[sniffer] Re: Direct SmarterMail integration -- Some Testers ?
Folks,

Having integrated Sniffer into MxScan for SmarterMail, I would like to share some of my thoughts:

1. From what I can see at the moment neither Commtouch nor Declude has direct hooks into the SMTP sessions. Any integration at SMTP session level would definitely require some changes from SmarterMail's end.

2. The PROC folder is basically another way for 3rd party utilities to interface to the MTA; however, take note this happens after the SMTP session has been completed and NOT during.

3. The command line option works, but as someone pointed out earlier it is also being used by other 3rd party apps/processes for customer jobs. While it would be possible to encapsulate all 3rd party command line applications using a script, it would not be ideal. SM command line also has its own timeout settings. It tends to get messy when you have more than 1 command line application in use.

Cheers
-Matt

-----Original Message-----
From: Message Sniffer Community [mailto:snif...@sortmonster.com] On Behalf Of E. H. (Eric) Fletcher
Sent: Thursday, June 10, 2010 10:06 AM
To: Message Sniffer Community
Subject: [sniffer] Re: Direct SmarterMail integration -- Some Testers ?

I'd definitely favor B. Sniffer is so good at what it does that there is some real potential there depending on the degree to which you integrate with the SM anti-spam features like SMTP blocking for example. This would take some real work of course.

-----Original Message-----
From: Message Sniffer Community [mailto:snif...@sortmonster.com] On Behalf Of Pete McNeil
Sent: Wednesday, June 09, 2010 6:46 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Direct SmarterMail integration -- Some Testers ?

On 6/9/2010 6:54 PM, E. H. (Eric) Fletcher wrote:
> I wonder whether it doesn't become a solution in search of a problem.

We're asked about it frequently, and since the command line option already exists it's worth fleshing out a bit.

We've avoided building an interface for the proc hooks because:

A. There are already solutions there for that (as you point out).
B. We would really like to see a much tighter integration with SM that can take full advantage (during SMTP, not after).

If enough folks are interested in a proc hook based implementation of SNF then we will do it, of course.

_M

--
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com

#
This message is sent to you because you are subscribed to the mailing list sniffer@sortmonster.com. This list is for discussing Message Sniffer, Anti-spam, Anti-Malware, and related email topics. For More information see http://www.armresearch.com
To unsubscribe, E-mail to: sniffer-...@sortmonster.com
To switch to the DIGEST mode, E-mail to sniffer-dig...@sortmonster.com
To switch to the INDEX mode, E-mail to sniffer-in...@sortmonster.com
Send administrative queries to sniffer-requ...@sortmonster.com
[sniffer] Re: Outgoing spam filtering
I would recommend putting in place a throttling and alert mechanism so that when the outgoing emails exceed a certain threshold the server limits the outgoing SMTP for the particular account and alerts the admin. I have never been a fan of outright filtering of outbound emails as these normally lead to a higher rate of false positives.

Cheers
-Matt

From: Message Sniffer Community [mailto:snif...@sortmonster.com] On Behalf Of Kaj Søndergaard Laursen
Sent: Sunday, February 21, 2010 7:10 PM
To: Message Sniffer Community
Subject: [sniffer] Outgoing spam filtering

Hi

I have now twice had users who are sending spam. One of them I am very certain must be a phishing victim: a connection from an IP in Nigeria at the same time the user was connected from her home DSL.

We are using Microsoft Exchange and sending through a Microsoft SMTP server on the DMZ. We do not have any spam-filtering on-premise at the moment. Only inbound SMTP is filtered by our colleagues in another part of the organization (we are part of a university). So I'm just asking on this list because I know that there are a lot of experts on this list (and I used Sniffer when I ran the spam-filtering myself).

I talked with the support at one of the bigger Danish spam-filtering providers that were listing all our mail as spam. The only recommendation they could give was to change the IP-address that I was using to send mail. That won't help the receivers of the spam much :-)

So can you recommend anything to stop outbound spam? Should I just run it through a spam-filter like I do with inbound, or is there a better solution?

Kind regards,
Kaj Laursen
Head of IT
Tel.: 9629 6229

Aarhus Universitet, Handels- og IngeniørHøjskolen | Birk Centerpark 15 | 7400 Herning
97 20 83 11 | i...@hih.au.dk | http://www.hih.au.dk/
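Matt's suggestion above (throttle the account and alert the admin rather than content-filter outbound mail) is easy to prototype against the submission log most MTAs already write. The following is an added example, not code from SmarterMail, Exchange or Sniffer: it keeps a sliding window per authenticated account, throttles when the recipient count in the window passes a threshold, and also flags the situation Kaj describes, the same account authenticating from more than one source IP in the window. The log line format, account names and IP addresses are constructed for the demonstration.

```python
"""Outbound throttling with admin alerting, driven by constructed SMTP
submission log lines. Added example: the log format, user names and IPs are
constructed and are not the output of SmarterMail, Exchange or Sniffer."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import re

# Constructed sample log (RFC 5737 documentation addresses). The burst from a
# second source IP at 19:00:12 models the compromised-account case.
SAMPLE_LOG = """\
2010-02-21T19:00:01 SUBMIT user=alice@example.edu ip=192.0.2.10 rcpts=2
2010-02-21T19:00:05 SUBMIT user=bob@example.edu ip=192.0.2.20 rcpts=1
2010-02-21T19:00:09 SUBMIT user=alice@example.edu ip=192.0.2.10 rcpts=3
2010-02-21T19:00:12 SUBMIT user=alice@example.edu ip=198.51.100.7 rcpts=45
2010-02-21T19:00:15 SUBMIT user=alice@example.edu ip=198.51.100.7 rcpts=60
2010-02-21T19:00:20 SUBMIT user=bob@example.edu ip=192.0.2.20 rcpts=2
2010-02-21T19:30:00 SUBMIT user=alice@example.edu ip=192.0.2.10 rcpts=1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) SUBMIT user=(?P<user>\S+) ip=(?P<ip>\S+) rcpts=(?P<rcpts>\d+)$")


@dataclass
class Policy:
    window: timedelta = timedelta(minutes=10)
    max_rcpts: int = 100   # recipients per account within the window
    max_ips: int = 1       # distinct authenticating IPs per account within the window


@dataclass
class AccountState:
    events: deque = field(default_factory=deque)   # (timestamp, ip, rcpts)
    throttled: bool = False


class OutboundThrottle:
    def __init__(self, policy=None):
        self.policy = policy or Policy()
        self.accounts = defaultdict(AccountState)
        self.alerts = []   # one alert per throttle transition, for the admin

    def observe(self, line):
        """Feed one submission; return 'ACCEPT', 'THROTTLE', or None if unparsable."""
        m = LINE_RE.match(line.strip())
        if not m:
            return None
        now = datetime.fromisoformat(m["ts"])
        st = self.accounts[m["user"]]
        # Drop events that fell out of the sliding window.
        while st.events and now - st.events[0][0] > self.policy.window:
            st.events.popleft()
        st.events.append((now, m["ip"], int(m["rcpts"])))

        rcpts = sum(e[2] for e in st.events)
        ips = {e[1] for e in st.events}
        reasons = []
        if rcpts > self.policy.max_rcpts:
            reasons.append("rcpt_rate")
        if len(ips) > self.policy.max_ips:
            reasons.append("distinct_ips")

        exceeded = bool(reasons)
        if exceeded and not st.throttled:
            # Alert once per incident, not once per message.
            self.alerts.append({"user": m["user"], "at": m["ts"],
                                "reasons": reasons, "rcpts": rcpts,
                                "ips": sorted(ips)})
        st.throttled = exceeded   # clears itself once the window drains
        return "THROTTLE" if exceeded else "ACCEPT"


def run_sample(policy=None):
    """Run the constructed log through the throttle; returns (decisions, alerts)."""
    t = OutboundThrottle(policy)
    decisions = [t.observe(l) for l in SAMPLE_LOG.splitlines() if l.strip()]
    return decisions, t.alerts


if __name__ == "__main__":
    decisions, alerts = run_sample()
    for line, d in zip(SAMPLE_LOG.splitlines(), decisions):
        print(d.ljust(8), line)
    for a in alerts:
        print("ALERT", a)
```

With the defaults, alice's first submission from the second IP trips the distinct-IP rule before the recipient count does, so the admin gets one alert while the account is still at 50 recipients; the account is throttled for the rest of the window and recovers on its own once the window drains, which is the behaviour Matt prefers over hard-blocking the mail on content.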
[sniffer] Re: New IMPROVED getRulebase.cmd script
Pete,

Have you considered using Rsync as the delivery mechanism for the downloads instead of CURL/WGET?
[sniffer] Re: ClamAID
As a correction to my previous post, both of the win32 builds, oss.netfarm.it and hideout.ath.cx, are actually ports from clamwin.com.

Thanks

-----Original Message-----
From: Message Sniffer Community [mailto:snif...@sortmonster.com] On Behalf Of Andy Schmidt
Sent: Friday, February 06, 2009 1:14 AM
To: Message Sniffer Community
Subject: [sniffer] Re: ClamAID

Hi,

http://oss.netfarm.it/clamav seems to be ideal. I just installed it.

a) runs as a Windows Service (using clamd --install)
b) has registry settings to point to db and conf subfolders
c) accepts trailing backslash

The only remaining issue with Declude is Declude's inability to extract the infected file name and virus name from the Reports.txt file - but that's really a problem with Declude's lack of parsing ability.

Gee - I wish Sniffer had a configuration option to tie into ClamD...

Best Regards,
Andy
[sniffer] Re: ClamAID
Hi

Just to add to the following topic. We've been bundling win32 builds of ClamD together with our product since the beginning and have some experience working with the win32 versions. These are my observations and thoughts:

1. http://w32.clamav.net/ has not been updated in quite a while and is rather outdated.

2. There are no official Win32 builds of ClamAV at the moment, but from what I understand/read the next release .95 will have a native official win build.

3. There are 3 popular updated win32 builds that include ClamD. One that runs in Cygwin (http://www.sosdg.org/clamav-win32) by Brielle Burns, and the other 2 native win32 builds available at http://hideout.ath.cx/clamav and http://oss.netfarm.it/clamav. If I am not mistaken both of these win32 builds were actually built from http://w32.clamav.net and then updated to the current versions.

The Sosdg build has been extremely solid, but sometime back Brielle mentioned that the project would be discontinued, but later decided to continue with the project. The only shortcoming is that if you have other Cygwin daemons/services running you might have issues if there are different versions of the cygwin1.dll in use. For what it's worth, SmarterMail uses this build.

Overall, I have not found a lot of difference in both the other 2 native win32 builds. And they appear to be updated fairly quickly and frequently. It's fairly straightforward to have ClamD running as a service, but the ClamD daemon (in my experience) has been known to crash once in a while and as such you will need to have a watchdog/recovery service monitor the daemon and restart it when necessary.

Cheers
-Matt

-----Original Message-----
From: Message Sniffer Community [mailto:snif...@sortmonster.com] On Behalf Of Andrew Wallo
Sent: Thursday, February 05, 2009 4:38 AM
To: Message Sniffer Community
Subject: [sniffer] Re: ClamAID

Sniffer Folks,

- ASchmidt...
<snip>
ClamAV's web site states that they won't [continue to support] and development has been stopped?
http://w32.clamav.net/
</snip>

Oddly, I would have bet hard cash that page didn't say that just a week ago. I went there just recently in order to affirm I had the same dated MSI as was on their site prior to release of ClamAID. Plus a live webinar I attended with ClamAV folks at the end of Dec personally reassured me that they intended to move forward on the Win updates. (Which is why that page out-and-out shocked me.) Never mind the fact that a lot of the emulation ports were dying off because the 'official' native win32 was easier to utilize.

However, all is not lost. If you read the ClamAV site... Nigel Horn has been recently promoted in their organization and it was his efforts that kept the Windows port alive. I've included a recent letter from him to the ClamAV win32 list below (just posted), which claims they will resume support at some (undefined) time in the future. Based on other expectations, probably not until after their main codebase rewrite releases in March of 09. Add deadline extensions etc. and you are probably well into fall. (Clearly too long to rely on an outdated engine.) But Nigel seems inclined to enable interested parties to push the ports independently.

Since the other two independent win32 ports do not include the clamd.exe port, Pete and I are in discussion about whether it will be more efficient to take on an ArmResearch port to win32, and throwing out the ClamAV MSI altogether. This would solve a lot of the ClamAID's complexity in fixing the install issues that come with the existing ClamAV MSI and it would get us an updated engine a lot sooner than is likely with the waiting list of upgrades from ClamAV.

We'll keep you posted.

Andrew Wallo

Folks,

I'm sorry that I've not been able to put time and effort into continuing the support of ClamAV on the Windows system. The ClamAV team intend to restart support for Windows as soon as we can.

In the meantime I am also aware that not much has been happening on the Powertools front. For those of you that don't know, the Powertools is a suite of programs that enhance the features of ClamAV under Windows.

* clamdService - a service to start clamd and freshclam
* clamAVShellExt - an extension to Windows Explorer to add the option to right-click any file/folder and have that file/folder scanned by ClamAV
* clamOffice - an extension to Microsoft Word to use ClamAV to scan for viruses when a document is opened
* clamAVaddin - an extension to Microsoft Office to use ClamAV to scan for viruses when an email is received.

Given that I'm aware that people use the above tools, I've uploaded the code to https://sourceforge.net/projects/clamav-power/. The sources are available under SVN, at https://clamav-power.svn.sourceforge.net/svnroot/clamav-power/.

-Nigel
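Matt's point at the top of this thread, that a win32 ClamD needs a watchdog because the daemon occasionally crashes, has a security dimension beyond uptime: while the scanner is down, the mail filter has to decide whether mail flows unscanned. The sketch below is an added example, not ClamAV's, ClamAID's or the Powertools' clamdService code. It probes clamd with the protocol's PING command on its default TCP port 3310, restarts the service when the probe fails, stops restart-looping after a budget of consecutive failures and raises an alert instead, and answers the filter's question with a fail-closed "TEMPFAIL" while the daemon is down. The Windows service name "ClamD" and the scripted probe results in `simulate()` are assumptions made for the demonstration.

```python
"""Watchdog for a clamd daemon: probe it over its TCP socket, restart it when
it stops answering, and refuse to let mail through unscanned while it is down.
Added example, not ClamAV's own tooling; the Windows service name "ClamD" is an
assumption, and the probe results used by simulate() are constructed."""
import socket
import subprocess


def clamd_ping(host="127.0.0.1", port=3310, timeout=3.0):
    """True if clamd answers the protocol's PING command with PONG.
    clamd accepts newline-terminated commands when they are prefixed with 'n'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"nPING\n")
            return s.recv(64).strip() == b"PONG"
    except OSError:
        return False


def restart_windows_service(name="ClamD"):
    """Restart a Windows service via sc.exe (the service name is an assumption)."""
    subprocess.run(["sc", "stop", name], check=False)
    subprocess.run(["sc", "start", name], check=True)


class Watchdog:
    """Restart the daemon on failed probes, but stop after max_restarts
    consecutive failures and alert instead of restart-looping forever."""

    def __init__(self, probe, restart, max_restarts=3):
        self.probe = probe
        self.restart = restart
        self.max_restarts = max_restarts
        self.restarts_since_healthy = 0
        self.healthy = False
        self.gave_up = False
        self.alerts = []

    def tick(self):
        """One supervision cycle; returns 'HEALTHY', 'RESTARTED' or 'GAVE_UP'."""
        if self.probe():
            self.healthy = True
            self.restarts_since_healthy = 0
            self.gave_up = False
            return "HEALTHY"
        self.healthy = False
        if self.restarts_since_healthy >= self.max_restarts:
            if not self.gave_up:          # alert once per outage, not per tick
                self.gave_up = True
                self.alerts.append(
                    f"clamd not responding after {self.max_restarts} restarts; "
                    "manual attention needed")
            return "GAVE_UP"
        self.restart()
        self.restarts_since_healthy += 1
        return "RESTARTED"

    def delivery_decision(self):
        """Fail closed: while the scanner is down, tempfail (4xx) the message
        so it is retried later rather than delivered unscanned."""
        return "SCAN" if self.healthy else "TEMPFAIL"


def simulate(results=(True, False, True, False, False, False, False)):
    """Drive the watchdog with a constructed sequence of probe outcomes.
    Returns (tick outcomes, restart count, alerts, current delivery decision)."""
    it = iter(results)
    restarts = []
    wd = Watchdog(probe=lambda: next(it), restart=lambda: restarts.append(1))
    outcomes = [wd.tick() for _ in results]
    return outcomes, len(restarts), wd.alerts, wd.delivery_decision()


if __name__ == "__main__":
    # Against a live daemon you would pair the real probe and restart hooks:
    # Watchdog(lambda: clamd_ping(), lambda: restart_windows_service("ClamD"))
    print(simulate())
```

The budget resets on the first healthy probe, so a single crash costs one restart, while a daemon that cannot stay up gets three attempts and then a single alert; in both cases `delivery_decision()` tells the calling filter to defer rather than pass mail unscanned.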
[sniffer] Re: Sniffer Helper App?
I will have to second this. I've moved off Imail to other Windows based Email servers (MailEnable and Smartermail) and have had no regrets. If you are looking to block based on countries you can still use the Reverse DNSBLs that are country specific. However, this will only work well if you selectively block a few countries, because if you have a long list of countries to block it would add to your overall processing time.

Cheers
-Matt

From: Message Sniffer Community [mailto:[EMAIL PROTECTED]] On Behalf Of David Moore
Sent: Wednesday, July 02, 2008 7:03 AM
To: Message Sniffer Community
Subject: [sniffer] Re: Sniffer Helper App?

I MOVED FROM Imail 8 to SmarterMail 4.3 and then 5.1, best thing I ever did (the cost of an Imail maintenance contract for Enterprise unlimited users / domains). SmarterMail has grey listing built in so 90-95% spam gets killed at source; the other spam is handled out of the box by SpamAssassin. I do have mXGuard and Sniffer full licences but as yet I haven't had to enable them (mainly because I have only just installed SmarterMail v5.1).

Regards
David Moore [EMAIL PROTECTED]
J.P. MCP, MCSE, MCSE + INTERNET, CNE.
www.adsldirect.com.au for ADSL and Internet
www.romtech.com.au for PC sales
Office Phone: (+612) 9453 1990
Fax Phone: (+612) 9453 1880
Mobile Phone: +614 18 282 648
Skype Phone: ADSLDIRECT
POSTAL ADDRESS: PO BOX 190 BELROSE NSW 2085 AUSTRALIA.

This email message is only intended for the addressee(s) and contains information that may be confidential, legally privileged and/or copyright. If you are not the intended recipient please notify the sender by reply email and immediately delete this email. Use, disclosure or reproduction of this email, or taking any action in reliance on its contents by anyone other than the intended recipient(s) is strictly prohibited. No representation is made that this email or any attachments are free of viruses. Virus scanning is recommended and is the responsibility of the recipient.

From: Message Sniffer Community [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Guluk
Sent: Wednesday, 2 July 2008 5:18 AM
To: Message Sniffer Community
Subject: [sniffer] Sniffer Helper App?

Hello,

I run iMail 9.0 and would like a program that can do GeoIP to screen foreign countries before they even get to iMail. I used to use MXGuard (still have an active license) but my server could not handle the CPU draw. I moved to eWall, which really has some great potential as it is a nice light gateway client that works with Sniffer, but it also crashes and has a few other problems (this program also introduced me to GeoIP).

Any other suggestions, as I am beat after trying to get some decent spam relief as well as relief from an aging server? My server is an AMD 2.0 with Raid and 2 gigs of Ram. It's fared well over the last couple years but the spam levels ramping up are starting to take their toll and I don't want to move to a new server just yet.

eWall's got me spoiled on the GeoIP feature where it polls a DB for country info based on the incoming IP and can delete emails before they reach iMail.

Any suggestions on what I should consider to help with spam and also use Sniffer? Is Declude worthwhile? Some other light gateway like eWall?

Thanks in advance for any suggestions,

Steve Guluk
SGDesign
(949) 661-9333
ICQ: 7230769
[sniffer] Re: Backscatter Spam
Interesting idea, but BATV appears to be something that you would need to run at the MTA level (i.e. the mail server would need to support the functionality) because it rewrites the return address on outgoing emails.

On a side note, I have noticed a significant drop in backscatter when SPF is implemented for the particular domain. Most of the backscatter appears to come from valid antispam appliances like the Barracuda boxes, which would normally use SPF. These devices perform the SPF test during the SMTP connection and reject it immediately as opposed to bouncing the message back. So the SPF does help.

-Matt

From: Message Sniffer Community [mailto:[EMAIL PROTECTED]] On Behalf Of Matthew J. Grim
Sent: Sunday, June 29, 2008 1:25 AM
To: Message Sniffer Community
Subject: [sniffer] Re: Backscatter Spam

As an aside, Mdaemon has an excellent backscatter prevention system. They appear to be using BATV (http://en.wikipedia.org/wiki/Bounce_Address_Tag_Validation), an internet draft at the moment.

Matt in Tampa
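Matt's point that BATV has to live in the MTA is exactly because of what the two halves of the scheme do: the outbound side rewrites MAIL FROM into a signed, expiring form, and the inbound side checks that signature on anything arriving with a null sender, so a bounce for a message you never sent is refused at the SMTP boundary. The following is an added example, not MDaemon's, Sniffer's or any MTA's code. The `prvs=<keyver><expiry day><6 hex sig>=<original address>` layout follows the BATV draft's "prvs" tag; the HMAC input layout, the signing key and the addresses are constructed for illustration.

```python
"""BATV-style bounce address tagging: sign the envelope sender on the way out,
verify it on bounces coming back. Added example, not MDaemon's or Sniffer's
code; the tag layout prvs=<keyver><expiry-day><6 hex sig>=<orig-address>
follows the BATV draft's "prvs" scheme, while the HMAC input layout, key and
addresses here are constructed for illustration."""
import hashlib
import hmac
import re
from datetime import date

TAG_RE = re.compile(
    r"^prvs=(?P<ver>\d)(?P<day>\d{3})(?P<sig>[0-9a-fA-F]{6})=(?P<orig>[^=]+@[^=]+)$")

# Constructed signing keys, indexed by the one-digit key version in the tag.
KEYS = {0: b"constructed-batv-key-v0"}


def _days(d):
    """Days since the Unix epoch; the tag stores this modulo 1000."""
    return (d - date(1970, 1, 1)).days


def _sig(key, ver, day, orig):
    """6-hex-char HMAC-SHA1 over key version, expiry day and original address."""
    msg = f"{ver}{day:03d}{orig.lower()}".encode()
    return hmac.new(key, msg, hashlib.sha1).hexdigest()[:6]


def batv_sign(orig, today, key_version=0, lifetime_days=7):
    """Rewrite an outbound MAIL FROM address into its prvs-tagged form."""
    local, domain = orig.rsplit("@", 1)
    day = (_days(today) + lifetime_days) % 1000
    sig = _sig(KEYS[key_version], key_version, day, orig)
    return f"prvs={key_version}{day:03d}{sig}={local}@{domain}"


def batv_verify(rcpt, today, lifetime_days=7):
    """Decide what to do with a bounce (MAIL FROM:<>) addressed to rcpt.
    Returns (verdict, original_address)."""
    m = TAG_RE.match(rcpt)
    if not m:
        # This domain never sends untagged, so a DSN to a bare address is backscatter.
        return "REJECT_UNTAGGED", rcpt
    ver, day, sig, orig = int(m["ver"]), int(m["day"]), m["sig"].lower(), m["orig"]
    key = KEYS.get(ver)
    if key is None:
        return "REJECT_UNKNOWN_KEY", orig
    if not hmac.compare_digest(_sig(key, ver, day, orig), sig):
        return "REJECT_BAD_SIG", orig
    # The expiry day lives in a 1000-day ring; a valid tag expires 0..lifetime days ahead.
    if (day - _days(today)) % 1000 > lifetime_days:
        return "REJECT_EXPIRED", orig
    return "ACCEPT", orig


def demo():
    """Sign one address and run the bounce-side checks a gateway would apply."""
    sent_on = date(2008, 6, 29)
    tagged = batv_sign("alice@example.edu", sent_on)
    # Flip the first signature character (index 9, right after "prvs=" + 4 digits).
    flipped = "0" if tagged[9] != "0" else "1"
    tampered = tagged[:9] + flipped + tagged[10:]
    return {
        "tagged": tagged,
        "fresh": batv_verify(tagged, sent_on),
        "late": batv_verify(tagged, date(2008, 7, 10)),       # 11 days later
        "untagged": batv_verify("alice@example.edu", sent_on),
        "tampered": batv_verify(tampered, sent_on),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:9s} {v}")
```

The verify side only ever sees the recipient of a null-sender message, which is why it belongs in the MTA's RCPT TO handling rather than in a post-delivery filter: legitimate DSNs carry a valid, unexpired tag and are accepted, while bounces to the bare address (the backscatter case), forged tags and stale tags are refused with a 5xx before the body is transferred.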
[sniffer] Backscatter Spam
Of late I have noticed a large increase in backscatter. Is anyone else running into issues with these? Some of these get caught by Sniffer but the bulk of it also makes it through.