[sniffer] Re: What is your oldest production CPU?

2013-12-28 Thread Colbeck, Andrew
A modern Xeon dual core, also within VMware: PROCESSOR_ARCHITECTURE=x86 PROCESSOR_IDENTIFIER=x86 Family 6 Model 37 Stepping 1, GenuineIntel The oldest virtualized CPU is: PROCESSOR_ARCHITECTURE=x86 PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 7, GenuineIntel Both identify as Xeon E5xxx

[sniffer] How fast is *my* MessageSniffer? (was: IP Change on rulebase delivery system)

2013-03-28 Thread Colbeck, Andrew
Answer: pretty darn fast for a system that I think is slow anyway I think my MTA is a busy system, and I know that it's not MessageSniffer that keeps the server busy. A glance with Task Manager or Process Explorer shows very little CPU time is spent by MessageSniffer. I threw some grepping

[sniffer] Creeping higher on those rule numbers

2012-06-21 Thread Colbeck, Andrew
Via the GnuWin32 tools on my Windows server: C:\MessageSniffergrep -P Match\t munged.2012062?.log | cut -f7 | usort | uniq -c | usort -k2 -n -r 2nul | head 2 4991501 8 4991483 8 4991462 8 4991459 8 4991457 8 4991456 8 4991446 6 4991286 3

[sniffer] Ok, I'm the 3rd person to ever report the Bad Matrix error on this mailing list

2012-01-09 Thread Colbeck, Andrew
awards self a blue ribbon for 3rd place From SNFclient.exe.err I saw these errors repeated for every message processed: 20120107155711, arg1=C:\IMail\spool\proc\work\D016759002.smd : Could Not Connect! The srvany.exe was running, but the SNFserver.exe wasn't, or wasn't healthy. Each

[sniffer] Re: Training GBUdb on the client IP for telus.net

2011-10-24 Thread Colbeck, Andrew
/config/no de/gbudb/training/source-header.jsp Andrew. -Original Message- From: Message Sniffer Community [mailto:sniffer@sortmonster.com] On Behalf Of Colbeck, Andrew Sent: Monday, October 24, 2011 11:47 AM To: Message Sniffer Community Subject: [sniffer] Training GBUdb on the client IP

[sniffer] Training GBUdb on the client IP for aol.com

2011-10-24 Thread Colbeck, Andrew
Another test, this time to update the X-AOL-IP: header, which in my last few false-negatives have the standard X-Originating-IP: header ... I don't know if AOL has deprecated the X-AOL-IP: header or whether it is used under different client circumstances. header name='X-Originating-IP:'

[sniffer] Re: Training GBUdb on the client IP for telus.net

2011-10-24 Thread Colbeck, Andrew
: [sniffer] Re: Training GBUdb on the client IP for telus.net On 10/24/2011 3:20 PM, Colbeck, Andrew wrote: header name='X-Telus-Outbound-IP: Hrmm... Do you want the source to be the outbound IP? _M -- Pete McNeil Chief Scientist ARM Research Labs, LLC www.armresearch.com 866-770-1044 x7010

[sniffer] Nice job, sortmonsters!

2011-08-08 Thread Colbeck, Andrew
Time to thwart a spam run from a fresh IP address: less than 18 minutes. The first three emails from: 216.223.207.0/25 were allowed past MessageSniffer but fewer than 18 minutes into the spam run, the content triggers rule group 60, rule id 4224795. (It is coupon spam, but probably fake

[sniffer] Re: Change in default settings

2011-05-09 Thread Colbeck, Andrew
Pete, for sample on-off='on' I wrote myself this note... !-- We can sample during a peek if passthrough = yes -- ... Is it still valid? Your sample and my own configuration have: passthrough=no On the balance of it, I suspect my own note is wrong, so it would be nice if you could verify it

[sniffer] Re: Change in default settings

2011-05-09 Thread Colbeck, Andrew
: Monday, May 09, 2011 3:05 PM To: Message Sniffer Community Subject: [sniffer] Re: Change in default settings On 5/9/2011 4:53 PM, Colbeck, Andrew wrote: Pete, for sample on-off='on' I wrote myself this note... !-- We can sample during a peek if passthrough = yes -- ... Is it still valid

[sniffer] So, another botnet bites the dust.

