[sniffer] Re: What is your oldest production CPU?

2013-12-28 Thread Colbeck, Andrew
A modern Xeon dual core, also within VMware:

PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 37 Stepping 1, GenuineIntel

The oldest virtualized CPU is:

PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 7, GenuineIntel

Both identify as Xeon E5xxx models which are about two years old.

Despite the long service of the name Xeon these are modern Core2 based CPUs.

I don't have any servers or lab machines that are so old they'd need a Pentium 
Pro era compatible i686 build. Thanks for asking!


Andrew.



-Original Message-
From: Message Sniffer Community [mailto:sniffer@sortmonster.com] On Behalf Of 
Pete McNeil
Sent: Friday, December 27, 2013 6:44 AM
To: Message Sniffer Community
Subject: [sniffer] What is your oldest production CPU?

Hello Sniffer Folks,

We would like to know what your oldest production CPU is.

When building new binaries of SNF or it's utilities we would like to
select the newest CPU we can without leaving anybody behind.

We're also evaluating whether we should split binaries into a
compatible version base on Intel i686 (or equivalent AMD), and a
current version based on Intel Core2 (or equivalent AMD).

Please respond here.

Thanks for your time!!

_M

--
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010
twitter/codedweller


#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
This list is for discussing Message Sniffer,
Anti-spam, Anti-Malware, and related email topics.
For More information see http://www.armresearch.com
To unsubscribe, E-mail to: sniffer-...@sortmonster.com
To switch to the DIGEST mode, E-mail to sniffer-dig...@sortmonster.com
To switch to the INDEX mode, E-mail to sniffer-in...@sortmonster.com
Send administrative queries to  sniffer-requ...@sortmonster.com


This message (and any associated files) may contain confidential, proprietary 
and/or privileged material and access to these materials by anyone other than 
the intended recipient is unauthorized. Unauthorized recipients are required to 
maintain confidentiality. Any review, retransmission, dissemination or other 
use of these materials by persons or entities other than the intended recipient 
is prohibited and may be unlawful. If you have received this message in error, 
please notify us immediately and destroy the original.

Ce message et tout document qui y est éventuellement joint peuvent contenir de 
l’information confidentielle ou exclusive. L’accès à cette information par 
quiconque autre que le destinataire désigné en est donc interdit. Les personnes 
ou les entités non autorisées doivent respecter la confidentialité de cette 
information. La lecture, la retransmission, la communication ou toute autre 
utilisation de cette information par une personne ou une entité non autorisée 
est strictement interdite. Si vous avez reçu ce message par erreur, veuillez 
nous en aviser immédiatement et le détruire.

#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
This list is for discussing Message Sniffer,
Anti-spam, Anti-Malware, and related email topics.
For More information see http://www.armresearch.com
To unsubscribe, E-mail to: sniffer-...@sortmonster.com
To switch to the DIGEST mode, E-mail to sniffer-dig...@sortmonster.com
To switch to the INDEX mode, E-mail to sniffer-in...@sortmonster.com
Send administrative queries to  sniffer-requ...@sortmonster.com



[sniffer] How fast is *my* MessageSniffer? (was: IP Change on rulebase delivery system)

2013-03-28 Thread Colbeck, Andrew
Answer: pretty darn fast for a system that I think is slow anyway

 

I think my MTA is a busy system, and I know that it's not MessageSniffer
that keeps the server busy. A glance with Task Manager or Process
Explorer shows very little CPU time is spent by MessageSniffer.

 

I threw some grepping etc and then Excel at the xml file for one average
business day and came up with...

 

 

 

25% of messages are scanned within 100ms

 

50% of messages are scanned within 140ms

 

99% of messages are scanned within 330ms

 

 

I also looked at the setup time. I'll spare you the graph; my results
are:

 

80% of messages are loaded so quickly that the time is recorded as zero
ms

 

85% of messages are loaded in 15ms or fewer

 

95% of messages are loaded in 30ms or fewer

 

99% of messages are loaded 125ms or fewer

 

Actually, everything above 98% of my volume takes longer to load but for
ridiculously smaller volume of messages. A spot check shows that those
are indeed rodents messages of unusual size.

 

Thanks for the nudge, Pete. I knew MessageSniffer was fast, I just
hadn't bothered to quantify it before.

 

 

Andrew.

 

 

-Original Message-
From: Message Sniffer Community [mailto:sniffer@sortmonster.com] On
Behalf Of Pete McNeil
Sent: Wednesday, March 27, 2013 2:43 PM
To: Message Sniffer Community
Subject: [sniffer] Re: IP Change on rulebase delivery system

 

On 2013-03-27 17:16, Richard Stupek wrote:

 The spikes aren't as prolonged at the present.

 

Interesting. A short spike like that might be expected if the message
was longer than usual, but on average SNF should be very light-weight.

 

One thing you can check is the performance data in your logs. That will
show how much time in cpu milleseconds it is taking for each scan and
how long the scans are in bytes. This might shed some light.

 

http://www.armresearch.com/support/articles/software/snfServer/logFiles/
activityLogs.jsp
http://www.armresearch.com/support/articles/software/snfServer/logFiles
/activityLogs.jsp 

 

Look for something like p s='10' t='8' l='3294' d='84'/ in each scan.

 

From the documentation:

 

 sp//s - Scan Performance Monitoring (performance='yes') p:s = 

 Setup time in milliseconds p:t = Scan time in milliseconds p:l = Scan 

 length in bytes p:d = Scan depth (peak evaluator count)

 

 

Best,

 

_M

 

 

--

Pete McNeil

Chief Scientist

ARM Research Labs, LLC

www.armresearch.com http://www.armresearch.com 

866-770-1044 x7010

twitter/codedweller

 

 

#

This message is sent to you because you are subscribed to

  the mailing list sniffer@sortmonster.com
mailto:sniffer@sortmonster.com .

This list is for discussing Message Sniffer,

Anti-spam, Anti-Malware, and related email topics.

For More information see http://www.armresearch.com
http://www.armresearch.com 

To unsubscribe, E-mail to: sniffer-...@sortmonster.com
mailto:sniffer-...@sortmonster.com 

To switch to the DIGEST mode, E-mail to sniffer-dig...@sortmonster.com
mailto:sniffer-dig...@sortmonster.com 

To switch to the INDEX mode, E-mail to sniffer-in...@sortmonster.com
mailto:sniffer-in...@sortmonster.com 

Send administrative queries to  sniffer-requ...@sortmonster.com
mailto:sniffer-requ...@sortmonster.com 

 

image001.png

[sniffer] Creeping higher on those rule numbers

2012-06-21 Thread Colbeck, Andrew
Via the GnuWin32 tools on my Windows server:

C:\MessageSniffergrep -P Match\t munged.2012062?.log | cut -f7 |
usort | uniq -c | usort -k2 -n -r 2nul | head
  2 4991501
  8 4991483
  8 4991462
  8 4991459
  8 4991457
  8 4991456
  8 4991446
  6 4991286
  3 4991284
 11 4991231

From the top down, this is the top ten highest rule numbers (column 2)
that I've seen today and yesterday, and their volume (column 1).

So, the highest rule number I've seen in the last two days is 4,991,501
and I've seen it twice.

That was the list of rules I've seen. Here's the list of rules that were
matched as the winning rule for the message scanned:


C:\MessageSniffergrep -P Final\t munged.2012062?.log | cut -f7 |
usort | uniq -c | usort -k2 -n -r 2nul | head
  2 4991501
  8 4991446
  6 4991286
  3 4991284
  3 4991231
  6 4991221
  1 4991178
  1 4991130
  1 4991120
  5 4991105


(Oh, and I replaced my License ID with the text munged before I pasted
the command line into this email.)
 

Andrew 8)






#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
This list is for discussing Message Sniffer,
Anti-spam, Anti-Malware, and related email topics.
For More information see http://www.armresearch.com
To unsubscribe, E-mail to: sniffer-...@sortmonster.com
To switch to the DIGEST mode, E-mail to sniffer-dig...@sortmonster.com
To switch to the INDEX mode, E-mail to sniffer-in...@sortmonster.com
Send administrative queries to  sniffer-requ...@sortmonster.com



[sniffer] Ok, I'm the 3rd person to ever report the Bad Matrix error on this mailing list

2012-01-09 Thread Colbeck, Andrew
awards self a blue ribbon for 3rd place
 
From SNFclient.exe.err I saw these errors repeated for every message
processed:
 
20120107155711, arg1=C:\IMail\spool\proc\work\D016759002.smd : Could Not
Connect!

The srvany.exe was running, but the SNFserver.exe wasn't, or wasn't
healthy. Each SNFclient.exe had to read the .gbx file itself and process
mail (I think) as they could not connect to the local server.
 
There was no logging to the licence.date.log file. There was no update
to the .gbx file, because SNFserver.exe does this work, and either
wasn't running or wasn't listening on port 9001/TCP.
 
Stopping the MessageSniffer Windows service, making sure that srvany.exe
and SNFserver.exe weren't running and deleting the .state file then
restarting the service: same result.
 
Stopping the MessageSniffer Windows service, making sure that srvany.exe
and SNFserver.exe weren't running  and deleting the .state file then
starting manually with: SNFServer.exe C:\MessageSniffer\snf_engine.xml
resulted in the error message:
 
SNF Server Version 3.0 Build: Jun 26 2008 13:25:19
SNFMulti Engine Version 3.0 Build: Jun 26 2008 13:25:06
Launching with C:\MessageSniffer\snf_engine.xml
Unhandled Exception: _snf_LoadNewRulebase() TokenMatrix::BadMatrix
Thrown!
 
at this point I didn't even look at the rulebase size or date, I made
sure SNFserver.exe wasn't running, then ran my old UpdateSniffer.cmd
script, which still worked. I started the Windows service, and sniffing
was back to normal.
 
The lesson here for me is to put the update script back into service,
but to only try downloading if the rulebase is old enough to be
suspicious.
 
If there's here for the SortMonsters, it's to make sure that a bad
matrix error doesn't interfere with downloading a fresh rulebase so
that SNFserver.exe can get itself out of that jam.
 
 
Andrew from Vancouver
 
 
 
 
 
 
 


[sniffer] Re: Training GBUdb on the client IP for telus.net

2011-10-24 Thread Colbeck, Andrew
(Whups, I forgot the other important bit) Replying to my own email,
here's the snf_engine.xml snippet

header name='X-Telus-Outbound-IP:' received='.telus.net [' ordinal='0'
/

Which is in the GBUDB/Training/Source section as per:

http://www.armresearch.com/support/articles/software/snfServer/config/no
de/gbudb/training/source-header.jsp


Andrew.



