time for everyone


to
  

schedule, test, and make the change?



I'm not in a hurry to turn it off at this point, but I do want to put
it out there that it will be turned off.

  

I remember trying dHTTP initially when this was set up, but it wasn't
working reliably, plus FTP is more efficient, so we went that way.  wget


may
  

work better when we have time to try it.



  

Also, what's this about gzip?  Is the rulebase being changed to a .gz


file?
  

Compression is a good move to reduce bandwidth, but can we put in a plug


for
  

a standard zipfile?



Gzip is widely deployed and an open standard on all of the platforms
we support. We're not moving to a compressed file -- the plan is to
change the scanning engine and the rulebase binary format to allow for
incremental updates before too long - so for now we will keep the file
format as it is.

Apache easily compresses files on the fly when the connecting client
can support a compressed format. The combination of wget and gzip
handle this task nicely. As a result, most achieve the benefits of
compression during transit almost automatically.

  

Do you have scripts already written to handle downloads the way you want
them now?  If so, how about a link?



We have many scripts on our web site:

http://kb.armresearch.com/index.php?title=Message_Sniffer.TechnicalDetails.AutoUpdates

My personal favorite is:

http://www.sortmonster.com/MessageSniffer/Help/UserScripts/ImailSnifferUpdateTools.zip

I like it because it's complete as it is, deploys in minutes with with
little effort, generally folks have no trouble achieving the same
results, and an analog of the same script is usable on *nix systems
where wget and gzip are generally already installed.

There are others of course.

Hope this helps,

_M


  

[sniffer] Re: Integration with Mailenable

[Matt]

Yeah, filtering services suck!

Matt



Chris Bunting wrote:

Merak mail server has been great for us, we have 10,000 users, and have
not had any problems with it over the 5+ years we have been using it...
It's been rock-solid. Don't waste your money on the anti-virus/anti-spam
filtering services... just use message sniffer with a content filter and
you are set.

Thank You,
Chris Bunting
Lancaster Networks
Direct: 717-278-6639
Office: 888-LANCNET x703
MS Certified Systems Engineer
IP Telephony Expert

Lancaster Networks
1085 Manheim Pike 
Lancaster PA 17601 
www.lancasternetworks.com

--
Corporate Technology Solutions...
Specializing in 3com NBX Telephony Solutions
IT Services - Phone Systems - Digital CCTV
--
The information in this e-mail is confidential and may be privileged or
subject to copyright. It is intended for the exclusive use of the
addressee(s). 
If you are not an addressee, please do not read, copy, distribute or
otherwise act upon this email. If you have received the email in error, 
please contact the sender immediately and delete the email. The

unauthorized use of this email may result in liability for breach of
confidentiality, privilege or copyright.


-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On
Behalf Of Jay Sudowski - Handy Networks LLC
Sent: Thursday, March 15, 2007 10:27 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Integration with Mailenable

Stay Away From MailEnable.  


There are so many exploits out there for MailEnable, and there are more
exploits found monthly, if not weekly.  At one particular interval,
MailEnable had to re-release the same patch several times in the *same*
week because it kept on not actually fixing the root of the issue.  If
you run MailEnable, odds are that you will end up exploited, even if you
stay on the of the patches.

On top of that, MailEnable is just simply a CPU and IO hog, much more so
than other other mail server I have ever seen.  By default, they use
entirely text based configuration files, which on occasion get truncated
to zero during periods of high activity on the server.

In the past year, we have assisted our customers move 20,000+ mailboxes
away from MailEnable, mostly all to SmarterMail.  Do not waste your time
and money with MailEnable.  


-Jay

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On
Behalf Of Phillip Cohen
Sent: Thursday, March 15, 2007 12:22 PM
To: Message Sniffer Community
Subject: [sniffer] Integration with Mailenable


We are finally going to replace our old Vopmail server. Looking at 
Mailenable Enterprise. Will Sortmonster work with that program? Is 
anyone using Mailenable? If so how is it and if it works with 
Sortmonster how did you use them together.


THanks,

Phil


#
This message is sent to you because you are subscribed to
  the mailing list .
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to  <[EMAIL PROTECTED]>



#
This message is sent to you because you are subscribed to
  the mailing list .
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to  <[EMAIL PROTECTED]>


#
This message is sent to you because you are subscribed to
  the mailing list .
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to  <[EMAIL PROTECTED]>



  


#
This message is sent to you because you are subscribed to
 the mailing list .
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to  <[EMAIL PROTECTED]>

[sniffer] Re: Integration with Mailenable

[Matt]

There is in fact a Domain Keys plug-in for SmarterMail listed on their 
downloads page:


   http://www.smartertools.com/Products/SmarterMail/DL/v4.aspx

Personally I'm not a fan of any present sender identification 
implementation.  Both SPF and Domain Keys are primarily associated with 
spam by volume, and SPF can at cause one's customers issues when they do 
things like use alternative SMTP servers or find themselves behind an 
SMTP proxy at a hotel or T-Mobile HotSpot...but I digress.


I think that both IMail and SmarterMail are decent products, but neither 
one of them is perfect.  SmarterMail certainly has a lower cost of 
entry.  I would trust Jay's experience with MailEnable considering his 
extensive experience.


Matt



Jay Sudowski - Handy Networks LLC wrote:

Hi Phil -

Good question.  We integrate Sniffer into SmarterMail via Declude.
However, SmarterMail does have the capability to run a program against a
message before it is delivered.  We have some customers that use a batch
file to call f-prot and get virus scanning integrated into their mail
server on the cheap.  I believe it would likely be possible to make use
of the same functionality to call Sniffer directly, and thus avoid
having to purchase Declude.  I have just never had a need to attempt
this.

As for domain keys, I don't believe so.  However, you can setup
SPFyou're your domains simply by adding the appropriate DNS records to
said domains zone files.

-Jay

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On
Behalf Of Phillip Cohen
Sent: Friday, March 16, 2007 12:01 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Integration with Mailenable


Jay,

Thanks for the heads up on Mailenable. I took a look at SmarterMail 
and it looks pretty good. How does it interface with Message Sniffer 
or does it require and external gateway such as EWall? How has 
support been with it and how have they been as far as updates. Also 
does it have "domain keys" capability and SPF support for sending 
mail to yahoo.com etc...


Thanks,

Phil


At 07:26 PM 3/15/2007, you wrote:
  

Stay Away From MailEnable.

There are so many exploits out there for MailEnable, and there are more
exploits found monthly, if not weekly.  At one particular interval,
MailEnable had to re-release the same patch several times in the *same*
week because it kept on not actually fixing the root of the issue.  If
you run MailEnable, odds are that you will end up exploited, even if


you
  

stay on the of the patches.

On top of that, MailEnable is just simply a CPU and IO hog, much more


so
  

than other other mail server I have ever seen.  By default, they use
entirely text based configuration files, which on occasion get


truncated
  

to zero during periods of high activity on the server.

In the past year, we have assisted our customers move 20,000+ mailboxes
away from MailEnable, mostly all to SmarterMail.  Do not waste your


time
  

and money with MailEnable.

-Jay

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On
Behalf Of Phillip Cohen
Sent: Thursday, March 15, 2007 12:22 PM
To: Message Sniffer Community
Subject: [sniffer] Integration with Mailenable


We are finally going to replace our old Vopmail server. Looking at
Mailenable Enterprise. Will Sortmonster work with that program? Is
anyone using Mailenable? If so how is it and if it works with
Sortmonster how did you use them together.

THanks,

Phil


#
This message is sent to you because you are subscribed to
  the mailing list .
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to


<[EMAIL PROTECTED]>
  

To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to  <[EMAIL PROTECTED]>



#
This message is sent to you because you are subscribed to
  the mailing list .
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to


<[EMAIL PROTECTED]>
  

To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to  <[EMAIL PROTECTED]>




#
This message is sent to you because you are subscribed to
  the mailing list .
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to  <[EMAIL PROTECTED]>



#
This message is sent to you because you are subscribed to
  the mailing list .
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to  <[EMAIL PROTECTED]>



  

[sniffer] Re: How to incorporate a white list?

[Matt]

Agreed, however reverse DNS is not a universal solution as things like 
RR accounts will come from the same base domain as RR spam zombies, and 
you would otherwise have to track down each unique reverse DNS entry.


I would test a connection to the SMTP server instead.  Most of these 
servers will at least respond.  So if a domain like yahoo.com, 
gmail.com, rr.com, etc. is found in the reverse DNS for a new IP rule, 
you would then check to see if it at least responded to a port 25 
connection, and if it did, skip that rule.


Note that I score IP rules at half the weight of the others.  There are 
more common issues with international ISP's and webmail providers than 
with things like yahoo.com, gmail.com, rr.com, etc.  Many don't get a 
lot of international traffic so they don't notice it.


Matt


Andy Schmidt wrote:

Hi,

Unless I'm mistaken, rule 1370762 was targeting the same address range.

If I may make a suggestion:
Before the spam-trap robots are allowed to block major, well-known and
easily recognizable email providers, how about the robot script pulls a
WHOIS and a Reverse DNS and runs that data against a table of "can't block"
entities - or at least spits those out for "human review".

If that can't be done, then how about the robots issue an hourly report of
"suspect" IPs. A no-brainer script can pull matching WHOIS and RevDNS for
quick human review and overriding (if necessary).

I would rather those obvious bad rules are caught before or very quickly
after they go live. There is always some delay before I get first reports
until I realize that this is a "real" problem. Then I have to try to get
headers from end-users before I can dig into logs... Hours and hours pass
(especially if it's overnight events). In the meantime the problem escalates
all around me.

Thanks,
Andy

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
Of Pete McNeil
Sent: Tuesday, April 03, 2007 11:09 AM
To: Message Sniffer Community
Subject: [sniffer] Re: How to incorporate a white list?

Hello Andy,

Tuesday, April 3, 2007, 9:36:17 AM, you wrote:

  

Hi Phil,



  

Yes, it seems as if some Sniffer rules, e.g., 1367683, is broadly


targeting
  

Google's IPs.



  

I've submitted 3 false positive reports since last night, at least two of
them were Google users, one located in the U.S. and the other in the
Netherlands!



This IP rule has been pulled.

FP processing will happen shortly.

_M



#
This message is sent to you because you are subscribed to
  the mailing list .
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to  <[EMAIL PROTECTED]>



#
This message is sent to you because you are subscribed to
  the mailing list .
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to  <[EMAIL PROTECTED]>



  

[sniffer] Re: How to incorporate a white list?

[Matt]

Pete,

CBL has a proven 99.97% accuracy and on some systems over a 40% hit rate 
on traffic, yet their methods are rather simple and easy to implement.


If an IP hits your spamtrap, and it has either no reverse DNS entry or 
it has a dynamic reverse DNS entry, it is added, if it doesn't, it isn't 
added.  They have a few other mechanisms that I am aware of, but the 
above will take care of almost everything related to spam zombies.  Your 
current whitelisting method will take care of the few exceptions to 
this.  There is rather simple code that can test for standard types of 
dynamic reverse DNS entries with both numbers and hex encoded values, 
and exceptions for names that might include things like "mail" or "mx#" 
in the names.


If you want to expand this to static spammers, you merely introduce 
other pre-qualifications such as having a Mail From domain or HELO that 
matches the payload domain in the body.  I figure that for the most part 
however that you are tagging static spammers with other rules that take 
presidence over the IP rules, and that this would be minimally 
beneficial in comparison to spam zombies.


The source of the false positives hitting your spam traps are most 
likely due to AFF (Advance Fee Fraud) and some phishing, which use free 
accounts on legitimate servers to send their spam, and an increasing 
precidence of hacked E-mail accounts being used by zombie spammers.  The 
first method would avoid listing such servers in almost every 
circumstance, and we certainly wouldn't ever see things like yahoo.com, 
gmail.com and rr.com mail servers listed like we see with some degree of 
regularity under the current method.


Matt


Pete McNeil wrote:

Hello Andy,

Tuesday, April 3, 2007, 5:15:12 PM, you wrote:

  

Hi Jonathan:



  

That's exactly the problem. These particular rules were blocking Google mail
servers - NOT specific content.



To clarify, it was blocking precisely one IP. The F001 bot only tags a
single IP at a time (not ranges, ever), and only after repeated
appearances at clean spamtraps where the message also fails other
tests (often including content problems like bad headers, obfuscation,
heuristic scam text matching etc.)

The rule was in place from 20070326. The first reported false
positives arrived today (just after midnight). The rule was removed
just less than 12 hours from that report (due to scheduling and heavy
spam activity this morning that requiring my immediate attention). The
report was ordinary (not a rule panic).

As is the case with all FPs, the rule cannot be repeated (without
special actions).

  

Obviously, as already discussed in the past, it IS necessary that these
IP-based blocks are put under a higher scrutiny. I'm not suggesting that the
"automatic" bots should be disabled, I'm just proposing that "intelligence"
must be incorporated that will use RevDNS and WHOIS to identify POSSIBLY
undesirable blocks and to flag those for human review by Sniffer personnel
so that they don't end up poisoning mail severs of all their clients.



While interesting, these mechanism are not foolproof nor trivial to
implement. Also - our prior research has taught us that direct human
involvement in IP rule evaluation leads to far more errors we can
allow. Once upon a time, IP rules were created in very much the way
you describe -- candidate IPs were generated from spamtraps and the
live spam corpus and then reviewed (manually and automatically)
against RevDNS, WHOIS, and other tools. At that time, IP rules had the
absolute worst reliability of any test mechanism we provided. Upon
further R&D, we created the F001 bot that is in place and now the
error rate has been significantly reduced and our people are able to
focus on things that computers can't do better.

Please don't get me wrong, I'm definitely not saying that the F001 bot
can't be improved - it certainly can, and will if it survives. What I
am saying is that it is accurate enough now that any improvements in
accuracy would be non-trivial to implement.

Our current development focus is on developing the suite of
applications and tools that will allow us to complete the alpha and
beta testing of the next version of SNF*. That work has priority, and
given that these events are rare and easily mitigated we have not
deemed it necessary to make enhancements to the F001 bot a higher
priority.

The following factors make it relatively easy to mitigate these IP FP
events (however undesirable): Rule panics can make these rules
immediately inert, FP report/response times are sufficiently quick,
The IP rule group is sequestered at the lowest priority so that it can
easily be weighted lower than other tests.

Also, it is likely that the F001 bot and IP rules group will be
eliminated once the next SNF version is sufficiently deployed because
one of the major enhancements of the new engine is a mul

[sniffer] Re: Downloads are not working....

[Matt]

Appriver, who is somehow involved with Sniffer, is having a ridicolous 
problem with sending messages over and over again (once every few 
seconds).  They pulled their contact information from their site but 
didn't take down their servers.  I suspect this is putting strain on 
them and if Sniffer uses their bandwidth for downloads, that could 
explain things.


Matt

Chuck Schick wrote:

Speeds are really slow and the connection is lost before
completionEverything checks out good on our end.  Is something going on
with the sortmonster end of things?

Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com


#
This message is sent to you because you are subscribed to
  the mailing list .
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to  <[EMAIL PROTECTED]>



  


#
This message is sent to you because you are subscribed to
 the mailing list .
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to  <[EMAIL PROTECTED]>

[sniffer] Re: Downloads are not working....

[Matt]

Pete McNeil wrote:

I'm not sure what the actual issue is (I will get that data later),
however I've just been informed that it should be resolved in the next
20 minutes or so.
  


The issue was that they were redelivering messages over and over again.  
One customer got one message over 500 times in an hour!  I suspect that 
our gateways were blocking some of this automatically, and I also tried 
to block it at the router level but it kept popping out of other address 
blocks.


Matt

[sniffer] Re: Appriver issue

[Matt]

I have something that I would also like to clear up.

When I indicated that AppRiver had removed it's contact page, it likely 
just wasn't operating at the time that I was attempting to access it.  
Considering their issues, it would not be a surprise to see other issues 
like this caused, but it seemed suspicious since their home page was 
working and not their contact page.  I did note that it was working by 
the time that it was pointed out that it was up.


In no way did I ever believe that Pete or Sniffer had any direct 
involvement in the system that created these problems, and in no way 
should this reflect badly on Pete or Sniffer as far as I am concerned.


I was slightly miffed after getting off the phone with them where their 
reaction quite clearly indicated that they were aware of the issue.  I 
suggested that they take their servers off-line due to the issues that 
were being caused, but I was probably barking up the wrong tree.  The 
servers weren't taken off line for another hour or so, or maybe this is 
when the delivery servers caught up with the queued E-mail destined for 
my client.  I'm not sure why they didn't act on this sooner.  When you 
have a loop, it is important to stop it, and their multi-homing made it 
difficult for others to block.  One user received about 500 copies of 
the same message (and also called them), and there were other examples 
that we saw which were much more limited.  I do hope that they didn't 
choose to introduce new software at 11 a.m. ET on the busiest E-mail day 
of the week, and that this was only when the problems surfaced...


Everyone that deals with significant volumes of E-mail has issues from 
time to time, and I wouldn't draw conclusions about AppRiver based on 
just this one circumstance.  I would imagine that it is hard to plan for 
how to deal with a broad scale looping issue, and I'm sure this was a 
learning experience for them.


Matt




David Moore wrote:

I think what Peter is try to say is that Sort monster is hosted at Appriver
and Appriver had an issue and therefore so did Sort monster.

http://www.dnsstuff.com/tools/dnsreport.ch?&domain=sortmonster.com
 



Regards David Moore
[EMAIL PROTECTED]

J.P. MCP, MCSE, MCSE + INTERNET, CNE.
www.adsldirect.com.au for ADSL and Internet www.romtech.com.au for PC sales

Office Phone: (+612) 9453 1990
Fax Phone: (+612) 9453 1880
Mobile Phone: +614 18 282 648

POSTAL ADDRESS:
PO BOX 190
BELROSE NSW 2085
AUSTRALIA.

-

This email message is only intended for the addressee(s) and contains
information that may be confidential, legally privileged and/or copyright.
If you are not the intended recipient please notify the sender by reply
email and immediately delete this email. Use, disclosure or reproduction of
this email, or taking any action in reliance on its contents by anyone other
than the intended recipient(s) is strictly prohibited. No representation is
made that this email or any attachments are free of viruses. Virus scanning
is recommended and is the responsibility of the recipient.


-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
Of Kevin Rogers
Sent: Saturday, 19 May 2007 11:59 AM
To: Message Sniffer Community
Subject: [sniffer] Re: Appriver issue

Thanks for the explanation, and I wasn't trying to blame you - just wanted
more info is all.

We use Sniffer, but not Appriver.  You said that if we don't use Appriver,
we shouldn't have been affected, but you also seemed to say that if one of
the recipient's of my user's email uses Appriver that might've caused a
problem.  And also that *some* of Sniffer users might have experienced the
problem as well. 


It sounds like things are still being worked out.  I just wanted some kind
of verification that they were aware of the problem, were working on it,
that they were in some way sorry about what happened...you know - the usual
stuff.  And I know that you are not an official rep of Appriver or anything,
but presently you're all we have in that role ;)

Thanks

Kevin




Pete McNeil wrote:
  

Hello Kevin,

Friday, May 18, 2007, 8:52:47 PM, you wrote:

  

Pete - Thanks for the reply, but I guess I don't understand what 
you're saying.  "Some packet loss" and "rulebase downloads to slow 
down for a time" don't reflect what happened to me yesterday and 
apparently not what happened to one of the other posters either when 
he said that Appriver was having a problem "with sending messages 
over and over again".  I received over (at last count) 35,000 
messages (almost all of which were bounced replies, from one email 
from one of our users who sent an email to about 70 people) yesterday.

  
  

And I had already gone to http://www.armresearch.com/  yesterday and 
there was nothing there.  There

[sniffer] Re: Error Messages since WeightGate

[Matt]

hat
   can run before the mystery heap is depleted. However, some people
   have reported better results by raising the value to 2048KB --
   that's one of the problems with undocumented resources (there's no
   way to know for sure which value is better or why).

   We recommend going to
   http://support.microsoft.com/default.aspx?scid=kb;EN-US;q142676 and
   changing the registry entry to use a value of "256" or "2048" (NOTE:
   Microsoft recommends 512 in that article; if you use 512, make sure
   not to have IMail's MaxQueProc registry entry set to more than 30).

Matt




Keith Johnson wrote:

Darrell,

Did you alter your heap size 3rd entry?  If so, did you go to 1024 or other.  I 
found this article by crossing a Declude page, appears to be what I need to go 
after.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;q142676

-Keith

  _

From: Message Sniffer Community on behalf of Darrell ([EMAIL PROTECTED])
Sent: Sun 6/10/2007 2:31 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Error Messages since WeightGate



After looking into it I am on board with what Pete said about the "heap"
issue.  It makes sense to me that its the heap issue since were
launching weight gate -> SNF.  Effectively doubling the amount of
processes being launched.

Darrell
---
Check out http://www.invariantsystems.com for utilities for Declude,
Imail, mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring,
SURBL/URI integration, MRTG Integration, and Log Parsers.


Keith Johnson wrote:
  

Darrell,

You are right, a reboot will take care of it for a season, then it comes back 
out of the blue.  Very strange indeed.

Keith

  _

From: Message Sniffer Community on behalf of Darrell ([EMAIL PROTECTED])
Sent: Sat 6/9/2007 9:36 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Error Messages since WeightGate



Keith,

I was having the same problems last week.  Just came out of the blue and
was across several of our servers as well.  Same error verbatim.  FWIW -
I also use weightgate.  I rebooted the servers I was seeing this issue
on and the problem has not returned.

Very odd you mentioned that as I thought this was isolated to just me.

Darrell
---
Check out http://www.invariantsystems.com for utilities for Declude,
Imail, mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring,
SURBL/URI integration, MRTG Integration, and Log Parsers.


Keith Johnson wrote:


It appears since installing WeightGate we have been receiving a lot of the 
below Application PopUps indicating an error:

The application failed to initialize properly 0xc142. Click on OK to 
terminate the application

The application entry is our Sniffer .exe.  Today alone I saw over 300.   I 
thought it was an isolated issue.  However, it is happening across all our 
servers.  We are running the latest Sniffer in Persistent mode.  We never saw 
these prior to WeightGate.  Has anyone seen this before?  Below is the actual 
entry in Event Log.

-Keith

Event Type: Information
Event Source: Application Popup
Event Category: None
Event ID: 26
Date:  6/9/2007
Time:  12:12:35 AM
User:  N/A
Computer: NAIMAIL2
Description:
Application popup: rrctp2ez.exe - Application Error : The application failed to 
initialize properly (0xc142). Click on OK to terminate the application.



#
This message is sent to you because you are subscribed to
  the mailing list .
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to  <[EMAIL PROTECTED]>

  

--
---
Check out http://www.invariantsystems.com for utilities for Declude, Imail,
mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, SURBL/URI
integration, MRTG Integration, and Log Parsers.


#
This message is sent to you because you are subscribed to
  the mailing list .
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to  <[EMAIL PROTECTED]>





#
This message is sent to you because you are subscribed to
  the mailing list .
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to  <[EMAIL PROTECTED]>







#
This message is sent to you because you are subscribed to
  the mailing list .
To un

[sniffer] Re: Error Messages since WeightGate

[Matt]

Here's a better page from someone at Microsoft all about the desktop 
heap.  This one suggests that you can change the limit from 48 MB to a 
value as much as 450 MB.  You will probably normally not need more than 
the total number of processes that Declude can use times the amount of 
memory allocated per session, so if you have 512 MB/session, and have 
100 processes defined in Declude, you would need about 50 MB, but adding 
something like weightgate to an app that has latency could very well 
increase the needs even more.


   
http://blogs.msdn.com/ntdebugging/archive/2007/01/04/desktop-heap-overview.aspx


Matt


Matt wrote:

Keith,

When I looked at this several years ago, this is what I came up with:

Windows allows a total of 48 MB in the heap, and each service
started process uses the third setting in the chain, or 512 KB by
default, and there is about 10 MB that gets used for other
things.  Based on what Scott Perry wrote concerning this in a
obscure page on the Declude site about Declude Queue, there can
only be a total of 77 service started processes before having
issues, and you can assume that there will be one for Declude up
to my limit of 40, and also often times another process whether it
is a virus scanner or external filter application in JunkMail.

Windows apparently starts to barf when the limit is reached, and
applications can go into a bad state, only partially launching and
becoming corrupted.  This has a high association with load, but
the true association seems to be the number of processes, which
typically correspond to load but not necessarily.  This is
probably also what has caused McAfee to barf on occasion on my
server with similar errors.  McAfee has a decent amount of latency
compared to most other things that Declude launches except of
course for Eradispam due to the timeout issues.