2011-03-18 Thread Colbeck, Andrew
Pete, now that Microsoft has taken down the Rustock botnet, what's your telemetry say about spam volumes? Any significant change? http://blogs.technet.com/b/microsoft_blog/archive/2011/03/18/taking-down -botnets-microsoft-and-the-rustock-botnet.aspx

[sniffer] Re: Rule Panic on 3364665

2010-08-17 Thread Colbeck, Andrew
I have seen one hit, and it looks like a false positive to me. Sent as a sample to the false@ address. Thanks for the heads-up, Darin. Andrew. From: Message Sniffer Community [mailto:snif...@sortmonster.com] On Behalf Of Darin Cox Sent: Tuesday, August

[sniffer] Re: Volume spike Mon 9AM EST

2010-05-10 Thread Colbeck, Andrew
I'm not seeing any spike in inbound connections or accepted message counts. Actually, it's lower than Friday's volume and about the same as Thursday. Andrew. -Original Message- From: Message Sniffer Community [mailto:snif...@sortmonster.com] On Behalf Of Peer-to-Peer (Support) Sent:

[sniffer] Re: Opening truncate.gbudb.net

2010-05-10 Thread Colbeck, Andrew
I looked at the effectiveness of this test and I like what I'm seeing. The volume isn't high, but it is making a difference in the edge cases that are close to my hold weight. In particular, I'm finding that it is triggering on pump and dump DKIM spam from fresh netblocks that would otherwise

[sniffer] Re: Opening truncate.gbudb.net

2010-05-10 Thread Colbeck, Andrew
0.2, p 0.9 for [205.188.84.131] I'll send the whole header to support@ in case you are interested in this particular IP. Andrew. -Original Message- From: Message Sniffer Community [mailto:snif...@sortmonster.com] On Behalf Of Colbeck, Andrew Sent: Monday, May 10, 2010 9:03 AM

[sniffer] Re: RulePanic on 3059196

2010-04-06 Thread Colbeck, Andrew
For what it is worth, there are zero hits on my two servers for this Rule. I looked back through the last 7 days. Andrew. -Original Message- From: Message Sniffer Community [mailto:snif...@sortmonster.com] On Behalf Of Darin Cox Sent: Tuesday, April 06, 2010 9:48 AM To: Message

[sniffer] Re: Bad rule alert: 2784910

2009-11-26 Thread Colbeck, Andrew
All clear here, Pete. Thanks for both of the notices, Andrew. -Original Message- From: Message Sniffer Community [mailto:snif...@sortmonster.com] On Behalf Of Pete McNeil Sent: Thursday, November 26, 2009 8:45 AM To: Message Sniffer Community Subject: [sniffer] Bad rule alert:

[sniffer] Re: RulePanic on 2654821

2009-09-08 Thread Colbeck, Andrew
The scores over here for the messages that trigger on rule 2654821 today: spam that hit the rule: 4 ... and were porn: 0 ham that was held by my weight system: 5 ham that was allowed by my weight system: 3 subsequent panic log lines: 139 Thanks for the heads up, Darin. I was able to re-queue

[sniffer] Re: SNFMilter released and a few other updates...

2009-07-29 Thread Colbeck, Andrew
Niiice, Pete. Andrew 8) -Original Message- From: Message Sniffer Community [mailto:snif...@sortmonster.com] On Behalf Of Pete McNeil Sent: Wednesday, July 29, 2009 2:51 PM To: Message Sniffer Community Subject: [sniffer] SNFMilter released and a few other updates... Hello

[sniffer] Re: Bad rule: 2524136

2009-06-18 Thread Colbeck, Andrew
Thanks for the heads-up, Pete. For what it's worth, I had a hit on only one message on each of my gateways, from different senders. The Sniffer General result code wasn't weighted high enough on my Declude system to hold either message because they came from senders with clean implementations.

[sniffer] Re: Message Sniffer question

2009-04-30 Thread Colbeck, Andrew
It works for me. Thanks, Pete! I used the documentation here: http://www.armresearch.com/support/articles/software/snfServer/config/au toUpdates.jsp I wanted a simplified system that more closely reflected what the vendor ships, so I've stopped using my home-grown wget based script which was

[sniffer] overriding the GBUdb

2009-04-30 Thread Colbeck, Andrew
I recently used snfclient.exe to whitelist the IP address (actually a whole /24) of a mailing list manager that my users deem to be trustworthy. snfclient.exe -set 64.62.197.53 good - - You might argue the merits of this IP address, but that's not why I'm writing... I deliberately left alone