-Original Message-
From: Message Sniffer Community [mailto:sniffer@sortmonster.com] On
Behalf Of Colbeck, Andrew
Sent: Monday, October 24, 2011 11:47 AM
To: Message Sniffer Community
Subject: [sniffer] Training GBUdb on the client IP for telus.net

Given the attached header text, would this snippet in snf_engine.xml
help me to train GBUdb on the email clients' IP address from this
specific ISP?

I tested by querying:

SNFClient.exe -test 216.218.29.230

And then re-testing the spam, and then querying GBUdb again. The second
test showed that good count had moved from zero to one and the whole
email email scan status was clean. That tells me the test is good, but
I'm not sure it's right.

Thanks,


Andrew.







#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
This list is for discussing Message Sniffer,
Anti-spam, Anti-Malware, and related email topics.
For More information see http://www.armresearch.com
To unsubscribe, E-mail to: sniffer-...@sortmonster.com
To switch to the DIGEST mode, E-mail to sniffer-dig...@sortmonster.com
To switch to the INDEX mode, E-mail to sniffer-in...@sortmonster.com
Send administrative queries to  sniffer-requ...@sortmonster.com



[sniffer] Training GBUdb on the client IP for aol.com

2011-10-24 Thread Colbeck, Andrew

Another test, this time to update the X-AOL-IP: header, which in my last
few false-negatives have the standard X-Originating-IP: header ... I
don't know if AOL has deprecated the X-AOL-IP: header or whether it is
used under different client circumstances.

header name='X-Originating-IP:' received='.aol.com [' ordinal='0' /


Thanks,


Andrew.






Received: from ims-d13.mx.aol.com [205.188.249.150]
by mail.bentallkennedy.com (Alligate(TM) SMTP Gateway v3.11.1.27)
with ESMPT id 
b2422ac5b51ee835.91caf27363339...@mail.bentallkennedy.com
for mun...@bentall.com; Mon, 24 Oct 2011 07:57:29 -0700
Received: from oms-ma01.r1000.mx.aol.com (oms-ma01.r1000.mx.aol.com 
[64.12.140.129])
by ims-d13.mx.aol.com (8.14.1/8.14.1) with ESMTP id p9OEsXBo016219;
Mon, 24 Oct 2011 10:54:37 -0400
Received: from mtaomg-da05.r1000.mx.aol.com (mtaomg-da05.r1000.mx.aol.com 
[172.29.51.141])
by oms-ma01.r1000.mx.aol.com (AOL Outbound OMS Interface) with ESMTP id 
737A43883;
Mon, 24 Oct 2011 10:54:37 -0400 (EDT)
Received: from core-dnc002b.r1000.mail.aol.com (core-dnc002.r1000.mail.aol.com 
[172.29.176.5])
by mtaomg-da05.r1000.mx.aol.com (OMAG/Core Interface) with ESMTP id 
E6EA2E9B;
Mon, 24 Oct 2011 10:54:36 -0400 (EDT)
To: g...@lawkessler.com, ga...@coastalnet.com, gaum...@uniserve.com,
gayanboral...@yahoo.com, gaye@usbank.com, mun...@bentall.com,
gcr...@jfbb.com, gcr...@macquarie.com, geanne_blaz...@hodgsonruss.com
Content-Transfer-Encoding: quoted-printable
Subject: 
X-MB-Message-Source: WebUI
X-MB-Message-Type: User
MIME-Version: 1.0
From: ghang...@aol.com
Content-Type: text/plain; charset=us-ascii; format=flowed
X-Mailer: AOL Webmail 34290-PHONE
Received: from 92.231.217.255 by webmail-d011.sysops.aol.com (205.188.180.146) 
with HTTP (WebMailUI); Mon, 24 Oct 2011 10:54:36 -0400
Message-Id: 8ce6073fbc96840-1fb8-40...@webmail-d011.sysops.aol.com
X-Originating-IP: [92.231.217.255]
Date: Mon, 24 Oct 2011 10:54:36 -0400 (EDT)
x-aol-global-disposition: S
X-SPAM-FLAG:YES
X-AOL-SCOLL-SCORE: 0:2:173591936:93952408  
X-AOL-SCOLL-URL_COUNT: 0  
X-AOL-REROUTE: YES 
x-aol-sid: 3039ac1d338d4ea57c2c1502
Return-Path: ghang...@aol.com

#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
This list is for discussing Message Sniffer,
Anti-spam, Anti-Malware, and related email topics.
For More information see http://www.armresearch.com
To unsubscribe, E-mail to: sniffer-...@sortmonster.com
To switch to the DIGEST mode, E-mail to sniffer-dig...@sortmonster.com
To switch to the INDEX mode, E-mail to sniffer-in...@sortmonster.com
Send administrative queries to  sniffer-requ...@sortmonster.com



[sniffer] Re: Training GBUdb on the client IP for telus.net

2011-10-24 Thread Colbeck, Andrew
That's a very interesting question, Pete. Are you saying that the
source section is used to override the normal hop 0 / ordinal 0 IP
address? If so, I didn't realize it, I thought this was an an additional
IP address for GBU to examine.

I think the answer is yes, I don't want to inspect the ISP's outbound
gateway, and I do want to inspect the client IP that originated the
email.


Andrew.


-Original Message-
From: Message Sniffer Community [mailto:sniffer@sortmonster.com] On
Behalf Of Pete McNeil
Sent: Monday, October 24, 2011 12:28 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Training GBUdb on the client IP for telus.net


On 10/24/2011 3:20 PM, Colbeck, Andrew wrote:
 header name='X-Telus-Outbound-IP:

Hrmm... Do you want the source to be the outbound IP?

_M

-- 
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044
x7010


#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
This list is for discussing Message Sniffer,
Anti-spam, Anti-Malware, and related email topics.
For More information see http://www.armresearch.com
To unsubscribe, E-mail to: sniffer-...@sortmonster.com
To switch to the DIGEST mode, E-mail to sniffer-dig...@sortmonster.com
To switch to the INDEX mode, E-mail to sniffer-in...@sortmonster.com
Send administrative queries to  sniffer-requ...@sortmonster.com


#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
This list is for discussing Message Sniffer,
Anti-spam, Anti-Malware, and related email topics.
For More information see http://www.armresearch.com
To unsubscribe, E-mail to: sniffer-...@sortmonster.com
To switch to the DIGEST mode, E-mail to sniffer-dig...@sortmonster.com
To switch to the INDEX mode, E-mail to sniffer-in...@sortmonster.com
Send administrative queries to  sniffer-requ...@sortmonster.com



[sniffer] Nice job, sortmonsters!

2011-08-08 Thread Colbeck, Andrew
Time to thwart a spam run from a fresh IP address: less than 18 minutes.

The first three emails from: 216.223.207.0/25 were allowed past
MessageSniffer but fewer than 18 minutes into the spam run, the content
triggers rule group 60, rule id 4224795.

(It is coupon spam, but probably fake affiliate marketing. Sent with
lots of word salad).


Andrew 8)






#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
This list is for discussing Message Sniffer,
Anti-spam, Anti-Malware, and related email topics.
For More information see http://www.armresearch.com
To unsubscribe, E-mail to: sniffer-...@sortmonster.com
To switch to the DIGEST mode, E-mail to sniffer-dig...@sortmonster.com
To switch to the INDEX mode, E-mail to sniffer-in...@sortmonster.com
Send administrative queries to  sniffer-requ...@sortmonster.com



[sniffer] Re: Change in default settings

2011-05-09 Thread Colbeck, Andrew
Pete, for

sample on-off='on'

I wrote myself this note...

!-- We can sample during a peek if passthrough = yes --

... Is it still valid? Your sample and my own configuration have:

passthrough=no

On the balance of it, I suspect my own note is wrong, so it would be
nice if you could verify it one way or the other.


Andrew.

-Original Message-
From: Message Sniffer Community [mailto:sniffer@sortmonster.com] On
Behalf Of Pete McNeil
Sent: Monday, May 09, 2011 11:56 AM
To: Message Sniffer Community
Subject: [sniffer] Change in default settings


Hello Message Sniffer Folks,

We're recommending a change in the default settings for message sniffer 
in order to improve our response times for new campaigns. The change is 
small and enhances our virtual spamtrap technology so that we see new 
spams sooner and with greater sampling coverage.

If you locate this block of code in your snf_engine.xml file:

black on-off='on' symbol='63'
edge probability='0.8' confidence='0.2'/
edge probability='0.8' confidence='1.0'/
truncate on-off='on' probability='0.9' peek-one-in='3' symbol='20'/
sample on-off='on' probability='0.8' grab-one-in='3' passthrough='no' 
passthrough-symbol='0'/
/black

You will notice that your settings are probably slightly different.

The changes we would like you to make are:

peek-one-in='3'
grab-one-in='3'

Your current settings most likely use higher numbers for these settings.

Once you make the change and save your file then Message Sniffer should 
pick up the changes right away - you do not need to restart Message 
Sniffer when making adjustments to your configuration.

Please let us know if you have any questions.

Thanks!

_M

-- 
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044
x7010


#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
This list is for discussing Message Sniffer,
Anti-spam, Anti-Malware, and related email topics.
For More information see http://www.armresearch.com
To unsubscribe, E-mail to: sniffer-...@sortmonster.com
To switch to the DIGEST mode, E-mail to sniffer-dig...@sortmonster.com
To switch to the INDEX mode, E-mail to sniffer-in...@sortmonster.com
Send administrative queries to  sniffer-requ...@sortmonster.com


#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
This list is for discussing Message Sniffer,
Anti-spam, Anti-Malware, and related email topics.
For More information see http://www.armresearch.com
To unsubscribe, E-mail to: sniffer-...@sortmonster.com
To switch to the DIGEST mode, E-mail to sniffer-dig...@sortmonster.com
To switch to the INDEX mode, E-mail to sniffer-in...@sortmonster.com
Send administrative queries to  sniffer-requ...@sortmonster.com



[sniffer] Re: Change in default settings

2011-05-09 Thread Colbeck, Andrew
Great. I'll remove the erroneous comment I made in my configuration
files.

FWIW, I've set both peek-one-in='3' and grab-one-in='3' as the new
recommended default.


Andrew.