There are two camps on what to do with the mystery heap, aka
desktop heap.  Some have indicated on the IMail and Declude lists
in the past that setting it to 2048 would resolve some issues with
IMail's SMTP and also the 16 bit version of F-Prot when run from
Declude which is awfully slow and CPU intensive.  That change
however would reduce the number of service started processes that
were possible by a factor of 4.  Scott suggests that reducing it
to maybe 256 would help in high traffic servers, though this is a
limit that you wouldn't want to pass because it could cause
instability.

FYI, the error messages will contribute to heap usage, so these must 
be cleared, and when you have a bunch of these, it will limit what you 
can run, and in fact make the problem worse.


If you are using Declude as a service, that certainly takes one 
process off the top that used to count towards the heap, but it's 
likely what is running concurrently that is causing the issue along 
with error dialogs.  Weightgate certainly adds to this issue, as well 
as other plugins and virus scanners.  The best solution for a high 
volume server that wants to do weight skipping would be for either 
Sniffer or Declude to skip based on both a high and a low weight 
within the config.  I have been asking for over three years for this 
and have even recently documented a solution for Declude that would be 
backwards compatible with current configs should they opt to do this.


Here's a quote from the old Declude site authored by Scott:

*Flaw #1 - Server crashing: Microsoft's Mystery Heap*
Fortunately, not many people experience this problem. However, it
is listed first because it is more serious than the other flaw.
This one can back up mail for hours/days, and crash the server.

The problem here is that each process that is started by a service
uses a certain (unknown) amount of an undocumented type of memory
that Windows allocates. Without knowing how much of the mystery
heap is used, or how much is left, or how much is available when
the system starts, it's impossible to know when you will run out.

When you DO run out, Windows does a *terrible* job in handling it.
Instead of preventing the program from loading and recording an
error to the event log, Windows will keep the program half-loaded
(the error almost always occurs while loading .DLLs) and pop up an
error message saying that it can't start the program.

When this happens, unless you happen to be at the server, you
won't have a chance to close the box. So, another one will soon
pop up as another SMTP process is started. By the time you find
out, there could be hundreds or thousands of the pop-up boxes.
Since Microsoft doesn't clear them automatically, when the
original 30 SMTP processes end, there still isn't enough of this
mystery heap left, because Microsoft is using it to display these
error messages. So

[sniffer] Dead Sniffer processes piling up.

[Matt]

Pete,

I found this morning an instance where suddenly the number of processes
on my system shot from around 50 to as many as 300, and after that
peak, it settled down and rode the 150 level.  All of the hung
processes are Sniffer being called by Declude.




I also had about 10 errors waiting to be cleared from another
application, but probably because of the way that Sniffer works (as a
service or something related), the Sniffer processes are just hung
without a prompt.  I saw this last week also.

I have Declude set for 200 processes, so it probably reached 300 when
the first 100 hung, and then it stayed with those 100 hung.  Is there
anything that can be done in Sniffer to kill off these hung processes
in an automated and proactive manner?  I recently upgraded to the
latest version and I was probably a version or two behind, and I don't
recall this happening before.

Thanks,

Matt

[sniffer] Re: Dead Sniffer processes piling up.

[Matt]

Pete,

I have left all of those processes active for troubleshooting, and they 
are still there and definitely Sniffer.  Process Explorer even shows 
what command line the executable was run with so I was able to do some 
digging in the logs for specifics.


I found that Declude was recording errors related to Sniffer, and 
Sniffer was not logging the messages or associated events at all.  
Here's what Declude is showing:


   06/14/2007 09:11:01.665 q3d2b00d49610.smd ERROR: External 
program SNIFFER-IP didn't finish quick enough; terminating.
   06/14/2007 09:11:01.665 q3d2b00d49610.smd Couldn't get external 
program exit code


Now it could be that Declude is causing issues by trying to terminate 
Sniffer.


FYI, I don't have a stack up of any additional files in my Sniffer 
directory, and the service is started and everything seems fine outside 
of this one period of time when my server got wallopped.  What happened 
was that one customer with over 1,000 addresses received 950 E-mails 
from a ConstantContact customer in spam run from harvested addresses.  
They can deliver fast enough that it likely stressed my system for a 
moment, and triggered this behavior.  It could also be that the content 
of these messages caused an issue with Sniffer.  My server has 8 cores 
in it, and if it reached 100% CPU, it only did so for a moment in time.


This very likely could be associated with heap issues, but I did double 
my heap memory the other day, and normally it doesn't cause processes 
like this to just hang in the background doing nothing.  That other 
application that hung about 10 times during this period is what suggests 
that it could be a heap issue because I know that app to be the first to 
go under stress (it is not a service).  That app does an average of over 
50 DNS lookups and has a lot more latency than Sniffer does, so it is 
remarkable that Sniffer hung 100 times and that app only hung 10 times.  
That suggests to me that maybe something better could be done in terms 
of cleaning up these processes.


I'll keep the server in this state until the evening in the event that 
you want to take a look at it.


Thanks,

Matt



Pete McNeil wrote:


Hello Matt,


Thursday, June 14, 2007, 12:44:32 PM, you wrote:





>




I also had about 10 errors waiting to be cleared from another 
application, but probably because of the way that Sniffer works (as a 
service or something related), the Sniffer processes are just hung 
without a prompt.  I saw this last week also.



I have Declude set for 200 processes, so it probably reached 300 when 
the first 100 hung, and then it stayed with those 100 hung.  Is there 
anything that can be done in Sniffer to kill off these hung processes 
in an automated and proactive manner?  I recently upgraded to the 
latest version and I was probably a version or two behind, and I don't 
recall this happening before.



It seems very unlikely that SNF instances would be hung -- they will 
either time-out themselves or be killed off by Declude. Please let us 
know if there are any errors in your SNF log.



Also - check the SNF working directory to make sure you don't have a 
lot of old job files hanging around. That can cause SNF instances to 
relax their timing based on the assumption there is a high system load 
-- with relaxed timing they will stay around longer waiting for results.



If you find that you do have a lot of old job files hanging around 
then you should clean them out to get things going normally again.



Stop SMTP

Wait for all jobs to finish

Stop your persistent instance

Remove all left-over job files (QUE, WRK, FIN, ABT, XXX, SVR)

Restart your persistent instance

Restart SMTP


Also, presuming you have a persistent instance - make sure that is 
still running. If that had failed for some reason then you might be 
running now in peer-server mode which will be a bit slower than 
persistent mode.



Hope this helps,


_M


--

Pete McNeil

Chief Scientist,

Arm Research Labs, LLC.

#

This message is sent to you because you are subscribed to

  the mailing list .

To unsubscribe, E-mail to: <[EMAIL PROTECTED]>

To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>

To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>

Send administrative queries to  <[EMAIL PROTECTED]>



  

[sniffer] Re: Spammers turning to PDF attachments?

[Matt]

I saw some AFF (419/Nigerian) stuff that came in PDF format.  That one 
is going to be a real pain if they keep it up since those messages come 
from legitimate webmail providers, and lack all but a few words of text 
in the body.  It's hard to get a consistent pattern out of that.  I'm 
not nearly as worried about the zombies.


Matt



Colbeck, Andrew wrote:

See this article at the Internet Storm Center:

http://isc.sans.org/diary.html?storyid=3012


Pump and dump scams now in PDF
Published: 2007-06-20,
Last Updated: 2007-06-20 21:33:39 UTC
by Maarten Van Horenbeeck (Version: 1)

Apparently the groups behind what we know as pump and dump spam have
found a new way to bypass spam filters. As of yesterday, we've been
observing e-mails with bogus text, often in german, each with a PDF in
attachment...



Andrew.






#
This message is sent to you because you are subscribed to
  the mailing list .
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to  <[EMAIL PROTECTED]>


  




#
This message is sent to you because you are subscribed to
 the mailing list .
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to  <[EMAIL PROTECTED]>

[sniffer] Re: Greeting Malware Spike Graph

[Matt]

Pete,

The first one of these hit our system at 8:45 a.m. ET yesterday (linked
Malware).

FYI, this is the same guy that is sending the PDF stock spam, and was
responsible for the 3 other large virus seedings in the last 6 months.

Matt



Pete McNeil wrote:

  Hello Sniffer Folks,

Vertical Wall Of Spam

  
  
  
  
  

#
This message is sent to you because you are subscribed to
  the mailing list .
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to  <[EMAIL PROTECTED]>

  

[sniffer] Re: re subscriptions to list

[Matt]

All auto-responders should be burnt in hell

Have a nice day :)

Matt



Pete McNeil wrote:

Regarding this thread and to nobody in particular:

I would like to say a word or two before this gets out of hand.

Our policy on this list is to provide the answers needed no matter how
obvious or well posted those answers may be.

Emotionally negative responses are discouraged and generally not
useful.

RTFM type answers should be emotionally neutral, should summarize a
quick answer, and should provide a link to TFM.

For whatever reason, these kinds of requests are made and these kinds
of questions are asked. The folks who make these requests or ask these
questions - no matter how obvious - need help. The best thing we can
do is provide that help.

Keep in mind also that these messages are archived so that they remain
searchable on the 'web. This means that any solutions we post here,
including references to obvious or well posted answers, serve to make
those answers easier to find.

Please: Be kind and helpful, or stay away from the send button. I
can't remember the number of times something simple and obvious
baffled me when I needed it least -- and I'm sure many of us have had
similar moments.*

A simple answer to an obvious question can go a long way in a positive
direction.

Please help us keep this forum active, positive, and informative.

Thanks,

_M

  




#
This message is sent to you because you are subscribed to
 the mailing list .
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to  <[EMAIL PROTECTED]>

[sniffer] Re: Excessive amounts of Foreign language spam

[Matt]

I recommend not doing this.  There are enough possibilities of 
legitimate discussion and data being transmitted by E-mail that could 
contain this string that you would be best off being more specific to 
the encoding of the actual message.  Target the header charset tag and 
you should be good to go if you want to ban most all of it, but keep in 
mind that legitimate E-mails from Cyrillic based systems can still send 
messages written in English using this and other charactersets, so make 
sure there is nothing legitimate at all coming from countries that would 
use this before using it.


Matt



Kim W. Premuda wrote:

We use this in Declude to filter messages containing Cyrillic (Russian)
characters...

 ANYWHERE   10  CONTAINSkoi8-r

Kim W. Premuda
FastWave Internet Services, Inc.
858-487-1414
[EMAIL PROTECTED]



-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
Of Rick Hogue
Sent: Wednesday, December 26, 2007 7:20 AM
To: Message Sniffer Community
Subject: [sniffer] Excessive amounts of Foreign language spam

 
I have been getting a large amount of foreign language email appears to be

Russian but not sure as I do not speak it. What is being done about this
kind of spam?
I am on Imail 8.21 and I am not using the latest beta of Sniffer. I do not
use other methods other than a couple from my Declude engine including my
own blacklist, but there are so many different IP addresses on this it is
very hard to keep up with. Help!

 


Simplified Association Management Systems
Rick Hogue
P.O. Box 18304
Louisville, KY 40261
1-502-459-3100 office
http://www.samprogram.com




#
This message is sent to you because you are subscribed to
  the mailing list .
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to  <[EMAIL PROTECTED]>

---
[This E-mail scanned for viruses by Declude Virus]


---
[This E-mail scanned for viruses by Declude Virus]



#
This message is sent to you because you are subscribed to
  the mailing list .
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to  <[EMAIL PROTECTED]>


  




#
This message is sent to you because you are subscribed to
 the mailing list .
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to  <[EMAIL PROTECTED]>

[sniffer] Re: XYNTService -- Any Problems?

[Matt]

SRVANY works perfectly and is free with Windows.  Why not use that?

Matt



Pete McNeil wrote:

Hello Sniffer Folks,

We are working on an installer for the command-line version of SNF
V3.0.

We are considering re-distributing XYNTService to setup the
SNFServer.exe as part of the installation. There are some rumblings
here and there about XYNTService not working the same way on some
versions of Windows.

If any of you have experience with XYNTService then we would sure like
to hear about it.

If anyone knows of an alternative that we can bundle with our
installer then please let us know that too...

(Why don't you just write something?? -- ) We'd prefer not to reinvent
that particular wheel right now -- not that it's hard, just that it's
not necessary and we'd rather do other important stuff.

Thanks!

_M

  




#
This message is sent to you because you are subscribed to
 the mailing list .
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to  <[EMAIL PROTECTED]>

[sniffer] Re: XYNTService -- Any Problems?

[Matt]

I'm sure that I don't speak for everyone, but I would tend to avoid 
third-party service systems, and this would also expose Sniffer to the 
potential pitfalls of that software.


You could provide directions on how to install SRVANY, and then have a 
script that completes the process once the executables are on the 
system.  That would be my short-term recommendation.  In the long-term, 
I would do your own service as opposed to use someone else's container.


I would not recommend distributing XYNTService until you have trialled 
that for several months with a range of systems.  The work of properly 
testing this is possibly more work than creating your own service.


All IMO of course.

Matt



Pete McNeil wrote:

Hello Matt,

Friday, May 9, 2008, 3:57:42 PM, you wrote:

  

SRVANY works perfectly and is free with Windows.  Why not use that?



We can't redistribute SRVANY with our installer and we can't be sure
it will be present on all systems. I've been using SRVANY every time I
do an install for somebody... but we want something that we can
deliver with the installer so it can be a (more or less) one click
process.

_M

  

[sniffer] Re: It's official. SNF Version 3.0 is Ready!

[Matt]

Pete,

Now that you got that taken care of, can you give us an idea when you 
expect 4.0 to be released?


Matt



Pete McNeil wrote:

Hello Sniffer folks,

Back in Q1 we were sure we'd be ready with the new SNF after nearly a
year of testing on both large and small systems. What a surprise!

After publishing the first release candidate we went from version 1-5
to version 2-27 at a breathtaking pace!

Thank you to everyone who has tested, poked, prodded, and twisted the
new SNF -- not to mention keeping up with all of those updates during
the final phase of testing. I can't imagine getting to this point
without your patience, trust, attention to detail, and persistence!
Bravo!



Without further fanfare: Today the latest release candidate becomes
the official production release of Message Sniffer (SNF) Version 3.0.

The changes:

-- Minor updates to readme files.

-- Changed the build / version information and recompiled.

-- Removed redundant comments from the configuration file.

We have been bug free for more than 2 months with several hundred
systems using the new engine.

You can download the latest distributions from this page:

http://www.armresearch.com/products/index.jsp

You may also notice that we've published our new web site! There are a
few bits of documentation still under construction here and there, but
we're well on our way to filling those in along with a stream of
continues improvements and additions based on our work with you!

Once again, Thanks to everyone for a fantastic job!

Thanks for all of your support, comments, and efforts!

As always we're hear to help. Now, onward to the next upgrade...
always work to do ;-)

Cheers!

_M

  




#
This message is sent to you because you are subscribed to
 the mailing list .
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to  <[EMAIL PROTECTED]>

[sniffer] Re: It's official. SNF Version 3.0 is Ready!

[Matt]

Pete,

Glad you got the joke.  I'll allow you a a little time to take your mind 
off of the future :)


Thanks,

Matt



Pete McNeil wrote:

Hello Matt,

Thursday, June 26, 2008, 4:21:42 PM, you wrote:

  

Pete,



  
Now that you got that taken care of, can you give us an idea when you 
expect 4.0 to be released?



Hehehe.

We're not close enough to that to be remotely accurate, but I will
tell you that I'd like it to be within something approaching a year.

There are a lot of continuous upgrades to do on the back-end that will
unleash and enhance V3's power and provide additional tools and
products along the way -- plus plenty of work helping new third party
products get off the ground w/ SNF inside... So we'll be plenty busy
and we'll keep you posted.

_M


  

[sniffer] Re: Sniffer Helper App?

[Matt]

Steve,

Since this hasn't yet been mentioned, try Alligate (www.alligate.com).  
It does selective greylisting (only greylists things that look spammy), 
and also will validate your users' addresses and do things like country 
blocking/tarpitting/greylisting.  Only one zombie spammer survives 
greylisting, and after you dump all of that plus validate addresses, you 
will reduce your traffic down to a point where it is only 1/3 spam.  If 
you only reject bad addresses and clear abuse (many bad addresses in one 
connection for instance), you can do this with 99.% accuracy.  I'm 
not lying about that either.  The only things that fail selective 
greylisting will be black boxes that don't spool E-mail, and if you give 
a wide retry time, you will likely allow future attempts from a black 
box that happens to get greylisted.


Selective greylisting is far superior to regular greylisting since it is 
rarely triggered against legitimate E-mail.  I dump around 93% of all 
connections to my servers and I don't need to falsely trust a single 
source of data such as SpamCop to achieve those results.  I then leave 
the heavy lifting to a secondary filtering system where the heavy 
lifting is performed.  Alligate requires almost no resources, though you 
should dedicate a box to it so that other things don't step on it's feet.


Matt



Steve Guluk wrote:


Hello, 

I run iMail 9.0 and would like a program that can do GeoIP to 
screen foreign countries before they even get to iMail. I used to use 
MXGuard (still have an active license) but my server could not handle 
the CPU draw. I moved to eWall which really has some great potential 
as it is a nice light gateway client that works with Sniffer but it 
also crashes and has a few other problems (this program also 
introduced me to GeoIP).



Any other suggestions as I am beat after trying to get some decent 
spam relief as well as relief from an aging server. My server is an 
AMD 2.0 with Raid  and 2 gigs of Ram   It's faired well over the 
last couple years but the spam levels ramping up are starting to take 
their toll and I don't want to move to a new server just yet.



eWalls got me spoiled on the GeoIP feature where it polls a DB for 
country info based on the incoming IP and can delete emails before 
they reach iMail.  



Any suggestions on what I should consider to help with spam and also 
use Sniffer. Is Declude worth while? Some other light gateway like eWall ?



Thanks in advance for any suggestions, 




*Steve Guluk*

SGDesign

(949) 661-9333

ICQ: 7230769

[sniffer] Slow processing times, errors

[Matt]

Pete,

I've had many recent incidences where, as it turns out, SNFclient.exe 
takes 30 to 90 seconds to respond to every message with a result code 
(normally less than a second), and as a result backs up processing.  
Restarting the Sniffer service seems to do the trick, but I only tested 
that for the first time today after figuring this out.


I believe the events are triggered by updates, but I'm not sure as of 
yet.  Updates subsequent to the slow down do not appear to fix the 
situation, so it seems to be resident in the service.  When this 
happens, my SNFclient.exe.err log fill up with lines like this:


20130627155608, arg1=F:\\proc\work\D6063018a2550.smd : Could 
Not Connect!


At the same time, my Sniffer logs start showing frequent 
"ERROR_MSG_FILE" results on about 1/8th of the messages.


I'm currently using the service version 3.0.2-E3.0.17.  It's not 
entirely clear to me what the most current one is.


Any suggestions as to the cause or solution?

Thanks,

Matt


#
This message is sent to you because you are subscribed to
 the mailing list .
This list is for discussing Message Sniffer,
Anti-spam, Anti-Malware, and related email topics.
For More information see http://www.armresearch.com
To unsubscribe, E-mail to: 
To switch to the DIGEST mode, E-mail to 
To switch to the INDEX mode, E-mail to 
Send administrative queries to  

[sniffer] Re: Slow processing times, errors

[Matt]

Darin,

I'm not seeing that sort of thing.  With 3.x, there doesn't appear to be 
any extraneous file creation in the Sniffer program directory, and never 
any TMP files in my spool.  I do not have Sniffer modifying headers, so 
that may be different on our systems.


Matt


On 6/27/2013 5:25 PM, Darin Cox wrote:
When we had sluggish performance similar that yours, resulting in 
numerous sniffer .tmp files in the spool, the cause was eventually 
traced to a proliferation of files in the sniffer directory.  Clearing 
them out brought performance back up to normal.

Darin.

*From:* e...@protologic.com <mailto:e...@protologic.com>
*Sent:* Thursday, June 27, 2013 5:17 PM
*To:* Message Sniffer Community <mailto:sniffer@sortmonster.com>
*Subject:* [sniffer] Re: Slow processing times, errors
We were experiencing this several days ago and couldn't find a fix 
that worked or worked for long. We uninstalled SNF and reinstalled and 
have not detected a problem since. I will check the logs and report 
back if I see anything intermittent.





Sent using SmarterSync Over-The-Air sync for iPad, iPhone, BlackBerry 
and other SmartPhones. May use speech to text. If something seems odd 
please don't hesitate to ask for clarification. E.&O.E.


On 2013-06-27, at 2:06 PM, Matt wrote:

> Pete,
>
> I've had many recent incidences where, as it turns out, 
SNFclient.exe takes 30 to 90 seconds to respond to every message with 
a result code (normally less than a second), and as a result backs up 
processing. Restarting the Sniffer service seems to do the trick, but 
I only tested that for the first time today after figuring this out.

>
> I believe the events are triggered by updates, but I'm not sure as 
of yet. Updates subsequent to the slow down do not appear to fix the 
situation, so it seems to be resident in the service. When this 
happens, my SNFclient.exe.err log fill up with lines like this:

>
> 20130627155608, arg1=F:\\proc\work\D6063018a2550.smd : Could Not 
Connect!

>
> At the same time, my Sniffer logs start showing frequent 
"ERROR_MSG_FILE" results on about 1/8th of the messages.

>
> I'm currently using the service version 3.0.2-E3.0.17. It's not 
entirely clear to me what the most current one is.

>
> Any suggestions as to the cause or solution?
>
> Thanks,
>
> Matt
>
>
> #
> This message is sent to you because you are subscribed to
> the mailing list .
> This list is for discussing Message Sniffer,
> Anti-spam, Anti-Malware, and related email topics.
> For More information see http://www.armresearch.com
> To unsubscribe, E-mail to:
> To switch to the DIGEST mode, E-mail to
> To switch to the INDEX mode, E-mail to
> Send administrative queries to
>

[sniffer] Re: Slow processing times, errors

[Matt]

This is an automated message from the mailing list software.  In order 
to unsubscribe you must issue the command "please unsubscribe".



#
This message is sent to you because you are subscribed to
 the mailing list .
This list is for discussing Message Sniffer,
Anti-spam, Anti-Malware, and related email topics.
For More information see http://www.armresearch.com
To unsubscribe, E-mail to: 
To switch to the DIGEST mode, E-mail to 
To switch to the INDEX mode, E-mail to 
Send administrative queries to  

[sniffer] Re: Slow processing times, errors

[Matt]

d : XCI
   Error!: FileError snf_EngineHandler::scanMessageFile() Open/Seek
   20130627183820, arg1=F:\\proc\work\D8638016d42db.smd : XCI
   Error!: FileError snf_EngineHandler::scanMessageFile() Open/Seek
   20130627183820, arg1=F:\\proc\work\D862b00e64292.smd : XCI
   Error!: FileError snf_EngineHandler::scanMessageFile() Open/Seek
   20130627183820, arg1=F:\\proc\work\D8638017342e0.smd : XCI
   Error!: FileError snf_EngineHandler::scanMessageFile() Open/Seek
   20130627183820, arg1=F:\\proc\work\D865d01804393.smd : XCI
   Error!: FileError snf_EngineHandler::scanMessageFile() Open/Seek
   20130627183820, arg1=F:\\proc\work\D8631017742b1.smd : XCI
   Error!: FileError snf_EngineHandler::scanMessageFile() Open/Seek
   20130627183820, arg1=F:\\proc\work\D85b100e33f7f.smd : XCI
   Error!: FileError snf_EngineHandler::scanMessageFile() Open/Seek


I am looking to retool presently just because it's time.  So if you are 
convinced that this is due to low resources, don't concern yourself with it.


Matt


On 6/28/2013 10:36 AM, Pete McNeil wrote:

On 2013-06-27 20:01, Matt wrote:
I'm attaching a snippet of my log.  About 100 lines past the start, 
where you see a smattering of error messages, you then see a large 
block of them while the Sniffer service is restarting, and then after 
that no errors at all.  There have in fact been no errors at all in 
several hours since this restart of Sniffer. 