[sniffer] Re: overriding the GBUdb

2009-04-30 Thread Colbeck, Andrew
. From: Message Sniffer Community [mailto:snif...@sortmonster.com] On Behalf Of Pete McNeil Sent: Thursday, April 30, 2009 1:14 PM To: Message Sniffer Community Subject: [sniffer] Re: overriding the GBUdb Colbeck, Andrew wrote: I recently used snfclient.exe

[sniffer] Re: Problem with Sniffer-Porn rule this morning

2008-07-18 Thread Colbeck, Andrew
I also have hit this. A single hit, also from AOL. Andrew. From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox Sent: Friday, July 18, 2008 6:37 AM To: Message Sniffer Community Subject: [sniffer] Problem with Sniffer-Porn rule

[sniffer] Re: Problem with Sniffer-Porn rule this morning

2008-07-18 Thread Colbeck, Andrew
. From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Friday, July 18, 2008 8:31 AM To: Message Sniffer Community Subject: [sniffer] Re: Problem with Sniffer-Porn rule this morning I also have hit this. A single hit, also from AOL. Andrew

[sniffer] Re: It's official. SNF Version 3.0 is Ready!

2008-06-26 Thread Colbeck, Andrew
Congratulations on shipping, Pete! Andrew 8) p.s. Hey, I love the new mascot. Much cuter than the old SortMonster... -Original Message- From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil Sent: Thursday, June 26, 2008 12:24 PM To: Message Sniffer

[sniffer] Re: Bad rule alert: 1940812

2008-06-17 Thread Colbeck, Andrew
Pete, if we have a significant number of hits, they'll be from all kinds of IP sources. Should we dump the GBUdb? If so, how? The documentation is perfectly clear on how to tweak an IP or dump an IP in the GBUdb, but doesn't mention a wholesale clearing of it. Andrew. -Original

[sniffer] Re: Bad rule alert: 1940812

2008-06-17 Thread Colbeck, Andrew
Thanks, Pete. I had very few actual hits; I have lots of lines that indicate the rule panic in place, but the number of actual hits is quite small. How I found my hits: cd /d C:\MessageSniffer gawk ($6 == \Final\) ($7 == 1940812) *.20080617.log Andrew. -Original Message- From:

[sniffer] Re: Bad rule alert: 1940812

2008-06-17 Thread Colbeck, Andrew
Thanks, Pete. I had four actual false positives on one server, versus 324 unique hits for the bad rule. So yes, I'd say that the autopanic feature worked quite well. Andrew. -Original Message- From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil Sent:

[sniffer] Re: Test

2008-05-26 Thread Colbeck, Andrew
pong ... From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of John T Sent: Monday, May 26, 2008 9:08 AM To: Message Sniffer Community Subject: [sniffer] Test Ping Testing as I have not received any list messages for a while. John T

[sniffer] Re: XYNTService -- Any Problems?

2008-05-09 Thread Colbeck, Andrew
I've never used it, Pete. My first reaction was... don't go to a third party (XYNTService, SrvAny, FireDaemon) just make the executable a full fledged Windows Service. I do realize that you'd be reluctant to do that given the additional complexity of the code, none of which is portable to the

[sniffer] Re: Ideal config for scaleable solution?

2008-02-22 Thread Colbeck, Andrew
Paul, since you're working in a Windows world, check out Alligate from alligate.com as a Windows platform based email gateway. I've put Alligate in front of my Declude setup and it drastically reduced the number of emails I had scan for content and sender in Declude, and gained back a lot of disk

[sniffer] Re: Rule Database copy question

2008-01-16 Thread Colbeck, Andrew
It appears that both the reload and the rotate options in the sniffer executable are still accepted by SNFClient.exe but are deprecated, as neither parameter appears in the help or in the contextual help when SNFClient.exe is run without parameters. Andrew.

[sniffer] Re: Rule Database copy question

2008-01-16 Thread Colbeck, Andrew
Thanks for the response, Pete! I was using both parameters in my scheduled pattern download script, which would tell Sniffer that there was a new pattern, and would rotate the logs before uploading them back to you. With the new (beta) version, both extras have become redundant, so I've

[sniffer] Re: No email updates.