-Original Message-
From: Message Sniffer Community [mailto:sniffer@sortmonster.com] On
Behalf Of Pete McNeil
Sent: Monday, May 09, 2011 3:05 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Change in default settings


On 5/9/2011 4:53 PM, Colbeck, Andrew wrote:
 Pete, for

 sample on-off='on'

 I wrote myself this note...

 !-- We can sample during a peek if passthrough = yes --

 ... Is it still valid? Your sample and my own configuration have:

 passthrough=no

 On the balance of it, I suspect my own note is wrong, so it would be
 nice if you could verify it one way or the other.

The passthrough option is for local sampling. We have used it 
occasionally on our spamtrap processors, but not for some time. 
Passthrough takes any messages that would have been samples and instead 
of sending them to the virtual spamtrap network it lets them go through 
with a specific result code. Presumably the local system would see the 
special result code and treat the message differently.

Please leave passthrough='no'

Thanks!

_M

-- 
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044
x7010


#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
This list is for discussing Message Sniffer,
Anti-spam, Anti-Malware, and related email topics.
For More information see http://www.armresearch.com
To unsubscribe, E-mail to: sniffer-...@sortmonster.com
To switch to the DIGEST mode, E-mail to sniffer-dig...@sortmonster.com
To switch to the INDEX mode, E-mail to sniffer-in...@sortmonster.com
Send administrative queries to  sniffer-requ...@sortmonster.com


#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
This list is for discussing Message Sniffer,
Anti-spam, Anti-Malware, and related email topics.
For More information see http://www.armresearch.com
To unsubscribe, E-mail to: sniffer-...@sortmonster.com
To switch to the DIGEST mode, E-mail to sniffer-dig...@sortmonster.com
To switch to the INDEX mode, E-mail to sniffer-in...@sortmonster.com
Send administrative queries to  sniffer-requ...@sortmonster.com



[sniffer] So, another botnet bites the dust.

2011-03-18 Thread Colbeck, Andrew
Pete, now that Microsoft has taken down the Rustock botnet, what's your
telemetry say about spam volumes? Any significant change?
 
http://blogs.technet.com/b/microsoft_blog/archive/2011/03/18/taking-down
-botnets-microsoft-and-the-rustock-botnet.aspx
 
http://krebsonsecurity.com/2011/03/rustock-botnet-flatlined-spam-volumes
-plummet/
 
But CommTouch doesn't think it made much of a dent:
 
http://blog.commtouch.com/cafe/anti-spam/has-the-reported-disruption-of-
rustock-affected-spam-levels/
 
 
 
Andrew from Vancouver
 
 
 
 
 
 


[sniffer] Re: Rule Panic on 3364665

2010-08-17 Thread Colbeck, Andrew
I have seen one hit, and it looks like a false positive to me. Sent as a
sample to the false@ address.
 
Thanks for the heads-up, Darin.
 
 
Andrew.
 



From: Message Sniffer Community [mailto:snif...@sortmonster.com] On
Behalf Of Darin Cox
Sent: Tuesday, August 17, 2010 12:11 PM
To: Message Sniffer Community
Subject: [sniffer] Rule Panic on 3364665


Hi,
 
We've had a lot of FPs on this rule, and wanted to alert everyone on it.
 
Pete, can you look into it?
 
Thanks,

Darin.
 
 


[sniffer] Re: Volume spike Mon 9AM EST

2010-05-10 Thread Colbeck, Andrew
I'm not seeing any spike in inbound connections or accepted message
counts.

Actually, it's lower than Friday's volume and about the same as
Thursday.


Andrew. 

-Original Message-
From: Message Sniffer Community [mailto:snif...@sortmonster.com] On
Behalf Of Peer-to-Peer (Support)
Sent: Monday, May 10, 2010 6:21 AM
To: Message Sniffer Community
Subject: [sniffer] Volume spike Mon 9AM EST


Just checking to see if anyone else is seeing a massive spike in volume.
Something started occurring around 9AM EST.  Not yet sure what's
happening.

Wondering if this is global attack or simply local on our system?

Anyone seeing unusual activity - high volume?



--Paul R.



#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
This list is for discussing Message Sniffer,
Anti-spam, Anti-Malware, and related email topics.
For More information see http://www.armresearch.com
To unsubscribe, E-mail to: sniffer-...@sortmonster.com
To switch to the DIGEST mode, E-mail to sniffer-dig...@sortmonster.com
To switch to the INDEX mode, E-mail to sniffer-in...@sortmonster.com
Send administrative queries to  sniffer-requ...@sortmonster.com


#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
This list is for discussing Message Sniffer,
Anti-spam, Anti-Malware, and related email topics.
For More information see http://www.armresearch.com
To unsubscribe, E-mail to: sniffer-...@sortmonster.com
To switch to the DIGEST mode, E-mail to sniffer-dig...@sortmonster.com
To switch to the INDEX mode, E-mail to sniffer-in...@sortmonster.com
Send administrative queries to  sniffer-requ...@sortmonster.com



[sniffer] Re: Opening truncate.gbudb.net

2010-05-10 Thread Colbeck, Andrew
I looked at the effectiveness of this test and I like what I'm seeing.
The volume isn't high, but it is making a difference in the edge cases
that are close to my hold weight.

In particular, I'm finding that it is triggering on pump and dump DKIM
spam from fresh netblocks that would otherwise leak into my mailboxes.
Some of those also trigger SNIFFERSCAM.

So if you don't trust the global truncate test alone, it's a good test
to combine with other weighted tests.

P.s. I'm also finding that truncate is triggering on email from some ISP
users when I check multiple hops in the header. That probably means that
I'm finding users with zombie infected computers, but I'm letting that
mail in, so checking which IP addresses were hit is a small problem if I
want to contact those people.


Andrew.

 

-Original Message-
From: Message Sniffer Community [mailto:snif...@sortmonster.com] On
Behalf Of Pete McNeil
Sent: Thursday, April 29, 2010 2:08 PM
To: Message Sniffer Community
Subject: [sniffer] Opening truncate.gbudb.net


Hi Sniffer Folks,

We have been testing a blacklist based on real-time GBUdb data 
(generated from Message Sniffer).

We have decided to experiment with opening up the blacklist for a wider 
audience and so as of now you can use truncate.gbudb.net as an ip4r
test.

You should get a result of 127.0.0.1 if the IP is well into the truncate

range -- That is: truncate.gbudb.net is designed to be 
ultra-conservative so that it should be safe to reject connections based

on the test in most cases. This also means that it won't block 
everything -- only the worst of the worst. That said, the folks who have

been testing it have reported that it did drop a significant amount of 
traffic from their systems on average.

Please keep us all posted about how it's working for you.

Thanks,

_M

#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
This list is for discussing Message Sniffer,
Anti-spam, Anti-Malware, and related email topics.
For More information see http://www.armresearch.com
To unsubscribe, E-mail to: sniffer-...@sortmonster.com
To switch to the DIGEST mode, E-mail to sniffer-dig...@sortmonster.com
To switch to the INDEX mode, E-mail to sniffer-in...@sortmonster.com
Send administrative queries to  sniffer-requ...@sortmonster.com


#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
This list is for discussing Message Sniffer,
Anti-spam, Anti-Malware, and related email topics.
For More information see http://www.armresearch.com
To unsubscribe, E-mail to: sniffer-...@sortmonster.com
To switch to the DIGEST mode, E-mail to sniffer-dig...@sortmonster.com
To switch to the INDEX mode, E-mail to sniffer-in...@sortmonster.com
Send administrative queries to  sniffer-requ...@sortmonster.com



[sniffer] Re: Opening truncate.gbudb.net

2010-05-10 Thread Colbeck, Andrew
Hey, Pete.

I contacted one of the recipients and ran down one of those intermediate
hops which triggered on truncate.gbudb.net ... It was an intermediate
hop at AOL (rly presumably means relay)

Received: from smtprly-dd03.mx.aol.com (smtprly-dd03.mx.aol.com
[205.188.84.131]) by cia-mb07.mx.aol.com (v128.3) with ESMTP id
MAILCIAMB071-d4074be4e089be; Fri, 07 May 2010 23:54:50 -0400

This IP address seems to bridge the gap between AOL webmail and SMTP
delivery. In this case, the user used the AOL webmail and then forwarded
the message to the mailbox on our system.

The GBU list is emitting TXT records as well as the A record, perhaps it
would be useful to actually state the IP as well in that text.

C:\tempdig @8.8.8.8 131.84.188.205.truncate.gbudb.net any

;  DiG 9.7.0rc1  @8.8.8.8 131.84.188.205.truncate.gbudb.net any
; (1 server found)
;; global options: +cmd
;; Got answer:
;; -HEADER- opcode: QUERY, status: NOERROR, id: 55101
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;131.84.188.205.truncate.gbudb.net. IN  ANY

;; ANSWER SECTION:
131.84.188.205.truncate.gbudb.net. 3600 IN A127.0.0.2
131.84.188.205.truncate.gbudb.net. 3600 IN TXT  GBUdb Cloud Truncate c
 0.2, p  0.9

;; Query time: 812 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon May 10 13:08:17 2010
;; MSG SIZE  rcvd: 117

I suggest that if others find this valuable as well, and you find it
reasonable, that the text could look like this:

GBUdb Cloud Truncate c  0.2, p  0.9 for [205.188.84.131]

I'll send the whole header to support@ in case you are interested in
this particular IP.


Andrew.
 

-Original Message-
From: Message Sniffer Community [mailto:snif...@sortmonster.com] On
Behalf Of Colbeck, Andrew
Sent: Monday, May 10, 2010 9:03 AM
To: Message Sniffer Community
Subject: [sniffer] Re: Opening truncate.gbudb.net


I looked at the effectiveness of this test and I like what I'm seeing.
The volume isn't high, but it is making a difference in the edge cases
that are close to my hold weight.

In particular, I'm finding that it is triggering on pump and dump DKIM
spam from fresh netblocks that would otherwise leak into my mailboxes.
Some of those also trigger SNIFFERSCAM.

So if you don't trust the global truncate test alone, it's a good test
to combine with other weighted tests.

P.s. I'm also finding that truncate is triggering on email from some ISP
users when I check multiple hops in the header. That probably means that
I'm finding users with zombie infected computers, but I'm letting that
mail in, so checking which IP addresses were hit is a small problem if I
want to contact those people.


Andrew.