I can promise you that the error you're reporting comes directly from 
a problem with the file system. Here is the code where that error is 
generated. Put simply the code tries to open the file and determine 
it's size. If that doesn't work it throws the ERROR_MSG_FILE exception 
in one of two forms -- that's what ends up in the log.


| *try*  {/// Try opening the message file.
/|/||/| MessageFile.open(MessageFilePath.c_str(), ios::in | 
ios::binary);/// Open the file, binary mode.
/|/||/| MessageFile.seekg(0, ios::end);/// Find the end of the file,
/|/||/| MessageFileSize = MessageFile.tellg();/// read that position as 
the size,
/|/||/| MessageFile.seekg(0, ios::beg);/// then go back to the 
beginning.
/|/||/| MyScanData.ScanSize = MessageFileSize;/// Capture the message 
file size.
/|/||/| }
|| *catch*(...) {/// Trouble? Throw FileError.
/|/||/| MyRulebase->MyLOGmgr.logThisError(/// Log the error.
/|/||/|   MyScanData,*"scanMessageFile().open"*,
||   snf_ERROR_MSG_FILE,*"ERROR_MSG_FILE"*
|| );
|| *throw*  FileError(*"snf_EngineHandler::scanMessageFile() 
Open/Seek"*);
|| }
||
|| *if*(0 >= MessageFileSize) {/// Handle zero length files.
/|/||/| MessageFile.close();/// No need to keep this open.
/|/||/| MyRulebase->MyLOGmgr.logThisError(/// Log the error.
/|/||/|   MyScanData,*"scanMessageFile().isFileEmpty?"*,
||   snf_ERROR_MSG_FILE,*"ERROR_MSG_FILE"*
|| );
|| *throw*  FileError(*"snf_EngineHandler::scanMessageFile() 
FileEmpty!"*);
|| }
|

Another clue is that in the log snippet you provide, there are hints 
of a problem brewing when there are sporadic instances of this error. 
Then, when there is a large block -- virtually all requests to open 
the files for scan are rejected by the OS. Either something made those 
files unavailable, or the OS was unable to handle the request. I find 
it interesting also that the time required to report the error started 
at about 172 milliseconds and continued to climb to 406, 578, and then 
656 before the restart.


SNF does not make log entries in the classic log during a restart, by 
the way.


Note also the timestamps associated with these events and you can see 
that the event was precipitated by a dramatic rise in message rates. 
The first part of your log seems to indicate about 7-10 messages per 
second. During the large block of errors, the message rate appears to 
have been in excess of 120 (I counted approximately 126 at timestamp 
20130627183819). That's an increase at least an order of magnitude 
higher than the rate that was causing sporadic errors.


I suspect based on the data you have provided that something on your 
system generated a very large spike of activity that your IO subsystem 
was unable to manage and this caused snf scans to fail because snf was 
unable to open the files it was asked to scan.


Your restart of SNF apparently coincided with the event, but since all 
of the SMD file names are unique during the event, and since SNF has 
no way to generate scan requests on it's own, SNF does not appear to 
have been the cause of the event in any way. It was able to record the 
event, none the less.


So the question in my mind now is:

* Is there a way to improve your IO subsystem so that it can gain some 
headroom above 10 msg/sec?

* What caused the sudden dramatic spike th

[sniffer] Re: Slow processing times, errors

[Matt]

Pete,

Just after the restart of the Sniffer service, times dropped back down 
into the ms from 30+ seconds before, so what I am saying is that if I/O 
was the issue, it was merely the trigger for something that put the 
service in a bad state when it started.  I/O issues are not persistent, 
but could happen from time to time I'm sure. Restarting Sniffer with a 
backlog of 2,500 messages and normal peak traffic will not re-trigger 
the condition, and I press Declude to run up to 300 messages at a time 
in situations like that, and the CPU's are pegged until the backlog 
clears.  In the past, I restarted the whole system, not knowing why it 
worked.  During normal peak times (without bursts), the Declude is 
processing about 125 messages at a time which take an average of 6 
seconds to fully process, and therefore Sniffer is probably handling 
only about 10 messages at a time (at peak).


Since 5/22 I have seen 4 or 5 different events like this, and I 
confirmed that they are all present in the SNFclient.exe.err log.


Matt



On 6/28/2013 12:41 PM, Pete McNeil wrote:

On 2013-06-28 12:10, Matt wrote:
I am looking to retool presently just because it's time.  So if you 
are convinced that this is due to low resources, don't concern 
yourself with it.


Ok. It makes sense that the ~200 messages all at once could have 
happend at the restart. SNFClient will keep trying for 30-90 seconds 
before it gives up and spits out it's error file. That's where your 
delays are coming from. SNF itself was clocking only about 100-800ms 
for all of the scans.


The error result you report is exactly the one sent by SNF -- that it 
was unable to open the file.


I am very sure this is resource related -- your scans should not be 
taking the amount of time they are and I suspect most of that time is 
eaten up trying to get to the files. The occasional errors of the same 
time are a good hint that IO is to blame.


The new spam that we've seen often includes large messages -- so 
that's going to put a higher load on IO resources -- I'll bet that the 
increased volume and large message sizes are pushing IO over the edge 
or at least very close to it.


Best,

_M





#
This message is sent to you because you are subscribed to
 the mailing list .
This list is for discussing Message Sniffer,
Anti-spam, Anti-Malware, and related email topics.
For More information see http://www.armresearch.com
To unsubscribe, E-mail to: 
To switch to the DIGEST mode, E-mail to 
To switch to the INDEX mode, E-mail to 
Send administrative queries to  

[sniffer] Re: Slow processing times, errors

[Matt]

I'll certainly look more closely next time.  Hopefully I'll be migrated 
before this happens again :)


Matt


On 6/28/2013 1:44 PM, Darin Cox wrote:
How about running performance monitor to watch disk I/O, mem, cpu, 
page file, etc. over time in the hopes of catching one of the events?

Darin.

*From:* Matt <mailto:for...@mailpure.com>
*Sent:* Friday, June 28, 2013 12:10 PM
*To:* Message Sniffer Community <mailto:sniffer@sortmonster.com>
*Subject:* [sniffer] Re: Slow processing times, errors
Pete,

I'm near positive that it's not system resources that are causing 
Sniffer to not be able to _access the files_.  I believe these errors 
are a symptom and not the cause.


You have to keep in mind that on the messages that don't throw errors, 
they were taking 30-90 seconds to scan, but immediately after a 
restart it was under 1 second.  The system stayed the same, it was 
just the state of the service that was off in a bad way.


I did add a larger client about a month ago around the time that this 
started, which did inch up load by between 1% and 5% I figure, but I 
can't say for sure that the two things are connected.  I've seen much 
bigger changes however in spam volumes from single spammers.  I have 
looked at my SNFclient.exe.err log and found that the previous 
slowdowns were all represented in this file, and nothing else really 
since a smattering in 2012 of other stuff.  I believe that I/O could 
be the trigger, or general system load, but the error in the service 
that misses opening some files, and is otherwise slower than normal by 
100 times, will persist when everything else is fine again.  I figure 
that this is all triggered by a short-term lack of resources or a 
killer message type of issue that does something like run away with 
memory.  Certainly there were no recent changes on the server prior to 
this starting to happen, including Sniffer itself which has been 
perfectly solid up until 5/22.


Regarding the ERROR_MSG_FILE batch that I sent you in that log, it did 
happen exactly when I restarted Sniffer, and in fact the 
SNFclient.exe.err log showed a different error while this was 
happening, and maybe this will point you to something else?  That log 
says "Could Not Connect!" when the regular Sniffer log shows 
"ERROR_MSG_FILE" about 1/8th of the time while in a bad state.  When I 
restarted the Sniffer service, the regular log showed a bunch of 
"ERROR_MSG_FILE" in a row, but the SNFclient.exe.err log below shows 
"XCI Error!: FileError snf_EngineHandler::scanMessageFile() 
Open/Seek".  You can match the message ID's with the other log that I 
provided. I believe that block of messages was already called to 
SNFclient.exe, but the Sniffer service haddn't yet responded, and so 
they were dumped as a batch into both logs during shut down of the 
service.


20130627183807, arg1=F:\\proc\work\D862600e64269.smd : Could
Not Connect!
20130627183808, arg1=F:\\proc\work\D86440177431f.smd : Could
Not Connect!
20130627183808, arg1=F:\\proc\work\D861200ce41ce.smd : Could
Not Connect!
20130627183809, arg1=F:\\proc\work\D864401734321.smd : Could
Not Connect!
20130627183809, arg1=F:\\proc\work\D861400da41e3.smd : Could
Not Connect!
20130627183810, arg1=F:\\proc\work\D862600d7425f.smd : Could
Not Connect!
20130627183811, arg1=F:\\proc\work\D864a00e94346.smd : Could
Not Connect!
20130627183811, arg1=F:\\proc\work\D8615019b41f4.smd : Could
Not Connect!
20130627183813, arg1=F:\\proc\work\D862900e94282.smd : Could
Not Connect!
20130627183815, arg1=F:\\proc\work\D863d01584306.smd : Could
Not Connect!
20130627183817, arg1=F:\\proc\work\D86030158416f.smd : Could
Not Connect!
20130627183818, arg1=F:\\proc\work\D862300e94255.smd : Could
Not Connect!
20130627183819, arg1=F:\\proc\work\D862900e64281.smd : Could
Not Connect!
20130627183819, arg1=F:\\proc\work\D864b00d74357.smd : XCI
Error!: FileError snf_EngineHandler::scanMessageFile() Open/Seek
20130627183819, arg1=F:\\proc\work\D864800d7433c.smd : XCI
Error!: FileError snf_EngineHandler::scanMessageFile() Open/Seek
20130627183819, arg1=F:\\proc\work\D861901734205.smd : XCI
Error!: FileError snf_EngineHandler::scanMessageFile() Open/Seek
20130627183819, arg1=F:\\proc\work\D861d01774230.smd : XCI
Error!: FileError snf_EngineHandler::scanMessageFile() Open/Seek
20130627183819, arg1=F:\\proc\work\D8641016d4310.smd : XCI
Error!: FileError snf_EngineHandler::scanMessageFile() Open/Seek
20130627183819, arg1=F:\\proc\work\D865000e64363.smd : XCI
Error!: FileError snf_EngineHandler::scanMessageFile() Open/Seek
20130627183819, arg1=F:\\proc\work\D865000e14361.smd : XCI
Error!: FileError snf_EngineHandler::scanMessageFile() O

[sniffer] Re: Slow processing times, errors

[Matt]

Eric,

I'm guessing based on what you were seeing, that it was unrelated to 
what I was seeing.  Sniffer never actually died, it just got over 100 
times slower, and 1/8th of the time it timed out.  This never happened 
before 5/22, and this same server has been there for years, and the same 
installation of Sniffer for 2 years or so.  I would think that if the 
issue was I/O (under normal conditions), it would have happened before 
5/22 as there were clearly bursty periods often enough that my own 
traffic didn't change dramatically enough so that it happened 4 to 5 
times in one month.


The server itself could have some issues that could be causing this.  
Maybe the file system is screwy, or Windows itself, or memory errors, or 
whatever.


Matt


On 6/28/2013 2:12 PM, E. H. (Eric) Fletcher wrote:

Matt:

I mentioned in a previous post that we had experienced something similar at
about that time and resolved it a day or so later by re-installing sniffer
when service restarts, reboots and some basic troubleshooting did not give
us the results we needed.  At this point that still seems to have been
effective (about 5 days now).

At the time, we did move things around to see whether it was related to the
number of items in the queue or anywhere else within the structure of the
mail system and found it made no difference. A single item arriving in an
empty Queue was still not processed.   CPU utilization was modest (single
digit across 4 cores) and disk I/O was lighter than usual as it took place
over a weekend.  Memory utilization was a little higher than I'd like to
see, we are addressing that now.

Following a suggestion from another ISP, we moved the spool folders onto a
RAM drive a couple of months ago.  That has worked well for us, we did rule
it out as the source of the problem by moving back onto the conventional
hard disk during the last part of the troubleshooting and for the first hour
or two following the reload.  We are processing on the Ramdisk now and have
been for over 4 days again.

For what it's worth . . .

Eric


-Original Message-
From: Message Sniffer Community [mailto:sniffer@sortmonster.com] On Behalf
Of Matt
Sent: Friday, June 28, 2013 10:32 AM
To: Message Sniffer Community
Subject: [sniffer] Re: Slow processing times, errors

Pete,

Just after the restart of the Sniffer service, times dropped back down into
the ms from 30+ seconds before, so what I am saying is that if I/O was the
issue, it was merely the trigger for something that put the service in a bad
state when it started.  I/O issues are not persistent, but could happen from
time to time I'm sure. Restarting Sniffer with a backlog of 2,500 messages
and normal peak traffic will not re-trigger the condition, and I press
Declude to run up to 300 messages at a time in situations like that, and the
CPU's are pegged until the backlog clears.  In the past, I restarted the
whole system, not knowing why it worked.  During normal peak times (without
bursts), the Declude is processing about 125 messages at a time which take
an average of 6 seconds to fully process, and therefore Sniffer is probably
handling only about 10 messages at a time (at peak).

Since 5/22 I have seen 4 or 5 different events like this, and I confirmed
that they are all present in the SNFclient.exe.err log.

Matt



On 6/28/2013 12:41 PM, Pete McNeil wrote:

On 2013-06-28 12:10, Matt wrote:

I am looking to retool presently just because it's time.  So if you
are convinced that this is due to low resources, don't concern
yourself with it.

Ok. It makes sense that the ~200 messages all at once could have
happend at the restart. SNFClient will keep trying for 30-90 seconds
before it gives up and spits out it's error file. That's where your
delays are coming from. SNF itself was clocking only about 100-800ms
for all of the scans.

The error result you report is exactly the one sent by SNF -- that it
was unable to open the file.

I am very sure this is resource related -- your scans should not be
taking the amount of time they are and I suspect most of that time is
eaten up trying to get to the files. The occasional errors of the same
time are a good hint that IO is to blame.

The new spam that we've seen often includes large messages -- so
that's going to put a higher load on IO resources -- I'll bet that the
increased volume and large message sizes are pushing IO over the edge
or at least very close to it.

Best,

_M




#
This message is sent to you because you are subscribed to
   the mailing list .
This list is for discussing Message Sniffer, Anti-spam, Anti-Malware, and
related email topics.
For More information see http://www.armresearch.com To unsubscribe, E-mail
to:  To switch to the DIGEST mode, E-mail to
 To switch to the INDEX mode, E-mail to
 Send administrative queries to

[sniffer] Re: Slow processing times, errors

[Matt]

I just looked through my history of the SNFclient.exe.err log and I was 
a bit off.  There were two small occurrences before 5/22, and both were 
so small they were without a doubt unnoticeable.  Here's my history 
since installation on 4/10/2012 with the number of occurrences of "Could 
Not Connect!" noted:


   11/19/2012 (949 occurrences) - * No backup in excess of 2 minutes
   occurred
   4/26/2012 (181 occurrences) - * No backup in excess of 2 minutes
   occurred
   5/22 (3,568 occurrences) - * No backup in excess of 2 minutes occurred
   5/31 (13,745 occurrences)
   6/3 (2,630 occurrences) - * No backup in excess of 2 minutes occurred
   6/11 (26,194 occurrences)
   6/13 (28,633 occurrences)
   6/14 (83,342 occurrences)
   6/17 (5,952 occurrences) - * No backup in excess of 2 minutes occurred
   6/21 (10,894 occurrences)
   6/27 (34,959 occurrences)

At peak times, we are probably doing between 30,000 and 40,000 messages 
per hour.  When this hit at peak hour yesterday, the server was backed 
up 2 minutes within 10 minutes of this starting.  If it happens outside 
of business hours, it's likely not seen at all.  The backup was resolved 
within 1 hour using different Declude settings, but Sniffer wasn't 
restarted for 2 hours and 45 minutes after the problem started.  So 
those ~35,000 occurrences were from 165 minutes of email.


After looking through my logs, it doesn't seem that I rebooted hardly 
any of these times.  I tend to not want to take the server down outside 
of rush hour.  I do tweak Declude for rush processing when backed up, so 
Declude is restarted which will stop sending files to Sniffer for a 
period of time.  It seems that Sniffer is mostly healing itself without 
restarting it's service, though maybe the updates will cause a service 
restart/reset?


I also checked and found that we added that larger client on 6/1, and 
outside of that, customer counts have been fairly consistent.


Matt


On 6/28/2013 2:56 PM, e...@protologic.com wrote:

Matt:
Coincidentally (I hope) this happened to us on the 22nd also. It did 
not stop working completely although we didn't get the throughput you 
did. We also saw the messages indicating it was not able to open the 
file. Pretty much the same message as in your first post and not one 
I've seen before.

Eric




Sent using SmarterSync Over-The-Air sync for iPad, iPhone, BlackBerry 
and other SmartPhones. May use speech to text. If something seems odd 
please don't hesitate to ask for clarification. E.&O.E.


On 2013-06-28, at 11:39 AM, Matt wrote:

> Eric,
>
> I'm guessing based on what you were seeing, that it was unrelated to 
what I was seeing. Sniffer never actually died, it just got over 100 
times slower, and 1/8th of the time it timed out. This never happened 
before 5/22, and this same server has been there for years, and the 
same installation of Sniffer for 2 years or so. I would think that if 
the issue was I/O (under normal conditions), it would have happened 
before 5/22 as there were clearly bursty periods often enough that my 
own traffic didn't change dramatically enough so that it happened 4 to 
5 times in one month.

>
> The server itself could have some issues that could be causing this. 
Maybe the file system is screwy, or Windows itself, or memory errors, 
or whatever.

>
> Matt
>
>
> On 6/28/2013 2:12 PM, E. H. (Eric) Fletcher wrote:
>> Matt:
>>
>> I mentioned in a previous post that we had experienced something 
similar at
>> about that time and resolved it a day or so later by re-installing 
sniffer
>> when service restarts, reboots and some basic troubleshooting did 
not give

>> us the results we needed. At this point that still seems to have been
>> effective (about 5 days now).
>>
>> At the time, we did move things around to see whether it was 
related to the
>> number of items in the queue or anywhere else within the structure 
of the
>> mail system and found it made no difference. A single item arriving 
in an

>> empty Queue was still not processed. CPU utilization was modest (single
>> digit across 4 cores) and disk I/O was lighter than usual as it 
took place

>> over a weekend. Memory utilization was a little higher than I'd like to
>> see, we are addressing that now.
>>
>> Following a suggestion from another ISP, we moved the spool folders 
onto a
>> RAM drive a couple of months ago. That has worked well for us, we 
did rule
>> it out as the source of the problem by moving back onto the 
conventional
>> hard disk during the last part of the troubleshooting and for the 
first hour
>> or two following the reload. We are processing on the Ramdisk now 
and have

>> been for over 4 days again.
>>
>> For what it's worth . . .
>>
>> Eric
>>
>>
>&g

[sniffer] Re: What is your oldest production CPU?

[Matt]

Intel 5400 series Xeon here.  But don't forget virtualization.  I'm not 
sure what CPU virtualization does to targeting your code.


Matt




On 12/27/2013 9:43 AM, Pete McNeil wrote:

Hello Sniffer Folks,

We would like to know what your oldest production CPU is.

When building new binaries of SNF or it's utilities we would like to 
select the newest CPU we can without leaving anybody behind.


We're also evaluating whether we should split binaries into a 
"compatible" version base on Intel i686 (or equivalent AMD), and a 
"current" version based on Intel Core2 (or equivalent AMD).


Please respond here.

Thanks for your time!!

_M





#
This message is sent to you because you are subscribed to
 the mailing list .
This list is for discussing Message Sniffer,
Anti-spam, Anti-Malware, and related email topics.
For More information see http://www.armresearch.com
To unsubscribe, E-mail to: 
To switch to the DIGEST mode, E-mail to 
To switch to the INDEX mode, E-mail to 
Send administrative queries to  

[sniffer] Re: What is your oldest production CPU?

[Matt]

On a VMware ESXi 5.x box with a virtual machine version 8, and physical 
E5-2689 CPU's I see the following:


On a Windows 2003 32-bit host, Device Manager shows that it is x86 
family 6 model 45.
On a Windows 2008 R2 64-bit host, Device Manager shows that it is 
Intel64 family 6 model 45.


Windows does know the processor version as well, though that's just meta 
information I believe and may not be reliable.  There are of course 
several other popular flavors of virtualization that I am not familiar with.


Matt





On 12/27/2013 3:58 PM, Pete McNeil wrote:

On 2013-12-27 15:45, Matt wrote:
Intel 5400 series Xeon here.  But don't forget virtualization.  I'm 
not sure what CPU virtualization does to targeting your code.


That's a good point The processor should be specified in the VM 
profile and if I recall correctly it is typically defaulted to the 
processor of the VM host. I should look closer at this -- but would 
like some feedback.


Thanks,

_M





#
This message is sent to you because you are subscribed to
 the mailing list .
This list is for discussing Message Sniffer,
Anti-spam, Anti-Malware, and related email topics.
For More information see http://www.armresearch.com
To unsubscribe, E-mail to: 
To switch to the DIGEST mode, E-mail to 
To switch to the INDEX mode, E-mail to 
Send administrative queries to  

Re: [sniffer] rule idea

[Matt]

Please don't, my Grandmother probably couldn't get through then :)

The more solid the basis for the rules, the higher the score I can give 
to the test.  Most spammers nowadays will have a time that is only off 
by a few hours when they hard code the headers for a zombie attack, 
however once you start getting out several days, or even months or 
years, the likelihood that this is not spam increases.  There's no good 
rule of thumb IMO.

Scott from Declude has been testing this idea out for several months now 
without releasing the functionality to the public, probably because it's 
unreliable I'm thinking.  It it was to be scored, I would much rather it 
be separate from other tests.

Matt



Herb Guenther wrote:

At one time we had floated the idea of a rule that would mark any 
email that was more than 24-48 hrs ahead or behind the actual current 
time and date as spam.  I just got two "You've been invited to a blind 
date" messages that were dated last summer.  99.9% of these off date 
messages are spam, and anyone real who has there date that far off 
should fix it.

Would it be hard to add such a rule to sniffer?

Herb

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
This E-Mail came from the [EMAIL PROTECTED] mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html

Re: [sniffer] F-Prot and netsky

[Matt]

F-Prot prompted me for an upgrade of the program when I logged in this
morning (full download and install process).  I assume that this is
meant to take care of the issue in not catching Mydoom.F.  Before that
I was showing definitions that were last updated on the 18th.  Everyone
should log onto their servers and run the updater if they aren't
immediately prompted.

If I'm correct, it also took several days for them to fix an issue with
Mimail and that required a version upgrade.

Matt


Madscientist wrote:
At
09:32 AM 2/24/2004, you wrote:
  I was
wondering if anyone else is using F-prot for their virus engine in
declude, and what they now think about it. Netsky was discovered on the
18th, and F-Prot actually had it posted on their website as being
discovered by them on the 19th. But they didn't update their definition
files to actually catch it until early this morning. This meant that
netsky ran rampant under F-Prots nose for 6 days. I feel this is
completely unacceptable, and I am going to change my virus engine this
week unless someone can tell me that there is a good reason why I
shouldn't. 
 
Any ideas or feedback from someone
using
F-Prot?
Thanks
  
We recently abandoned McAfee for F-Prot. F-Prot is much more efficient
and stable on our NT test platform. Though I am not pleased with the
delays you mention, I'm also not willing to throw them out given the
alternatives and at this point I consider the delay an aberration
rather
than a systemic flaw. A better strategy to dropping F-Prot, in my
opinion, is to also include alternatives - since diversity is better
protection anyway and the costs are well within reason.
  
My $0.02.
_M
  
  
  Pete McNeil (Madscientist)
President, MicroNeil Research Corporation.
Chief SortMonster,
  www.SortMonster.com.
Vox 703-406-2016, Fax 703-406-2017
  


-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=

[sniffer] Efficiency request for Declude installations and maybe others.

[Matt]

Pete,

Would it be possible to add the ability to tell Sniffer not to run when 
Declude passes it a weight?  I understand that we tend to weight 
differently, so this would require two switches to pull off, but it 
would help with efficiency.  The command line in a Declude config would 
be something like the following:

   "C:\IMail\Declude\Sniffer\aaabbbccc.exe your-code %WEIGHT% 25"

Declude will replace %WEIGHT% with the weight before calling Sniffer, 
and the next entry, 25, would tell Sniffer to not run if the the current 
weight was equal to 25 or above.  Some people also do some whitelisting 
with external programs like Sniffer, in which case it might be a good 
idea to add a weight under which you would also skip processing, i.e.

   "C:\IMail\Declude\Sniffer\aaabbbccc.exe your-code %WEIGHT% 25 -10"

On my system, the addition of the weight variable would cause Sniffer to 
not be run on between 50% and 75% of the E-mail depending on the day of 
the week, so this could be a very big deal.