2007-11-21 Thread Colbeck, Andrew
For what it's worth, it is working for my two licences. I received email update notifications at: 90 minutes ago 3 18 minutes ago 4 38 minutes ago 6 hours 13 minutes ago Andrew 8) -Original Message- From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Frederick

[sniffer] Re: Sniffer codes

2007-11-09 Thread Colbeck, Andrew
The Ugly value returned by the beta Message Sniffer you're using with the Good, Bad and Ugly database has a result code of 40, and this code is missing from your list. (The White value overlaps with result code 0, which internally to Message Sniffer will mask any other spam result code on your

[sniffer] Re: Beta

2007-10-17 Thread Colbeck, Andrew
Pete, one of the questions I had right away when I looked at the documentation accompanying the software package was about the communication channel. The documentation clearly pointed out that ports 25 is the default and that 80 is selectable, but didn't go further. I just answered my own

[sniffer] Re: Bad Rule: 1604021

2007-10-16 Thread Colbeck, Andrew
Thanks for reporting this, Pete! My numbers were more extreme than Pi-Web's. That bad rule triggered on 18,023 messages yesterday. Due to the rest of my spam software, two-thirds were either passed (as presumed ham) or deleted (as very spammy). So the one-third that was held, I re-scanned

[sniffer] Spammers turning to PDF attachments?

2007-06-21 Thread Colbeck, Andrew
See this article at the Internet Storm Center: http://isc.sans.org/diary.html?storyid=3012 Pump and dump scams now in PDF Published: 2007-06-20, Last Updated: 2007-06-20 21:33:39 UTC by Maarten Van Horenbeeck (Version: 1) Apparently the groups behind what we know as pump and dump spam have

[sniffer] Re: Downloads are not working....

2007-05-17 Thread Colbeck, Andrew
My last upload averaged a lame 6 KB/s. My last download varied widely in the speed obtained: 0K .. .. .. .. .. 17.85 KB/s 50K .. .. .. .. ..9.58 KB/s 100K .. .. .. ..

[sniffer] Re: Downloads are not working....

2007-05-17 Thread Colbeck, Andrew
Thanks for the update, Pete. Over on the Declude JunkMail support mailing list, it's like déjà vu all over again. Andrew 8) p.s. For the many of us here that don't subscribe to that list... The small number of recently active messages have been re-queued to the list several times.

[sniffer] Re: SPAM Storm?

2007-03-19 Thread Colbeck, Andrew
... Not in my neck of the network. Andrew. -Original Message- From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Computer House Support Sent: Monday, March 19, 2007 3:19 PM To: Message Sniffer Community Subject: [sniffer] Re: SPAM Storm? Is it me, or is

[sniffer] Re: Files in Sniffer Directory

2007-03-08 Thread Colbeck, Andrew
Would it be a good idea in a future version to delete files that are older than a certain date automatically? I disagree. Having MessageSniffer delete the old files would hide the problem. With the messages left behind, you have a valuable symptom that something is wrong with your

[sniffer] Re: Pictures worth a few words...

2007-01-16 Thread Colbeck, Andrew
Postini posts some statistics here, but their conclusions can lag by months: http://www.postini.com/stats/index.php global spam traffic is a big concept... Postini did however process over 650 million messages in the last 24 hours. Andrew. -Original Message- From: Message Sniffer

[sniffer] Re: Sniffer White List

2006-12-12 Thread Colbeck, Andrew
Serge, what return value are you using for this snifferwhitelist? The official and current list of return codes is here: http://kb.armresearch.com/index.php?title=Message_Sniffer.TechnicalDetai ls.ResultCodes If you're using 0, then don't do that, because zero is also used for no result.

[sniffer] Re: Configuring Sniffer in declude....

2006-11-30 Thread Colbeck, Andrew
If you don't mind, does WeightGate add any noticeable CPU cycles to run on top of running Sniffer? Thanks for the aid. On a 100,000 emails per day on a 2.8 GHz Xeon, no, it doesn't. Andrew 8) -Original Message- From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On

[sniffer] Zombie message volume

2006-11-07 Thread Colbeck, Andrew
This diary entry over at the Internet Storm Center points to an increased volume of traffic from probable zombies, and they posit that the increase in this traffic would coincide with the spam increase that people are seeing. http://isc.sans.org/diary.php?storyid=1828 Their graph shows a sharp

[sniffer] Re: Yahoo! Is Retarded

2006-10-26 Thread Colbeck, Andrew
I like your new sig, John. How's this for an addendum? "Experience is that which you acquire, just after you needed it." Andrew 8) From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)Sent: Thursday, October 26, 2006 8:13 AMTo: Message