 

-Original Message-
From: Message Sniffer Community [mailto:snif...@sortmonster.com] On
Behalf Of Pete McNeil
Sent: Thursday, April 29, 2010 2:08 PM
To: Message Sniffer Community
Subject: [sniffer] Opening truncate.gbudb.net


Hi Sniffer Folks,

We have been testing a blacklist based on real-time GBUdb data 
(generated from Message Sniffer).

We have decided to experiment with opening up the blacklist for a wider 
audience and so as of now you can use truncate.gbudb.net as an ip4r
test.

You should get a result of 127.0.0.1 if the IP is well into the truncate

range -- That is: truncate.gbudb.net is designed to be 
ultra-conservative so that it should be safe to reject connections based

on the test in most cases. This also means that it won't block 
everything -- only the worst of the worst. That said, the folks who have

been testing it have reported that it did drop a significant amount of 
traffic from their systems on average.

Please keep us all posted about how it's working for you.

Thanks,

_M

#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
This list is for discussing Message Sniffer,
Anti-spam, Anti-Malware, and related email topics.
For More information see http://www.armresearch.com
To unsubscribe, E-mail to: sniffer-...@sortmonster.com
To switch to the DIGEST mode, E-mail to sniffer-dig...@sortmonster.com
To switch to the INDEX mode, E-mail to sniffer-in...@sortmonster.com
Send administrative queries to  sniffer-requ...@sortmonster.com


#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
This list is for discussing Message Sniffer,
Anti-spam, Anti-Malware, and related email topics.
For More information see http://www.armresearch.com
To unsubscribe, E-mail to: sniffer-...@sortmonster.com
To switch to the DIGEST mode, E-mail to sniffer-dig...@sortmonster.com
To switch to the INDEX mode, E-mail to sniffer-in...@sortmonster.com
Send administrative queries to  sniffer-requ...@sortmonster.com


#
This message is sent to you because you are subscribed to
  the mailing list sniffer

[sniffer] Re: RulePanic on 3059196

2010-04-06 Thread Colbeck, Andrew
For what it is worth, there are zero hits on my two servers for this
Rule. I looked back through the last 7 days.


Andrew. 



-Original Message-
From: Message Sniffer Community [mailto:snif...@sortmonster.com] On
Behalf Of Darin Cox
Sent: Tuesday, April 06, 2010 9:48 AM
To: Message Sniffer Community
Subject: [sniffer] Re: RulePanic on 3059196


Hi Pete,

We've put a RulePanic in for 3059196, as we're getting a lot of FPs on
it.

Can you look at this rule, and/or let me know what it is?

Thanks,

Darin.

#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
This list is for discussing Message Sniffer,
Anti-spam, Anti-Malware, and related email topics.
For More information see http://www.armresearch.com
To unsubscribe, E-mail to: sniffer-...@sortmonster.com
To switch to the DIGEST mode, E-mail to sniffer-dig...@sortmonster.com
To switch to the INDEX mode, E-mail to sniffer-in...@sortmonster.com
Send administrative queries to  sniffer-requ...@sortmonster.com


#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
This list is for discussing Message Sniffer,
Anti-spam, Anti-Malware, and related email topics.
For More information see http://www.armresearch.com
To unsubscribe, E-mail to: sniffer-...@sortmonster.com
To switch to the DIGEST mode, E-mail to sniffer-dig...@sortmonster.com
To switch to the INDEX mode, E-mail to sniffer-in...@sortmonster.com
Send administrative queries to  sniffer-requ...@sortmonster.com



[sniffer] Re: Bad rule alert: 2784910

2009-11-26 Thread Colbeck, Andrew
All clear here, Pete.

Thanks for both of the notices,


Andrew.
 

-Original Message-
From: Message Sniffer Community [mailto:snif...@sortmonster.com] On
Behalf Of Pete McNeil
Sent: Thursday, November 26, 2009 8:45 AM
To: Message Sniffer Community
Subject: [sniffer] Bad rule alert: 2784910


This bad rule was created 2009-11-26 07:38:32
The bad rule was detected and removed at 11:40:00
The rule matches a binary sequence in some image file attachments.

Sorry for the inconvenience.

Best,

_M


#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
To unsubscribe, E-mail to: sniffer-...@sortmonster.com
To switch to the DIGEST mode, E-mail to sniffer-dig...@sortmonster.com
To switch to the INDEX mode, E-mail to sniffer-in...@sortmonster.com
Send administrative queries to  sniffer-requ...@sortmonster.com


#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
To unsubscribe, E-mail to: sniffer-...@sortmonster.com
To switch to the DIGEST mode, E-mail to sniffer-dig...@sortmonster.com
To switch to the INDEX mode, E-mail to sniffer-in...@sortmonster.com
Send administrative queries to  sniffer-requ...@sortmonster.com



[sniffer] Re: RulePanic on 2654821

2009-09-08 Thread Colbeck, Andrew
The scores over here for the messages that trigger on rule 2654821
today:
 
spam that hit the rule: 4
... and were porn: 0
ham that was held by my weight system: 5
ham that was allowed by my weight system: 3
subsequent panic log lines: 139
 
Thanks for the heads up, Darin.
 
I was able to re-queue those 5 good messages without the users ever
having to call the Helpdesk.
 
 
Andrew 8)
 



From: Message Sniffer Community [mailto:snif...@sortmonster.com] On
Behalf Of Darin Cox
Sent: Tuesday, September 08, 2009 1:49 PM
To: Message Sniffer Community
Subject: [sniffer] Re: RulePanic on 2654821


Neglected to mention it is a Sniffer-Porn rule.

Darin.
 
 
- Original Message - 
From: Darin Cox mailto:dc...@4cweb.com  
To: Message Sniffer Community mailto:sniffer@sortmonster.com  
Sent: Tuesday, September 08, 2009 4:47 PM
Subject: [sniffer] RulePanic on 2654821

We had to put a RulePanic on 2654821.  We were getting a ton of FPs on
it.
 
Pete, let us know what's going on with this rule, please.

Darin.
 
 


[sniffer] Re: SNFMilter released and a few other updates...

2009-07-29 Thread Colbeck, Andrew

Niiice, Pete.


Andrew 8)


-Original Message-
From: Message Sniffer Community [mailto:snif...@sortmonster.com] On
Behalf Of Pete McNeil
Sent: Wednesday, July 29, 2009 2:51 PM
To: Message Sniffer Community
Subject: [sniffer] SNFMilter released and a few other updates...


Hello Sniffer Folks,

Today we've officially released SNFMilter - a version of Message Sniffer

that integrates directly with sendmail and postfix servers.

Here are some links:

https://www.milter.org/milter/75

http://www.armresearch.com/products/index.jsp

We've also posted a new version of our Client/Server distribution for 
Linux, BSD,  other *nix systems. You can find snf-server-3.0.9.tar.gz 
on our products page: http://www.armresearch.com/products/index.jsp

* This update contains a fix for a minor bug in the 
CodeDweller/Networking code: Under some (rare) circumstances SNFServer 
would exit with SIGPIPE. The new code includes an appropriate use of 
MSG_NOSIGNAL or SO_NOSIGPIPE depending on the platform used to build the

software.

The SIGPIPE bug does not affect Windows systems... However a new update 
to the windows installer is due relatively soon just to keep all of the 
versions up to date and to update some documentation for some of the 
integrated platforms.

* This update includes improved control scripts that provide for a 
special debug mode. The debug mode runs SNFServer with a number of 
debugging options enabled to capture detailed information about how 
SNFServer is running. Most folks will never need this ;-)

Other improvements to the source code have also been included.

That's all for now.

Please let us know if there's more we can do.

Thanks!

_M


#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
To unsubscribe, E-mail to: sniffer-...@sortmonster.com
To switch to the DIGEST mode, E-mail to sniffer-dig...@sortmonster.com
To switch to the INDEX mode, E-mail to sniffer-in...@sortmonster.com
Send administrative queries to  sniffer-requ...@sortmonster.com


#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
To unsubscribe, E-mail to: sniffer-...@sortmonster.com
To switch to the DIGEST mode, E-mail to sniffer-dig...@sortmonster.com
To switch to the INDEX mode, E-mail to sniffer-in...@sortmonster.com
Send administrative queries to  sniffer-requ...@sortmonster.com



[sniffer] Re: Bad rule: 2524136

2009-06-18 Thread Colbeck, Andrew
Thanks for the heads-up, Pete.

For what it's worth, I had a hit on only one message on each of my
gateways, from different senders.

The Sniffer General result code wasn't weighted high enough on my
Declude system to hold either message because they came from senders
with clean implementations.

I put the rule-panic into each of my snf_engine.xml files and after a
several rulebase updates, I've taken it out again. While the rule-panic
was in place, I had several more hits, which were of course passed.


Andrew.
 

-Original Message-
From: Message Sniffer Community [mailto:snif...@sortmonster.com] On
Behalf Of Pete McNeil
Sent: Thursday, June 18, 2009 1:13 PM
To: Message Sniffer Community
Subject: [sniffer] Bad rule: 2524136


Hello Sniffer Folks,

Rule ID 2524136 was coded for an image binary segment and was pulled 
shortly after it was created when false positives were detected.

If you use a quarantine system and you are able to re-scan quarantined 
messages then you may be able for avoid further FP reports and even 
prevent the detection of these false positives.

If you are using the latest version of SNF then your rulebase is most 
likely already up to date.

If you are using a scheduled task and the previous version of SNF then 
you may need to trigger an update manually first. Please upgrade as soon

as possible.

What we have done:

* As with all false positives, this rule is retained to prevent any 
future events of the same kind.

* We have researched the process that created this rule and adapted the 
process to prevent similar cases in the future.

We are sorry for any inconvenience.

Thanks,

_M


#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
To unsubscribe, E-mail to: sniffer-...@sortmonster.com
To switch to the DIGEST mode, E-mail to sniffer-dig...@sortmonster.com
To switch to the INDEX mode, E-mail to sniffer-in...@sortmonster.com
Send administrative queries to  sniffer-requ...@sortmonster.com



#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
To unsubscribe, E-mail to: sniffer-...@sortmonster.com
To switch to the DIGEST mode, E-mail to sniffer-dig...@sortmonster.com
To switch to the INDEX mode, E-mail to sniffer-in...@sortmonster.com
Send administrative queries to  sniffer-requ...@sortmonster.com



[sniffer] Re: Message Sniffer question

2009-04-30 Thread Colbeck, Andrew
It works for me. Thanks, Pete!
 