Thanks,

Matt

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=


This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html

Re: [sniffer] Efficiency request for Declude installations andmaybeothers.

[Matt]

Pete,

That is of course an option.  He did make this variable available for 
such uses, but that's clearly not the only way to skin this cat.  I 
think the trick here is determining which external tests to run 
according to which skip weight setting.  Different external tests would 
have potentially different trigger levels instead of one main trigger.  
Certainly Declude could provide this, but it would require a setting for 
each individual test call.  I would imagine that he could add new 
columns to the external test call like so:

- Current Format -
SNIFFER-GENERALexternal063
"C:\IMail\Declude\Sniffer\programname.exe mycode"60

- Potential New Format -
SNIFFER-GENERALexternal063
"C:\IMail\Declude\Sniffer\programname.exe mycode"60   25   -10

The first extra column would be the skip-if-equal-to-or-above-weight 
setting and the second extra column would be the 
skip-if-equal-to-or-below-weight
setting.

Scott seems extra busy right now, but he obviously monitors this list so 
I'll leave it here for now.  Declude has of course made huge strides in 
terms of efficiency.  It would be nice if possible for Sniffer + Declude 
to make use of the rulebase loading method mentioned earlier as well.

Thanks,

Matt



Madscientist wrote:

I think the best place to handle this would be within Declude since 
Declude has all of the information and has control over which tests 
get called.

I have seen some discussions on not executing certain tests based on 
weights that are reached.

Probably the most reasonable tests to modulate in this way would be 
external tests - but Scott's the best one to answer that question.

Hope this helps,
_M
PS: If you are working to mitigate a load problem that may be handled 
shortly. We will be working on a feature to "nail up" a Message 
Sniffer instance so that all other instances will run as clients (thus 
not loading the rulebase). This should significantly reduce system 
loads and may make complex modulation mechanisms unnecessary.

At 01:01 PM 3/5/2004, you wrote:

Pete,

Would it be possible to add the ability to tell Sniffer not to run 
when Declude passes it a weight?  I understand that we tend to weight 
differently, so this would require two switches to pull off, but it 
would help with efficiency.  The command line in a Declude config 
would be something like the following:

   "C:\IMail\Declude\Sniffer\aaabbbccc.exe your-code %WEIGHT% 25"

Declude will replace %WEIGHT% with the weight before calling Sniffer, 
and the next entry, 25, would tell Sniffer to not run if the the 
current weight was equal to 25 or above.  Some people also do some 
whitelisting with external programs like Sniffer, in which case it 
might be a good idea to add a weight under which you would also skip 
processing, i.e.

   "C:\IMail\Declude\Sniffer\aaabbbccc.exe your-code %WEIGHT% 25 -10"

On my system, the addition of the weight variable would cause Sniffer 
to not be run on between 50% and 75% of the E-mail depending on the 
day of the week, so this could be a very big deal.

Thanks,

Matt

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=


This E-Mail came from the Message Sniffer mailing list. For 
information and (un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html




This E-Mail came from the Message Sniffer mailing list. For 
information and (un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html


--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=


This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html

Re: [sniffer] Efficiency request for Declude installations andmaybeothers.

[Matt]

Pete,

Forgive me for pressing this, but I have a short-term need to reduce the 
processor utilization on my server because it also serves Web sites and 
I need to stay away from pegging my processor until I separate the spam 
blocking to a new machine.  This is one of the things that I am looking at.

I'm thinking that unless Scott was willing to work skip functionality 
into Declude in the short-term (and I don't assume his schedule revolves 
around my needs), it might be possible to write a simple handler script 
that calls Sniffer only if the %WEIGHT% variable is in a certain range.  
It seems that the only tricky part for a novice programmer like myself 
would be capturing the result code and passing it back to Declude, but I 
could find someone to help me with that.  If you know of any other 
potential pitfalls please let me know (like message file/data handling), 
and if you could tell me what the full command line arguments were that 
are passed by Declude to Sniffer, and the format of the result code that 
is passed back, that would save me some research time (I'm thinking 
there is a file name in there unless the data is streamed).

Also, if this was done, would it be possible to use such a script in a 
way that would allow Sniffer to run pre-loaded with the rulebase as a 
service on Windows?

I'll share whatever I come up with if going the script route is necessary.

Thanks,

Matt



Matt wrote:

Pete,

That is of course an option.  He did make this variable available for 
such uses, but that's clearly not the only way to skin this cat.  I 
think the trick here is determining which external tests to run 
according to which skip weight setting.  Different external tests 
would have potentially different trigger levels instead of one main 
trigger.  Certainly Declude could provide this, but it would require a 
setting for each individual test call.  I would imagine that he could 
add new columns to the external test call like so:

- Current Format -
SNIFFER-GENERALexternal063
"C:\IMail\Declude\Sniffer\programname.exe mycode"60

- Potential New Format -
SNIFFER-GENERALexternal063
"C:\IMail\Declude\Sniffer\programname.exe mycode"60   25   -10

The first extra column would be the skip-if-equal-to-or-above-weight 
setting and the second extra column would be the 
skip-if-equal-to-or-below-weight
setting.

Scott seems extra busy right now, but he obviously monitors this list 
so I'll leave it here for now.  Declude has of course made huge 
strides in terms of efficiency.  It would be nice if possible for 
Sniffer + Declude to make use of the rulebase loading method mentioned 
earlier as well.

Thanks,

Matt



Madscientist wrote:

I think the best place to handle this would be within Declude since 
Declude has all of the information and has control over which tests 
get called.

I have seen some discussions on not executing certain tests based on 
weights that are reached.

Probably the most reasonable tests to modulate in this way would be 
external tests - but Scott's the best one to answer that question.

Hope this helps,
_M
PS: If you are working to mitigate a load problem that may be handled 
shortly. We will be working on a feature to "nail up" a Message 
Sniffer instance so that all other instances will run as clients 
(thus not loading the rulebase). This should significantly reduce 
system loads and may make complex modulation mechanisms unnecessary.

At 01:01 PM 3/5/2004, you wrote:

Pete,

Would it be possible to add the ability to tell Sniffer not to run 
when Declude passes it a weight?  I understand that we tend to 
weight differently, so this would require two switches to pull off, 
but it would help with efficiency.  The command line in a Declude 
config would be something like the following:

   "C:\IMail\Declude\Sniffer\aaabbbccc.exe your-code %WEIGHT% 25"

Declude will replace %WEIGHT% with the weight before calling 
Sniffer, and the next entry, 25, would tell Sniffer to not run if 
the the current weight was equal to 25 or above.  Some people also 
do some whitelisting with external programs like Sniffer, in which 
case it might be a good idea to add a weight under which you would 
also skip processing, i.e.

   "C:\IMail\Declude\Sniffer\aaabbbccc.exe your-code %WEIGHT% 25 -10"

On my system, the addition of the weight variable would cause 
Sniffer to not be run on between 50% and 75% of the E-mail depending 
on the day of the week, so this could be a very big deal.

Thanks,

Matt

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=


This E-Mail came from the Message Sniffer mailing list. For 
information and (un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/H

Re: [sniffer] Efficiency request for Declude installationsandmaybeothers.

[Matt]

Pete,

Right this second I'm not in a bind, but I've been growing business fast 
and I need to reserve enough processing power to scale up on the same 
box for the next couple of months, and then for a period of time, this 
might remain my backup MX.  I throw a ton of tests at my setup, and 
while I do try to optimize within the boundaries, this is one place that 
has potential.  I'm pretty certain that it will end up not calling 
Sniffer in excess of 50% of the time because the RBL's will have already 
reached a comfortable weight for me to stop processing on, and although 
Sniffer is very lean, this should help with the peaks.

FYI, here are two screen captures of Task Manager showing what is going 
on with Sniffer and without Sniffer from a few moments ago.

   http://www.mailpure.com/with_sniffer.gif
   http://www.mailpure.com/without_sniffer.gif
It's not bad, but during business rush hours I hit 80% to 100% every few 
seconds, and I need to protect my response times for my Web server for 
the time being.  Also keep in mind that legitimate traffic causes the 
biggest hits because of large file attachments, running every filter in 
Declude, and often having in excess of 32 KB of content to scan.  This 
is a dual PIII 1 GHz machine with RAID 5.  Before going hog wild with 
Declude's custom filters and a second virus scanner, it would bounce 
around between 0% and 5%.  Most of the processing used is the result of 
all of my custom filters in Declude.

I'm interested in nailing-up Sniffer as you suggested, but I would 
prefer to be a beta tester as opposed to an alpha tester for obvious 
reasons.  I'll trust your judgment on this, just tell me when.  I think 
I watch my system close enough and have redundancies now that would 
protect me from a hiccup in beta software.  I'm going to give the 
handler script a shot though because it looks simple and should at least 
save some loading times.  No need to rush on my account, I'm just trying 
to stay one step ahead of things.  If this works well enough, I might 
even code up a handler to disable virus checking on extra large files of 
certain types (not very common, but they produce long and large spikes).

Thanks,

Matt



Pete McNeil wrote:

Matt,

I'm sorry you're in such a bind. We all get there from time to time.

First, as far as I know you should be able to call a script from 
declude and pass it parameters. You may need to do this by calling 
cmd.exe - but you need to know that this isn't likely to save you 
processing on balance since the majority of Message Sniffer instances 
are going to load as client instances and will normally use very few 
resources - probably fewer than any scripting engine.

None the less, if you want to try it you can find details on the 
command line parameters for Message Sniffer at this link:

http://www.sortmonster.com/MessageSniffer/Help/TechnicalDetailsHelp.html#CmdLine 

One thing you might consider in the short term is to reduce the 
strength of your Message Sniffer rulebase. This is done by increasing 
the rule strength threshold. A small amount of additional spam will 
get through - but the rulebase will be much smaller and therefore 
faster to load. (The majority of Message Sniffer's resource use is in 
loading the rulebase - not in scanning the messages. Cellular 
peer-server technology helps mitigate this by allowing one instance to 
process messages for many before the rulebase is reloaded.)

If you are looking for an immediate fix then I recommend this 
approach. Let me know off list (support@) if this is what you would 
like to do.

Over the next couple of days (possibly beginning tonight) I will be 
working on a "Persistent" option for Message Sniffer which will allow 
you to "nail up" a server instance. In theory this shouldn't be hard 
to do but the implications can be tricky. If you are willing to work 
with potentially buggy code then I'll be happy to share early betas 
with you.

Hope this helps,
_M
At 03:05 PM 3/8/2004, you wrote:

Pete,

Forgive me for pressing this, but I have a short-term need to reduce 
the processor utilization on my server because it also serves Web 
sites and I need to stay away from pegging my processor until I 
separate the spam blocking to a new machine.  This is one of the 
things that I am looking at.

I'm thinking that unless Scott was willing to work skip functionality 
into Declude in the short-term (and I don't assume his schedule 
revolves around my needs), it might be possible to write a simple 
handler script that calls Sniffer only if the %WEIGHT% variable is in 
a certain range.
It seems that the only tricky part for a novice programmer like 
myself would be capturing the result code and passing it back to 
Declude, but I could find someone to help me with that.  If you know 
of any other potential pitfalls please let me know (like message 
file/data handli

[sniffer] Question about the command line output

[Matt]

Pete,

I just started testing things and I've run Sniffer on a test file
containing two matches in it.  When I run it from the command prompt it
just simply logs the results and returns no value to the window.

So my question is...am I supposed to see the exit code in the command
window?  I found the following in Declude's manual, but I just want to
make sure everything is ok before I proceed.
" After your program is finished, it needs to return an
exit code to Declude
JunkMail (in C/C++, this is done simply with "return code;" at the end
of the
main function; you can (carefully!) use the Windows ExitProcess( )
function
in other languages)."


Thanks,

Matt
-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=

Re: [sniffer] Config When Using Sniffer With Declude...

[Matt]

I'm with Scott on this and I score roughly the same way.  One should
definitely break out the different result codes because the categories
have different levels of reliability.  I personally don't score the
GRAY stuff because I have MAILPOLICE-BULK scored fairly high and an
extra point or two was causing a ton of false positives.  Unfortunately
some sources are more gray than others, but there's no good way to
differentiate that on its own, though some GRAY rules will get hit in
other categories when.

On a hold weight of 10, I use the following:

SNIFFER-GENERAL        external    063   
"C:\IMail\Declude\Sniffer\sniffer2.exe code"    6    0 
SNIFFER-EXPERIMENTAL    external    062   
"C:\IMail\Declude\Sniffer\sniffer2.exe code"    4    0
SNIFFER-OBFUSCATION    external    061   
"C:\IMail\Declude\Sniffer\sniffer2.exe code"    6    0
SNIFFER-GRAY        external    060   
"C:\IMail\Declude\Sniffer\sniffer2.exe code"    0    0
SNIFFER-CASINO        external    059   
"C:\IMail\Declude\Sniffer\sniffer2.exe code"    6    0
SNIFFER-DEBT        external    058   
"C:\IMail\Declude\Sniffer\sniffer2.exe code"    6    0
SNIFFER-GETRICH        external    057   
"C:\IMail\Declude\Sniffer\sniffer2.exe code"    6    0
SNIFFER-INK        external    056   
"C:\IMail\Declude\Sniffer\sniffer2.exe code"    6    0
SNIFFER-MALWARE        external    055   
"C:\IMail\Declude\Sniffer\sniffer2.exe code"    6    0
SNIFFER-PORN        external    054   
"C:\IMail\Declude\Sniffer\sniffer2.exe code"    6    0
SNIFFER-PHISHING    external    053   
"C:\IMail\Declude\Sniffer\sniffer2.exe code"    6    0
SNIFFER-PHARMACY    external    052   
"C:\IMail\Declude\Sniffer\sniffer2.exe code"    6    0
SNIFFER-SPAMWARE    external    051   
"C:\IMail\Declude\Sniffer\sniffer2.exe code"    6    0
SNIFFER-MEDIA        external    050   
"C:\IMail\Declude\Sniffer\sniffer2.exe code"    6    0
SNIFFER-AVSOFT        external    049   
"C:\IMail\Declude\Sniffer\sniffer2.exe code"    6    0
SNIFFER-INSURANCE    external    048   
"C:\IMail\Declude\Sniffer\sniffer2.exe code"    6    0
SNIFFER-TRAVEL        external    047   
"C:\IMail\Declude\Sniffer\sniffer2.exe code"    6    0

Matt


Scott Fisher wrote:

  Here are my sniffer settings. I consider SPAM to be weight 20. So it generally takes sniffer and one or two other failure to become SPAM.

The return code 60 of "greymail", I've lowered the weight on to lower false positives.

SNIFFER-NOTFOUND external 000 "D:\IMail\Declude\Sniffer\sniffer2.exe code" 0 0
SNIFFER-TRAVEL  external 047 "D:\IMail\Declude\Sniffer\sniffer2.exe code" 8 0
SNIFFER-INSURANCE external 048 "D:\IMail\Declude\Sniffer\sniffer2.exe code" 11 0
SNIFFER-AV-PUSH  external 049 "D:\IMail\Declude\Sniffer\sniffer2.exe code" 12 0
SNIFFER-WAREZ  external 050 "D:\IMail\Declude\Sniffer\sniffer2.exe code" 10 0
SNIFFER-SPAMWARE external 051 "D:\IMail\Declude\Sniffer\sniffer2.exe code" 10 0
SNIFFER-SNAKEOIL external 052 "D:\IMail\Declude\Sniffer\sniffer2.exe code" 13 0
SNIFFER-SCAMS  external 053 "D:\IMail\Declude\Sniffer\sniffer2.exe code" 10 0
SNIFFER-PORN  external 054 "D:\IMail\Declude\Sniffer\sniffer2.exe code" 13 0
SNIFFER-MALWARE  external 055 "D:\IMail\Declude\Sniffer\sniffer2.exe code" 12 0
SNIFFER-ADVERTISING external 056 "D:\IMail\Declude\Sniffer\sniffer2.exe code" 10 0
SNIFFER-SCHEMES  external 057 "D:\IMail\Declude\Sniffer\sniffer2.exe code" 13 0
SNIFFER-CREDIT  external 058 "D:\IMail\Declude\Sniffer\sniffer2.exe code" 13 0
SNIFFER-GAMBLING external 059 "D:\IMail\Declude\Sniffer\sniffer2.exe code" 10 0
SNIFFER-GREYMAIL external 060 "D:\IMail\Declude\Sniffer\sniffer2.exe code" 2 0
SNIFFER-OBFUSCATION external 061 "D:\IMail\Declude\Sniffer\sniffer2.exe code" 13 0
SNIFFER-SPAM  external 062 "D:\IMail\Declude\Sniffer\sniffer2.exe code" 12 0
SNIFFER-GENERAL  external 063 "D:\IMail\Declude\Sniffer\sniffer2.exe code" 13 0

Scott Fisher
Director of IT
Farm Progress Companies

  
  

  
[EMAIL PROTECTED] 03/09/04 03:37PM >>>

  

  
  Hello All,

I am running Sniffer with Declude and was wanting to get some ideas on how
everyone has Declude setup.  Currently I just have the basic setup as
follows.

SNIFFER external nonzero "d:\imail\declude\sniffer2_2\winx\snifferprog.exe
sniffer auth" 10 0

I hold anything with a weight of 10m therefore anything failing sniffer gets
held and reviewed.  I was thinking that sniffer had a way to check and see
why it failed, but I have not found much on that.  I guess I am just not
looking in the right place...  Anyone give me some hints?

Thanks!

Sincerely,
Gr

Re: [sniffer] Question about the command line output

[Matt]

Pete,

It does help.  I've been researching things and came up with the
following VB samples:

    http://www.mentalis.org/apilist/ExitProcess.shtml

My programming buddy is looking at these and figuring out a way to
capture the result codes from a unique process.  Returning them to
Declude once they are captured should be easy.  He's going to pick back
up on this tomorrow.

If anyone has some sample code that would work to capture the result
codes returned by a unique process when called with wscript.run, please
don't be bashful :)

Thanks,

Matt



Pete McNeil wrote:
The
value that is returned is an integer "result code" so you
won't see it directly. In a batch/cmd file you would detect this result
code as an ERRORLEVEL but no text is produced unless there is an error
that Message Sniffer expects you to see - such as a bad command line
configuration.
  
If your log file looks correct then things should be working
fine.
  
Hope this helps,
_M
  
At 04:29 PM 3/9/2004, you wrote:
  Pete,

I just started testing things and I've run Sniffer on a test file
containing two matches in it.  When I run it from the command prompt
it just simply logs the results and returns no value to the
window.

So my question is...am I supposed to see the exit code in the command
window?  I found the following in Declude's manual, but I just want
to make sure everything is ok before I proceed.

  " After your program is finished, it needs to return an exit
code to Declude JunkMail (in C/C++, this is done simply with "return
code;" at the end of the main function; you can (carefully!) use the
Windows ExitProcess( ) function in other languages)."

  


Thanks,

Matt

-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
  


-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=

Re: [sniffer] Resident Sniffer?

[Matt]

This all sounds like great stuff.  I'm looking forward to the so-called 
"solid" beta :)

Matt



Pete McNeil wrote:

We are still in the process of moving our offices so development 
efforts have been paused based on a recent comment that this issue was 
not urgent.

However, primary engineering decisions have been completed for this 
update and it is the next project in line.

Barring unforeseen events I will begin coding this today. In theory it 
should not take long to complete the work since "hooks" for this 
mechanism were stubbed into the peer-server code when it was designed.

We will implement the change by allowing the filename to be overloaded 
as a switch/code. We will also use this mechanism for other options in 
the future.

The command line will look something like this:

snfrv2r2.exe authenticationxx persistent

-- normally the file to be scanned would go where the word 
"persistent" is. When the file to be scanned is "persistent" then the 
instance goes in to a persistent server mode.

-- A later option will be "stdio" which will place the program in a 
mode to accept the message on stdin and produce a modified version on 
stdout - thus allowing it to be piped in front of spamc and other 
similar programs.

-- A later option will be "communigate" which will place the program 
in a mode to act as an external filter using communigate pro's filter 
protocols.

The details of these options will probably change slightly from the 
above description and each will be handled in it's own 2-x release 
process. Additional filtering mechanisms will also be implemented 
during these releases such as "blinder" rules, fuzzy rules, network 
learning, etc...

I will be sure to keep the list up to date on this work and as soon as 
I have a solid beta I will ask for beta testers. Once we have 
completely finished our move we will be able to move forward more 
quickly with development efforts.

Thanks!
_M
PS: MicroNeil's new contact info is up to date on the MicroNeil web site.

At 08:57 AM 3/16/2004, you wrote:

Pete,

Could you inform us on the progress on the issue below?

Groet, (regards)
--
ing. Michiel Prins bsc   [EMAIL PROTECTED]
SOS Small Office Solutions / Reject / 
Wannepad 27   -   1066 HW   -Amsterdam
t.+31(0)20-4082627  -  f.+31-(0)20-4082628
--
Consultancy -  Installation -  Maintenance
Network Security   -  Internet  -   E-mail
Software Development -  Project Management
--
-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]
On Behalf Of Pete McNeil
Sent: woensdag 3 maart 2004 13:14
To: [EMAIL PROTECTED]
Subject: Re: [sniffer] Resident Sniffer?

At 03:54 AM 3/3/2004, you wrote:
>Hi,
>
>Would it be possible to have a 'bogus' sniffer in memory at all time,
>that provides other sniffer instances with the rulebase etc, the way it
>is working now if you have concurrent sniffer sessions?
>
>It would be great to have one instance of sniffer 'out there' (not
>scanning
>messages) which is just waiting for others to share the DB with. This
>speeds up message sniffing ror Mdaemon considerably, because MD can
>only have 1 instance of the content filter at all times (and therefore
>1 instance of Sniffer).
That's very interesting... I didn't know that MDaemon was limited in 
this
way.

We are planning to make an update that will allow a sniffer instance 
to run
in a script with long wait times so that it can be set up to do this.

We are also planning to help integrate sniffer with MDaemon directly 
- I've
been told we will begin working on that this month.

Hope this helps,
_M
This E-Mail came from the Message Sniffer mailing list. For 
information and
(un)subscription instructions go to
http://www.sortmonster.com/MessageSniffer/Help/Help.html

---
This message has been scanned for spam and viruses by www.reject.nl


This E-Mail came from the Message Sniffer mailing list. For 
information and (un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html


This E-Mail came from the Message Sniffer mailing list. For 
information and (un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html


--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=


This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html

Re: [sniffer] RunExeSvc for Persistent sniffer.

[Matt]

I'm going to give this one a try right now since I have the Resource Kit 
installed already.  Just one question...do I need to change the 
arguments in my Declude config, or will the service definition take care 
of the 'persistence'?

Thanks,

Matt



Bill Boebel wrote:

We've been using svrany for years with several custom applications and it
works great.  This utility has been around since the NT4 Resource Kit...
 http://www.pyeung.com/pages/win2k/userdefinedservice.html

Bill

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Pete McNeil
Sent: Friday, March 19, 2004 12:25 AM
To: [EMAIL PROTECTED]
Subject: [sniffer] RunExeSvc for Persistent sniffer.
Hello folks,

We've been continuing to test the new persistence enabled sniffer engine
and some utilities that will allow it to run as a service.
We found a free utility that seems to be very solid, and very simple.

http://www.judoscript.com/goodies/RunExeSvc/runexesvc.html

One of the scripts we used is:

debug=false
cmdline=c:\Projects\sniffer2-3\TestBed\snfrv2r2.exe xnk05x5vmipeaof7
persistent
home=c:\Projects\sniffer2-3\TestBed
(Note: The mismatch between the sniffer2-3 directory and the snfrv2r2.exe
is not a type-o. We re-branded the 2-3 to use the snfrv2r2 license in our
example - it was easier that than creating a new license. Note also that
the cmdline parameter includes the full path to the executable - you will
need to do this also. We could not get the service to start on our NT test
bed without including the full path to the .exe)
We've tested this on our XP based Toshiba laptop, and on our NT4 based
IMail test bed. Both seem to setup and work fine. Auto-start works fine, so
does logging out and logging in.
Once you've set up a persistent sniffer instance as a service, go into your
services control panel (usually via administrative tools), set the service
to start automatically, and start it.
A window will appear for the program - do not close the window! Minimize it.