[sniffer] Re: Increase in spam

2006-10-25 Thread Colbeck, Andrew
For another organization's graph of spam trends as received by them, check out the updated graphs at TQM cubed: http://tqmcube.com/tide.php Their graph shows a sharp uptick at the end of June 2006. Andrew 8) -Original Message- From: Message Sniffer Community [mailto:[EMAIL

[sniffer] Re: Version 2-3.5 Release -- Faster Engine

2006-10-23 Thread Colbeck, Andrew
That's good news, Pete. And with the WeightGate executable and source thrown in at no extra charge! Andrew 8) -Original Message- From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil Sent: Monday, October 23, 2006 9:26 AM To: Message Sniffer

[sniffer] Re: Significant increase in false positives

2006-10-17 Thread Colbeck, Andrew
I'm attaching an old message to this list which may come in handy. It's from my perspective, which is using Declude and IMail, with the spam messages in d:\imail\spool\spam and needing to be moved to d:\imail\spool to be re-scanned. Now that I use a newer version of Declude, my

[sniffer] Re: yahoo mail problems

2006-10-17 Thread Colbeck, Andrew
I had a similar problem with Hotmail once upon a time; the details were different, but the remedy was the same. I run a caching DNS server on my outbound DNS host, so I simply addeda DNS zone forYahoo.com on it, and populated only enough MX record information so that I could reliably get

[sniffer] Re: Paypal failing SNIFFER-GENERAL

2006-08-23 Thread Colbeck, Andrew
Column 7 is the one that contains the rule that was hit. In this case, it was 1100444. Column 8 is the one that contains the group. In this case, it was 60 Ungrouped Black Rules (Sniffer General). Andrew 8) -Original Message- From: Message Sniffer Community [mailto:[EMAIL

[sniffer] Re: Lots of drug spam getting through

2006-08-21 Thread Colbeck, Andrew
Would that be the Laugh in the subject line pharmaceutical spam campaign? That was mentioned by Dave Doherty on the Declude.JunkMail mailing list, and when I checked my logs I found many hundreds with clear variations on the keywords in the text, e.g. there is a joke about lawyers and they are

[sniffer] Re: AW: [sniffer] Re: Update pacing...

2006-06-22 Thread Colbeck, Andrew
FWIW I take the belt and suspenders approach. The rulebase notification by email does trigger a Message Sniffer update script on my system, but I don't rely on it solely. In addition, I also use an "at" schedule every four hours. As in Markus' (and Bill's) sample, I use the -N parameter

[sniffer] Re: Weight Gate Success? Failure?

2006-06-13 Thread Colbeck, Andrew
Pete, I plan to use it or something similar in non-production once I set up a new test system. A quick test with a batch file worked fine. Although I'm no programmer, I have reviewed the source and saw no obvious logical problems or coding flaws. Rigorous testing on the command line showed that

[sniffer] Numeric spam source has been revealed

2006-06-09 Thread Colbeck, Andrew
It was broken code in the latest Bagel/Beagle: http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.fc.ht ml Andrew 8) # This message is sent to you because you are subscribed to the mailing list

Re: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]FP suggestions

2006-06-07 Thread Colbeck, Andrew
(sniff) Aw, cut it out, Matt. You're making me all weepy. p.s. Pete, that's pretty darned amazing! From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of MattSent: Wednesday, June 07, 2006 3:58 PMTo: Message Sniffer CommunitySubject: Re: [sniffer]Re[2]:

Re: [sniffer]AW: [sniffer]AW: [sniffer]Concerned about amount of spam going through

2006-06-06 Thread Colbeck, Andrew
David, Are you using the free version of sniffer? Or did you deliberately change your .exe name in your posting to sniffer.exe to hide your licence number? I certainly expect that the rulebase lag with the free version will result in lower Message Sniffer hit rates. I've seen the free version

Re: [sniffer]A design question - how many DNS based tests?