I used the documentation here:
 
http://www.armresearch.com/support/articles/software/snfServer/config/au
toUpdates.jsp
 
I wanted a simplified system that more closely reflected what the vendor
ships, so I've stopped using my home-grown wget based script which was
run hourly from the Windows Task Scheduler with a dedicated local user
account.
 
 
Andrew.
 



From: Message Sniffer Community [mailto:snif...@sortmonster.com] On
Behalf Of Pete McNeil
Sent: Tuesday, April 21, 2009 3:25 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Message Sniffer question


Scott Fisher wrote: 

If I remember correctly...

I have an email account with a Imail program alias, that when it
gets a mail from Message Sniffer triggers an update.

It's still getting mail and triggering updates.

 

I'm thinking this isn't need with Sniffer v3 anymore?

That's correct.

Version 3 has an update script launcher that fires when SNF detects a
newer rulebase is ready. If you have that configured properly then no
other update mechanism is needed.

If you want to disable update notifications then send a note to support@
and we will turn them off for you.

Best,

_M




[sniffer] overriding the GBUdb

2009-04-30 Thread Colbeck, Andrew
I recently used snfclient.exe to whitelist the IP address (actually a
whole /24) of a mailing list manager that my users deem to be
trustworthy.
 
snfclient.exe -set 64.62.197.53 good - -
 
You might argue the merits of this IP address, but that's not why I'm
writing...
 
I deliberately left alone the last two parameters, so as to not disturb
the counts, given that I'm whitelisting by forcing the good flag.
 
I assume that this does not affect the GBU community at all, because
it's the good and bad counts that are shared, not the flag. Is this
correct?
 
Does the ARMResearch support notice when an administrator does this, and
research whether the findings are good?
 
The Bad count and Good count I see when I do a:
 
snfclient.exe -test 64.62.197.53
 
are results only on my own server, and not the GBU community. Is this
correct?
 
I assume that condensation affects the counts, and not the flag. So I
will only lose this good flag if the GBUdb is dumped (or I build a new
server). Is this correct?
 
 
Andrew 8)
 
 
 


[sniffer] Re: overriding the GBUdb

2009-04-30 Thread Colbeck, Andrew
That will do! I've created a batch file in which I'll put my snfclient
commands and my dated documentation/rationale for those, but I'll keep
using the standard GBUdbIgnoreList.txt for documenting my gateways.
 
I'll also suggest that in the online documentation, that a link in the
GBU section goes back to the SNFClient section so that it's easier for
an admin to find the right syntax for using the client to manipulate the
GBUdb, e.g.
 
http://www.armresearch.com/support/articles/technology/GBUdb/index.jsp
 
perhaps directly here on on the Maintenance page that shows how to use
the ignore parameter, a link would go back to:
 
http://www.armresearch.com/support/articles/software/snfClient/commandLi
ne.jsp
 
which is where the detailed command line documentation is listed.
 
And although it rarely comes up as a support issue, I'll also suggest
that the quick help for SNFclient could be clarified. It currently is
this:
 
 To update GBUdb records use:
 SNFClient.exe -set IP4Address flag bad good
 
and my suggested easier-to-read version is this:
 
 To update GBUdb records use:
 SNFClient.exe -set IP4Address good|bad|ignore|ugly|-
badcount|- goodcount|-
 
 
 
Andrew.



From: Message Sniffer Community [mailto:snif...@sortmonster.com] On
Behalf Of Pete McNeil
Sent: Thursday, April 30, 2009 1:14 PM
To: Message Sniffer Community
Subject: [sniffer] Re: overriding the GBUdb


Colbeck, Andrew wrote: 

I recently used snfclient.exe to whitelist the IP address
(actually a whole /24) of a mailing list manager that my users deem to
be trustworthy.
 
snfclient.exe -set 64.62.197.53 good - -
 
You might argue the merits of this IP address, but that's not
why I'm writing...
 
I deliberately left alone the last two parameters, so as to not
disturb the counts, given that I'm whitelisting by forcing the good
flag.
 
I assume that this does not affect the GBU community at all,
because it's the good and bad counts that are shared, not the flag. Is
this correct?


That is correct.



 
Does the ARMResearch support notice when an administrator does
this, and research whether the findings are good?


No. We wouldn't know how to evaluate that anyway-- each system has it's
own policies.

GBUdb traffic consists only of good/bad counts at specific intervals. If
the IP is not ugly it doesn't get evaluated in this way so we stop
seeing data about that IP from that system.



 
The Bad count and Good count I see when I do a:
 
snfclient.exe -test 64.62.197.53
 
are results only on my own server, and not the GBU community. Is
this correct?


They were built up using primarily data from your server with some
hinting from the cloud. The cloud's influence is diminished
significantly as your system gains experience with a particular IP.



 
I assume that condensation affects the counts, and not the flag.
So I will only lose this good flag if the GBUdb is dumped (or I build
a new server). Is this correct?


If you wipe out your GBUdb data then it will be gone. Flags other than
ugly are preserved in GBUdb. If you buid a new server and you want to
preserve your GBUdb data then you can copy the .gbx file to the new
server before you start it. The .gbx file is a binary snap-shot of your
GBUdb data. By default it is created about once per hour so that your
SNF node does not have to start learning again from scratch if it is
abruptly restarted.

Please let us know if you have other questions.

Best,

_M





[sniffer] Re: Problem with Sniffer-Porn rule this morning

2008-07-18 Thread Colbeck, Andrew
I also have hit this. A single hit, also from AOL.
 
 
Andrew.
 



From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On
Behalf Of Darin Cox
Sent: Friday, July 18, 2008 6:37 AM
To: Message Sniffer Community
Subject: [sniffer] Problem with Sniffer-Porn rule this morning


Pete,
 
There appears to be a problem with rule 1984485 this morning.  I'm
getting a number of FP hits on it from AOL users.

Darin.
 


[sniffer] Re: Problem with Sniffer-Porn rule this morning

2008-07-18 Thread Colbeck, Andrew
I've just used proper channels and submitted the message and the snippet
from the MessageSniffer log to the false@ email address.
 
I've also added this:
 
rule id='1984485'/
 
to the
 
rule-panics
 
section of the snf_engine.xml file on each of my servers.
 
 
Andrew.
 
 



From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On
Behalf Of Colbeck, Andrew
Sent: Friday, July 18, 2008 8:31 AM
To: Message Sniffer Community
Subject: [sniffer] Re: Problem with Sniffer-Porn rule this morning


I also have hit this. A single hit, also from AOL.
 
 
Andrew.
 



From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On
Behalf Of Darin Cox
Sent: Friday, July 18, 2008 6:37 AM
To: Message Sniffer Community
Subject: [sniffer] Problem with Sniffer-Porn rule this morning


Pete,
 
There appears to be a problem with rule 1984485 this morning.  I'm
getting a number of FP hits on it from AOL users.

Darin.
 


[sniffer] Re: It's official. SNF Version 3.0 is Ready!

2008-06-26 Thread Colbeck, Andrew
Congratulations on shipping, Pete!


Andrew 8)

p.s. Hey, I love the new mascot. Much cuter than the old SortMonster...

 

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On
Behalf Of Pete McNeil
Sent: Thursday, June 26, 2008 12:24 PM
To: Message Sniffer Community
Subject: [sniffer] It's official. SNF Version 3.0 is Ready!


Hello Sniffer folks,

Back in Q1 we were sure we'd be ready with the new SNF after nearly a
year of testing on both large and small systems. What a surprise!

After publishing the first release candidate we went from version 1-5
to version 2-27 at a breathtaking pace!

Thank you to everyone who has tested, poked, prodded, and twisted the
new SNF -- not to mention keeping up with all of those updates during
the final phase of testing. I can't imagine getting to this point
without your patience, trust, attention to detail, and persistence!
Bravo!



Without further fanfare: Today the latest release candidate becomes
the official production release of Message Sniffer (SNF) Version 3.0.

The changes:

-- Minor updates to readme files.

-- Changed the build / version information and recompiled.

-- Removed redundant comments from the configuration file.

We have been bug free for more than 2 months with several hundred
systems using the new engine.

You can download the latest distributions from this page:

http://www.armresearch.com/products/index.jsp

You may also notice that we've published our new web site! There are a
few bits of documentation still under construction here and there, but
we're well on our way to filling those in along with a stream of
continues improvements and additions based on our work with you!

Once again, Thanks to everyone for a fantastic job!

Thanks for all of your support, comments, and efforts!

As always we're hear to help. Now, onward to the next upgrade...
always work to do ;-)

Cheers!

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.


#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
To unsubscribe, E-mail to: [EMAIL PROTECTED]
To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED]
To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]
Send administrative queries to  [EMAIL PROTECTED]



#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
To unsubscribe, E-mail to: [EMAIL PROTECTED]
To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED]
To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]
Send administrative queries to  [EMAIL PROTECTED]



[sniffer] Re: Bad rule alert: 1940812

2008-06-17 Thread Colbeck, Andrew
Pete, if we have a significant number of hits, they'll be from all kinds
of IP sources.

Should we dump the GBUdb? If so, how?

The documentation is perfectly clear on how to tweak an IP or dump an IP
in the GBUdb, but doesn't mention a wholesale clearing of it.


Andrew.

 

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On
Behalf Of Pete McNeil
Sent: Tuesday, June 17, 2008 12:46 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Bad rule alert: 1940812


Hello, --- following up.

Intended to make the original post with a high priority flag.

Also - the rule was removed at approximately 15:10:00 EDT

Hope this helps,

_M

Tuesday, June 17, 2008, 3:35:47 PM, you wrote:

 Hello Message,

 Rule 1940812 has already been removed from the core rulebase.

 You can render the rule inert immediately by adding it to your rule
 panics list.

 Rule was coded at 13:03:17 EDT

 The rule was coded for an obfuscated version of the word Tuesday and
 was coded with a bad abstraction character.

 We sincerely apologize for the inconvenience.

 Best,

 _M




-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.


#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
To unsubscribe, E-mail to: [EMAIL PROTECTED]
To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED]
To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]
Send administrative queries to  [EMAIL PROTECTED]



#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
To unsubscribe, E-mail to: [EMAIL PROTECTED]
To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED]
To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]
Send administrative queries to  [EMAIL PROTECTED]



[sniffer] Re: Bad rule alert: 1940812

2008-06-17 Thread Colbeck, Andrew
Thanks, Pete.

I had very few actual hits; I have lots of lines that indicate the rule
panic in place, but the number of actual hits is quite small.