When you log out sniffer will continue to run in the background. When you
log in the window will be visible again - it's harmless. If you close it
though you will have ended the sniffer.exe out from under the service. This
won't cause you any trouble, but you won't get the benefit of the
persistent server until you stop and start the service again to relaunch
the program.
Using RunExeSvc, the actual service is the RunExeSvc program. That program
launches sniffer as a client and stands in as a service stub for your OS.
You can use this to run all sorts of things... The developer uses it to run
Java based web servers, for example.
Eventually we will build a win32 service version of Message Sniffer, but
for now this is the fastest way we can bring you the features you need.
Please give this a try and let us know how it works for you.

If you find a different utility that you like better then please let us
know.
Thanks!
_M
This E-Mail came from the Message Sniffer mailing list. For information and
(un)subscription instructions go to
http://www.sortmonster.com/MessageSniffer/Help/Help.html
This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html

 

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=


This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html

Re: [sniffer] RunExeSvc for Persistent sniffer.

[Matt]

Ok, I think I did it.  Only took a minute (thanks Bill).  Here are some
more precise directions, but consider them to be "beta" directions
(please correct them if you find a problem):

1)    Install the Windows 2000 Resource Kit, or download
and install the INSTSRV.exe and SRVANY.exe files in a permanent
location, preferably within your path.  The individual files can be
found at the following location:
            http://www.pyeung.com/pages/win2k/userdefinedservice.html
  
2)    Open a command prompt (Click on the Start Button, Select Run, and
type CMD)
  
3)    Enter the following command (customize for the paths of the
executables)
            C:\Progra~1\Resour~1\INSTSRV Sniffer
C:\Progra~1\Resour~1\SRVANY.exe
  
4) Open up the Registry Editor (Click on the Start Button, select Run,
and type REGEDIT)
  
5) Locate the following key:
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sniffer
  
6) From the Edit menu, select New, select Key, and name the new key
Parameters
  
7) Highlight the Parameters key
  
8) From the Edit menu, select New, select String Value, and name the
new value Application
  
9) From the Edit menu, select Modify, and type in the full path name
and application name, including the drive letter and file extension
(don't use quotes, customize path, executable name and authentication
code)
  Example: C:\IMail\Declude\Sniffer\[yourlicx].exe
[authenticationxx] persistent
  
       [yourlicx] = your license ID
       [authenticationxx] = your authentication string
  
10) Open the Services MMC
  
11) Start the Sniffer service
  
12) Set the Sniffer service to Automatic


Matt



Matt wrote:
I'm
going to give this one a try right now since I have the Resource Kit
installed already.  Just one question...do I need to change the
arguments in my Declude config, or will the service definition take
care of the 'persistence'?
  
  
Thanks,
  
  
Matt
  
  
  
  
Bill Boebel wrote:
  
  
  We've been using svrany for years with
several custom applications and it

works great.  This utility has been around since the NT4 Resource
Kit...


 http://www.pyeung.com/pages/win2k/userdefinedservice.html


Bill



-Original Message-

From: [EMAIL PROTECTED]

[mailto:[EMAIL PROTECTED]]On Behalf Of Pete McNeil

Sent: Friday, March 19, 2004 12:25 AM

To: [EMAIL PROTECTED]

Subject: [sniffer] RunExeSvc for Persistent sniffer.



Hello folks,


We've been continuing to test the new persistence enabled sniffer
engine

and some utilities that will allow it to run as a service.


We found a free utility that seems to be very solid, and very simple.


http://www.judoscript.com/goodies/RunExeSvc/runexesvc.html


One of the scripts we used is:


debug=false

cmdline=c:\Projects\sniffer2-3\TestBed\snfrv2r2.exe xnk05x5vmipeaof7

persistent

home=c:\Projects\sniffer2-3\TestBed


(Note: The mismatch between the sniffer2-3 directory and the
snfrv2r2.exe

is not a type-o. We re-branded the 2-3 to use the snfrv2r2 license in
our

example - it was easier that than creating a new license. Note also
that

the cmdline parameter includes the full path to the executable - you
will

need to do this also. We could not get the service to start on our NT
test

bed without including the full path to the .exe)


We've tested this on our XP based Toshiba laptop, and on our NT4 based

IMail test bed. Both seem to setup and work fine. Auto-start works
fine, so

does logging out and logging in.


Once you've set up a persistent sniffer instance as a service, go into
your

services control panel (usually via administrative tools), set the
service

to start automatically, and start it.


A window will appear for the program - do not close the window!
Minimize it.


When you log out sniffer will continue to run in the background. When
you

log in the window will be visible again - it's harmless. If you close
it

though you will have ended the sniffer.exe out from under the service.
This

won't cause you any trouble, but you won't get the benefit of the

persistent server until you stop and start the service again to
relaunch

the program.


Using RunExeSvc, the actual service is the RunExeSvc program. That
program

launches sniffer as a client and stands in as a service stub for your
OS.

You can use this to run all sorts of things... The developer uses it to
run

Java based web servers, for example.


Eventually we will build a win32 service version of Message Sniffer,
but

for now this is the fastest way we can bring you the features you need.


Please give this a try and let us know how it works for you.


If you find a different utility that you like better then please let us

kno

Re: [sniffer] RunExeSvc for Persistent sniffer.

[Matt]

Pete,

Although inconclusive, some screen caps of Task Manager seems to show a 
dramatic reduction in many of the peaks with the service turned on.  
It's hard to tell the exact impact due to the virus scanners not always 
being called, and SKIPIFWEIGHT settings disabling a mountain of custom 
Declude filters which both are processor hogs, but the smaller peaks.  I 
believe the following before and after screen caps are representative of 
the impact (I looked for similar E-mail hit frequencies):

   Before
   http://www.mailpure.com/no_service.gif
   After (with service)
   http://www.mailpure.com/service.gif
The real test will have to wait for rush hour though.

Thanks,

Matt



Pete McNeil wrote:

The service definition takes care of the persistence. Your Declude 
config should not be changed.

_M

At 01:05 AM 3/19/2004, you wrote:

I'm going to give this one a try right now since I have the Resource 
Kit installed already.  Just one question...do I need to change the 
arguments in my Declude config, or will the service definition take 
care of the 'persistence'?

Thanks,

Matt



Bill Boebel wrote:

We've been using svrany for years with several custom applications 
and it
works great.  This utility has been around since the NT4 Resource 
Kit...

 http://www.pyeung.com/pages/win2k/userdefinedservice.html

Bill

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Pete McNeil
Sent: Friday, March 19, 2004 12:25 AM
To: [EMAIL PROTECTED]
Subject: [sniffer] RunExeSvc for Persistent sniffer.
Hello folks,

We've been continuing to test the new persistence enabled sniffer 
engine
and some utilities that will allow it to run as a service.

We found a free utility that seems to be very solid, and very simple.

http://www.judoscript.com/goodies/RunExeSvc/runexesvc.html

One of the scripts we used is:

debug=false
cmdline=c:\Projects\sniffer2-3\TestBed\snfrv2r2.exe xnk05x5vmipeaof7
persistent
home=c:\Projects\sniffer2-3\TestBed
(Note: The mismatch between the sniffer2-3 directory and the 
snfrv2r2.exe
is not a type-o. We re-branded the 2-3 to use the snfrv2r2 license 
in our
example - it was easier that than creating a new license. Note also 
that
the cmdline parameter includes the full path to the executable - you 
will
need to do this also. We could not get the service to start on our 
NT test
bed without including the full path to the .exe)

We've tested this on our XP based Toshiba laptop, and on our NT4 based
IMail test bed. Both seem to setup and work fine. Auto-start works 
fine, so
does logging out and logging in.

Once you've set up a persistent sniffer instance as a service, go 
into your
services control panel (usually via administrative tools), set the 
service
to start automatically, and start it.

A window will appear for the program - do not close the window! 
Minimize it.

When you log out sniffer will continue to run in the background. 
When you
log in the window will be visible again - it's harmless. If you 
close it
though you will have ended the sniffer.exe out from under the 
service. This
won't cause you any trouble, but you won't get the benefit of the
persistent server until you stop and start the service again to 
relaunch
the program.

Using RunExeSvc, the actual service is the RunExeSvc program. That 
program
launches sniffer as a client and stands in as a service stub for 
your OS.
You can use this to run all sorts of things... The developer uses it 
to run
Java based web servers, for example.

Eventually we will build a win32 service version of Message Sniffer, 
but
for now this is the fastest way we can bring you the features you need.

Please give this a try and let us know how it works for you.

If you find a different utility that you like better then please let us
know.
Thanks!
_M
This E-Mail came from the Message Sniffer mailing list. For 
information and
(un)subscription instructions go to
http://www.sortmonster.com/MessageSniffer/Help/Help.html

This E-Mail came from the Message Sniffer mailing list. For 
information and (un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html



--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=


This E-Mail came from the Message Sniffer mailing list. For 
information and (un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html


This E-Mail came from the Message Sniffer mailing list. For 
information and (un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html


--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=


This E-Mail came from the Message Sni

Re: [sniffer] Help

[Matt]

Have you tried a reboot?  Checked your error logs?  Made sure that DNS
and all of your E-mail services are running?

Is there even a chance that you will be able to receive this message?

Matt



Richard Farris wrote:

  I just did an Windows NT update and now I cant get any email...when I turn
sniffer off I at least can send mail to myself but still cant get from
outside..any ideas.,

Richard Farris
Ethixs Online
1.270.247. Office
1.800.548.3877 Tech Support

- Original Message - 
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, March 24, 2004 2:01 PM
Subject: Re: [sniffer] Possible Bad Rule?


  
  
We had a badly coded rule that matched yahoo.
The rule has been removed.
About 30 rulebases went out before it was caught.
These are being recompiled with the correction right now.
I will see if I can push yours to the top.

_M

At 02:02 PM 3/24/2004, you wrote:


  I am getting a lot of complaints today from Yahoo users...

Sheldon


- Original Message -
From: "Darrell LaRock" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: "'SnifferSupport'" <[EMAIL PROTECTED]>
Sent: Wednesday, March 24, 2004 10:33 AM
Subject: [sniffer] Possible Bad Rule?


  
  
Pete,



I am seeing a ton of false positives for RULE 100543.  I sent a few in

  

  
  to
  
  

  
you to check out ([EMAIL PROTECTED]).  I wanted to post this here as well

  

  
  since it
  
  

  
seems to take approx. 24 hours to process false positives.



Darrell











  
  
This E-Mail came from the Message Sniffer mailing list. For information
and (un)subscription instructions go to
http://www.sortmonster.com/MessageSniffer/Help/Help.html
  


This E-Mail came from the Message Sniffer mailing list. For information

  
  and (un)subscription instructions go to
http://www.sortmonster.com/MessageSniffer/Help/Help.html
  
  


  
  

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html


  


-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=

Re: [sniffer] Error_Bad_Matrix

[Matt]

Pete,

FYI, I was trying to set up log uploads yesterday night and it took me a 
while to figure out that the FTP connection was unreliable from my 
server.  Packets were being dropped/munged somewhere.  I also noted a 
much lower hit rate on SNIFFER-PHARMACY yesterday, but no indication of 
matrix problems in the logs today (yesterday's were deleted).

Every once in a while my colocator's border router goes on the fritz and 
starts dropping packets.  A reboot usually fixes that issue.

If your router checks out fine, you might want to take a look at the 
routes going from your server to the customers that have indicated a 
problem and those that have indicated that there is none, that might 
identify something not so obvious if you run out of ideas.

I know how these things go and the worst part is not knowing the source 
while others expect an quick fix.  No big deal on my end in the mean 
time though.

Matt



Pete McNeil wrote:

snf2check.exe will catch a partial download but it will not catch 
corruption in the middle of the file.

_M

At 03:57 PM 3/25/2004, you wrote:

I run snf2check.exe against every .snf file downloaded.  I just 
checked it
again manually, and no errors were reported.  I now have almost 3500
Error_Bad_Matrix entries in today's log.

Bill

-Original Message-
From: Vivek Khera [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 25, 2004 12:52 PM
To: [EMAIL PROTECTED]
Subject: Re: [sniffer] Error_Bad_Matrix


On Mar 25, 2004, at 3:39 PM, Paul Lushinsky wrote:

> I decided to look in my log files for the past several days because of
> number of Error_Bad_Matrix related messages. I can't find this message
> in any of my log files until today starting with the update I auto
> downloaded at 8:15 this morning, and went until the update at noon.
> While I was look at the log file, another update notice came, so an
> update was done and the Error_Bad_Matrix message is back.
>
I'm curious if the people who are seeing these messages are running
snf2check.exe before making the rule files live.  I do so, and have not
seen a single instance of this error.
Can you run snf2check.exe on the current bad matrix you have and see if
it reports an error?
This E-Mail came from the Message Sniffer mailing list. For 
information and
(un)subscription instructions go to
http://www.sortmonster.com/MessageSniffer/Help/Help.html

--- 

This message and any included attachments are from Siemens Medical 
Solutions
USA, Inc. and are intended only for the addressee(s).
The information contained herein may include trade secrets or 
privileged or
otherwise confidential information.  Unauthorized review, forwarding, 
printing,
copying, distributing, or using such information is strictly 
prohibited and may
be unlawful.  If you received this message in error, or have reason 
to believe
you are not authorized to receive it, please promptly delete this 
message and
notify the sender by e-mail with a copy to 
[EMAIL PROTECTED]

Thank you

This E-Mail came from the Message Sniffer mailing list. For 
information and (un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html


This E-Mail came from the Message Sniffer mailing list. For 
information and (un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html


--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=


This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html

Re: [sniffer] Spam storm?

[Matt]

How about a byte length compare or checksum of some sort?

Matt



Pete McNeil wrote:

At 06:25 PM 3/25/2004, you wrote:

We also saw many BAD_MATRIX errors last night.

If the problem was 'wget', shouldn't the snf2check
utility detect a corrupt file? Also, we did a manual
update yesterday afternoon and there were no 'wget'
error messages. The problem got corrected sometime
between last night and this morning.


Perhaps though some have had trouble throughout the day.

At the very least the verification on snf2check should
be improved to catch this issue. Updating with a bad
ruleset creates many problems.


Agreed. I'm looking for some simple ways to do that without changing 
the rulebase file format. There aren't any simple mechanisms that come 
to mind. Perhaps there will be no choice but to change the format in 
order to prevent this possibility.

_M


-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]
On Behalf Of Pete McNeil
Sent: Thursday, March 25, 2004 7:06 PM
To: [EMAIL PROTECTED]
Subject: Re: [sniffer] Spam storm?

This helps narrow things down. Specifically we know that the rulebase 
files
are not corrupted on the server but during the download. That 
explains why
I haven't been able to recreate a problem in the lab.

I have a suspicion that wget may be failing intermittently.
Another customer recently had unexplainable, intermittent issues with 
wget.
They replaced wget with code of their own and have had no further 
problems.

Can we narrow this down to wget under heavy traffic conditions perhaps?

_M

This E-Mail came from the Message Sniffer mailing list. For 
information and (un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html


This E-Mail came from the Message Sniffer mailing list. For 
information and (un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html


--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=


This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html

Re: [sniffer] Spam storm?

[Matt]

FYI, I'm on Sprint also and saw issues.

Matt



Pete McNeil wrote:

At 09:31 AM 3/26/2004, you wrote:

On Mar 26, 2004, at 7:42 AM, Russ Uhte (Lists) wrote:

downloads are coming from.  However, I too have noticed really slow 
download speeds.  I use wget, and I've never had a single problem, 
other than occasionally it is extremely slow sometimes.  Once it 
does actually download, it's always a "clean" download.  I haven't 
seen a single instance of the error_bad_matrix.


I haven't been monitoring my d/l speeds, but the last few weeks or so 
I get about 3 to 4 check failures from snf2check.  My pipe is a quite 
underutilized 100Mbit at a uunet co-lo (Pete, right near ya in 
Ashburn -- you should think about co-lo there :-) )

I don't recall getting those errors before the big network switch at 
microneil earlier this year.

I've not seen a single bad matrix.  But then I'm not on windows... so 
perhaps it is related to windows.


It's starting to come together now.

Wget on windows + errors on the Sprint line since the move = corrupted 
downloads for folks who end up routing through sprint along the way?

Could be.

_M

PS: When we do move again we'll be moving into the local Equinix 
facility... Sounds like it might be the same place. Right now our 
hands are tied a bit so we can't move yet.



This E-Mail came from the Message Sniffer mailing list. For 
information and (un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html


--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=


This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html

Re: [sniffer] Final beta (b2) for snfrv2r3

[Matt]

Pete,

I haven't been following this thread closely but latest generation SCSI
drives can be below 4 ms seek times as rated by their manufacturers.

FYI, I haven't seen any issues with the persistent Sniffer beta run as
a resource kit service besides some expected brief delays according to
the way that processes when traffic is less heavy.

Matt



Pete McNeil wrote:
I must
be getting punchy... but this just occurred to me... Anybody else
remember when a high performance hard drive had a seek time just under
30ms ??
  
_M
  
At 06:01 PM 4/7/2004, you wrote:
  If
thats all that happens during the first setup timer than you do have
some
performance issue on a production machine.
My production mail server is not too beefy and does somewhere around
120k+ a day.
Heres a snipplet from my logs (with persistent sniffer) for
comparison
 
fde2jqoe   
20040407041105  D7f587132019a8525.SMD  
0   31 
Final
fde2jqoe    20040407041105 
D7f577130019a80fe.SMD   0  
15  Final
fde2jqoe    20040407041106 
D7f5973740202893b.SMD   0  
16  Clean
fde2jqoe    20040407041109 
D7f58737302028553.SMD   0  
16  Final
fde2jqoe    20040407041109 
D7f53712e019a73bf.SMD   0  
15  Final
fde2jqoe    20040407041120 
D7f6490fe0072b647.SMD   0  
0   Final
fde2jqoe    20040407041120 
D7f6590ff0072b721.SMD   15 
0   Final
fde2jqoe    20040407041120 
D7f659172b84a.SMD   0  
32  Final
fde2jqoe    20040407041120 
D7f6591010072ba3e.SMD   0  
15  Final
fde2jqoe    20040407041120 
D7f6691020072bbe4.SMD   0  
31  Final
fde2jqoe    20040407041121 
D7f6691030072bdc9.SMD   0  
16  Final
fde2jqoe    20040407041123 
D7f6991050072c932.SMD   0  
16  Clean
fde2jqoe    20040407041123 
D7f6a91060072cbf2.SMD   0  
15  Final
fde2jqoe    20040407041123 
D7f6a73760202cc6f.SMD   0  
16  Final
 


From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
On Behalf Of Pete McNeil
Sent: Wednesday, April 07, 2004 4:36 PM
To: [EMAIL PROTECTED]
Subject: RE: [sniffer] Final beta (b2) for snfrv2r3

At 04:06 PM 4/7/2004, you wrote:
So,
making sure I'm following your analysis: I'm looking at my log file and
I'm seeing lines similar to
   
  snf2beta 20040407020014
D60a4134.SMD
181 30 Match 101576 58 20 38 68
And that 181 figure seems to hold pretty stable. 181 is substantially
lower than the values I was seeing prior to the current beta [and I
have
a production machine similar in content and power to your test
machine],
but I'm seeing that you achieve numbers 2-6 times faster than I am.
  

Yes... that seems about right. When a persistent server is running the
rulebase is almost never reloaded. Only two significant things happen
during the setup time as measured by Sniffer: 1) Loading the rulebase,
2)
locating a job to process (directory scan + locking).

The drop seems to indicate that the rulebase reload has stopped as it
should. That only leaves the directory scan and a couple of
rename/create
operations.

_M


-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=

[sniffer] Possible blip?

[Matt]

Pete,
I noted late last night that my rulebase grew by 700 KB over the size of 
the previous one that was archived on my machine, and also the hits for 
some of the tests were noticeably lower and I had a definite increase in 
the number of messages that scored in my Hold range (instead of scoring 
higher and landing in Drop).  This morning though the size of my 
rulebase again dropped by about 450 KB.

I was just wondering if this might have been a hiccup with a bad 
compilation or maybe you were testing something out?

Thanks,
Matt
--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html

Re: [sniffer] Possible blip?

[Matt]

Pete,
I was judging based on the size of our Hold range which scores from 
10-24.  On Monday that was 1.86% of total traffic, but on Tuesday that 
was 2.83%.  Message volume was hardly different.  Other notables were 
that on Monday, Sniffer hit 77.27% of all E-mail but on Tuesday it hit 
74.53% (both exclude Gray hits).  Our overall spam percentage is about 
82% on Monday and 81% on Tuesday.  I did also see a drop in XBL hits 
which are primarily zombies from 38.14% to 34.93%.  I've always found 
static spammers to be much more problematic because they lack many 
spammy patterns, and it could be that there was a wave of them that came 
online yesterday which could account for the difference.

I don't want to make a huge deal out of this, but I noted the drop in 
size from one rulebase to another and thought that might be significant, 
and I like to be aware of what is going on.  In reality though the 
difference in percentages in our Hold file meant manually reviewing 50% 
more E-mails, or about 500 extra messages.  With everything else 
consistent, I figured it was worth a post just to check.

I do recall an old posting where you indicated that you were going to 
drop the expiration down to 5 days under a certain number of hits.  My 
thought there is that while it does present some savings in processing, 
it might make more sense to do a 7-8 day expiration in order to help 
catch spammers that are on weekly schedules, primarily lower volume 
niche spammers.  Unfortunately I can't compare my current results 
accurately to the pre-change data because the makeup of my traffic has 
changed significantly over that time frame.

Another possibility is that our Chinese language spam might have been 
extra heavy.  I've brought in much more of that recently from a couple 
different clients and it regularly scores low, probably because it's 
difficult to determine if most of it is spam.  I do know that Sniffer 
doesn't do nearly as well with this stuff.  I've noticed that these guys 
are spamming mostly during Chinese business hours, and they might have 
been extra light on Monday due to the lag in hours coming from a 
weekend.  If you are interested in getting these caught messages 
forwarded to you in an automated fashion for study or for potential 
inclusion, just let me know.  I also have a filter set up for Russian 
language E-mail, but it is not nearly as high in volume (now).

Regarding when I saw the changes in the rule base, I was pulling an 
all-nighter for server administration and noticed this around 5 a.m. 
when I ran the stats program on my Declude logs.  The renamed 'old' 
rulebase was just over 4 MB while the active one was 4.7 MB, then at 
about noon I noticed it was about 4.3 MB, and now it's back up over 4.7 
MB (1,000 KB = 1 MB in these stats if that matters).

I haven't yet upgraded to the most recent release, I'm still on the 
prior beta.  I'll probably do that this evening.  I tend to wait on 
upgrades until there has been enough time for bugs to surface unless I 
am already looking for a fix.  I'm sure that the extra verification of 
the rulebase will help prevent the potential of problems, and I guess 
this has the possibility of being caused by a bit of corrupted data, 
though that's probably reaching.

Again, regardless if there was a blip, Sniffer still does a wonderful 
job of tagging lots and lots of E-mail, just not quite as much as the 
day before.

Thanks,
Matt

Pete McNeil wrote:
At 12:57 PM 5/19/2004, you wrote:
Pete,
I noted late last night that my rulebase grew by 700 KB over the size 
of the previous one that was archived on my machine, and also the 
hits for some of the tests were noticeably lower and I had a definite 
increase in the number of messages that scored in my Hold range 
(instead of scoring higher and landing in Drop).  This morning though 
the size of my rulebase again dropped by about 450 KB.

I was just wondering if this might have been a hiccup with a bad 
compilation or maybe you were testing something out?

We didn't have anything under test that would alter the rulebases. I'm 
going to dig through the logs and see if there's anything I can identify.

If the rulebase was corrupted in any way you would have been able to 
detect that with the latest snf2check utility.

It's not unusual for ruelbase sizes to change by as much as 20%. The 
system is constantly activating and deactivating rules based on new 
log files that are reported. Currently a significant change might 
occur once per day - though we are working on new analysis engines 
that will permit more frequent rule strength adjustments.

For example, we might add 300-900 rules over the course of a day - 
then have that many (or more) removed when the new rule strength 
numbers are calculated.

Another factor that impacts rulebase size is the content of the rules. 
The folding process is not deterministi

Re: [sniffer] Possible blip?

[Matt]

Pete,

Our Hold range has returned to more normal territory on Thursday. 
Here's the stats from the week as a whole on what has been very
consistent traffic.  Out of all E-mail processed, both good and bad,
the %Hold represents what scored between 10-24 points on our system and
needed review, the %Sniffer represents all Sniffer hits except for
Gray, the %Spam is what we scanned and didn't deliver (generally about
99.8% of spam is caught at a score of 10 which this is based on), and
the Sniffer/Spam is the percentage of Sniffer hits as a portion of
messages scoring 10 or more.

