[sniffer] Alligate and Sniffer again

2016-01-18 Thread Bonno Bloksma
Hi,

I need to set up a spam filter server again so once again I will probably go 
with Alligate plus sniffer.
Is that still a viable combination? I have not been following the news these 
past 3-4 years when we had another solution in place.

On the Alligate site I still see Windows 2008 server as the highest recommended 
version, but we are up to Windows 2012 R2 now, it is my recommended OS for a 
new Windows server. Alligate still lists Windows 2000 and XP as a possible 
platform, I would not want to run anything on that today. Is Alligate still 
being supported as a basis platform for Sniffer?

If not, what would be a good platform for a sniffer spam filter server?
Although I have some experience with (Debian) Linux servers I would rather not use 
that as I am the only one here with enough experience to know what I am doing, 
and not even that with Linux mailservers. So I would rather run Sniffer on a 
Windows platform.


With kind regards,
Bonno Bloksma
system manager

tio
university of applied sciences
julianalaan 9 / 7553 ab  hengelo / the netherlands
t +31 (0)74-255 06 10
b.blok...@tio.nl / www.tio.nl



[sniffer] Re: [Alligate]Alligate and Sniffer again (NL)

2016-01-18 Thread Bonno Bloksma
Hi,

Ok, downloaded Alligate trial, installed it on a 2012 R2 server.
Made a local dns "server" (resolver) on the machine but I am not sure if I need 
it now that we can use the Google dns server by default.

How do I hook up Sniffer? I used to have Declude (and IMail) and had Sniffer 
connected that way, I now need to connect sniffer into Alligate.
I cannot find anything in the Alligate Docs I downloaded.

p.s. It seems there is still some support for Alligate, I noticed a recent 
update in the "Alligate V3 updates" zip file. But everything else seems to 
point to 2014 as the last time something was actively done.
Even the documentation lists nothing after 2014 and still talks about special 
settings for the (local) dns server on a Windows 2013 server.

With kind regards,
Bonno Bloksma
system manager

tio
university of applied sciences
julianalaan 9 / 7553 ab  hengelo / the netherlands
t +31 (0)74-255 06 10
b.blok...@tio.nl / www.tio.nl

From: discussion-ow...@alligate.com [mailto:discussion-ow...@alligate.com] 
On behalf of Bonno Bloksma
Sent: Sunday 17 January 2016 22:54
To: discuss...@alligate.com; sniffer@sortmonster.com
Subject: [Alligate]Alligate and Sniffer again (NL)

Hi,

I need to set up a spam filter server again so once again I will probably go 
with Alligate plus sniffer.
Is that still a viable combination? I have not been following the news these 
past 3-4 years when we had another solution in place.

On the Alligate site I still see Windows 2008 server as the highest recommended 
version, but we are up to Windows 2012 R2 now, it is my recommended OS for a 
new Windows server. Alligate still lists Windows 2000 and XP as a possible 
platform, I would not want to run anything on that today. Is Alligate still 
being supported as a basis platform for Sniffer?

If not, what would be a good platform for a sniffer spam filter server?
Although I have some experience with (Debian) Linux servers I would rather not use 
that as I am the only one here with enough experience to know what I am doing, 
and not even that with Linux mailservers. So I would rather run Sniffer on a 
Windows platform.


With kind regards,
Bonno Bloksma
system manager

tio
university of applied sciences
julianalaan 9 / 7553 ab  hengelo / the netherlands
t +31 (0)74-255 06 10
b.blok...@tio.nl / www.tio.nl



[sniffer] Re: What is your oldest production CPU?

2013-12-27 Thread Bonno Bloksma
Hi Pete,

> Hello Sniffer Folks,
>
> We would like to know what your oldest production CPU is.

Oldest production (mail) server is a HP Proliant DL380 G6 with a Xeon E5530 
quad cpu

With kind regards,
Bonno Bloksma
Senior system engineer

tio university of applied sciences
julianalaan 9 / 7553 ab  hengelo / the netherlands


#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
This list is for discussing Message Sniffer,
Anti-spam, Anti-Malware, and related email topics.
For More information see http://www.armresearch.com
To unsubscribe, E-mail to: sniffer-...@sortmonster.com
To switch to the DIGEST mode, E-mail to sniffer-dig...@sortmonster.com
To switch to the INDEX mode, E-mail to sniffer-in...@sortmonster.com
Send administrative queries to  sniffer-requ...@sortmonster.com



[sniffer] Re: IPv6

2011-03-11 Thread Bonno Bloksma
Hi,

I remember reading somewhere research was being done about ipv6 block lists
using the fact that the same /64 net would probably be the same machine or
very near it. Pretty much what we now block when we list an ipv4 NATted
gateway to a private network which houses an infected PC.

Unfortunately I cannot find the reference to that article anymore, I thought
I had it bookmarked. :-(

Yours sincerely,
Bonno Bloksma
senior system administrator

tio 
university of applied sciences for hospitality and tourism
julianalaan 9 / 7553 ab hengelo 
netherlands
t +31-74-255 06 10 / f +31-74-255 06 11 
b.blok...@tio.nl  / www.tio.nl 


-----Original message-----
From: Message Sniffer Community [mailto:sniffer@sortmonster.com] On behalf of
Peer-to-Peer (Support)
Sent: Friday 11 March 2011 14:25
To: Message Sniffer Community
Subject: [sniffer] IPv6


Hi everyone,

I've been thinking about the potential risk IPv6 will have on filtering
spam.  I suspect RBLs (real time blacklists) may become obsolete once IPv6
arrives...?

From what I've learned, IPv6 has 340 undecillion (1 followed by 36 zeros) IP
addresses.  And devices can refresh every 24 hours.  IPv4 only has 4.3
billion IP addresses.


Pete: Grab a cup of coffee.  The botnets are coming...



--Paul
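
The /64 idea mentioned in the reply above, as an added sketch that is not part of the original thread and not code from Message Sniffer: each source address is reduced to a list key (the full address for IPv4, the enclosing /64 for IPv6), so a sender that rotates addresses inside one /64 keeps hitting the same entry. The function names, the listing threshold and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample: source addresses of messages already judged to be spam.
# 2001:db8::/32 and 192.0.2.0/24 are documentation-only ranges.
SAMPLE_SPAM_SOURCES = [
    "2001:db8:1:2::10",
    "2001:db8:1:2:aaaa:bbbb:cccc:dddd",  # same /64, different interface ID
    "2001:db8:1:3::1",                   # a neighbouring /64, seen only once
    "192.0.2.7",
    "::ffff:192.0.2.7",                  # IPv4-mapped form of the same IPv4 host
]


def list_key(addr):
    """Reduce an address to the network a block list would key on.

    IPv4 is kept as a /32 (one address, possibly a NAT gateway hiding many
    machines). IPv6 is widened to its /64, on the assumption that one /64 is
    one machine or one site. IPv4-mapped IPv6 addresses are unwrapped first so
    they cannot be used to dodge an existing IPv4 entry.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    prefix = 32 if ip.version == 4 else 64
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def build_blocklist(spam_sources, threshold=2):
    """List every key seen at least `threshold` times (threshold is an assumption)."""
    counts = Counter(list_key(a) for a in spam_sources)
    return {net for net, seen in counts.items() if seen >= threshold}


def is_listed(addr, blocklist):
    """True when the address falls under a listed key."""
    return list_key(addr) in blocklist


if __name__ == "__main__":
    blocklist = build_blocklist(SAMPLE_SPAM_SOURCES)
    for probe in ["2001:db8:1:2:1234:5678:9abc:def0",  # fresh address, listed /64
                  "2001:db8:1:3::99",                  # /64 below the threshold
                  "192.0.2.8"]:                        # different IPv4 host
        print(probe, "listed" if is_listed(probe, blocklist) else "not listed")
```
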







[sniffer] Re: Bad Rule Event

2010-12-16 Thread Bonno Bloksma
Hi Pete,

> Hello Sniffer Folks,
>
> We have had a bad rule event.
> The bad rules were created near 0830E, and removed by 1030E.
[...]

Regarding this event... A while ago we talked about sniffer installations 
exchanging rule-panic info via the GBUdb sync info as that is happening every 
(few) minute(s) instead of every few hours.
Any idea when a new version of Sniffer with that feature will be launched?

Yours sincerely,
Bonno Bloksma
senior system administrator

tio 

university of applied sciences for hospitality and tourism 
julianalaan 9 / 7553 ab hengelo 
netherlands 
t +31-74-255 06 10 / f +31-74-255 06 11 

b.blok...@tio.nl  / www.tio.nl 




[sniffer] how to handle on rule panick?

2009-11-23 Thread Bonno Bloksma
Hi,

It seems the documentation on how to handle a rule panic in the Wiki is not 
complete, to put it mildly. :-(
In my opinion it gives just enough information to frustrate the user into 
finding PROBABLY the right place to enter the information but then leaves 
him/her hanging.

I had several mails caught these past few days (I am not a full time 
postmaster) and reported the FP mails to sniffer. But I want to disable a rule 
until I hear back from them. So I went to the wiki and...

Sniffer site, rule panic
http://kb.armresearch.com/index.php?title=Message_Sniffer.FAQ.FalsePositives#RulePanic
[...]
2. Create a rule-panic entry in your .cfg file - this will temporarily 
deactivate the rule. 

But how???
In my Sniffer directory there is no .CFG file. Clicking on the .cfg file link 
also is misleading it seems. I have no LicenseId.cfg file. I do have an 
identity.xml file with my license in it.

Should I edit my snf_engine.xml file?
Probably.

What should I edit/enter?
At this point there is no documentation I was able to find which would help me 
solve this problem.

Grepping some more (grep panic *.xml) I finally found I indeed had to enter a 
line in the snf_server.xml file, and Oh yeah, don't add a line to the sample 
lines as they are in a comment box. ;-)
All in all I did find it I think but... mostly without using the 
documentation.

It seems the Wiki is out of date, it probably describes an older Sniffer 
version. It should either describe the current version or report the 
differences for each version.

With kind regards,
Bonno Bloksma
senior system administrator

tio

university of applied sciences for hospitality and tourism
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20

b.blok...@tio.nl  / www.tio.nl 




[sniffer] Re: how to handle on rule panick?

2009-11-23 Thread Bonno Bloksma
Hi Pete,

Maybe you need to do something about the default sortmonster pages as well.

When I go to http://www.sortmonster.com/MessageSniffer/ the Wiki link points to 
Sniffer v2 documentation.
You probably need to make two links there, one to the new documentation and 
explicitly state that the Wiki is the v2 documentation. That was my second 
attempt when at first a google search for sniffer and rule panic brought me to 
the v2 wiki docs.


With kind regards,
Bonno Bloksma
senior system administrator

tio

university of applied sciences for hospitality and tourism
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20

b.blok...@tio.nl  / www.tio.nl


----- Original Message -----
  From: Pete McNeil 
  To: Message Sniffer Community 
  Sent: Monday, November 23, 2009 4:30 PM
  Subject: [sniffer] Re: how to handle on rule panick?


  Bonno Bloksma wrote:

  <snip/>

  > It seems the Wiki is out of date, it probably describes an older 
  > Sniffer version. It should either describe the current version or 
  > report the differences for each version.

  Very sorry for your frustration. You are correct the page is out of 
  date. I have posted a note at the top of the page indicating this and 
  providing a link to the correct current page.

  Best,

  _M





[sniffer] panic rule information

2009-09-09 Thread Bonno Bloksma
Hi Pete/community,

If I understand things correctly then the detection of a panic rule is local 
to the system. So a few systems may have enough traffic to see that a rule is 
acting wrong and assume a panic for that rule. According to the Wiki that 
information is sent automatically to the folks at armresearch, but...
As far as I know there is yet no mechanism to get that information 
automatically to the Sniffer community. 

Might it be a good idea to propagate rule panic info via the GBUdb mechanism? 
As far as I understand information gets updated and transmitted a lot faster 
than rulebase updates.


With kind regards,
Bonno Bloksma
senior system administrator

tio

university of applied sciences for hospitality and tourism
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20

b.blok...@tio.nl  / www.tio.nl 




[sniffer] how did I run as service?

2009-06-25 Thread Bonno Bloksma
Hi,

Using IMail 9.23 and Declude 4.x on a Windows 2003 server with Sniffer.

A little while after version 3 was released I upgraded and followed the 
instructions on the site to get the sniffer service running as a service. 
After that upgraded to the version that used curl instead of wget to get the 
rulebase.
Now I want to upgrade to the latest version but...

Does the installer detect how I'm running sniffer as a service?
I cannot find the instructions I once followed to get it up and running. So I 
have no idea which tool I used to get the service running. :-(

With kind regards,
Bonno Bloksma
senior system administrator

tio

university of applied sciences for hospitality and tourism
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20

b.blok...@tio.nl  / www.tio.nl 




[sniffer] Re: New IMPROVED getRulebase.cmd script

2009-03-12 Thread Bonno Bloksma
Hi Pete,

I get what you said. But:
 I'm nowhere near your timezone, I'm at GMT+1 or +2. So should there not have 
been a problem long before where my system would see older files at your system 
several times a day when in fact there would be a newer one?
Does that mean my system has been getting only two or three updates a day where 
it should have gotten over a dozen?

I've switched to curl so everything should work ok by now. According to my logs 
I'm getting a new rulebase about every hour.



With kind regards,
Bonno Bloksma
senior system administrator

tio

university of applied sciences for hospitality and tourism
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20

b.blok...@tio.nl  / www.tio.nl


----- Original Message -----
  From: Pete McNeil 
  To: Message Sniffer Community 
  Sent: Wednesday, March 11, 2009 1:57 PM
  Subject: [sniffer] Re: New IMPROVED getRulebase.cmd script


  Bonno Bloksma wrote:
  > Why does this problem start just now with a DST shift somewhere? I'm 
  > nowhere near your timezone (GMT+1 or +2) so should there not have been a 
  > problem long before where my system would see older files at your system 
  > several times a day when in fact there would be a newer one? Does that mean my 
  > system has been getting only two or three updates a day where it should have 
  > gotten over a dozen?
  > Unfortunately I disabled logging a while ago when everything seemed to run 
  > smoothly. :-(
  >
  > Someone to your west would have seen a new rulebase every time they checked 
  > no matter what DST.
  > Or is it just that you finally noticed it due to the DST shift?

  The reason DST is an issue is because the previous wget based script stamps 
the downloaded rulebase with the local clock instead of the timestamp that came 
with the file from the delivery server. As a result the timestamps might not 
agree.

  The recent change in the start of DST in the US is not reflected everywhere 
AND some locations use different DST start dates. The result of this is that 
when using the old script the local timestamp created using the local clock is 
likely to be behind the delivery server's timestamp by an hour.

  The new update-script mechanism in SNFServer compares the local file's 
timestamp to the timestamp reported by the delivery server once every minute.

  When the local timestamp is used and the local time is behind the clock on 
the delivery server then the freshly downloaded rulebase file _appears_ to be 
an hour old and this does not change no matter how many times the file is 
downloaded.

  Before DST the local clock and the delivery server's clock would generally 
agree and so there was no problem.

  Hope this helps,

  _M
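
The failure mode explained in the quoted reply above, as an added simulation that is not part of the original thread and not code from Message Sniffer or its scripts: the update check fetches whenever the delivery server's timestamp is newer than the local file's, so a file stamped from a local clock that is an hour behind looks stale immediately after every download. It also covers the opposite case, a stamp that is ahead of the server. The function names, posting schedule and start time are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

PACING = timedelta(minutes=55)      # a new rulebase is posted this often (constructed)
CHECK_EVERY = timedelta(minutes=1)  # the update check runs once per minute
START = datetime(2009, 3, 10, 12, 0, tzinfo=timezone.utc)  # constructed start time


def latest_posting(now):
    """Timestamp of the newest rulebase on the delivery server at time `now`."""
    return START + PACING * ((now - START) // PACING)


def simulate(stamp_offset, keep_server_time, duration=timedelta(hours=3)):
    """Run the once-a-minute update check and return (downloads, distinct rulebases).

    stamp_offset     -- how far a local-clock stamp is from the server's notion
                        of time (negative means the local stamp is behind)
    keep_server_time -- True models a download that preserves the server's
                        timestamp on the file (curl offers --remote-time for
                        this); False models stamping with the local clock
    """
    local_mtime = START - PACING          # the client starts one posting behind
    downloads = 0
    fetched = set()
    now = START + CHECK_EVERY
    while now <= START + duration:
        server_mtime = latest_posting(now)
        if server_mtime > local_mtime:    # the update check itself
            downloads += 1
            fetched.add(server_mtime)
            # The timestamp the downloaded file ends up with:
            local_mtime = server_mtime if keep_server_time else now + stamp_offset
        now += CHECK_EVERY
    return downloads, len(fetched)


if __name__ == "__main__":
    hour = timedelta(hours=1)
    cases = [
        ("local stamp, clocks agree", timedelta(0), False),
        ("local stamp, 1 hour behind", -hour, False),
        ("server stamp kept, 1 hour behind", -hour, True),
        ("local stamp, 6 hours ahead", 6 * hour, False),
    ]
    for label, offset, keep in cases:
        downloads, distinct = simulate(offset, keep)
        print(f"{label:34s} downloads={downloads:3d} distinct rulebases={distinct}")
```

Over three simulated hours the server posts four rulebases: a stamp that is an hour behind triggers a download on every one of the 180 checks, a stamp that is six hours ahead fetches once and then misses the next three postings, and keeping the server's timestamp gives exactly four downloads whatever the local clock says.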



[sniffer] Re: New IMPROVED getRulebase.cmd script

2009-03-12 Thread Bonno Bloksma
Hi Pete,

In your first mail about this problem you wrote:
> There has long been a bug in the getRulebase script using wget which 
> causes the rulebase file that is downloaded to have the local system's 
> timestamp. Under normal circumstances this does not cause a problem 
> because most system clocks are synchronized and the local timestamp is 
> generally newer than the timestamp of the rulebase file on our servers.

What I was getting at:
If the rulebase with the old wget software were to get a local timestamp on my 
server when downloaded, mine would always be far into the future from your 
original as my server is at GMT+1 or +2 during DST.
So if your server is at GMT-5 my rulebase would get a timestamp of the original 
+6 hours. So it would then NOT download another rulebase for the next 6 hours 
as every new rulebase would still be in its past.

Or should wget have compensated for timezones as should curl? Because my 
rulebase files on my server seem to have a local timestamp.
However, this is where we probably get beyond my techlevel.
Does Windows always use UTC internally and then calculate the local time when 
displaying the timestamp for a file?
Is that what I'm missing? Because I think I've read that somewhere about 
problems with timestamps on FAT and NTFS.

With kind regards,
Bonno Bloksma
senior system administrator

tio

university of applied sciences for hospitality and tourism
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20

b.blok...@tio.nl  / www.tio.nl


----- Original Message -----
  From: Pete McNeil 
  To: Message Sniffer Community 
  Sent: Thursday, March 12, 2009 3:33 PM
  Subject: [sniffer] Re: New IMPROVED getRulebase.cmd script


  Bonno Bloksma wrote:
  > Hi Pete,
  >
  > I get what you said. But:
  > I'm nowhere near your timezone, I'm at GMT+1 or +2. So should there not 
  > have been a problem long before where my system would see older files at your 
  > system several times a day when in fact there would be a newer one?
  > Does that mean my system has been getting only two or three updates a day 
  > where it should have gotten over a dozen?

  If two systems agree on the time, and then only one of them advances their 
clock by an hour the two clocks will still be different. Anyway - we've learned 
more since then (below)



  > I've switched to curl so everything should work ok by now. According to my 
  > logs I'm getting a new rulebase about every hour.

  Once per hour is just about right. 
  Pacing is currently set to 55 minutes.

  ---

  More that has been learned (technical stuff) and a story (skip if you like, 
but some might find this interesting):

  Yesterday while working on this problem and testing on one of our inbound 
spamtrap processors I noticed that things still weren't quite right. This 
discovery led me to break a paradigm in my thinking and begin to see another 
problem (perhaps the key problem). 

  Paradigm: I had been very focused on the one hour time difference, DST, and 
the obvious coincidence with the DST storm -- Our countermeasures at the 
server and deployment of the new getRulebase script had essentially mitigated 
the problem... so I was expecting everything to work fine.

  Having loaded the new getRulebase script on the system I was monitoring it 
didn't make sense that there was still a problem. Even worse, the telemetry was 
showing timestamps that were close, but off by a few minutes -- as if the 
server had picked up the time shifted file instead of the original posting... 
but that didn't make sense. I wondered if something else was going on and so I 
loaded up the UTC as a reference:

  http://www.worldtimeserver.com/current_time_in_UTC.aspx

  To my wonder and amazement the telemetry I was looking at showed the UTC 
reference for the rulebase on the server in the future by one hour! That can't 
be right, I said to myself, and then I checked the timestamp again on the 
delivery server. I rechecked the math and sure enough the timestamp on the 
delivery server was correct! I hate a mystery.

  I went to the main SYNC server to see if something had happened to it -- Why 
would it report the file's timestamp in the future when the timestamp on the 
file system is correct? We hadn't made any changes to the software. The only 
thing that had happened was DST.

  I made my priority getting the reported timestamp correct, and I made the 
assumption that there might be some obscure DST bug in this version of RedHat 
or one of the libraries that I would solve later. I began looking for a way to 
tweak the SYNC server code to adjust the time stamp before reporting it when 
these conditions were detected... A way to work around the bug. I would fix the 
bug later.

  Of course, to do this tweak I would need to find a way to detect the 
condition so I started to look for ways to do that reliably. I know it's a 
funny notion -- looking for a reliable way to leverage a system that you have 
already determined is unreliable... but that is the nature of what we

[sniffer] Re: New IMPROVED getRulebase.cmd script

2009-03-11 Thread Bonno Bloksma
Hi,

First one comment about the script.
Just before the CLEANUP label the lck file is deleted. Right after that it is 
deleted again in the CLEANUP section.
The first can safely be removed.

Second,
Why does this problem start just now with a DST shift somewhere? I'm nowhere 
near your timezone (GMT+1 or +2) so should there not have been a problem long 
before where my system would see older files at your system several times a day 
when in fact there would be a newer one? Does that mean my system has been 
getting only two or three updates a day where it should have gotten over a 
dozen?
Unfortunately I disabled logging a while ago when everything seemed to run 
smoothly. :-(

Someone to your west would have seen a new rulebase every time they checked no 
matter what DST.
Or is it just that you finally noticed it due to the DST shift?

With kind regards,
Bonno Bloksma
senior system administrator

tio

university of applied sciences for hospitality and tourism
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20

b.blok...@tio.nl  / www.tio.nl


----- Original Message -----
  From: Pete McNeil 
  To: Message Sniffer Community 
  Sent: Tuesday, March 10, 2009 2:40 PM
  Subject: [sniffer] New IMPROVED getRulebase.cmd script


  Hello Sniffer Folks,

  At the following link you will find a zip file containing the open 
  source CURL utility and an updated version of the new getRulebase.cmd 
  script. The old getRulebase.zip file has been replaced with the new one 
  in the same location (you may want to clear your browser cache if you 
  downloaded the previous version):

  http://www.armresearch.com/message-sniffer/download/CURL-getRulebase.zip

  The new getRulebase.cmd script produces a getRulebase.txt file each time 
  it is run so that you can see what happened.

  No errors are reported to the screen. If there are errors they will show 
  up in the getRulebase.txt file.

  There is a comment at the bottom of the script where you can add a line 
  to email the getRulebase.txt file to yourself if you want to have the 
  script inform you each time it runs.

  _M





[sniffer] files in the Sniffer dir

2009-01-04 Thread Bonno Bloksma
Hi,

I was wondering about something and could not find info about it on the Sniffer 
documentation page.

I have several files in my sniffer directory with a date of today. Logfiles, 
rulebases etc.
The next most recent files are my GBUdbIgnoreList.txt getrulebase.cmd, etc. 
which I have made changes to.

But there are at least three strange files with no filename part: .handshake, 
.state, and .tmp of which the .handshake has a date of today but the other two 
are of July 2008 (around my installation date for sniffer 3)
What are those three files for and should those dates indeed be that old?



With kind regards,
Bonno Bloksma
head of system administration
tio
university of applied sciences for hospitality and tourism
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
b.blok...@tio.nl  / www.tio.nl




[sniffer] upgraded to 3.0

2008-07-18 Thread Bonno Bloksma
Hi,

Well I did it, upgraded to 3.0 as well. The automatic rule panic feature and 
all the other stuff seemed a good idea. :-)
Setting it up turned out to be straightforward, just follow the instructions. 
Ran into just 2 things and one question.

1)
Forgot to set correct path to identity file, was set to a nonexisting path. 
Started server.
-start screenshot--
C:\IMail\declude\Sniffer3>c:\IMail\declude\Sniffer3\SNFServer3.0.exe c:\IMail\declude\Sniffer3\snf_engine.xml
SNF Server Version 3.0 Build: Jun 26 2008 13:25:19
SNFMulti Engine Version 3.0 Build: Jun 26 2008 13:25:06
Launching with c:\IMail\declude\Sniffer3\snf_engine.xml
Unhandled Exception: snf_LoadNewRulebase() Zero length SecurityKey Thrown!
-end screenshot--
Should have said something like error in path to identity file

2)
On page
http://www.armresearch.com/support/articles/software/snfServer/core.jsp
resultcode 63 is still listed as Received IPs from spamtraps  research. instead 
of Black..

Question:
Is there still a log file for me to ZIP every night or is all logging now at 
ARM research?

p.s. Aren't we at version 3.01? This one I just downloaded still reports 3.0 as 
its version. Or was that just the *nix version?



With kind regards,
Bonno Bloksma
head of system administration
tio

university of applied sciences for hospitality and tourism

begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED]  / www.tio.nl




[sniffer] Re: Integration with Mailenable - Domain Keys

2007-03-19 Thread Bonno Bloksma
Hi,

ErrorLevel is a variable as of Windows 2000 so:

call "C:\Program Files\FSI\F-Prot\fpcmd.exe" -silent -auto -ai -archive -saferemove -disinf -del -append -report=C:\SmarterMail\logs\virusscan.log %1
Set ERR=%ErrorLevel%
IF %ERR% EQU 0 GOTO CLEAN
@REM echo Virus scanned by F-Prot (%ERR%) viruses found %1
MOVE /Y %1 C:\SmarterMail\Viruses
GOTO END
:CLEAN
@REM echo Virus scanned by F-Prot (%ERR%) viruses found  %1
:END

Would work as well, just not on NT4 or lower.


With kind regards,
Bonno Bloksma
head of system administration

tio university of applied sciences for hotel management and tourism
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED]  / www.tio.nl

  ----- Original Message -----
  From: Jay Sudowski - Handy Networks LLC 
  To: Message Sniffer Community 
  Sent: Sunday, March 18, 2007 1:36 AM
  Subject: [sniffer] Re: Integration with Mailenable - Domain Keys


  I really don't see why it wouldn't be possible to do.  Here is the script 
that's used for f-prot:

  -
  SET ERR=0
  call "C:\Program Files\FSI\F-Prot\fpcmd.exe" -silent -auto -ai -archive -saferemove -disinf -del -append -report=C:\SmarterMail\logs\virusscan.log %1
  IF NOT ERRORLEVEL 1 GOTO CLEAN
  IF ERRORLEVEL 1 SET ERR=1
  IF ERRORLEVEL 2 SET ERR=2
  IF ERRORLEVEL 3 SET ERR=3
  IF ERRORLEVEL 4 SET ERR=4
  IF ERRORLEVEL 5 SET ERR=5
  IF ERRORLEVEL 6 SET ERR=6
  @REM echo Virus scanned by F-Prot (%ERR%) viruses found %1
  MOVE /Y %1 C:\SmarterMail\Viruses
  GOTO END
  :CLEAN
  @REM echo Virus scanned by F-Prot (%ERR%) viruses found  %1
  :END
  -

  I think you should be able to modify it so that it calls Sniffer, rather than 
FProt.  %1 is the path to the mail file.  Based upon the error code/return 
code, you could then delete/hold spam detected by Sniffer accordingly. 

  As for SM not having a GUI, it really hasn't been an issue for us...

  -Jay

  -----Original Message-----
  From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Chris Bunting
  Sent: Saturday, March 17, 2007 4:03 PM
  To: Message Sniffer Community
  Subject: [sniffer] Re: Integration with Mailenable - Domain Keys

  The other issue with SmarterMail is it doesn't have any gui.  Which I guess 
isn't a bad thing.  But I sometimes like a gui for certain things.  Also 
Declude seemed very expensive to use with sniffer

  Sent via my BlackBerry
  - Ask me about it!  

  -----Original Message-----
  From: E. H. (Eric) Fletcher [EMAIL PROTECTED]
  Date: Sat, 17 Mar 2007 14:42:43 
  To: Message Sniffer Community sniffer@sortmonster.com
  Subject: [sniffer] Re: Integration with Mailenable - Domain Keys

  Phil / Jay:

  I am also looking at SmarterMail as an addition to or replacement for 
  several IMail servers and looking at calling MessageSniffer from it without 
  Declude because of the Declude bundling of things we don't want or see value 
  in.  While doing a little more reading on the SmarterTools site I saw a link 
  that addresses your discussion on domain keys:

  http://smartermail.exhalus.net/domainkeys/


  Eric

  ----- Original Message -----
  From: Jay Sudowski - Handy Networks LLC [EMAIL PROTECTED]
  To: Message Sniffer Community sniffer@sortmonster.com
  Sent: Saturday, March 17, 2007 1:43 PM
  Subject: [sniffer] Re: Integration with Mailenable


  Hi Phil -

  Good question.  We integrate Sniffer into SmarterMail via Declude.
  However, SmarterMail does have the capability to run a program against a
  message before it is delivered.  We have some customers that use a batch
  file to call f-prot and get virus scanning integrated into their mail
  server on the cheap.  I believe it would likely be possible to make use
  of the same functionality to call Sniffer directly, and thus avoid
  having to purchase Declude.  I have just never had a need to attempt
  this.

  As for domain keys, I don't believe so.  However, you can set up
  SPF for your domains simply by adding the appropriate DNS records to
  said domains' zone files.

  -Jay

  -----Original Message-----
  From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On
  Behalf Of Phillip Cohen
  Sent: Friday, March 16, 2007 12:01 PM
  To: Message Sniffer Community
  Subject: [sniffer] Re: Integration with Mailenable


  Jay,

  Thanks for the heads up on Mailenable. I took a look at SmarterMail
  and it looks pretty good. How does it interface with Message Sniffer
  or does it require an external gateway such as EWall? How has
  support been with it and how have they been as far as updates. Also
  does it have domain keys capability and SPF support for sending
  mail to yahoo.com etc...

  Thanks,

  Phil


  At 07:26 PM 3/15/2007, you wrote:
  Stay Away From MailEnable.
  
  There are so many exploits out there for MailEnable, and there are more
  exploits found monthly, if not weekly.  At one particular interval,
  MailEnable had to re-release the same patch several times in the *same*
  week because it kept on not actually fixing the root

[sniffer] Re: My rulebase download and log upload script

2006-07-10 Thread Bonno Bloksma

Hi John,

> Weekend, what is that?

Those are the days where those pesky users are usually not messing with the 
network so YOU can mess with it. ;-)

Regards,
Bonno Bloksma

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Friday, July 07, 2006 6:24 PM
To: Message Sniffer Community
Subject: [sniffer] My rulebase download and log upload script

The last thing before I leave for the weekend...

[..]

Andrew 8)






#
This message is sent to you because you are subscribed to
 the mailing list sniffer@sortmonster.com.
To unsubscribe, E-mail to: [EMAIL PROTECTED]
To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED]
To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]
Send administrative queries to  [EMAIL PROTECTED]



Re: [sniffer]Spam Storm - It's a big one.

2006-05-26 Thread Bonno Bloksma

Hi Pete,


Watch out for today's spam storm -- it's a lot bigger than we've seen
in a long while. 48 hour image attached.


This has low priority but. I've tried to find a live version of that 
graph you've sent but I cannot find it at 
http://kb.armresearch.com/index.php?title=Message_Sniffer.LiveReports which 
would seem to be the logical place.


Is it nowhere live to be found or am I looking at the wrong place?


Regards,


Bonno Bloksma

---
[E-mail scanned at tio.nl for viruses by Declude Virus]






Re: [sniffer] [Fwd: Diann Helms]

2006-02-15 Thread Bonno Bloksma
Hi Pete,

[]
 If you wish, it is possible to create a local black rule for any
 geocities link. On many ISP systems this would cause false positives,
 but on more private systems it may be a reasonable solution.


I think I could use such a black rule without getting too many FPs, but in
which categories would that rule then go? I score the several Sniffer
results differently in my Declude setup. A hit on just Sniffer 60, 61 or 63
would put it several points below my hold weight. An extra hit would be
needed to get it held.

 If you want such a black rule added to your rulebase please send a
 request off-list to [EMAIL PROTECTED]

As the above information might be of interest to others I'll ask here first.

Regards,

Bonno Bloksma





This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html


Re: Re[2]: [sniffer] auto update tmp files

2005-09-23 Thread Bonno Bloksma

Hi,


I had trouble for a while with the del %1  functionality, but I
had a problem with the script running in the wrong directory. I

[]

Yeah, my script does explicitly enter the sniffer directory, and the
line to delete the file is explicit as well:

Del s:\imail\spool\%1

...but that never worked.  Maybe if I cd into the spool first it might


It would not work because..

I have the %1 parameter in the email sent to me as part of the reporting. 
Using IMail 8.21. Here is what's in the email:

Rulefile OK, updated
C:\IMail\spool\tmp6C40.tmp

As you can see the %1 is a complete path. So just Del %1 should do the 
trick.


Regards,


Bonno Bloksma



[sniffer] auto update tmp files

2005-09-19 Thread Bonno Bloksma



Hi,


Ok, I had auto update pretty much in the air. Seems all I needed was a
program alias that fired the script. ;-)
There's just one thing, I end up with a lot of "tmpID.tmp" files in my spool
directory. Any way of deleting those automagically?

I could simply delete all tmp.tmp files in my midnight run. Would that be a
problem? The only program alias I have is the sniffer update.

With kind regards,
Bonno Bloksma
head of system administration

tio hogeschool toerisme en hospitality
julianalaan 9 / 7553 ab hengelo
t 074 255 06 10 / f 074 255 06 16
[EMAIL PROTECTED] / www.tio.nl


[sniffer] false positives which categories?

2005-08-04 Thread Bonno Bloksma



Hi,

I'd like to make a difference in the ways I score the various sniffer
categories in Declude.
I hold at 20 and have had the several sniffer categories all at 19.
As we are a school for tourism I score sniffer travel lower but I would like
to score some categories higher, at 20.
If we have a false positive it's mostly in the general, exp-abstract, ip-rules
category is my feeling.

Someone must have made a comparison of false positives against sniffer and in
which categories those fp's are mostly. Right?
Which categories have virtually no FPs and which should I keep (well) below my
hold level?
Of course all held mail gets reviewed by me, unless it scores enough other
points to get deleted (at 27 points).

Regards,

Bonno Bloksma


Re: [sniffer] Declude and Sniffer

2005-07-20 Thread Bonno Bloksma
Hi,

 I currently tag subject lines at 10 and delete at 20.  Sniffer results are
 scored at 9.  No two tests currently result in more than 18 and therefore it
 takes three failed tests to delete.

I tag at 12, hold on 20 and delete on 27.
Sniffer is at 19, just 1 under hold.
If anything agrees with sniffer it is held, if several sources agree with
sniffer it is deleted.

We are a prepschool/university and process about 4K to 5K msg a day. I have
one to two false positives in the held mail each year.

With kind regards,

Bonno Bloksma



[sniffer] midnight ftp upload

2005-01-24 Thread Bonno Bloksma



Hi,

When I started using sniffer, April 2004, uploading the log took about 20
seconds. Then on June 19th 2004 it suddenly took over 13 minutes. After that
it has consistently taken around 13 minutes to upload the small logfile. I've
never found a reason, the suggestion over here was it might be because of the
load around midnight Central European time.

About a week ago, Jan 18th, I did some experimenting with the time. At first I
rotated the logs a minute later to get them rotated closer to midnight, the
upload started and finished one minute later. Then a few days later, Jan 21st,
I delayed the ftp upload by 10 minutes to get a better timeslot. To my
surprise it STILL took 13 minutes to upload the small logfile.

Anybody ANY idea where I, or Pete, can start to look for a clue about what is
going on?

Regards,

Bonno Bloksma
Back up my hard drive? How do I put it in reverse?

Log snippets:
2004/04/16 23:59:02 : Running logrotate
2004/04/16 23:59:21 : Ready rotating logs
2004/04/17 23:59:00 : Running logrotate
2004/04/17 23:59:21 : Ready rotating logs
2004/04/18 23:59:00 : Running logrotate
2004/04/18 23:59:23 : Ready rotating logs
2004/04/19 23:59:01 : Running logrotate
2004/04/19 23:59:20 : Ready rotating logs
2004/04/20 23:59:00 : Running logrotate
2004/04/20 23:59:20 : Ready rotating logs
2004/04/21 23:59:01 : Running logrotate
2004/04/21 23:59:20 : Ready rotating logs
[]
2004/06/16 23:59:02 : Running logrotate
2004/06/16 23:59:21 : Ready rotating logs
2004/06/17 23:59:00 : Running logrotate
2004/06/17 23:59:20 : Ready rotating logs
2004/06/18 23:59:01 : Running logrotate
2004/06/19 00:12:27 : Ready rotating logs
2004/06/19 23:59:01 : Running logrotate
2004/06/20 00:12:27 : Ready rotating logs
2004/06/20 23:59:00 : Running logrotate
2004/06/21 00:12:26 : Ready rotating logs
2004/06/21 23:59:01 : Running logrotate
2004/06/22 00:12:26 : Ready rotating logs
2004/06/22 23:59:01 : Running logrotate
2004/06/23 00:12:26 : Ready rotating logs
[]
2004/06/28 23:59:01 : Running logrotate
2004/06/28 23:59:01 : Starting ftp upload
2004/06/29 00:12:27 : Finished ftp upload
2004/06/29 00:12:27 : Ready rotating logs
2004/06/29 23:59:00 : Running logrotate
2004/06/29 23:59:00 : Starting ftp upload
2004/06/30 00:12:26 : Finished ftp upload
2004/06/30 00:12:26 : Ready rotating logs
[.]
2005/01/16 23:59:00 : Running logrotate
2005/01/16 23:59:00 : Starting ftp upload
2005/01/17 00:12:14 : Finished ftp upload
2005/01/17 00:12:14 : Ready rotating logs
2005/01/17 23:59:01 : Running logrotate
2005/01/18 00:00:01 : Starting ftp upload
2005/01/18 00:13:12 : Finished ftp upload
2005/01/18 00:13:12 : Ready rotating logs
2005/01/18 23:59:00 : Running logrotate
2005/01/19 00:00:01 : Starting ftp upload
2005/01/19 00:13:11 : Finished ftp upload
2005/01/19 00:13:11 : Ready rotating logs
2005/01/19 23:59:01 : Running logrotate
2005/01/20 00:00:01 : Starting ftp upload
2005/01/20 00:13:12 : Finished ftp upload
2005/01/20 00:13:12 : Ready rotating logs
2005/01/20 23:59:00 : Running logrotate
2005/01/21 00:00:01 : Renaming logfile
2005/01/21 00:10:04 : Starting ftp upload
2005/01/21 00:23:15 : Finished ftp upload
2005/01/21 00:23:15 : Ready rotating logs
2005/01/21 23:59:03 : Running logrotate
2005/01/22 00:00:04 : Renaming logfile
2005/01/22 00:10:07 : Starting ftp upload
2005/01/22 00:23:18 : Finished ftp upload
2005/01/22 00:23:18 : Ready rotating logs
2005/01/22 23:59:00 : Running logrotate
2005/01/23 00:00:01 : Renaming logfile
2005/01/23 00:10:04 : Starting ftp upload
2005/01/23 00:23:15 : Finished ftp upload
2005/01/23 00:23:15 : Ready rotating logs
2005/01/23 23:59:01 : Running logrotate
2005/01/24 00:00:01 : Renaming logfile
2005/01/24 00:10:05 : Starting ftp upload
2005/01/24 00:23:15 : Finished ftp upload
2005/01/24 00:23:15 : Ready rotating logs


[sniffer] log rotation

2005-01-19 Thread Bonno Bloksma
Hi,

I recently changed a bit in my rotate script in order to rotate it closer to
midnight. I start the script at 23:59 to get the current date in some
variables. As of the 17th I have added a sleep 1m to get the rotation
for the logfile at midnight.

Somehow the sniffer log still covers the same time period, I think. Looking at
the log for the 16th, it starts at 15-jan-2005, 23:00:09 and stops at
16-jan-2006, 22:58:18.
The log for the 18th, it starts at 17-jan-2005, 23:01:56 and stops at
18-jan-2005, 22:57:37. Still an hour short for the day. I'm not running any
persistent instances, we only process about 4K messages a day.

Am I doing something wrong? I want my logfile for a certain day to contain
the log for that day, from midnight till midnight.

My log for the job, renaming the id.log file to snfmmdd.log occurs just
before the ftp upload, which at night from the 17th to the 18th happens
indeed one minute later.
LOGROT.LOG
2005/01/15 23:59:00 : Running logrotate
2005/01/15 23:59:00 : Starting ftp upload
2005/01/16 00:12:11 : Finished ftp upload
2005/01/16 00:12:11 : Ready rotating logs
2005/01/16 23:59:00 : Running logrotate
2005/01/16 23:59:00 : Starting ftp upload
2005/01/17 00:12:14 : Finished ftp upload
2005/01/17 00:12:14 : Ready rotating logs
2005/01/17 23:59:01 : Running logrotate
2005/01/18 00:00:01 : Starting ftp upload
2005/01/18 00:13:12 : Finished ftp upload
2005/01/18 00:13:12 : Ready rotating logs
2005/01/18 23:59:00 : Running logrotate
2005/01/19 00:00:01 : Starting ftp upload
2005/01/19 00:13:11 : Finished ftp upload
2005/01/19 00:13:11 : Ready rotating logs

snf0115.log
idnum 20050114230001 D4ee10334027cb259.SMD 125 16 Match 236533 60 841 880 34
idnum 20050114230001 D4ee10334027cb259.SMD 125 16 Match 271368 61 1508 1526 34
[...]
idnum 20050115225621 D9f8e16bb0206d48a.SMD 125 0 Final 273425 61 0 2441 34
idnum 20050115225659 D61a81450b30.GSC 125 0 Clean 0 0 0 2126 31

snf0116.log
idnum 20050115230009 Da076099d015660ce.SMD 125 0 Clean 0 0 0 3886 38
idnum 20050115230143 Da0d509ac0156d108.SMD 125 16 Match 215399 63 1 54 39
[]
idnum 20050116225610 D3401d7f0c2c.GSC 140 0 Clean 0 0 0 4823 30
idnum 20050116225818 D34211fc0c70.GSC 188 0 Clean 0 0 0 1265 31

snf0117.log
idnum 20050116230728 Df3af11310234769b.SMD 125 47 Match 272652 57 1849 1877 37
idnum 20050116230728 Df3af11310234769b.SMD 125 47 Match 272654 57 2023 2088 37
[]
idnum 20050117225648 D42a90f2801a6f844.SMD 203 0 Clean 0 0 0 2704 38
idnum 20050117225756 D06817510b08.GSC 125 0 Clean 0 0 0 1348 31

snf0118.log
idnum 20050117230156 D43e008580160b509.SMD 250 46 White 73573 0 1 497 41
idnum 20050117230156 D43e008580160b509.SMD 250 46 Final 73573 0 0 12715 41
[...]
idnum 20050118225648 D58d6a4d0a98.GSC 141 0 Clean 0 0 0 2536 34
idnum 20050118225737 D58e27340b80.GSC 218 16 Clean 0 0 0 9468 33



Regards,

Bonno Bloksma
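
Added example, not part of either post: the LOGROT.LOG and snf*.log excerpts in this message and in the "midnight ftp upload" message above can be checked mechanically. It computes each ftp upload's duration and bounds the gap between the rotation script's clock and the Sniffer log stamps, assuming (as the post says) that the rename happens at about the "Starting ftp upload" time; the function names are hypothetical.

```python
from datetime import datetime, timedelta

# Constructed sample: lines copied from the LOGROT.LOG excerpt quoted above.
LOGROT = """\
2005/01/15 23:59:00 : Starting ftp upload
2005/01/16 00:12:11 : Finished ftp upload
2005/01/16 23:59:00 : Starting ftp upload
2005/01/17 00:12:14 : Finished ftp upload
2005/01/18 00:00:01 : Starting ftp upload
2005/01/18 00:13:12 : Finished ftp upload
"""
# Constructed from the snf*.log excerpts: last stamp of one Sniffer log and
# first stamp of the next, one pair per rotation.
SNF_EDGES = [
    ("20050115225659", "20050115230009"),  # end of snf0115 / start of snf0116
    ("20050116225818", "20050116230728"),  # end of snf0116 / start of snf0117
    ("20050117225756", "20050117230156"),  # end of snf0117 / start of snf0118
]

def parse_logrot(text):
    """Return [(start, finish)] for each ftp upload in a LOGROT.LOG excerpt."""
    uploads, start = [], None
    for line in text.splitlines():
        if " : " not in line:
            continue  # skip blank lines and elision markers
        stamp, _, event = line.partition(" : ")
        when = datetime.strptime(stamp.strip(), "%Y/%m/%d %H:%M:%S")
        if event.strip() == "Starting ftp upload":
            start = when
        elif event.strip() == "Finished ftp upload" and start is not None:
            uploads.append((start, when))
            start = None
    return uploads

def upload_durations(text):
    """Duration of every upload, to compare runs started at different times."""
    return [finish - start for start, finish in parse_logrot(text)]

def clock_offset_bounds(text, edges):
    """Bound (rotation script clock - Sniffer log clock).

    Assumption: the rename happens at the 'Starting ftp upload' time. An entry
    written before the rename satisfies last + off <= rename, and one written
    after it satisfies first + off >= rename; intersect over all rotations.
    """
    low, high = timedelta.min, timedelta.max
    for (rename, _), (last, first) in zip(parse_logrot(text), edges):
        last_t = datetime.strptime(last, "%Y%m%d%H%M%S")
        first_t = datetime.strptime(first, "%Y%m%d%H%M%S")
        low = max(low, rename - first_t)
        high = min(high, rename - last_t)
    return low, high

if __name__ == "__main__":
    for duration in upload_durations(LOGROT):
        print("upload took", duration)
    low, high = clock_offset_bounds(LOGROT, SNF_EDGES)
    print("log stamps trail the rotation clock by", low, "to", high)
```

On these samples the uploads take 791 to 794 seconds whatever the start time, and the stamp gap is bracketed between 58m51s and 1h00m42s. That would fit a log clock one hour behind local time, which is an inference from the samples and not something the thread confirms.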



Re: Re[2]: [sniffer] Test ordering/precedence

2004-12-03 Thread Bonno Bloksma
Hi Pete,
The false positive rates for all of these rule groups have fallen
dramatically over the past 8 months and at this point they are all
comparable. Different systems see different rates, but all rates are
low.
Yup, I used to rate the sixties series different in declude but I have 
stopped doing so. Most spam that came through had been tagged by one of 
those sixties sniffer returncodes. Saved myself some work by just scoring 
all sniffer returns with the same high score, it's JUST below my hold 
weight. Any additional points by Declude will trip it into my hold weight.

Regards,
Bonno Bloksma
 Back up my hard drive? How do I put it in reverse?


Re: Re[4]: [sniffer] New Version 2-3.2 has been officially released.

2004-11-24 Thread Bonno Bloksma
Hi,

[]
 I understand. I have no reasonable explanation for your experience.
 There have been no other reported problems and I have been unable to
 recreate your conditions.

 BB I just once more installed the 2.3.2 exe, we'll see what happens. As it is
 BB close to 9 PM over here it should not disrupt any business going on and let
 BB me do some testing.

 Thanks for your efforts.

Well, still no problems so far so I'll write it up to . earth rays,
solar spots, pick whatever you want.
It seems it was a one time thing.

[]
 One change you should make is to adjust your Declude configuration so
 that your message file name is emitted into your message headers. This
 way when a false positive does occur we can match the message up to
 the log entries and identify the rule or rules that fired.

Did that, so for the next time something like this happens.. ;)

With kind regards,

Bonno Bloksma



Re: Re[4]: [sniffer] New Version 2-3.2 has been officially released.

2004-11-24 Thread Bonno Bloksma
Hi,

  Well, still no problems so far so I'll write it up to . earth rays,
  solar spots, pick whatever you want.
  It seems it was a one time thing.

 You must be referring to the RAW law.

RAW? Random Answer Whatchamacallit?

 John Tolmachoff
 Engineer/Consultant/Owner
 eServices For You

With kind regards,

Bonno Bloksma



Re: Re[2]: [sniffer] New Version 2-3.2 has been officially released.

2004-11-23 Thread Bonno Bloksma
Hi,

 BB Just to let you know. We had a problem after updating to 2.3.2 this morning
 BB where suddenly a lot of our internal mail got caught as spam by sniffer. I've
 BB already sent a report to the support address. For whatever reason I could
 BB not send to the false@ address.

 BB All I did was replace the 2.3.1 exe with the 2.3.2 exe (of course with the
 BB correct id name).

 I am unable to duplicate your results.
 I have re-verified my testing.
 I have version 2-3.2 running on our test server without any problems
 and it is capturing 9+ / 10 messages which is typical.

 Please verify that you have the correct executable in place by running
 the program from the command line with no parameters. The correct
 build information is:

 build - v2-3.2 Nov 23 2004 01:21:33

 Then please also verify that you have the correct rulebase in place.

The version is the same as you say. The rulebase was downloaded last night
and later that morning once more but not updated because there were no
changes. I verify every downloaded rulebase. Like I wrote, all I did was
early this morning replace the 2.3.1 exe with the 2.3.2 exe. After that the
problems started. When I replace the 2.3.2 exe with the 2.3.1 exe all
problems disappeared. As I had to attend a seminar this afternoon I did not
have any time for further testing.

I just once more installed the 2.3.2 exe, we'll see what happens. As it is
close to 9 PM over here it should not disrupt any business going on and let
me do some testing.

Did you receive the mail I sent along with the caught e-mail and the
logfiles? Anything that pointed to a special rule? Should I change the
logging when this happens so as to provide more information about what might
be happening?

 Hope this helps,
 _M

We'll see.

Regards,

Bonno Bloksma
 Back up my hard drive? How do I put it in reverse?



Re: [sniffer] Automatic update snafu

2004-08-18 Thread Bonno Bloksma
Hi,

 c:\winnt\wget.exe http://www.sortmonster.net/Sniffer/Updates/mysnfcode.snf
 -N -O mysnfcode.new.gz --header=Accept-Encoding:gzip --http-user=sniffer
 --http-passwd=password -o snfupd.txt

 I'm doing something wrong. Every time the script fires it pulls the file,
 even if it isn't newer. I thought the -N parameter was supposed to limit
 that. What am I missing?

As I don't know anything about the internals of wget only one thing comes to
mind. When you process the mysnfcode.new.gz file does it get deleted? If so,
wget has nothing to compare.

Regards,

Bonno Bloksma



[sniffer] logrotate

2004-04-14 Thread Bonno Bloksma



Hi,

In the default logrotate.cmd script is a move instead of a ren command. Is
there any special reason for that? As Ren is an internal command and move an
external command I would have expected Ren to be used.

p.s. Did my comment about an updated AutoSNF.cmd file make it to you Pete? I
sent it to the list Friday April 9th but it never made it back over here?

Regards,

Bonno Bloksma