How I found my hits:


cd /d C:\MessageSniffer

gawk ($6 == \Final\)  ($7 == 1940812) *.20080617.log


Andrew.
 

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On
Behalf Of Pete McNeil
Sent: Tuesday, June 17, 2008 1:31 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Bad rule alert: 1940812


Hello Andrew,

Tuesday, June 17, 2008, 4:21:49 PM, you wrote:

 Pete, if we have a significant number of hits, they'll be from all
kinds
 of IP sources.

 Should we dump the GBUdb? If so, how?

It is unlikely that good IPs will be moved to into the black ranges
with a short event like this-- so you should not need to dump GBUdb
unless you see GBUdb false positives.

The design of GBUdb is such that there is significant inertia for well
known IPs -- if they are known to be good -- or at least solidly not
bad, then the IPs will not be easily moved into the black ranges.

 The documentation is perfectly clear on how to tweak an IP or dump
 an IP in the GBUdb, but doesn't mention a wholesale clearing of it.

If you do decide to dump your GBUdb then follow this procedure:

Stop SNFServer

Delete the .gbx file in the SNF working directory.

Restart SNFServer

That procedure will cause SNF to build a new GBUdb file from scratch
based on what it is learning from that point on.

Best,

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.


#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
To unsubscribe, E-mail to: [EMAIL PROTECTED]
To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED]
To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]
Send administrative queries to  [EMAIL PROTECTED]



#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
To unsubscribe, E-mail to: [EMAIL PROTECTED]
To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED]
To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]
Send administrative queries to  [EMAIL PROTECTED]



[sniffer] Re: Bad rule alert: 1940812

2008-06-17 Thread Colbeck, Andrew
Thanks, Pete.

I had four actual false positives on one server, versus 324 unique hits
for the bad rule.

So yes, I'd say that the autopanic feature worked quite well.


Andrew.
 

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On
Behalf Of Pete McNeil
Sent: Tuesday, June 17, 2008 1:47 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Bad rule alert: 1940812


Hello Andrew,

Tuesday, June 17, 2008, 4:41:41 PM, you wrote:

 Thanks, Pete.

 I had very few actual hits; I have lots of lines that indicate the
rule
 panic in place, but the number of actual hits is quite small.

 How I found my hits:


 cd /d C:\MessageSniffer

 gawk ($6 == \Final\)  ($7 == 1940812) *.20080617.log

I haven't checked telemetry yet -- still very busy here battling the
stock-push spam  other storms.

However, you were likely protected by the Auto-Panic feature in the
new SNF.

The first time the bad rule hit a message with an IP source in the
white range it would have been automatically added to your node's
internal panic list rendering it inert.

That probably explains why you have very few hits.

Best,

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.


#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
To unsubscribe, E-mail to: [EMAIL PROTECTED]
To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED]
To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]
Send administrative queries to  [EMAIL PROTECTED]



#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
To unsubscribe, E-mail to: [EMAIL PROTECTED]
To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED]
To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]
Send administrative queries to  [EMAIL PROTECTED]



[sniffer] Re: Test

2008-05-26 Thread Colbeck, Andrew
pong ...



From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On
Behalf Of John T
Sent: Monday, May 26, 2008 9:08 AM
To: Message Sniffer Community
Subject: [sniffer] Test


Ping

Testing as I have not received any list messages for a while.



John T
eServices For You




[sniffer] Re: XYNTService -- Any Problems?

2008-05-09 Thread Colbeck, Andrew
I've never used it, Pete.

My first reaction was... don't go to a third party (XYNTService, SrvAny,
FireDaemon) just make the executable a full fledged Windows Service.

I do realize that you'd be reluctant to do that given the additional
complexity of the code, none of which is portable to the *nix version
where the SNFServer would run as a daemon.

Since you, as a the developer, start with XNTService with the source
code,

http://www.codeproject.com/KB/system/xyntservice.aspx

then you can modify it and deploy it any way you want (yes, I read the
Terms of Service at the site), including giving it a Message Sniffer
name and localizing the installation in your folder to prevent
versioning issues if the server is already using XNTService for
something else.

So it does seem less bad that at first, but if you're going to be
supporting XNTService because you built it, and you're going to be
supporting your own SNFServer.exe because you built it... you'd aim
higher and write SNFServer.exe as a Windows Service anyway.


Andrew.


-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On
Behalf Of Pete McNeil
Sent: Friday, May 09, 2008 12:56 PM
To: Message Sniffer Community
Subject: [sniffer] XYNTService -- Any Problems?


Hello Sniffer Folks,

We are working on an installer for the command-line version of SNF
V3.0.

We are considering re-distributing XYNTService to setup the
SNFServer.exe as part of the installation. There are some rumblings
here and there about XYNTService not working the same way on some
versions of Windows.

If any of you have experience with XYNTService then we would sure like
to hear about it.

If anyone knows of an alternative that we can bundle with our
installer then please let us know that too...

(Why don't you just write something?? -- ) We'd prefer not to reinvent
that particular wheel right now -- not that it's hard, just that it's
not necessary and we'd rather do other important stuff.

Thanks!

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.


#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
To unsubscribe, E-mail to: [EMAIL PROTECTED]
To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED]
To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]
Send administrative queries to  [EMAIL PROTECTED]



#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
To unsubscribe, E-mail to: [EMAIL PROTECTED]
To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED]
To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]
Send administrative queries to  [EMAIL PROTECTED]



[sniffer] Re: Ideal config for scaleable solution?

2008-02-22 Thread Colbeck, Andrew
Paul, since you're working in a Windows world, check out Alligate from
alligate.com as a Windows platform based email gateway.

I've put Alligate in front of my Declude setup and it drastically
reduced the number of emails I had scan for content and sender in
Declude, and gained back a lot of disk time and cpu time. The product
can share your existing server, but is recommended for a dedicated
gateway. It can scale to many gateways while sharing a central database.
It'll do everything you want, actually.

That's as much as I'm going to say here, because this list is all about
Message Sniffer.

If you were a *nix shop, you would still lean towards having a dedicated
gateway server (or many) and your CPU hog would be spamassassin, which
you would run in a client/server model to shift the CPU usage to other
boxes.

Meanwhile, you might check the Declude support list for scalability tips
with your existing setup.


Andrew.



 -Original Message-
 From: Message Sniffer Community 
 [mailto:[EMAIL PROTECTED] On Behalf Of Paul Rogers
 Sent: Thursday, February 21, 2008 4:53 PM
 To: Message Sniffer Community
 Subject: [sniffer] Ideal config for scaleable solution?
 
 
 Ie, ideal for processing/serving 10+ million emails per day in an
 imail/declude/snf configuration.  SNF seems to generally be the big
 processor hog (though the new beta has definitely made huge 
 performance
 improvements over the prior version).
 
 OK...this is a bit off-topic, but I'm looking for some 
 feedback in how to
 plan for handling this type of load (current load is between 1.3m and
 1.8m/day).
 
 Should I just throw more high performance hardware at it?
 
 Scale out perhaps by dedicating a server to just the junk 
 mail scanning.
 Then have a relatively wimpy server taking care of normal Imail stuff
 (recipient of the declude/snf clean and/or tagged emails).  
 
 Along that line of thought, can SNF be configured to work 
 directly with the
 MS/IIS SMTP server?  This combo could work great as a 
 spam-killing gateway.
 
 Has anyone assembled this sort of configuration in a load 
 balanced/redundant
 environment?
 
 Paul ---
 
 
 
 
 
 #
 This message is sent to you because you are subscribed to
   the mailing list sniffer@sortmonster.com.
 To unsubscribe, E-mail to: [EMAIL PROTECTED]
 To switch to the DIGEST mode, E-mail to 
 [EMAIL PROTECTED]
 To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]
 Send administrative queries to  [EMAIL PROTECTED]
 
 


#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
To unsubscribe, E-mail to: [EMAIL PROTECTED]
To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED]
To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]
Send administrative queries to  [EMAIL PROTECTED]



[sniffer] Re: Rule Database copy question

2008-01-16 Thread Colbeck, Andrew
It appears that both the reload and the rotate options in the
sniffer executable are still accepted by SNFClient.exe but are
deprecated, as neither parameter appears in the help or in the
contextual help when SNFClient.exe is run without parameters.
 
Andrew.
 
 




From: Message Sniffer Community [mailto:[EMAIL PROTECTED]
On Behalf Of Pete McNeil
Sent: Wednesday, January 16, 2008 11:41 AM
To: Message Sniffer Community
Subject: [sniffer] Re: Rule Database copy question



Hello Shawn,




Wednesday, January 16, 2008, 2:26:14 PM, you wrote:






Hello,




I am using the latest beta version of Message Sniffer.  I am asking this
question because I thought I read this somewhere but I can not find
where I read it.







If I copy my rule database file to the c:\snf directory while
SNFServer.exe is running, does SNFServer automatically load the new
updated rule database?




Yes.






 




If so, how long does it usually take before SNFServer realizes that
there is a new rule database that was copied to that directory?




Within about a second of seeing the new file it will load and
check the new rulebase. If there is something wrong with the rulebase
file it will keep the current rulebase active until a better one shows
up.












Is there anyway to verify that SNFServer has loaded the latest rule
database that was copied?  I know I can run a SNF2check.exe on the rule
database to check the file before I copy it, but it would be great to
know if SNFServer.exe has loaded the latest copy that I have copied to
the c:\snf directory.




SNFServer will indicate that the new rulebase was loaded in it's
log file.




Hope this helps,




_M







-- 

Pete McNeil

Chief Scientist,

Arm Research Labs, LLC.


#

This message is sent to you because you are subscribed to

  the mailing list sniffer@sortmonster.com.

To unsubscribe, E-mail to: [EMAIL PROTECTED]

To switch to the DIGEST mode, E-mail to
[EMAIL PROTECTED]

To switch to the INDEX mode, E-mail to
[EMAIL PROTECTED]

Send administrative queries to
[EMAIL PROTECTED]





[sniffer] Re: Rule Database copy question

2008-01-16 Thread Colbeck, Andrew
Thanks for the response, Pete!
 
I was using both parameters in my scheduled pattern download script,
which would tell Sniffer that there was a new pattern, and would rotate
the logs before uploading them back to you.
 
With the new (beta) version, both extras have become redundant, so I've
removed them from my script.
 
 
Andrew.
 