    Day      %Hold    %Sniffer    %Spam    Sniffer/Spam
    Mon:     1.86%     77.27% 80.37% 96.14%
    Tue:     2.83%     74.53% 79.37% 93.39%
    Wed:     2.13% 77.60% 79.66% 97.41%
    Thur:    1.95%     76.50% 80.66% 94.84%

The only change that we made to our system was to add two smaller
domains later in the week, and we introduced filters for Cyrillic and
Chinese languages on Wednesday morning which have cut our hold file
down by 0.38 percentage points on Thursday, which explains how our
%Hold is lower on than on Wednesday with a lower Sniffer hit rate on
spam.

I did note two high volume untagged static spammers on Tuesday that we
blacklisted locally, and that combined with the increase in Sniffer
change rates (spam storm) might account for the changes that I saw.  I
am wondering though about the recommendations that you have made for
possibly fine tuning our rule base.  Again though, please keep in mind
that I still feel that performance is overall very, very good.

One of my thoughts regarding minimum rule strengths and grace periods
is that all groups aren't necessarily the same.  For instance Nigerian
scams are low volume and sporadic, and my system performs the worst on
these things.  Maybe lower rule strengths and longer grace periods
makes much more sense for the Phishing category than it does for many
other categories for instance.  Is that possible?

I also looked up the rule strengths on your site and found that about
50%, or maybe more, have a strength below 1, and maybe lowering that is
worth testing out so long as I don't massively increase the number of
records.  I do think though that I would like to test out extending the
grace period.  Most of my false positives are not on things that this
would affect, and that might give niche sources a little extra coverage
if I understand things correctly.

I'll follow your directions and contact you directly regarding any
affirmative changes, but I thought it might be beneficial to keep this
discussion public since some other stats hounds might find this
information to be of use :)

If you can glean anything from the numbers that I gave you, please add
your thoughts.

Thanks,

Matt





Pete McNeil wrote:
At
05:00 PM 5/19/2004, you wrote:
  

  
  I haven't yet upgraded
to the
most recent release, I'm still on the prior beta.  I'll probably do
that this evening.  I tend to wait on upgrades until there has been
enough time for bugs to surface unless I am already looking for a
fix.  I'm sure that the extra verification of the rulebase will help
prevent the potential of problems, and I guess this has the possibility
of being caused by a bit of corrupted data, though that's probably
reaching.
  
There were no substantive changes from the beta to the production
version. Largely just a removal of monitoring code.
  
  Again, regardless if
there was a
blip, Sniffer still does a wonderful job of tagging lots and lots of
E-mail, just not quite as much as the day before.
  
Last night I was able to adjust the rule strength analysis window back
to
it's original settings. About 5 days of data were lost - but those days
will be recovered quickly. Please let me know if this adjustment
improved
your conditions.
  
I've noted that on a number of other lists there seem to be posts about
a
sudden increase in spam over the past few days. We are definitely
seeing
this also - approximately a 25% or more increase in new rule additions
in
the past 4 days:
  
  http://www.sortmonster.com/MessageSniffer/Performance/ChangeRates.jsp
  
Specifically note from about 4 days ago...
  
  
  Days Ago Adjustments
 ---

0    356
1    508
2    391
3    410
4    410
5    326
6    309
7    371
8    292
9    347
10   309

  
  ( 5-10 : 1954/6 -> 325.67, 0-5 : 2075/5 -> 415, 325.67/415
-> 78.47 ) 
Note that day 0 is not complete. So applying a "fudge factor"
78.4 _looks like_ 75%.
Besides, 92% of statistics are made up on the spot anyway %^b
  I think a number of things are combined here... I just want to
get a
good handle on them and make sure we are doing the best we can.
  
I've noted, Matt, that your rulebase tuning parameters are set at the
defaults. If you would like to adjust these to be more aggressive then
please let 

Re: [sniffer] Possible blip?

[Matt]

Scott,

Regarding my Cyrillic and Chinese filters, I did a review of a full
week's held spam, looking for foreign languages and patterns to tag.  I
found from other research that the primary Chinese characterset,
GB2312, contains the Western Latin characterset, and so someone could
send an E-mail with this characterset defined and still have English as
the message.  Because of this I do more than just look for the
offending characterset, I've built a combo filter that looks for both
high bit characters such as ¥ as well as body or header hits for
encoding of GB2312 (Chinese/Korean) or Windows-1251 (Cyrillic).  I also
have Declude END statements for appearances of US-ASCII and ISO-8859-1,
so messages like this one that are referencing such patterns won't trip
the filter.  It seems to be stopping about 80% to 90% of the stuff, but
I'm guessing that the stuff that is getting through didn't hit one of
the high bit characters in my filter and I might need to simply expand
my list a bit.  Unfortunately I have no idea what characters are most
common, so I'm just eyeballing it from sources.

I had one false positive on a Yahoo Groups posting that referenced
163.com, a Chinese free Web mail provider that inserts Chinese language
footers.  The message was in English, but encoded in GB2312 and didn't
indicate any sign of English besides the actual text.  Because of this,
I might throw in an exception for the word "the " (followed by a space)
just as a test to see if text in English is present, but I have to
review that.  This message was also BASE64 encoded and that might be an
appropriate exception???  The last pattern that I might look at is
using the new MailPolice test for identifying Web-mail providers, and
excepting them from the filter because they have issues with encoding
languages I've found.

Hope this helps.

Matt



Scott Fisher wrote:

  2 thoughts from me:

1. Right on on the Nigerian scams, possible keeping these rules longer. As I was forwarding out a Nigerian scam to the spam mailbox, I too wondered how long the Nigerian rules were kept in play. I might also add Nigeria's twin sister the International Lottery spam and Stock Spams might also be kept longer. I noticed an increase in the Stock spams this week. 

2. I've been tracking different character sets for a couple of weeks, the Chinese, Cyrillic and Korean look promising. I get false hits on Greek, Thai, and Vietnamese Headers.

Scott Fisher
Director of IT
Farm Progress Companies

  
  

  
[EMAIL PROTECTED] 05/21/04 12:42PM >>>

  

  
  Pete,

Our Hold range has returned to more normal territory on Thursday.  
Here's the stats from the week as a whole on what has been very 
consistent traffic.  Out of all E-mail processed, both good and bad, the 
%Hold represents what scored between 10-24 points on our system and 
needed review, the %Sniffer represents all Sniffer hits except for Gray, 
the %Spam is what we scanned and didn't deliver (generally about 99.8% 
of spam is caught at a score of 10 which this is based on), and the 
Sniffer/Spam is the percentage of Sniffer hits as a portion of messages 
scoring 10 or more.

Day  %Hold%Sniffer%SpamSniffer/Spam
Mon: 1.86% 77.27% 80.37% 96.14%
Tue: 2.83% 74.53% 79.37% 93.39%
Wed: 2.13% 77.60% 79.66% 97.41%
Thur:1.95% 76.50% 80.66% 94.84%

The only change that we made to our system was to add two smaller 
domains later in the week, and we introduced filters for Cyrillic and 
Chinese languages on Wednesday morning which have cut our hold file down 
by 0.38 percentage points on Thursday, which explains how our %Hold is 
lower on than on Wednesday with a lower Sniffer hit rate on spam.

I did note two high volume untagged static spammers on Tuesday that we 
blacklisted locally, and that combined with the increase in Sniffer 
change rates (spam storm) might account for the changes that I saw.  I 
am wondering though about the recommendations that you have made for 
possibly fine tuning our rule base.  Again though, please keep in mind 
that I still feel that performance is overall very, very good.

One of my thoughts regarding minimum rule strengths and grace periods is 
that all groups aren't necessarily the same.  For instance Nigerian 
scams are low volume and sporadic, and my system performs the worst on 
these things.  Maybe lower rule strengths and longer grace periods makes 
much more sense for the Phishing category than it does for many other 
categories for instance.  Is that possible?

I also looked up the rule strengths on your site and found that about 
50%, or maybe more, have a strength below 1, and maybe lowering that is 
worth testing out so long as I don't massively increase the number of 
records.  I do think though that I would like to test out extending the 
grac

Re: [sniffer] OT: Language filtering in Declude, was Possible blip?

[Matt]

No, just one, but it won't score unless there is a header or body
indication of the GB2312 or Windows-1251 charactersets.  I'm using a
combo filter in Declude where the HIGHBIT filter is non-scoring, and
the CHINESE and CYRILLIC filters contain a line that says:

    TESTSFAILED      END      NOTCONTAINS      HIGHBIT

I'm pretty sure that the CHINESE and CYRILLIC filters will always hit
where appropriate unless the HIGHBIT test doesn't hit.  I have about 65
different high bit characters in that filter presently, all copied from
spam.  If Scott was around, I would ask him how the NONENGLISH test is
tripped because that might accomplish the same goals, however I'm not
sure if it also scores the definition of a characterset, in which case
it would have false positives in this scenario.

Matt



Scott Fisher wrote:

  Interesting.

Are you searching for 2 character pairs with GB2312?

Scott Fisher
Director of IT
Farm Progress Companies

  
  

  
[EMAIL PROTECTED] 05/21/04 01:46PM >>>

  

  
  Scott,

Regarding my Cyrillic and Chinese filters, I did a review of a full 
week's held spam, looking for foreign languages and patterns to tag.  I 
found from other research that the primary Chinese characterset, GB2312, 
contains the Western Latin characterset, and so someone could send an 
E-mail with this characterset defined and still have English as the 
message.  Because of this I do more than just look for the offending 
characterset, I've built a combo filter that looks for both high bit 
characters such as ¥ as well as body or header hits for encoding of 
GB2312 (Chinese/Korean) or Windows-1251 (Cyrillic).  I also have Declude 
END statements for appearances of US-ASCII and ISO-8859-1, so messages 
like this one that are referencing such patterns won't trip the filter.  
It seems to be stopping about 80% to 90% of the stuff, but I'm guessing 
that the stuff that is getting through didn't hit one of the high bit 
characters in my filter and I might need to simply expand my list a 
bit.  Unfortunately I have no idea what characters are most common, so 
I'm just eyeballing it from sources.

I had one false positive on a Yahoo Groups posting that referenced 
163.com, a Chinese free Web mail provider that inserts Chinese language 
footers.  The message was in English, but encoded in GB2312 and didn't 
indicate any sign of English besides the actual text.  Because of this, 
I might throw in an exception for the word "the " (followed by a space) 
just as a test to see if text in English is present, but I have to 
review that.  This message was also BASE64 encoded and that might be an 
appropriate exception???  The last pattern that I might look at is using 
the new MailPolice test for identifying Web-mail providers, and 
excepting them from the filter because they have issues with encoding 
languages I've found.

Hope this helps.

Matt



Scott Fisher wrote:

  
  
2 thoughts from me:

1. Right on on the Nigerian scams, possible keeping these rules longer. As I was forwarding out a Nigerian scam to the spam mailbox, I too wondered how long the Nigerian rules were kept in play. I might also add Nigeria's twin sister the International Lottery spam and Stock Spams might also be kept longer. I noticed an increase in the Stock spams this week. 

2. I've been tracking different character sets for a couple of weeks, the Chinese, Cyrillic and Korean look promising. I get false hits on Greek, Thai, and Vietnamese Headers.

Scott Fisher
Director of IT
Farm Progress Companies

 



  

  [EMAIL PROTECTED] 05/21/04 12:42PM >>>
   

  

  

Pete,

Our Hold range has returned to more normal territory on Thursday.  
Here's the stats from the week as a whole on what has been very 
consistent traffic.  Out of all E-mail processed, both good and bad, the 
%Hold represents what scored between 10-24 points on our system and 
needed review, the %Sniffer represents all Sniffer hits except for Gray, 
the %Spam is what we scanned and didn't deliver (generally about 99.8% 
of spam is caught at a score of 10 which this is based on), and the 
Sniffer/Spam is the percentage of Sniffer hits as a portion of messages 
scoring 10 or more.

   Day  %Hold%Sniffer%SpamSniffer/Spam
   Mon: 1.86% 77.27% 80.37% 96.14%
   Tue: 2.83% 74.53% 79.37% 93.39%
   Wed: 2.13% 77.60% 79.66% 97.41%
   Thur:1.95% 76.50% 80.66% 94.84%

The only change that we made to our system was to add two smaller 
domains later in the week, and we introduced filters for Cyrillic and 
Chinese languages on Wednesday morning which have cut our hold file down 
by 0.38 percentage points on Thursday, which explains how our %Hold is 
lower on than on Wednesday with a lower Sniffer hit rate on spam

Re: [sniffer] OT: Language filtering in Declude, was Possibleblip?

[Matt]

I think you might have possibly identified the group of required
characters.  I'll give that a try.  I'm not sure if any Cyrillic stuff
has been passing through but this bears watching as well and I might
have to change my list there as well.

I am also tagging BIG5, however almost all spam comes in GB2312. 
Here's what I'm searching for in the CHINESE filter:

# CHINESE v1.0.0
  
  SKIPIFWEIGHT    25
  MAXWEIGHT    10
  
  TESTSFAILED    END    NOTCONTAINS    HIGHBIT
  
  SUBJECT        END    CONTAINS    charset=gb2312
  SUBJECT        END    CONTAINS    charset="gb2312"
  SUBJECT        END    CONTAINS    charset=big5
  SUBJECT        END    CONTAINS    charset="big5"
  
  HEADERS        10    CONTAINS    =?gb2312?b?
  HEADERS        10    CONTAINS    =?big5?b?
  HEADERS        10    CONTAINS    charset=gb2312
  HEADERS        10    CONTAINS    charset="gb2312"
  HEADERS        10    CONTAINS    charset=big5
  HEADERS        10    CONTAINS    charset="big5"
  
  BODY        10    CONTAINS    charset=gb2312"
  BODY        10    CONTAINS    charset=3dgb2312"
  BODY        10    CONTAINS    charset=big5"
  BODY        10    CONTAINS    charset=3dbig5"
  BODY        10    CONTAINS    content=zh-cn"
  BODY        10    CONTAINS    content=3dzh-cn"


The END statements for the subject are meant as a precaution, although
it's probably not necessary with the HIGHBIT filter ending on US-ASCII
and ISO-8859-1 (plus a language definition hit for 'content="en-us"').

I do believe that you can apply a similar technique to spam in Spanish,
but since the characterset is the same as English, you would be
searching for those 'content=' markers in combination with special
characters (a short list in this case).  We hardly see any Spanish
spam, or at least held Spanish spam so I'm doing nothing about it. 
Spanish is of course a lot more common in US E-mail.  It may be that
some Spanish spam isn't identified as Spanish since that's not
necessary for proper display in most E-mail clients, but I have seen no
proof of that.

Matt



Scott Fisher wrote:

  Interesting. I generally just punish people if GB2312 ?BIG5 or such are in the headers. This is overwhelmingly SPAM, but like you siad there are English in some of those messages.

It looks like the GB2312 Chinese characters will have A B0 to F7 as it's highbyte. 
and an A0 to FF as it's lowbyte. 
If the GB2312 Chinese is present, I would think most every character should be one of these:
°±²³ µ¶· *º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷

Checking some of my e-mails confirms that.

The bad news is that requires another body filter. It's too bad there wasn't a BODY256 filter type where only the first 256 bytes would be checked. That would certainly be enough to score up these, and wouldn't be a CPU hog. I'm not certain that I'd want to throw another body filter at my few Chinese spams.

How often do you get a body indication of GB2312 / Cyrillic charactersets with no header indication?

It's an interesting subject because I those few Chinese spams that get through to three of my accounts frustrate me.
Got any tips for Spanish spam?

Scott Fisher
Director of IT
Farm Progress Companies

  
  

  
[EMAIL PROTECTED] 05/21/04 03:17PM >>>

  

  
  No, just one, but it won't score unless there is a header or body 
indication of the GB2312 or Windows-1251 charactersets.  I'm using a 
combo filter in Declude where the HIGHBIT filter is non-scoring, and the 
CHINESE and CYRILLIC filters contain a line that says:

TESTSFAILED  END  NOTCONTAINS  HIGHBIT

I'm pretty sure that the CHINESE and CYRILLIC filters will always hit 
where appropriate unless the HIGHBIT test doesn't hit.  I have about 65 
different high bit characters in that filter presently, all copied from 
spam.  If Scott was around, I would ask him how the NONENGLISH test is 
tripped because that might accomplish the same goals, however I'm not 
sure if it also scores the definition of a characterset, in which case 
it would have false positives in this scenario.

Matt



Scott Fisher wrote:

  
  
Interesting.

Are you searching for 2 character pairs with GB2312?

Scott Fisher
Director of IT
Farm Progress Companies

 



  

  [EMAIL PROTECTED] 05/21/04 01:46PM >>>
   

  

  

Scott,

Regarding my Cyrillic and Chinese filters, I did a review of a full 
week's held spam, looking for foreign languages and patterns to tag.  I 
found from other research that the primary Chinese characterset, GB2312, 
contains the Western Latin characterset, and so someone could send an 
E-mail with this characterset defined and still have English as the 
message.  Because of

Re: [sniffer] OT: Language filtering in Declude, wasPossibleblip?

[Matt]

Not if you want to exclude certain domains from hitting individual
languages.  The test for HIGHBIT pre-qualifies the message, and then
there are separate tests for CHINESE and CYRILLIC that can each be
independently excluded.  I would have to exclude both
languages/charactersets if I reversed the order.

There are currently 35 characters to be searched after updating for
your list and trimming somewhat randomly for size.  Considering the END
statements for US-ASCII and ISO-8859-1, and SKIPIFWEIGHT settings, the
full filter should rarely ever run.  You could also do a TESTSFAILED
END NOTCONTAINS NONENGLISH potentially, but I'm still not positive how
that hits.  Like I said before, I'm not sure if NONENGLISH hits on
characters or the definition of charactersets, or both, and whether or
not it has any limitations (like hitting on common extended English
characters).  If it only hits on what we consider high bit characters,
the HIGHBIT test could be abandoned.

BTW, I just reviewed in detail why some of this stuff was still
appearing in my Hold file and the reason is two-fold.  For one, I
needed to add more points as all of the Chinese and Cyrillic
charactersets that I was tagging did in fact hit these filters and
scored 10 points.  I was being somewhat cautious since this was a new
filter and I did find that one false positive so I'll wait a bit longer
to increase the score.  The second reason why I was still seeing this
some funky stuff was that some of the Cyrillic messages were encoded in
KOI8-R and I wasn't filtering for that...but I am now :)  I also added
KOI8-U (the Ukrainian version) just for good measure.

Matt





Scott Fisher wrote:

  Wouldn't it be better to reverse the order?

Run the subject and header tests on the majority of the mail.
Then run the body with a TESTSFAILED END NOTCONTAINS CHINESE. 
You should end up with less body searches this way.

Scott Fisher
Director of IT
Farm Progress Companies

  
  

  
[EMAIL PROTECTED] 05/21/04 04:28PM >>>

  

  
  I think you might have possibly identified the group of required 
characters.  I'll give that a try.  I'm not sure if any Cyrillic stuff 
has been passing through but this bears watching as well and I might 
have to change my list there as well.

I am also tagging BIG5, however almost all spam comes in GB2312.  Here's 
what I'm searching for in the CHINESE filter:

# CHINESE v1.0.0

SKIPIFWEIGHT25
MAXWEIGHT10

TESTSFAILEDENDNOTCONTAINSHIGHBIT

SUBJECTENDCONTAINScharset=gb2312
SUBJECTENDCONTAINScharset="gb2312"
SUBJECTENDCONTAINScharset=big5
SUBJECTENDCONTAINScharset="big5"

HEADERS10CONTAINS=?gb2312?b?
HEADERS10CONTAINS=?big5?b?
HEADERS10CONTAINScharset=gb2312
HEADERS10CONTAINScharset="gb2312"
HEADERS10CONTAINScharset=big5
HEADERS10CONTAINScharset="big5"

BODY10CONTAINScharset=gb2312"
BODY10CONTAINScharset=3dgb2312"
BODY10CONTAINScharset=big5"
BODY10CONTAINScharset=3dbig5"
BODY10CONTAINScontent=zh-cn"
BODY10CONTAINScontent=3dzh-cn"


The END statements for the subject are meant as a precaution, although 
it's probably not necessary with the HIGHBIT filter ending on US-ASCII 
and ISO-8859-1 (plus a language definition hit for 'content="en-us"').

I do believe that you can apply a similar technique to spam in Spanish, 
but since the characterset is the same as English, you would be 
searching for those 'content=' markers in combination with special 
characters (a short list in this case).  We hardly see any Spanish spam, 
or at least held Spanish spam so I'm doing nothing about it.  Spanish is 
of course a lot more common in US E-mail.  It may be that some Spanish 
spam isn't identified as Spanish since that's not necessary for proper 
display in most E-mail clients, but I have seen no proof of that.

Matt



Scott Fisher wrote:

  
  
Interesting. I generally just punish people if GB2312 ?BIG5 or such are in the headers. This is overwhelmingly SPAM, but like you siad there are English in some of those messages.

It looks like the GB2312 Chinese characters will have A B0 to F7 as it's highbyte. 
and an A0 to FF as it's lowbyte. 
If the GB2312 Chinese is present, I would think most every character should be one of these:
°±²³ µ¶· *º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷

Checking some of my e-mails confirms that.

The bad news is that requires another body filter. It's too bad there wasn't a BODY256 filter type where only the first 256 b

Re: [sniffer] OT: Language filtering in Declude, wasPossibleblip?

[Matt]

Scott,

All of those patterns came directly from the source code of E-mails. 
The charset=3dgb2312" pattern is quite common in the body of E-mail, in
fact I think that it is FrontPage or another Microsoft product that
encodes it this way when it appears in a META tag.

Share and share alike :)

Matt



Scott Fisher wrote:

  I used this reference on names character sets:
http://msdn.microsoft.com/library/default.asp?url="">

Would you really encounter a =3d ?
Should it be charset3dgb2312?

Enjoyed your thoughts, glad you didn't post this on a Monday...

Scott Fisher
Director of IT
Farm Progress Companies

  
  

  
[EMAIL PROTECTED] 05/21/04 04:28PM >>>

  

  
  I think you might have possibly identified the group of required 
characters.  I'll give that a try.  I'm not sure if any Cyrillic stuff 
has been passing through but this bears watching as well and I might 
have to change my list there as well.

I am also tagging BIG5, however almost all spam comes in GB2312.  Here's 
what I'm searching for in the CHINESE filter:

# CHINESE v1.0.0

SKIPIFWEIGHT25
MAXWEIGHT10

TESTSFAILEDENDNOTCONTAINSHIGHBIT

SUBJECTENDCONTAINScharset=gb2312
SUBJECTENDCONTAINScharset="gb2312"
SUBJECTENDCONTAINScharset=big5
SUBJECTENDCONTAINScharset="big5"

HEADERS10CONTAINS=?gb2312?b?
HEADERS10CONTAINS=?big5?b?
HEADERS10CONTAINScharset=gb2312
HEADERS10CONTAINScharset="gb2312"
HEADERS10CONTAINScharset=big5
HEADERS10CONTAINScharset="big5"

BODY10CONTAINScharset=gb2312"
BODY10CONTAINScharset=3dgb2312"
BODY10CONTAINScharset=big5"
BODY10CONTAINScharset=3dbig5"
BODY10CONTAINScontent=zh-cn"
BODY10CONTAINScontent=3dzh-cn"


The END statements for the subject are meant as a precaution, although 
it's probably not necessary with the HIGHBIT filter ending on US-ASCII 
and ISO-8859-1 (plus a language definition hit for 'content="en-us"').

I do believe that you can apply a similar technique to spam in Spanish, 
but since the characterset is the same as English, you would be 
searching for those 'content=' markers in combination with special 
characters (a short list in this case).  We hardly see any Spanish spam, 
or at least held Spanish spam so I'm doing nothing about it.  Spanish is 
of course a lot more common in US E-mail.  It may be that some Spanish 
spam isn't identified as Spanish since that's not necessary for proper 
display in most E-mail clients, but I have seen no proof of that.

Matt



Scott Fisher wrote:

  
  
Interesting. I generally just punish people if GB2312 ?BIG5 or such are in the headers. This is overwhelmingly SPAM, but like you siad there are English in some of those messages.

It looks like the GB2312 Chinese characters will have A B0 to F7 as it's highbyte. 
and an A0 to FF as it's lowbyte. 
If the GB2312 Chinese is present, I would think most every character should be one of these:
°±²³ µ¶· *º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷

Checking some of my e-mails confirms that.