2006-06-06 Thread Colbeck, Andrew
I use just shy of 60 DNS based tests against the sender, both IP4R and RHSBL. Perhaps 10-12 matter. Due to false positives, I rate most of them relatively low and have built up their weights as a balancing act. That act is greatly assisted by using a weighting system and not reject on first

Re: [sniffer]Numeric spam

2006-06-06 Thread Colbeck, Andrew
So no one has any idea what the purpose of these emails are? The bad guys aren't telling. The good guys have lots of theories, such as: http://isc.sans.org/diary.php?storyid=1384 and also: http://www.f-secure.com/weblog/archives/archive-062006.html#0894 which in turn points to

Re: [sniffer]Possible Paypal Phishing

2006-05-24 Thread Colbeck, Andrew
? John T eServices For You Seek, and ye shall find! -Original Message- From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Wednesday, May 24, 2006 9:38 AM To: Message Sniffer Community Subject: Re: [sniffer]Possible Paypal

Re: [sniffer]Ebay Phishing Emails getting through

2006-05-17 Thread Colbeck, Andrew
Certainly, submitting samples to spam@ (or preferably your local spam submission point polled by our bots) will put these messages in front of us if we have not already created rules for them. I've just manually submitted the ~35 messages that my filters triggered on for phishing that

RE: Re[2]: [sniffer] New Rulebot F001

2006-03-06 Thread Colbeck, Andrew
Pete, One of these was EarthLink [207.217.120.227], and one of these was Google Mail [64.233.166.182]. SpamBag lists the EarthLink address as a source of bogus bounces, and I posit that this would be the source of the mail to the spamtraps that would trigger the F001 bot. I would like to state

RE: [sniffer] Sniffer, MDLP, and invURIBL?

2006-02-25 Thread Colbeck, Andrew
Joe, Are you using MDLP to autotune your weights in Declude? If so, you can exclude invURIBL and other tests which you don't want to change, whether because you think the weight is perfect, or because their randomness doesn't fit MDLP's idea of a weighting system. Check out this snippet

RE: Re[4]: [sniffer] When to go persistent

2006-02-24 Thread Colbeck, Andrew
Goran, When you issue a reload you can tell that the new rulebase is being used because the *.svr file's date and time will change to the current time. Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic Sent: Friday,

RE: [sniffer] When to go persistent

2006-02-23 Thread Colbeck, Andrew
Goran, I'd be interested in Pete's technical answer, too. The practical answer is that you should always go with the persistent instance of Message Sniffer. From reading Pete's previous screeds and monitoring the list here in the last year and from having my own troubles, it's pretty clear to me

RE: [sniffer] Bad Rule - 828931

2006-02-07 Thread Colbeck, Andrew
Thanks for the update, Pete. I also appreciate that you expanded on how that rule went wild. I can see that the intent was good but the unintended consequences were not so good. Here's how it played out on my server: How many messages hit the FP rules: 2,042 How many messages Declude decided

RE: [sniffer] Bad Rule - 828931

2006-02-07 Thread Colbeck, Andrew
Thanks for the update, Pete.I also appreciate that you expanded on how that rule went wild. I can see that the intent was good but the unintended consequences were not so good.Here's how it played out on my server:How many messages hit the FP rules: 2,042How many messages Declude decided

[sniffer] Rulebots gone wild

2006-01-19 Thread Colbeck, Andrew
By the way, Pete, thank you very much for publicly posting the URL where we could download FPSigIDs.csv so that we could work on recovering our own false positives. I was able to use this information to selectively re-test all of the messages detected by those rules. That was 2,449 messages.

RE: [sniffer] Rollback of bot rules..

2006-01-17 Thread Colbeck, Andrew
Thank you, Pete. In my spelunking, I've found too many rules to put in as panic entries my .cfg file, and this morning I dropped the weight for my experimental class tests to low values, and heavily edited my combo tests that build on Sniffer hits. I'm attaching a report showing the number of

RE: [sniffer] POP3 Account Question

2005-12-05 Thread Colbeck, Andrew
(nuts, to fast on the "Send" button). ... plus, future hits on spam that is already detected can accumulate hits on, say, SNIFFEREXPIP that weren't already hitting. Therefore, trying to save bandwidth and processing power over at sortmonster.com by submitting less spam is not helpful.

RE: [sniffer] OT: MDaemon HELO greeting

2005-10-28 Thread Colbeck, Andrew
Thanks, Dave! From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave KoontzSent: Thursday, October 27, 2005 8:39 AMTo: sniffer@SortMonster.comSubject: RE: [sniffer] OT: MDaemon HELO greeting Find or add the following Section to your MDaemon.ini file,

[sniffer] OT: MDaemon HELO greeting

2005-10-26 Thread Colbeck, Andrew
Can anybody give me the short and sweet "how-to" change the HELO in MDaemon withoutchanging the hostname of the mail server? I don't use MDaemon, I'm trying to help someone else. Thanks, Andrew 8)

RE: [sniffer] New virus...