 




From: Message Sniffer Community [mailto:[EMAIL PROTECTED]
On Behalf Of Pete McNeil
Sent: Wednesday, January 16, 2008 12:43 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Rule Database copy question



Hello Andrew,




Wednesday, January 16, 2008, 3:02:16 PM, you wrote:






It appears that both the reload and the rotate options in the
sniffer executable are still accepted by SNFClient.exe but are
deprecated, as neither parameter appears in the help or in the
contextual help when SNFClient.exe is run without parameters.




True -- if you called the SNFClient with rotate or reload then
it would interpret those as the names of files to scan; would most
likely not find them; and would produce a harmless error in the log
file.




SNFServer automatically reloads configuration files and rulebase
files when they are altered or replaced.




SNFServer can rotate log files on a per-day basis by including a
date stamp in their name. If you move a log file manually or by a script
then a new one will be created as needed.




_M







-- 

Pete McNeil

Chief Scientist,

Arm Research Labs, LLC.


#

This message is sent to you because you are subscribed to

  the mailing list sniffer@sortmonster.com.

To unsubscribe, E-mail to: [EMAIL PROTECTED]

To switch to the DIGEST mode, E-mail to
[EMAIL PROTECTED]

To switch to the INDEX mode, E-mail to
[EMAIL PROTECTED]

Send administrative queries to
[EMAIL PROTECTED]





[sniffer] Re: No email updates.

2007-11-21 Thread Colbeck, Andrew
For what it's worth, it is working for my two licences.

I received email update notifications at:

90 minutes ago
3 18 minutes ago
4 38 minutes ago
6 hours 13 minutes ago

Andrew 8)




 -Original Message-
 From: Message Sniffer Community 
 [mailto:[EMAIL PROTECTED] On Behalf Of Frederick Samarelli
 Sent: Wednesday, November 21, 2007 5:47 AM
 To: Message Sniffer Community
 Subject: [sniffer] No email updates.
 
 Fred
 
 
 
 #
 This message is sent to you because you are subscribed to
   the mailing list sniffer@sortmonster.com.
 To unsubscribe, E-mail to: [EMAIL PROTECTED]
 To switch to the DIGEST mode, E-mail to 
 [EMAIL PROTECTED]
 To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]
 Send administrative queries to  [EMAIL PROTECTED]
 
 


#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
To unsubscribe, E-mail to: [EMAIL PROTECTED]
To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED]
To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]
Send administrative queries to  [EMAIL PROTECTED]



[sniffer] Re: Sniffer codes

2007-11-09 Thread Colbeck, Andrew
The Ugly value returned by the beta Message Sniffer you're using with
the Good, Bad and Ugly database has a result code of 40, and this code
is missing from your list.
 
(The White value overlaps with result code 0, which internally to
Message Sniffer will mask any other spam result code on your system.
The White return value also indicates did not find a reason to call
this spam, so do not use a return value of zero to reward an email with
negative points in your weighting system... because zero means it wasn't
hammy, it does not mean that it was hammy).
 
(The Bad value replaces the existing return value 63, which is
experimental IP).
 
I suggest you re-read the descriptions for the return values and adjust
your test names for values 60 to 63.
 
The documentation for the return values in the production version of
Message Sniffer is here:
 
http://kb.armresearch.com/index.php?title=Message_Sniffer.TechnicalDetai
ls.ResultCodes
 
And the supplementary documentation for the return values in the beta
version of Message Sniffer is here:
 
http://kb.armresearch.com/index.php?title=Message_Sniffer.TechnicalDetai
ls.GBUdb
 
 
You should find that your total for the test SNIFFER which triggers on
all non-zero values equals the total of all the other non-zero tests
(e.g. the count of return value 40 plus the counts for each of the
return values for values 47 through 63). If not, then there are errors
for the command line or with writing to the Message Sniffer logfile
(return values 65 and 66).
 
Andrew.
 
 




From: Message Sniffer Community [mailto:[EMAIL PROTECTED]
On Behalf Of Serge
Sent: Friday, November 09, 2007 4:49 PM
To: Message Sniffer Community
Subject: [sniffer] Sniffer codes


 
Hi
I have many messages failling Sniffer (0) but not any of the
others
meaning i'm missing some codes
Suggestions ?
TIA
 
 
SNIFFER  external nonzero E:\snfsrv\snfClient.exe 0 0
SNIFWHTLST external 000 E:\snfsrv\snfClient.exe 0 0
SNIFFER-TRAVEL  external 047 E:\snfsrv\snfClient.exe 12 0
SNIFFER-INSUR  external 048 E:\snfsrv\snfClient.exe 15 0
SNIFFER-AVPUSH  external 049 E:\snfsrv\snfClient.exe 12 0
SNIFFER-WAREZ  external 050 E:\snfsrv\snfClient.exe 15 0
SNIFFER-SPMWRE  external 051 E:\snfsrv\snfClient.exe 15 0
SNIFFER-SNAKEO  external 052 E:\snfsrv\snfClient.exe 15 0
SNIFFER-SCAMS   external 053 E:\snfsrv\snfClient.exe 15 0
SNIFFER-PORN   external 054 E:\snfsrv\snfClient.exe 17 0
SNIFFER-MALWARE external 055 E:\snfsrv\snfClient.exe 17 0
SNIFFER-Toner  external 056 E:\snfsrv\snfClient.exe 15 0
SNIFFER-SCHEMES external 057 E:\snfsrv\snfClient.exe 15 0
SNIFFER-CREDIT  external 058 E:\snfsrv\snfClient.exe 15 0
SNIFFER-GAMBL external 059 E:\snfsrv\snfClient.exe 15 0
SNIFFER-GREYM external 060 E:\snfsrv\snfClient.exe 14 0
SNIFFER-OBFUS external 061 E:\snfsrv\snfClient.exe 17 0
SNIFFER-SPAM   external 062 E:\snfsrv\snfClient.exe 12 0
SNIFFER-GENERAL external 063 E:\snfsrv\snfClient.exe 17 0




[sniffer] Re: Beta

2007-10-17 Thread Colbeck, Andrew
Pete, one of the questions I had right away when I looked at the
documentation accompanying the software package was about the
communication channel.

The documentation clearly pointed out that ports 25 is the default and
that 80 is selectable, but didn't go further. I just answered my own
question by sniffing the traffic...

The question was: Ok, so I can govern the port, but will my stateful
firewall like it? The answer is yes and no; if my firewall is expecting
SMTP application layer traffic outbound on port 25/TCP then it won't
like Sniffer's GBU/synch traffic.

Which means that a firewall:

* That does outbound packet filtering will be fine if it lets out
25/TCP.

* That does stateful inspection will be fine if it lets out 25/TCP.

* That does application layer filtering of SMTP on 25/TCP will not be
fine.

I suspect that the same would be true of 80/TCP if Sniffer is so
configured.

I doubt that this is a problem for most environments, but it is an
important point for environments that have application layer filtering.
These environments would be able to update their Sniffer database, but
not participate in GBU, nor would they be able to use the synch system
to report their logs or spam samples.

Presumably, the affected environment could implement a new rule or
override the application inspection and drop down their security to just
allowing outbound 25/TCP without applying SMTP application layer
inspection.


Andrew.


 -Original Message-
 From: Message Sniffer Community 
 [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
 Sent: Wednesday, October 17, 2007 5:35 AM
 To: Message Sniffer Community
 Subject: [sniffer] Re: Beta
 
 Hello John,
 
 Wednesday, October 17, 2007, 1:41:18 AM, you wrote:
 
  Our SYNC server software rejects connections by default. If an SNF
  node follows the expected connection protocols and authenticates
  properly and consistently then it will be allowed to 
 communicate with
  the system. If it fails to do any of these things or looks 
 suspicious
  in any way then it will be automatically black listed for 
 increasingly
  extended periods and potentially null routed by our fire-walls. The
  security mechanisms are fully automatic and constantly monitored.
 
  If something goes wrong on my server, either by a mistake I 
 make in a
  configuration file or a bug or whatever, and my server in 
 connecting to the
  SYNC server should be rejected and subsequently black 
 listed, is there a
  notification that takes place that some one will review to 
 see if that
  sniffer license is otherwise valid and otherwise no known 
 problems are seen
  so that I will then be notified saying hey there is a 
 problem contact us
  so that the problem can be resolved?
 
 Yes.
 
 The system is completely automated and reliable. There is nothing to
 be concerned about. Quite simply, nothing can go wrong, go wrong, go
 wrong... go..
 
 Seriously though--
 
 In order to be black-listed by our system you would have to be abusing
 the SNF software or using some alternative software to attempt to gain
 access or deny access to the SYNC servers. Otherwise the most you
 could do would be to loose contact for some time.
 
 That said, if any system does something to become black-listed then
 you can be sure it will have our attention.
 
 It is basically impossible for you to cause a properly functioning SNF
 node to become black-listed by altering the configuration file. It is
 far more likely that your SNF node would simply fail to connect.
 
 Chances are that if you were making an adjustment that could cause
 this you would also be watching to make sure that things were working
 correctly when you finished.
 
 In case you did cause the system to lose it's connection with us, the
 system is designed so that SNF nodes will remain reliable and
 effective for extended periods even if they are unable to contact the
 SYNC server. It is also designed to recover gracefully when the
 problem is corrected.
 
 The GBUdb system is highly effective even when it does not share it's
 information with the other SNF nodes. Each GBUdb node learns first
 about it's local traffic. As long as your SNF rulebase file is up to
 date - or even close to being up to date, your system is likely to be
 very effective at filtering spam.
 
 If your SNF/GBUdb node becomes detached from the main system for an
 extended period, it will degrade in it's performance. Once the problem
 is corrected it should recover in a very short time.
 
 In the event we detect any IPs being black listed or acting
 suspiciously we will be watching closely so that we can analyze any
 potential threats and take appropriate actions. If we can identify a
 customer involved in such a case we will contact them to investigate
 and correct the problem.
 
 Locally, your status reports indicate when the last sync event
 occurred. This is one of the ways you can check the status of your
 system. Consider this example from recent telemetry:
 
 timers
 

[sniffer] Re: Bad Rule: 1604021

2007-10-16 Thread Colbeck, Andrew
Thanks for reporting this, Pete! 

My numbers were more extreme than Pi-Web's.

That bad rule triggered on 18,023 messages yesterday.

Due to the rest of my spam software, two-thirds were either passed (as
presumed ham) or deleted (as very spammy).

So the one-third that was held, I re-scanned today.