The bad news is that requires another body filter. It's too bad there wasn't a BODY256 filter type where only the first 256 bytes would be checked. That would certainly be enough to score up these, and wouldn't be a CPU hog. I'm not certain that I'd want to throw another body filter at my few Chinese spams.

How often do you get a body indication of GB2312 / Cyrillic charactersets with no header indication?

It's an interesting subject because I those few Chinese spams that get through to three of my accounts frustrate me.
Got any tips for Spanish spam?

Scott Fisher
Director of IT
Farm Progress Companies

 



  

  [EMAIL PROTECTED] 05/21/04 03:17PM >>>
   

  

  

No, just one, but it won't score unless there is a header or body 
indication of the GB2312 or Windows-1251 charactersets.  I'm using a 
combo filter in Declude where the HIGHBIT filter is non-scoring, and the 
CHINESE and CYRILLIC filters contain a line that says:

   TESTSFAILED  END  NOTCONTAINS  HIGHBIT

I'm pretty sure that the CHINESE and CYRILLIC filters will always hit 
where appropriate unless the HIGHBIT test doesn't hit.  I have about 65 
different high bit characters in that filter presently, all copied from 
spam.  If Scott was around, I would ask him how the NONENGLISH test is 
tripped because that might accomplish the same goals, however I&

[sniffer] Spammer pollution

[Matt]

Pete,
I'm guessing that you have seen this already, but check out all of the 
domains that are listed in this zombie spam:

http://groups.google.com/groups?q=elder.com+group:*abuse*&hl=en&lr=&ie=UTF-8&scoring=d&selm=200404022023.i32KNhR00959%40localhost.localdomain&rnum=3
So where's Waldo :)
I found it while researching a new client (wanting to make sure that 
they don't spam).  This is the first time that I noticed this pattern 
though.  Thankfully in large part to Sniffer and some combinations of 
patterns with other tests, this stuff doesn't even get held very often.

Matt
--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html

Re: [sniffer] Spammer pollution

[Matt]

Pete McNeil wrote:
M> So where's Waldo :)
When reviewing a message like that we always troll the actual message
for the link that was intended - this helps us discard those that are
in there for "fluff".
The porn guys do a lot of this too - and their twist is to add hidden
links to competitors so that if/when the domains/links get picked up
there is collateral damage. (So the theory goes).
 

You didn't answer my question...
http://synapse.subneural.net/~denon/waldo/
Matt :)
--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html

[sniffer] Experimental hits on bounce messages

[Matt]

Pete,
I've been seeing a good deal of Experimental hits on bounce messages, 
primarily with the Nazi spam that has been forging recipients, but I've 
seen these on other messages that seemingly don't have any spam content, 
though most of course do involve spam.

I was wondering if this is due to IP's being logged for spamtrap hits 
from these bounces, or if it was due to something else.  If these are IP 
related, it would likely be problematic.

And another related question regarding the Nazi spam.  Would it be 
possible to move these rules from Experimental to another category such 
as Malware or General?  Personally I have grown accustomed to 
Experimental being a category for rules that are not as reliable and 
more likely to hit on personal E-mail so I weight it low, on the other 
hand this Nazi stuff is certainly problematic and I'm hoping that your 
rules are tight enough to place in another category.  I do have a filter 
that deals with bounce messages from Joe-Jobs by testing for both a 
Sniffer hit or other content related filter along with indications of a 
null sender or other sign of a bounce, but I was excluding 
Sniffer-Experimental from this.

Thanks,
Matt
--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html

Re: [sniffer] Experimental hits on bounce messages

[Matt]

Pete,
So would the Message-ID produce a hit if it was in the body of a 
message?  The reason why I ask is because I'm concerned about the 
possibility of legitimate servers getting tagged with Experimental and 
how that plays into my system.

Am I also to assume that you have some protections in place to protect 
from bounce messages from Joe-Jobs getting a server listed in 
Experimental?  I have definitely seen some of these where legitimate 
bounces were tagged with Experimental, and I'm guessing this was the 
result of spam being relayed or bounced.

Matt
Pete McNeil wrote:
On Sunday, June 13, 2004, 11:49:21 PM, Matt wrote:
M> Pete,
M> I've been seeing a good deal of Experimental hits on bounce messages,
M> primarily with the Nazi spam that has been forging recipients, but I've
M> seen these on other messages that seemingly don't have any spam content,
M> though most of course do involve spam.
M> I was wondering if this is due to IP's being logged for spamtrap hits
M> from these bounces, or if it was due to something else.  If these are IP
M> related, it would likely be problematic.
There may be a few IPs involved but I suspect it's a new message-id
rule we have in place. It seems that the Nazi spam is delivered with a
forged qmail header that qmail would never produce. The rule is
somewhat broad so we've left it in the experimental group - just in
case something about it turns out to be problematic.
Most of the Nazi spam rules are actually coded for known subjects and
generalizations of these.
M> And another related question regarding the Nazi spam.  Would it be 
M> possible to move these rules from Experimental to another category such
M> as Malware or General?  Personally I have grown accustomed to 
M> Experimental being a category for rules that are not as reliable and
M> more likely to hit on personal E-mail so I weight it low, on the other
M> hand this Nazi stuff is certainly problematic and I'm hoping that your
M> rules are tight enough to place in another category.  I do have a filter
M> that deals with bounce messages from Joe-Jobs by testing for both a
M> Sniffer hit or other content related filter along with indications of a
M> null sender or other sign of a bounce, but I was excluding 
M> Sniffer-Experimental from this.

It's a close call but I think the rules we have are in the right
places - at least for now.
_M

This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html
 

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html

Re: [sniffer] Experimental hits on bounce messages

[Matt]

Pete,

I've seen a moderate number of these bounces in the last few days
tagged by Experimental that didn't have any obvious indications of
spam.  You are of course correct that a majority of bounces are the
result of viruses or Joe-Jobs.  Fortunately the Joe-Jobs are mostly
returned to non-existant addresses so they aren't a huge issue although
the volume is remarkable and growing, especially from the likes of
AOL.  I'm used to seeing these fail tests besides Experimental however
when they hit on a Subject or content, and using a filter that scores
bounces with spam content very high takes care of this issue.  I'm
worried however because we do unfortunately end up blocking some
legitimate bounces, especially for customers that operate automated
mailers and have lots of customers due to the bouncing servers failing
multiple technical tests.  So there is a good reason to want to make
sure that we aren't improperly tagging legitimate servers by the IP,
and that's why we have steered clear of weighting Experimental at more
than 30% of the typical hold weight on our system and have left it out
of our combo filters until the Nazi issue and the subsequent tagging of
these messages in Experimental.  If these rules were in a different
category, it would make me feel a lot better about it.  I'm guessing
maybe from my standpoint, Spamware would be the most appropriate
category for tagging forged message ID's of this type.  This is such a
large issue presently that it does matter somewhat and I would feel
much more comfortable not having to use combo filters with the
Experimental result code.

BTW, here's an example of a bounce that I blocked after including
Experimental in our BOUNCER combo filter.  I honestly can't tell if
this is legitimate or not, and I can't see any signs of spam content
which makes me think it was the IP that triggered the hit, but I'm
posting it here so that you might be able to tell me what rule hit. 
The log entry is above the source.  I'm just trying to figure out how
to tune my system appropriately and wondering if I need to be on the
lookout for legitimate servers tagged by Experimental which due to
their inclusion now in combo filters, may cause legitimate E-mail to
bounce.

Thanks,

Matt


hb064pkq    20040614012029    Dfd5a0e3101a49a3c.SMD    16    15   
Match    84800    62    1    51    38
hb064pkq    20040614012029    Dfd5a0e3101a49a3c.SMD    16    15   
Final    84800    62    0    2674    38

Received: from oxygen.singnet.com.sg [165.21.74.85] by
mx1.mailpure.com with ESMTP
  (SMTPD32-8.05) id AD5AE3101A4; Sun, 13 Jun 2004 21:20:26 -0400
Received: from localhost (localhost)
    by oxygen.singnet.com.sg (8.12.11/8.12.9) id i5E13liD016172;
    Mon, 14 Jun 2004 09:20:24 +0800
Date: Mon, 14 Jun 2004 09:20:24 +0800
From: Mail Delivery Subsystem <[EMAIL PROTECTED]>
Message-Id: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
    boundary="i5E13liD016172.1087176025/oxygen.singnet.com.sg"
Subject: [20] Returned mail: see transcript for details
Auto-Submitted: auto-generated (failure)
X-MailPure:

X-MailPure: SNIFFER-EXPERIMENTAL: Failed, listed in the Experimental
category (weight 4).
X-MailPure: LEGITCONTENT: Passed, legitimate content detected (weight
-1).
X-MailPure: NULLSENDER: Message failed NULLSENDER test (line 3, weight
4) (weight capped at 4).
X-MailPure: FOREIGN: Message failed FOREIGN test (line 589, weight 3)
(weight capped at 3).
X-MailPure: TLD-ASIAN: Message failed TLD-ASIAN test (line 132, weight
1).
X-MailPure: BOUNCER: Message failed BOUNCER test (line 13, weight 10).
X-MailPure: RECIPIENTS: [snip].com>
X-MailPure:

X-MailPure: Spam Score: 21
X-MailPure: Scan Time: 06/13/2004 at 21:20:31 -0400
X-MailPure: Spool File: Dfd5a0e3101a49a3c.SMD
X-MailPure: Server Name: oxygen.singnet.com.sg
X-MailPure: SMTP Sender: <>
X-MailPure: Received From: oxygen.singnet.com.sg [165.21.74.85]
X-MailPure: Country Chain: SINGAPORE->destination
X-MailPure:

X-MailPure: Spam and virus blocking services provided by MailPure.com
X-MailPure:

X-RCPT-TO: [snip].com>
Status: R
X-UIDL: 385994059

This is a MIME-encapsulated message

--i5E13liD016172.1087176025/oxygen.singnet.com.sg

The original message was received at Mon, 14 Jun 2004 09:00:06 +0800
from mx12.singnet.com.sg [165.21.74.122]

   - The following addresses had permanent fatal errors -
<[EMAIL PROTECTED]>
    (reason: 550 5.1.1 User unknown)

   - Transcript of session follows -
550 5.1.1 <[EMAIL PROTECTED]>... User unknown

--i5E13liD016172.1087176025/oxygen.singnet

Re: [sniffer] Gray Hosting Change Of Status - Request For Comments

[Matt]

Pete,
From my own perspective, here are some comments.
1) "unwanted commercial advertising" isn't necessarily spam.  I often 
find rules in the General group from others nominating sources that are 
generally perceived as being of low value, including by myself, but 
aren't technically spam by the measures that we use.  We consider any 
first-party relationship with the recipient to be ok so long as they 
provide an easy method of unsubscribing and they honor unsubscriptions.  
It would be a good idea to establish a general rule for the service and 
in handling things that are nominated by customers.  You can't be all 
things to all people, and while advertising is mostly unwanted it is 
sometimes missed.

2) I don't weight the Gray category on my system.  There are too many 
newsletters and first-party advertising messages that come through for 
me to give it any weight when such things are based on the provider and 
not the sender it represents.  We do however use hits on this category 
to defeat some filters on our system (Declude based) because it can be a 
good identifier of a bulk-mailer and all that comes with it.

3) Moving clean Gray rules over to General will mostly be Ok, but it 
will definitely cause some false positives with our own more 
conservative definition of spam.  I would actually prefer that you kill 
the rules with false positives and re-purpose this category as something 
like "Dirty Bulk" to identify rules associated with specifically dirty 
lists on bulk mailers.  Some are 95% junk, some are maybe 10% junk, and 
IMO, some like CheetahMail are less than that.

4) I think that 50% legitimate for Gray hits is a big underestimate.  
Possibly part of that figure is explained by more general rules that 
target the bulk-mailer and not the source it represents.  If care was 
taken to tag information unique to the sender of the spam newsletter or 
spam advertising sent through bulk-mailers that are mixed, that will 
help to segregate the good from the bad.  Tagging the From line or the 
Reply-To line is often a very accurate way to identify these sources, 
especially when they primarily use tracking links in the body.  Some 
also make use of unique campaign ID's that can be tagged with certain 
providers.  I am not a fan of tagging the provider's own domains because 
that doesn't allow for differentiation between good and bad, and you 
must whitelist after each false positive.  I would also propose that 
customer submissions still primarily go to the General category and spam 
trap hits go into a Dirty Bulk category.  I trust the General category 
less than every other category except Experimental primarily due to the 
fact that it contains submissions from users with a more liberal 
definition of spam than I have (I found Amazon.com in there once for 
instance).  I would hope that people wouldn't report this stuff because 
it can affect everyone on the system.

5) Just an FYI, deciphering whether or not bulk-mail is legitimate, 
partially legitimate or totally spam is the hardest part of my job, so 
whatever you do, please don't make it any harder :)

Thanks,
Matt

Pete McNeil wrote:
Hello Sniffer Folks,
 We are reviewing a number of statistics with an eye toward reducing
 false positives. We have already changed a number of our rule coding
 policies where our highest false positive rates are found.
 One of the proposed changes is controversial and I would very much
 like your input about this.
 The Gray hosting rule group currently has a Block-First,
 White-Rule-Later policy. Rules coded into this group are for the
 likes of Constant Contact.
 Some time ago when this policy was drafted the overwhelming
 consensus was that most content arriving from these services was
 unwanted advertisement spam - therefore it was reasonable to
 white-rule legitimate publications as they were identified,
 especially since a single white rule would be shared by all
 subscribers (thus reducing the work and FP load).
 A recent analysis has shown that the situation has changed somewhat
 significantly. In general the following seem true -
 * The gray hosting group typically tags just less than 2% of messages.
 * Of this 2%, approximately half of the hits would be false positives.
 * If this is true then any benefit generated by the group is negated
 by the risk.
 * Also, if a given system does find benefit from the group then that
 benefit would likely be very small.
 If these points stand up to your comments then the proposal is as
 follows:
 - Existing gray-hosting rules with any reported false positives will
 be removed from the system.
 - The remaining gray-hosting rules will be moved to the "ungrouped"
 group (result 63).
 - No special treatment will exist for future rules that might have
 been placed in the gray-hosting group and no special status will be
 maintained for previous members of the gray-hosting group.
 - Result cod

Re: [sniffer] Reporting - was: spam leakage up

[Matt]

Pete,

If the data is normalized, tab delimited seems like the most widely
available choice.  I've never played with XML, and although it might be
more useful in many places, in others it presents overhead, especially
as far as a learning curve goes.

It may also be that real-time reporting isn't that widely sought after,
especially on systems where Sniffer is just one part of an overall
system.  For me there would be no real value to this except for a rare
occasion that I'm researching a problem or my interest is peaked (which
isn't a good justification for work).  Those that desire real-time
functionality may well be more experienced DB admins or programmers and
may be able to handle whatever format that you throw at them.

Matt



Pete McNeil wrote:

  We are working on specs for real-time reporting out of Sniffer and
haven't had a lot of feedback on the XML based format. We were looking
at this format because, in theory anyway, it's easy to port into a
database or even directly into a web page or other format.

Am I guessing right that the reason we didn't get a lot of feedback is
because not many folks can really use XML data in practice?

Should we adopt a different format for a "real-time scoreboard"
output file? Tab delimited? CSV? --- perhaps directly to HTML?

(if HTML then I will continue with the XML concept and use DOM to read
the XML as a data island and format the output - anybody have experience
with this - it seems harder in practice than the examples let on.)

Any thoughts would be appreciated.

Thanks,
_M

(The idea of a "scoreboard" was to create some useful indicators that
could be read in near real-time - without a lot of heavy lifting. At
the time it seemed there was a pressing need for this kind of
functionality. I'm beginning to wonder - I don't want to spend effort
on something that nobody really cares about. There are plenty of other
features planned that we could focus on. I need some feedback.
Thanks!)

On Thursday, June 24, 2004, 12:02:06 PM, Aaron wrote:

AC> Thanks Herb but we don't have Coldfusion.

AC> Looks great tho!

AC> Aaron
AC> www.vantech.net

AC> On Jun 24, 2004, at 8:55 AM, Herb Guenther wrote:

  
  

   I wrote a coldfusion page that parses the logs into a sql database
every night, and then the display page you saw.  If you have a 
coldfusion server I would be happy to give you the code.

 Herb

 Aaron J.Caviglia wrote:

Herb,

 How did you generate that SPAM report?

 Thanks,
 Aaron Caviglia
 www.vantech.net

 On Jun 24, 2004, at 8:46 AM, Herb Guenther wrote:


 wow, that is even worse than we are seeing, we are at about 80%, but
should really be at about 85% if all were tagged. 

 Here is our last weeks stats, we did not see an increase in volume,
so much as the amount gettig thru in the last couple days and 
continuing today.

 Herb



 SPAM Report


 Statistics are based on the last 6,150,612 email messages received.
You are viewing Server 1 Stats View Server 2 stats


 Statistic
 06/17
 06/18
 06/19
 06/20
 06/21
 06/22
 06/23
 Weekly Total
 Daily Avg.

 Delivered Messages
 34,291
 30,762
 22,331
 22,484
 31,245
 33,588
 33,582
 208,283
 25,311

 Good Messages
 6,493
 5,101
 1,595
 1,721
 6,209
 6,772
 6,170
 34,061
 5,221

 Spam Messages
 27,798
 25,661
 20,736
 20,763
 25,036
 26,816
 27,412
 174,222
 20,090

 Spam Percent
 81%
 83%
 92%
 92%
 80%
 79%
 81%
 84%
 79%

 Mal Formed Headers
 3,845
 4,277
 3,193
 3,555
 4,094
 4,286
 4,459
 27,709
 4,949

 Spam Headers
 4,544
 4,081
 3,665
 3,367
 4,800
 5,712
 6,129
 32,298
 3,308

 Spam Routing
 6,351
 5,697
 5,200
 5,613
 5,718
 6,072
 5,616
 40,267
 3,375

 No Reverse DNS
 6,864
 7,787
 6,529
 6,729
 7,742
 6,783
 5,023
 47,457
 2,446

 White Listed
 1,157
 968
 116
 162
 1,237
 1,245
 1,229
 6,114
 785

 General Spam
 1,021
 958
 736
 851
 1,012
 1,045
 1,122
 6,745
 1,490

 Experimental
 1,543
 1,190
 951
 970
 1,284
 1,342
 1,472
 8,752
 900

 Obfuscation
 240
 183
 158
 189
 196
 336
 151
 1,453
 352

 Grey Hosts
 355
 196
 29
 33
 213
 343
 315
 1,484
 166

 Gambling
 272
 202
 263
 261
 215
 303
 161
 1,677
 124

 Refinancing/Loans
 2,293
 2,216
 1,809
 1,659
 2,167
 2,013
 1,975
 14,132
 1,765

 Business opportunities
 1,989
 1,991
 1,546
 1,547
 1,990
 2,089
 2,163
 13,315
 1,464

 Ink and toner cartridges
 159
 124
 41
 91
 100
 89
 63
 667
 121

 Pornography
 2,296
 1,874
 2,189
 1,798
 2,120
 2,224
 2,333
 14,834
 1,731

 Send money scams
 57
 63
 66
 57
 85
 84
 82
 494
 65

 Online pharmacies
 6,792
 6,098
 5,419
 4,907
 5,766
 5,526
 5,767
 40,275
 5,684

 Cable/Satellite descramblers
 1,250
 1,340
 1,190
 1,384
 1,277
 1,710
 1,554
 9,705
 867

 Norton/McAfee offers
 17
 61
 4
 7
 11
 19
 25
 144
 68

 Insurance quotes, etc.
 706
 493
 374
 354
 526
 552
 547
 3,552
 649

 Travel/vacation offers
 216
 135
 82
 61
 87
 160
 121
 862
 238

 Viruses Detected
 649
 440
 223
 201
 537
 498
 493
 3,0

Re: [sniffer] IP Rules moving to Group 60

[Matt]

A big thumbs up from me :)
Matt

Pete McNeil wrote:
Hello Sniffer Folks,
 We are planning to split the Experimental rule group into two parts.
 Experimental (Abstract), (62), will contain abstract heuristics.
 Experimental (Received [IP]), (60), will contain all IP rules.
 The change is designed to allow the IP rules to be isolated so they
 can be weighted differently. IP rules are more dynamic and therefore
 more likely to cause false positives.
 If there are no objections then this change will take place this
 afternoon at approximately 1800 EDT.
Thanks,
_M
Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)

This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html
 

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html

[sniffer] zipping log files

[Matt]

Pete,
Due to growing log file sizes and a ridiculous amount of fragmentation 
caused by all of the associated products, I was forced to move to a 
system that does hourly rotation of my logs, moving them to a different 
drive, and then zipping them up after midnight.

I'm thinking that you would save a significant amount of bandwidth on 
your end by allowing us to zip and upload our logs.  There was a brief 
exchange on this list two months ago about you thinking about enabling 
this and I thought I would chime in on this and suggest it again.  This 
would actually simplify my scripting since I could do it all within a 
single script without a multiple minute wait for it to upload a +15 MB 
uncompressed log file.  I can however certainly make it work the other 
way if required.

Please note that I'm using WinZip 9.0's Command Line Option which is 
free for registered users of WinZip.  I prefer this over gzip because I 
use WinZip anyway and like the right click menu zipping that it provides 
for, and the commands are quite simple and seemingly complete.  If you 
move to support zip files, please don't discriminate against the 
non-open source stuff :)

Thanks,
Matt
--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html

Re: [sniffer] zipping log files

[Matt]

Pete McNeil wrote:
That's a bit confusing.
(use Winzip, but don't discriminate against
open source (gzip?))
 

"non-open source", not just "open source".  Should make sense.

Anyway, I haven't had time to dive into that again. My
responsibilities have been expanding at an astonishing rate.
We will probably pursue this at some point, and when we do we will
probably accept log files gzipped with a .gz extension since they are
going to end up on a linux box for processing and I need a way to
identify them without going through a lot of hoops.
gzip should be able to handle standard zip files.  You mentioned a while 
back about possibly changing everything to a .gz extension first, and I 
think that makes sense.  It shouldn't be more than a single line of code 
for you to support .zip files in addition to the .gz files once that is 
in place.

I only asked about this because I am about to re-enable the uploads and 
would have waited a little while if this functionality was on the 
horizon.  I'll do it the old way for now.


In the long term I hope to have Sniffer take care of it's own UL & DL
ops ... but that will be a while coming.
That would be nice for many, but not really a universal solution.  It 
might be a lot of work on your end whereas a group of well documented 
scripts could net similar results while allowing for custom 
configurations like my own.  I wonder how many logs you really need in 
order to net the stats that you are after anyway.  I'll bet that a 
standard-type of log naming/placement/rotation mechanism would be of 
more use to many of us.  I've worked around that for the moment, so 
don't consider that to be a request on my part.

Thanks,
Matt
--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html

Re: [sniffer] zipping log files

[Matt]

Pete McNeil wrote:
On Friday, July 16, 2004, 11:04:42 PM, Matt wrote:

M> gzip should be able to handle standard zip files.  You mentioned a while
Key word being _should_ ;-)
 

Well, there's always Info-ZIP's UnZip for Linux if it doesn't:  
http://www.info-zip.org/pub/infozip/UnZip.html .  I thought all that 
stuff was built into most packages, but clearly I know very little about 
that environment presently.  Too many flavors and not enough taste buds.


This will be a while coming though - we need to grow a bit more to
free up the necessary development resources.
 

Translation: Time to hire some poor schmoe to do the dirty work so that 
I can spend more time programming :)  I hear ya loud and clear.

I'm quite happy to see the progress in the areas that you have been 
focusing on.  Changes to the rules are good improvements, and running as 
a service is as well, and I know that you are working on some other 
things also.

So when is the multi-processor 64-bit executable coming?  Just kidding, 
no need to answer that one, although I'm sure that you've thought about 
that also.

Thanks,
Matt
--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html

Re: [sniffer] Surprising missed spam

[Matt]

Corby,

Personally, I'm a fan of leaving the generic stuff out due to the
potential of false positives.  Those of us that are using Sniffer in
addition to other spam blocking mechanisms can afford to lose some
Sniffer hits on such phrases because they will be picked up by other
means almost all of the time.  Including such phrases however would
increase our false positive rate without a measurable benefit in spam
capture rates.  I have even asked Pete to remove some phrase hits from
my own rulebase for exactly this reason.