2005-10-06 Thread Colbeck, Andrew
I suppose it depends on just deep the sniffer signature goes... Previous viruses including Sober.* have come in waves, with variants that skirt all but the most intrusive antivirus blocking schemes. I submitted a sample to the Norman Sandbox, which turned up different information than the

RE: [sniffer] YAhoo mails failing sniffer?

2005-09-22 Thread Colbeck, Andrew
Inversely, I just had a 419 scam come from a legitimate hotmail account, with a Yahoo! Email address as payload, and for the record, that email address (nor anything else) trigger a Sniffer detection. I've just submitted it to the spam@ address. Andrew 8) -Original Message- From:

RE: [sniffer] Integration with today's new ORF version:

2005-09-15 Thread Colbeck, Andrew
I just thought I'd revive this thread and say that on a tiny organization for whom I also administer the mail, this was welcome news. They have ORF plus Exchange 2000. I added the free eval version of sniffer to their mix with the new ORF External Agent feature. Despite the delay in patterns,

RE: [sniffer] Sniffer Resources

2005-09-06 Thread Colbeck, Andrew
Richard, are you rotating your sniffer logs daily? I had the same experience a very log time ago, and found that without rotating the logs, appending to a monster text file was soaking up a lot of cpu and disk on my server. Bill Landry worked with a lot of people here to make his download script

RE: [sniffer] Test

2005-08-04 Thread Colbeck, Andrew
Ping? Pong. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert MathiasSent: Thursday, August 04, 2005 3:59 PMTo: sniffer@SortMonster.comSubject: [sniffer] Test Apologies, but need to test. Robert

RE: Re[2]: [sniffer] Sniffer taking a long time?

2005-08-03 Thread Colbeck, Andrew
So basically, what you are saying is that my volume is really too low to take advantage of the persistent sniffer (and such may actually decrease my performance), and I should stick with the non-service version. Is that right? That is about what I thought (without the details of how

RE: [sniffer] FireDaemon

2005-07-31 Thread Colbeck, Andrew
FireDaemon is dirt cheap. Yes, you can have one service for free if you find an older version. If you want free and will settle forno interface, then check out the free SrvAny.exe that is downloadable from Microsoft as part of their Windows Server Resource Kit. Andrew 8) From:

[sniffer] New, but broken worm?

2005-07-22 Thread Colbeck, Andrew
My email server has received about 200 of a certain message since 8:30 AM PDT. The Subject line is merely 1, the forged mailfrom is approximately the first 8 characters of the target address plus a forged domain. There is an attachment called 1.txt and a message text body that begins on a new

RE: [sniffer] New, but broken worm?

2005-07-22 Thread Colbeck, Andrew
I'm on updates this evening. I'll watch for this. It sounds like something that requires an abstract rule --- probably not enough content for the other coders to try it safely... I am surprized I didn't hear about it though... Please send me another note with a few of these as

[sniffer] Phishers Jump On MasterCard Breach

2005-06-21 Thread Colbeck, Andrew
FYI http://www.securitypipeline.com/news/164901324 This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html

RE: [sniffer] Spam blocks loading me up with spam

2005-06-17 Thread Colbeck, Andrew
Title: Message Gotta catch 'em all (not Pokemon, spam)... Sniffer caught all of them today: gawk "$0 ~ /.+From: .+To: .+IP: 200\.49\.[3|4|5]/ {print $3}" dec0617.log temp.txt fgrep -ftemp.txt dec0617.log | fgrep "Total weight" If your volume is quite high, that second line, instead of

RE: [sniffer] Spam blocks loading me up with spam

2005-06-16 Thread Colbeck, Andrew
Title: Message I haven't noticed this spam leaking through, but at your prompting I did a: egrep ".+From: .+To: .+IP: 200\.49\." dec0616.log and saw about 46. A glance through these to:from:ip: lines definitely shows messages that fit your description, along with messages that don't (I'm

RE: [sniffer] Spam blocks loading me up with spam

2005-06-16 Thread Colbeck, Andrew
Title: Message Also, thedomains in the body textare not hitting on SURBL tests. Andrew 8) -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, AndrewSent: Thursday, June 16, 2005 3:34 PMTo: sniffer@SortMonster.comSubject: RE:

RE: Re[2]: [sniffer] Spam blocks loading me up with spam

2005-06-16 Thread Colbeck, Andrew
Today I saw hits from this campaign on another IP block as well, and plugging that into SenderBase.org gives me: http://www.senderbase.org/search?searchString=200.49.37.130 Note in the top right that they list: 200.49.36.0/22 belonging to Network Access Point S.R.L., and following that link

RE: [sniffer] New Spam/Virus?

2005-06-06 Thread Colbeck, Andrew
Title: Message I'm seeing what Scott sees, but the payload is an encrypted zip. VirusTotal.com says: This is a report processed by VirusTotal on 06/06/2005 at 23:40:17 (CET) after scanning the file "DBB05F6330082B871.SMD" file. Antivirus Version Update Result

RE: [sniffer] New Spam/Virus?

2005-06-06 Thread Colbeck, Andrew
Title: Message http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FMYTOB%2EDV http://securityresponse.symantec.com/avcenter/venc/data/[EMAIL PROTECTED] This is the virus that I was seeing. The one that Jim and others are seeing may be this MyTob, whose description was

RE: [sniffer] Declude Question

2005-05-26 Thread Colbeck, Andrew
PM Spam volumes in general are up quite a bit since the german sober PM incident. In the past few days there have been a few new campaigns PM that have had a very aggressive delivery schedule For what it's worth, I'm seeing this more today, and in particular, from a wide number of IPs, instead of

RE: [sniffer] Rule 353039 - .comcast.net

2005-05-10 Thread Colbeck, Andrew
Thanks for the quick work, Pete. I put in the Rule-panic entry as soon as you sent the email to this list. For what it's worth, I just finished with all my held mail for the last two days, and I had no false positives from messages with a mailfrom that included c o m c a s t. Lots of mail that

RE: [sniffer] Latest medication campaign

2005-04-13 Thread Colbeck, Andrew
On the weekend and since, I saw a lot of them get through but Sniffer was dutifully catching them, unfortunately, they also served to highlight Sniffer hyperaccuracy because those messages just weren't reaching my HOLD weight. Check out the Message Sniffer change rates for the last few days:

RE: [sniffer] MDLP Tests

2005-04-02 Thread Colbeck, Andrew
Jay, here's more web information on the mxrate tests: http://www.mxrate.com/lookup/dns.htm Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil Sent: Saturday, April 02, 2005 1:43 PM To: Jay Sudowski - Handy Networks LLC Subject: Re:

[sniffer] Money, drugs, and sex

2005-03-22 Thread Colbeck, Andrew
http://www.sophos.com/spaminfo/articles/spamwords.html Interesting, but a pity they didn't publish a list of, say, their 1,000 most popular obfuscations. Andrew 8) This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to

[sniffer] mini-obfuscation

2005-03-22 Thread Colbeck, Andrew
time for my cat since I implemented Sniffer. Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil Sent: Tuesday, March 22, 2005 4:37 PM To: Colbeck, Andrew Subject: Re: [sniffer] Money, drugs, and sex On Tuesday, March 22, 2005, 4:47:30

RE: [sniffer] New change rates analysis

2005-02-20 Thread Colbeck, Andrew
http://www.sortmonster.com/MessageSniffer/Performance/ChangeRates.jsp Oooh, pretty! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil Sent: Sunday, February 20, 2005 3:52 PM To: sniffer@sortmonster.com Subject: [sniffer] New change rates

RE: [sniffer] Determine Version

2005-02-19 Thread Colbeck, Andrew
Title: Message Yup, just type the executable's filename in a command window, and the version information is on the last couple of lines in the resulting help. Andrew 8) p.s. My version says build - v2-3.2 Nov 23 2004 01:21:33 -Original Message-From: Keith Johnson

RE: [sniffer] Lists Ping?

2005-02-10 Thread Colbeck, Andrew
Hey, John. Who are you talking to? Gee the lists are quiet. Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists) Sent: Thursday, February 10, 2005 9:46 AM To: sniffer@SortMonster.com Subject: RE: [sniffer] Lists Ping?

[sniffer] OT - Microsoft Patch Day - Exchange and SMTP updates

2005-02-10 Thread Colbeck, Andrew
Hello, all. Aside from the usual Internet Explorer and Office patches, this patch cycle also includes an update to the October update MS04-035 which affects a DNS query vulnerability in the SMTP handling in Windows 2000/2003 as well as Exchange 2003.

  1   2   >