Matt



Agid, Corby wrote:

  
  
  Surprising missed spam

  Hello,
  
  I was surprised recently by some spam
that got through without getting caught by the sniffer.   We've been
getting some plain text messages that have obvious spam words in the
subject line.   For example, a plain text message with "horny
teenagers" came through.  The content was also very spammy, but all
plain text.   I tried sending myself a few messages with standard spam
phrases and none of them tripped any sniffer rules.
  Am I missing something?
  
  Corby
  


-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=

Re: [sniffer] Surprising missed spam

[Matt]

Actually, we scan for many businesses as well as home users, and have
clients with mail boxes on every continent except Antarctica.  To me
it's really a matter of what classifies spam, and while these phrases
are spammy, they are not accurate enough to use in my rulebase.  Pete
knows what he is doing however, and you will note that most of his
rules are based on 'payload' hits, which are generally links.  Without
a payload, the message is merely a statement, and while that has
happened (Nazi spamdemic), it is not the norm.  These guys do change
their payloads around regularly, but the ones that use these sorts of
phrases in spam are highly likely to also get tagged by other
obfuscation techniques in Sniffer.  Of course there are also many
blacklists that are good at tagging both zombie and static spam sources.

My point was really that I prefer to tag spam based on a positive hit
instead of a suggestive one, and for the most part, Sniffer does this. 
It is especially effective in combination with other spam blocking
techniques.  If for instance you have 3 hits on perfectly unassociated
patterns, and each one is 99% accurate, or rather 1% inaccurate, the
net result is that the combination of hits would produce a false
positive rate 0.0001%.  A good example of this would be a message that
is tagged by Sniffer for a link in the body, tagged by SpamCop for
leaking spam by the IP, and forges the Mail From domain.  Unfortunately
I do see false positives frequently enough when Sniffer hits in
combination with some other less accurate test giving it enough points
to be held on my system, many of which might fall into a gray category
or results from a more generic/suggestive hit in combination with some
technical shortcoming.

Spam bothers me a whole bunch, that's why I'm in the business, but
false positives bother me even more.  I do wish that over time Pete
could further separate his rules into more positive and more suggestive
ones so that things like known URL's would be examples of more positive
ones and things like "horny teenagers" would be an example of a
suggestive one.  Given that, I could weight accordingly.

Matt



Agid, Corby wrote:

  
  
  
  I suppose everyone's
userbases have differenent requirements.  An ISP or private
enterprise might worry about false postives on "horny teenagers" and
"penis enlargement", but for our local government agency, it causes
problems.  
   
  Corby
  
  
  

 From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On
Behalf Of Matt
Sent: Monday, September 13, 2004 5:25 PM
To: [EMAIL PROTECTED]
Subject: Re: [sniffer] Surprising missed spam


Corby,

Personally, I'm a fan of leaving the generic stuff out due to the
potential of false positives.  Those of us that are using Sniffer in
addition to other spam blocking mechanisms can afford to lose some
Sniffer hits on such phrases because they will be picked up by other
means almost all of the time.  Including such phrases however would
increase our false positive rate without a measurable benefit in spam
capture rates.  I have even asked Pete to remove some phrase hits from
my own rulebase for exactly this reason.

Matt



Agid, Corby wrote:

  

  Hello, 
  I was surprised recently by some
spam that got through without getting caught by the sniffer.   We've
been getting some plain text messages that have obvious spam words in
the subject line.   For example, a plain text message with "horny
teenagers" came through.  The content was also very spammy, but all
plain text.   I tried sending myself a few messages with standard spam
phrases and none of them tripped any sniffer rules.
  Am I missing something? 
  Corby 


-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
  


-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=

[sniffer] Test ordering/precedence

[Matt]

Pete,

Given some of the recent changes in the result codes for Sniffer, I
thought I would inquire about the precedence of the result codes and
how these can affect systems.

On my system I have weighted the result codes differently and overall,
I would consider the following order to be suggestive of the order of
reliability from the most reliable to the least reliable.  Note that
this is not scientific, but instead based on doing review and tests
that hit less often could appear higher in terms of stated reliability
though I have considered this in making the list:

1.    SNIFFER-INK(56)
   SNIFFER-CASINO(59)
   SNIFFER-INSURANCE(48)
   SNIFFER-MEDIA(50)
   SNIFFER-GETRICH(57)
   SNIFFER-DEBT(58)
   SNIFFER-PHARMACY(52)
  
2.    SNIFFER-AVSOFT(49)
   SNIFFER-PHISHING(53)
  
3.    SNIFFER-TRAVEL(47)
   SNIFFER-PORN(54)
  
4.    SNIFFER-SPAMWARE(51)
   SNIFFER-OBFUSCATION(61)
   SNIFFER-MALWARE(55)
  
5.    SNIFFER-EXPERIMENTAL(62)
  
6.    SNIFFER-GENERAL(63)
  
7.    SNIFFER-IP(60)


I'm not sure exactly how Sniffer orders the precedence of the result
code, but I would like to recommend that you give some consideration to
reviewing such things in light of recent changes and also maybe
consider allowing us to customize the precedence as a part of our
rulebase.

Thanks,

Matt
-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=

Re: [sniffer] Test ordering/precedence

[Matt]

John,

If you read this more carefully, I was not suggesting that action be
taken that would affect everyone's system in such a way that it would
require modifications.  The 60 result code was recently changed from
Gray rules to IP rules, and that change may or may not suggest a
modification to the standard way that Sniffer operates (considering
that the environment will only return one result code).  Sniffer may or
may not follow the numerical ordering of the result codes at present,
but then again, it might.  Regardless, it wouldn't be a bad idea to
review the precedence as a part of ongoing due diligence.  I also
recommended one potential solution for customization by controlling the
precedence from within the rule base and I would also imagine that the
new config file could also be used to control this.

So if a change was made, I'm sure it wouldn't be done unless it was
measurable and would be to everyone's benefit, and it if Pete felt the
need, it could be done in such a way so that only those that would want
to change it would need to take action.

I try to make it a practice to consider the needs of others before I
give suggestions or ask for new capabilities, and I did do that in this
case.  I don't doubt that others have slightly different ordering in
terms of what they feel is more and less accurate, and of course
results can vary widely across systems.  Pete is especially sensitive
to these needs and has done a wonderful job of customizing rule bases
without placing the burden on his customers to do so.

Matt




John Tolmachoff (Lists) wrote:

  
  
  
  
  Matt Matt
Matt.
   
  Then
everyone would have to make sure
they made the relevant changes on their systems.
   
  As we have
seen on the Declude Junkmail
list, there will
always be those who set up their systems and then forget about them.
Making a
change like that would cause problems.
   
  
  John
Tolmachoff
  Engineer/Consultant/Owner
  eServices
For You
  
   
  
  -Original
Message-
  From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
  Sent: Saturday,
September 18, 2004 5:28
PM
  To:
[EMAIL PROTECTED]
  Subject: [sniffer]
Test
ordering/precedence
   
  Pete,
  
Given some of the recent changes in the result codes for Sniffer, I
thought I
would inquire about the precedence of the result codes and how these
can affect
systems.
  
On my system I have weighted the result codes differently and overall,
I would
consider the following order to be suggestive of the order of
reliability from
the most reliable to the least reliable.  Note that this is not
scientific, but instead based on doing review and tests that hit less
often
could appear higher in terms of stated reliability though I have
considered
this in making the list:
  1.    SNIFFER-INK(56)
   SNIFFER-CASINO(59)
   SNIFFER-INSURANCE(48)
   SNIFFER-MEDIA(50)
   SNIFFER-GETRICH(57)
   SNIFFER-DEBT(58)
   SNIFFER-PHARMACY(52)
  
2.    SNIFFER-AVSOFT(49)
   SNIFFER-PHISHING(53)
  
3.    SNIFFER-TRAVEL(47)
   SNIFFER-PORN(54)
  
4.    SNIFFER-SPAMWARE(51)
   SNIFFER-OBFUSCATION(61)
   SNIFFER-MALWARE(55)
  
5.    SNIFFER-EXPERIMENTAL(62)
  
6.    SNIFFER-GENERAL(63)
  
7.    SNIFFER-IP(60)
  
I'm not sure exactly how Sniffer orders the precedence of the result
code, but
I would like to recommend that you give some consideration to reviewing
such
things in light of recent changes and also maybe consider allowing us
to
customize the precedence as a part of our rulebase.
  
Thanks,
  
Matt
  
  
  -- 
  =
  MailPure custom filters for Declude JunkMail Pro.
  http://www.mailpure.com/software/
  =
  
  


-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=

Re: [sniffer] Test ordering/precedence

[Matt]

Thanks Pete, but let me just stress the largest issue that I see and I 
think you already are aware of it.  The new IP classification is the 
most likely to produce false positives and it's result code of 60 places 
precedence of that over General, Experimental and Obfuscation hits.  
There is a large difference in accuracy on my system between IP rules 
and the other three tests.  I hinted at this when you first made the 
change from that category being Gray (which I didn't score) to IP but 
got no response :)

I score IP at 4 but the other three are all scored at a 6.  The false 
positives with things like General tend to drop significantly over time 
as you report false positives, and I believe it to be over 98% accurate 
on my system while the IP hits have a much higher false positive rate 
based on open relay mail servers and message bounces to forged addresses 
that correspond to your spamtraps (I get a lot of IP hits on the bounce 
messages that we block, many of these from legitimate servers).  I would 
have desired the IP hits to have been added as a result code of 64 
instead of replacing the result code of 60 for this reason.

I'm sure that you can run some stats to figure out how often IP hits 
might override General, Experimental and Obfuscation hits, and get a 
better idea as to the potential impact of having a generally higher 
scoring test hit.  I know it would have an effect on weighted systems, 
though I'm not sure how large that effect might be.  As things stand on 
my system, IP is the #3 test and I fear that it is stealing hits from 
more accurate tests, especially the #2 test, Experimental which happens 
to be very good at tagging zombies and hitting new sources of spam that 
aren't as widely blacklisted due to the types of rules that are 
present.  Here are some recent numbers from my system:

SNIFFER-EXPERIMENTAL...23.32%
SNIFFER-IP...9.70%
SNIFFER-OBFUSCATION...2.02%
SNIFFER-GENERAL.1.64%
So now might not be the time for this due to the potential of having to 
modify configs, but please minimally consider it at the next opportunity 
where a change such as the Gray to IP rules are done.

Thanks,
Matt


Pete McNeil wrote:
On Saturday, September 18, 2004, 9:07:55 PM, Matt wrote:
M> John,
M> If you read this more carefully, I was not suggesting that
M> action betaken that would affect everyone's system in such a way
M> that it wouldrequire modifications.  The 60 result code was
M> recently changed fromGray rules to IP rules, and that change may or
M> may not suggest amodification to the standard way that Sniffer
M> operates (consideringthat the environment will only return one
M> result code).  Sniffer may ormay not follow the numerical ordering
M> of the result codes at present,but then again, it might. 
M> Regardless, it wouldn't be a bad idea toreview the precedence as a
M> part of ongoing due diligence.  I alsorecommended one potential

I agree it's not a bad idea to review these things from time to time,
and in fact we do quite frequently - though not publicly.
I also agree that making any sweeping changes would probably be a
mistake at this time.
Well guys, here is how it goes.
When more than one rule matches, the one with the lowest symbol #
wins. If there is more than one match within that symbol then the one
that is earliest in the message wins.
This is why we code white rules to symbol 0, or symbol 1 in some
cases; and also why we generally reserve the lower numbered symbols
for any specific user requests.
As much as possible we've ordered the rule groups so that the least
specific rules are found in the higher numbers and the more specific
rules are in the lower numbers.
We even have some rules (work in progress) that are "above band" in
the 65-255 range which have special meanings and functions. These will
become more important later as these features are further developed.
There are a lot of schemes out there that can be used, and in fact we
can use an entirely different scheme for each user if we wish - though
that might be a lot of work (so we might have to charge extra for the
consulting time to develop and maintain such a thing).
The scheme that we have is a little bit out of date*, but it still
seems to work for most folks, so we'll probably keep it around for a
while. We've had a number of alternate schemes suggested, some that
might even be practical to implement - but none that wouldn't cause
quite a bit of upheaval if we suddenly decided to rework everything
for our current users.
In fact, there are only a hand full of people who ever even mention it.
Since your list shows 60, 63, 62, and 61 all at the bottom of your
list I'm guessing that the current voting scheme is probably in line
with your priorities at this point. That is, more specific rules (by
symbol #) seem to line

Re: [sniffer] Test ordering/precedence

[Matt]

Pete McNeil wrote:
M> SNIFFER-EXPERIMENTAL...23.32%
M> SNIFFER-IP...9.70%
M> SNIFFER-OBFUSCATION...2.02%
M> SNIFFER-GENERAL.1.64%
I must be tired, but I don't understand these numbers in this context.
What are the percentages?
 

These are hit rates on total messages with a spam percentage of about 
87% that weekday, leaving 13% as ham of course.


M> So now might not be the time for this due to the potential of having to
M> modify configs, but please minimally consider it at the next opportunity
M> where a change such as the Gray to IP rules are done.
I've actually been thinking very strongly of reorganizing the rule
group IDs recently. Especially in light of the new changes we've made
with robots et al. The accuracy of the Experimental IP group has gone
up considerably - and most of the false positives you've discussed
should be eliminated over time (bounces especially).
All that said, I think the first step to reordering the groups might
be to change the sequence of the 4 highest numbers as follows:
63: Experimental Received [IP]
62: Obfuscation
61: Experimental Abstract
60: General
 

I've had a few more false positives recently on the Experimental 
Abstract group, however I haven't yet come to terms with what that means 
in the face of the increase in hit rates for that group.  If this group 
is populated by automated means, I would consider it to be maybe more 
wise to have it above the Obfuscation category which I have found to be 
much more accurate and not specific to a particular host, but instead 
the content.  The General rules are are also very unlikely to hit on 
personal E-mail, which makes false positives with these two groups much 
more tolerable because most such content isn't missed that much.  When 
it comes to the IP rules and the Experimental Abstract rules however, 
many of the false positives are on personal E-mail.  If I was to weight 
the accuracy of the tests considering the difference in how they might 
hit personal E-mail, I would prefer an order as follows:

63: Experimental Received [IP]
62: Experimental Abstract
61: General
60: Obfuscation
I weight the Experimental Abstract and General rules the same on my 
system, so reversing them isn't such a big deal, but the primary change 
from your recommendation would be that I would suggest putting 
Obfuscation rules the lowest result code of the four.  I think the 
likelihood that a rule can hit on a personal E-mail is key in this 
decision making process.  Also consider the hit rate of the Experimental 
Abstract rules being so high and a more exact non-automated method might 
make other tests more reliable in the long-term so they should get 
predominance.


According to a recent spam test quality analysis the accuracy and
coverage for these groups in this order follows like this:
63: Experimental Received [IP]SA = 0.81 Coverage =  7.63%
62: Obfuscation   SA = 1.00 Coverage =  2.58%
61: Experimental Abstract SA = 0.92 Coverage = 25.82%
60: General   SA = 0.81 Coverage =  1.82%
 

Please take note that Markus' stats are generated from European traffic 
and I have found at times that there can be a measurable difference 
between what he is seeing on his system and what I am seeing on my 
system where about 95% of the legitimate traffic is from North American 
hosts and to local domains all ending with .com, .net and .org.  His FP 
rate on the General group for instance is many times higher than my 
own.  I would be happy to share my Declude logs with you if you wish to 
process stats that come from about 200 domains, mostly based in the US.  
If it doesn't take too long, I would be willing to set up the beta of 
the stats package for comparative purposes.

As far as making changes go, I wouldn't rush into anything, especially 
since this change would likely mean readjusting all of your clients at 
once instead of having them download a new release and following 
instructions.  I think it would be a good idea to alert your customers 
further and more frequently in advance than was done with the Gray to IP 
rule change.  Of course the change wouldn't have a large effect on many 
systems, but this is definitely something that would affect my own.  It 
is of course easily remedied with some very quick changes in my Declude 
config file.

Thanks,
Matt
--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html

Re: [sniffer] Integrating Sniffer with new Imail Collaboration Suite

[Matt]

Andrew,
You would also need to lock the file so that the queue didn't steal it.  
You might be able to just simply rename the Q* file to get the same effect.

Pete's being a good friend of Declude by not suggesting a modification, 
but also a good friend of the user to recommend a much better solution 
that also brings with it the benefit of weighting, RBL's and other 
scoreable hits.  If you already own Declude and are sticking with IMail, 
there is absolutely no reason to abandon it.

IMO, Ipswitch is about to change their tune on the matter of bundling 
after signs that they recognize the miscalculation in the response.  A 
miscalculation of this magnitude however points to a more systematic 
problem, and their claim that service agreements are money losers for 
them is preposterous, and then to place the burden on the customer when 
your product is already premium priced is an indication of an 
organization in total disarray.

Matt
Colbeck, Andrew wrote:
Well, to play devil's advocate ...
A poor man's way to run IMail and Message Sniffer without Declude could
certainly be done without a massive re-write.  I'm not going to claim that
it would be *reliable* or *flexible* but you could certainly mimic what
Declude does and change one registry key to have IMail call a batch file.
Then have your batch file call Message Sniffer, run through multiple "if
errorlevel" statements, and take whatever action you deem appropriate, like
moving the two message files to a quarantine or just deleting them.  If a
message passes, you call IMail's original executable (from the original
registry entry) to deliver the message.
Sure, saying it is easier than doing it, but it is do-able.
As for me, I prefer to use Declude & Sniffer.  A weighted system rocks.
Andrew 8)
p.s. Now, if SpamAssassin has a way to shell out to call Sniffer ... hm
...
-Original Message-
From: Pete McNeil [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, October 27, 2004 8:52 AM
To: Jim Matuska
Subject: Re: [sniffer] Integrating Sniffer with new Imail Collaboration
Suite

On Wednesday, October 27, 2004, 11:30:27 AM, Jim wrote:
JM> Is there a way to integrate message sniffer directly with the new 
JM> Imail Collaboration Suite.  We are currently using it with Imail via 
JM> declude, but that may change soon due to this latest Imail fiasco.  
JM> If we decide to migrate to the new Collaboration suite I need to 
JM> know if we can use message sniffer directly or if we would need to 
JM> use a 3rd party add in still such as declude (if a version is 
JM> released that will work with the collaboration suite).  Any 
JM> thoughts?

Sniffer won't be making a direct connection to IMail because it won't be
necessary. It is my understanding the Declude and mxGuard will continue to
function with ICS just as they have. There is no good reason for us to
duplicate that effort when such a fine job has already been done.
_M

This E-Mail came from the Message Sniffer mailing list. For information and
(un)subscription instructions go to
http://www.sortmonster.com/MessageSniffer/Help/Help.html
This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html
 

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html

Re: [sniffer] Your Sniffer Setup

[Matt]

Andy, Bill, et al.

When the persistent Sniffer was first offered, I typed up the attached
directions that I cribbed from the KB when alerted to it by Bill.  I am
forwarding this as a message attachment since the archives are down
currently.

I haven't yet upgraded to the latest version, but at least on previous
versions it has been running fine.  I'm still waiting to figure out
what the issues might be relating to this thread.

An export of my registry relating to the Sniffer service is as follows:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sniffer]
"Type"=dword:0010
"Start"=dword:0002
"ErrorControl"=dword:0001
"ImagePath"=(removed: hex encoded path to srvany.exe)
"DisplayName"="Sniffer"
"ObjectName"="LocalSystem"
  
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sniffer\Parameters]
"Application"="C:\\IMail\\Declude\\Sniffer\\MyExecutableName.exe
MyIDNumber persistent"
  
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sniffer\Security]
"Security"=(removed: hex encoded value)
  
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sniffer\Enum]
"0"="Root\\LEGACY_SNIFFER\\"
"Count"=dword:0001
"NextInstance"=dword:0001
  

Sorry to keep this going, but I would like to figure out what the best
practices would be, and also help Andy and/or others figure out the
same.

Matt
-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=


--- Begin Message ---




Ok, I think I did it.  Only took a minute (thanks Bill).  Here are some
more precise directions, but consider them to be "beta" directions
(please correct them if you find a problem):

1)    Install the Windows 2000 Resource Kit, or download
and install the INSTSRV.exe and SRVANY.exe files in a permanent
location, preferably within your path.  The individual files can be
found at the following location:
            http://www.pyeung.com/pages/win2k/userdefinedservice.html
  
2)    Open a command prompt (Click on the Start Button, Select Run, and
type CMD)
  
3)    Enter the following command (customize for the paths of the
executables)
            C:\Progra~1\Resour~1\INSTSRV Sniffer
C:\Progra~1\Resour~1\SRVANY.exe
  
4) Open up the Registry Editor (Click on the Start Button, select Run,
and type REGEDIT)
  
5) Locate the following key:
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sniffer
  
6) From the Edit menu, select New, select Key, and name the new key
Parameters
  
7) Highlight the Parameters key
  
8) From the Edit menu, select New, select String Value, and name the
new value Application
  
9) From the Edit menu, select Modify, and type in the full path name
and application name, including the drive letter and file extension
(don't use quotes, customize path, executable name and authentication
code)
  Example: C:\IMail\Declude\Sniffer\[yourlicx].exe
[authenticationxx] persistent
  
       [yourlicx] = your license ID
       [authenticationxx] = your authentication string
  
10) Open the Services MMC
  
11) Start the Sniffer service
  
12) Set the Sniffer service to Automatic


Matt



Matt wrote:
I'm
going to give this one a try right now since I have the Resource Kit
installed already.  Just one question...do I need to change the
arguments in my Declude config, or will the service definition take
care of the 'persistence'?
  
  
Thanks,
  
  
Matt
  
  
  
  
Bill Boebel wrote:
  
  
  We've been using svrany for years with
several custom applications and it

works great.  This utility has been around since the NT4 Resource
Kit...


 http://www.pyeung.com/pages/win2k/userdefinedservice.html


Bill



-Original Message-

From: [EMAIL PROTECTED]

[mailto:[EMAIL PROTECTED]]On Behalf Of Pete McNeil

Sent: Friday, March 19, 2004 12:25 AM

To: [EMAIL PROTECTED]

Subject: [sniffer] RunExeSvc for Persistent sniffer.



Hello folks,


We've been continuing to test the new persistence enabled sniffer
engine

and some utilities that will allow it to run as a service.


We found a free utility that seems to be very solid, and very simple.


http://www.judoscript.com/goodies/RunExeSvc/runexesvc.html


One of the scripts we used is:


debug=false

cmdline=c:\Projects\sniffer2-3\TestBed\snfrv2r2.exe xnk05x5vmipeaof7

persistent

home=c:\Projects\sniffer2-3\TestBed


(Note: The mismatch between the sniffer2-3 directory and the
snfrv2r2.exe

is not a type-o. We re-branded the 2-3 to use the snfrv2r2 license in
our

example - it was easier that than creating a new license. Note also
that

the cmdline parameter i

Re: [sniffer] Your Sniffer Setup

[Matt]

This might be there in the event that you need to quote certain 
arguments or handle special characters???  I've found some different 
requirements for command line arguments and special characters such as 
"&" which require either quoting them or using an octal encoded value 
(I'm no expert on this stuff).  Maybe the alternate field helps in this 
instance.  Anyway, it looks like it is unnecessary although functional 
in this instance.  Considering that there are many places where you 
enter both path and arguments in the same registry value, I would assume 
that there is no problem with doing it that way for the service.

Matt

Andy Schmidt wrote:
Yes, I too suspect that SRVANY actually allows the specifying of the entire
command line in the "Appliation" string, even though both the Knowledgebase
article and the full documentation implies otherwise.  (The KB article and
the documentation are very precise in what the "Application" string should
be: just the path, name and extension of the executable.)
The question is whether Microsoft ever intended it to work that way or if
that possibly "accidental" capability may cease working at a later time.
Best Regards
Andy Schmidt
H&M Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206
http://www.HM-Software.com/
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Mark E. Smith
Sent: Monday, November 01, 2004 02:27 PM
To: [EMAIL PROTECTED]
Subject: RE: [sniffer] Your Sniffer Setup
Looks like both work. If you examine the difference you'll probably see why.
One (just with the Application setting specifies all of the parameters in
the SZ string.
The other specifies the .exe in the App string and the Auth Code and
"persistent" parameter in the parameters string. I'm also guessing that
Sniffer really doesn't care about the app path so it's probably working in
this case.
The "proper" way is probably the way where multiple SZ values are specified
although both will work with Sniffer.

This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html
 

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html