MessageSniffer today would catch 6,419, and ignore 218.

Of the 218 that MessageSniffer would ignore today, 17 are spam and the
rest really are ham.


Andrew.



 -Original Message-
 From: Message Sniffer Community 
 [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
 Sent: Monday, October 15, 2007 1:00 PM
 To: Message Sniffer Community
 Subject: [sniffer] Bad Rule: 1604021
 
 Hello Sniffer Folks,
 
 This is an alert about a potentially bad rule 1604021.
 
 The rule was an abstract pattern for some of today's image spam.
 
 Indications are that the final coding was too broad. The rule was in
 place for approximately 5 hours ending about 30 minutes ago. Some
 differences in timing are inevitable since all rulebases are compiled
 individually.
 
 If you have the ability to release and rescan from quarantine based on
 SNF rule IDs then we recommend executing that process against this
 rule id: 1604021.
 
 Hope this helps,
 
 Thanks,
 
 _M
 
 -- 
 Pete McNeil
 Chief Scientist,
 Arm Research Labs, LLC.
 
 
 #
 This message is sent to you because you are subscribed to
   the mailing list sniffer@sortmonster.com.
 To unsubscribe, E-mail to: [EMAIL PROTECTED]
 To switch to the DIGEST mode, E-mail to 
 [EMAIL PROTECTED]
 To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]
 Send administrative queries to  [EMAIL PROTECTED]
 
 


#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
To unsubscribe, E-mail to: [EMAIL PROTECTED]
To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED]
To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]
Send administrative queries to  [EMAIL PROTECTED]



[sniffer] Spammers turning to PDF attachments?

2007-06-21 Thread Colbeck, Andrew
See this article at the Internet Storm Center:

http://isc.sans.org/diary.html?storyid=3012


Pump and dump scams now in PDF
Published: 2007-06-20,
Last Updated: 2007-06-20 21:33:39 UTC
by Maarten Van Horenbeeck (Version: 1)

Apparently the groups behind what we know as pump and dump spam have
found a new way to bypass spam filters. As of yesterday, we've been
observing e-mails with bogus text, often in german, each with a PDF in
attachment...



Andrew.






#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
To unsubscribe, E-mail to: [EMAIL PROTECTED]
To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED]
To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]
Send administrative queries to  [EMAIL PROTECTED]



[sniffer] Re: Downloads are not working....

2007-05-17 Thread Colbeck, Andrew
My last upload averaged a lame 6 KB/s.

My last download varied widely in the speed obtained:

0K .. .. .. .. ..   17.85
KB/s
   50K .. .. .. .. ..9.58
KB/s
  100K .. .. .. .. ..   11.12
KB/s
  150K .. .. .. .. ..   20.96
KB/s
  200K .. .. .. .. ..   14.76
KB/s
  250K .. .. .. .. ..5.15
KB/s
  300K .. .. .. .. ..   10.10
KB/s
  350K .. .. .. .. ..   12.67
KB/s
  400K .. .. .. .. ..  221.93
B/s
  450K .. .. .. .. ..3.18
KB/s
  500K .. .. .. .. ..2.30
KB/s
  550K .. .. .. .. ..  816.78
B/s
  600K .. .. .. .. ..   10.43
KB/s
  650K .. .. .. .. ..5.69
KB/s
  700K .. .. .. .. ..  132.17
B/s
  750K .. .. .. .. . 8.55
KB/s

PathPing.exe shows me sub 80ms per hop between my firewall and
ftp.sortmonster.net

So my guess is that the ftp server itself is busy.
 
Andrew.



 -Original Message-
 From: Message Sniffer Community
 [mailto:sniffer@sortmonster.com mailto:sniffer@sortmonster.com ] On
Behalf Of Chuck Schick
 Sent: Thursday, May 17, 2007 11:11 AM
 To: Message Sniffer Community
 Subject: [sniffer] Downloads are not working

 Speeds are really slow and the connection is lost before
 completionEverything checks out good on our end.  Is
 something going on with the sortmonster end of things?

 Chuck Schick
 Warp 8, Inc.
 (303)-421-5140
 www.warp8.com


 #
 This message is sent to you because you are subscribed to
   the mailing list sniffer@sortmonster.com.
 To unsubscribe, E-mail to: [EMAIL PROTECTED] To
 switch to the DIGEST mode, E-mail to
 [EMAIL PROTECTED] To switch to the INDEX mode,
 E-mail to [EMAIL PROTECTED] Send administrative
 queries to  [EMAIL PROTECTED]

 



[sniffer] Re: Downloads are not working....

2007-05-17 Thread Colbeck, Andrew
Thanks for the update, Pete.

Over on the Declude JunkMail support mailing list, it's like déjà vu all over 
again.

Andrew 8)

p.s. For the many of us here that don't subscribe to that list... The small 
number of recently active messages have been re-queued to the list several 
times.

 

 -Original Message-
 From: Message Sniffer Community 
 [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
 Sent: Thursday, May 17, 2007 12:50 PM
 To: Message Sniffer Community
 Subject: [sniffer] Re: Downloads are not working
 
 Hello Chris,
 
 Thursday, May 17, 2007, 2:30:13 PM, you wrote:
 
  Oh god, that would explain why I put in a support request with 
  appriver and it bounced back. One of our clients exchange 
 servers was 
  down today and they queue mail until it is back up, but I'm 
 trying to 
  get someone to release it now.
  This isn't good
 
 The good news is that the problem has been corrected now. We 
 are still seeing some after-effects from it, but those should 
 be gone before too long.
 
 _M
 
 --
 Pete McNeil
 Chief Scientist,
 Arm Research Labs, LLC.
 
 
 #
 This message is sent to you because you are subscribed to
   the mailing list sniffer@sortmonster.com.
 To unsubscribe, E-mail to: [EMAIL PROTECTED]
 To switch to the DIGEST mode, E-mail to 
 [EMAIL PROTECTED]
 To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]
 Send administrative queries to  [EMAIL PROTECTED]
 
 

#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
To unsubscribe, E-mail to: [EMAIL PROTECTED]
To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED]
To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]
Send administrative queries to  [EMAIL PROTECTED]



[sniffer] Re: SPAM Storm?

2007-03-19 Thread Colbeck, Andrew
... Not in my neck of the network.


Andrew.
 

 -Original Message-
 From: Message Sniffer Community 
 [mailto:[EMAIL PROTECTED] On Behalf Of Computer House Support
 Sent: Monday, March 19, 2007 3:19 PM
 To: Message Sniffer Community
 Subject: [sniffer] Re: SPAM Storm?
 
 Is it me, or is there an unbelievable spam storm going on 
 this afternoon??
 
 
 #
 This message is sent to you because you are subscribed to
   the mailing list sniffer@sortmonster.com.
 To unsubscribe, E-mail to: [EMAIL PROTECTED]
 To switch to the DIGEST mode, E-mail to 
 [EMAIL PROTECTED]
 To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]
 Send administrative queries to  [EMAIL PROTECTED]
 
 

#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
To unsubscribe, E-mail to: [EMAIL PROTECTED]
To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED]
To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]
Send administrative queries to  [EMAIL PROTECTED]



[sniffer] Re: Files in Sniffer Directory

2007-03-08 Thread Colbeck, Andrew
 Would it be a good idea in a future version to delete files 
 that are older than a certain date automatically?

I disagree.

Having MessageSniffer delete the old files would hide the problem.  With
the messages left behind, you have a valuable symptom that something is
wrong with your infrastrucure.

If you ignore them, they are cosmetic and do not consume any disk space
(relative to your normal disk space consumption of logging and spam
holding).

Andrew.
 

 -Original Message-
 From: Message Sniffer Community 
 [mailto:[EMAIL PROTECTED] On Behalf Of Jonathan Hickman
 Sent: Thursday, March 08, 2007 11:19 AM
 To: Message Sniffer Community
 Subject: [sniffer] Re: Files in Sniffer Directory
 
 Would it be a good idea in a future version to delete files 
 that are older than a certain date automatically?  For 
 example, if the file date is older than the current date 
 minus [Insert Number of Days Here] days, it could 
 automatically remove it.
 
 - Original Message -
 From: Pete McNeil [EMAIL PROTECTED]
 To: Message Sniffer Community sniffer@sortmonster.com
 Sent: Thursday, March 08, 2007 12:24 PM
 Subject: [sniffer] Re: Files in Sniffer Directory
 
 
  Hello Keith Johnson,
 
  Thursday, March 8, 2007, 10:55:27 AM, you wrote:
 
   Periodically I will check the Sniffer directory for misc. 
 files that may
   be there and remove them.  These files include .FIN .ERR 
 .WRK, etc.  I
   only remove those that have older time stamps on them.  
 Yesterday when I
   logged in, I had well over 150 of .AMT files.  Does 
 anyone know what
   these files are and what causes them?  By them being 
 present as well as
   old .FIN, etc., would it have an impact on Sniffer's processing
   performance?  Thanks for the aid on this.
 
  .AMT ?? Could you mean .ABT ?
 
  If so - then .ABT indicates a job that was aborted by a client
  instance of SNF.
 
  The extensions to SNF job files change to represent the 
 status of the
  job.
 
 
 http://kb.armresearch.com/index.php?title=Message_Sniffer.Tech
 nicalDetails.Peer-Server#What_file_extensions_that_are_used_fo
r_the_various_temporary_files_that_are_created_in_the_Sniffer_folder.3F
 
  explanation about=where these files come from and how cellular
  peer-server technology works
 
  When an SNF instance is launched it looks to see if there are any
  instances currently acting as servers. If there is a server present
  then it will submit it's job to be processed (.QUE) -- it 
 has become a
  client instance.
 
  It takes a look around to see how busy the system is by checking the
  number of job files present and the information in the 
 .stat file (if
  present). Based on what it sees it sets an alarm clock and goes to
  sleep - expecting to find it's job has been completed when it wakes
  up. If it wakes up and the job is not done - it will give it another
  try, maybe a few,... but if it decides it's waited too long then it
  gives up-- (ABT).
 
  An aborting SNF instance will try to take out the server 
 instance that
  failed to respond by changing that server's job file from 
 .SVR to .ERR
  -- this prevents other instances from seeing that server 
 instance and
  trying to use it; and it lets the server instance know that 
 it's got a
  problem (if it is still alive).
 
  Next, the client instance will load the rulebase itself and 
 scan it's
  own message. After that - it _SHOULD_ remove it's job file. 
 HOWEVER --
  if something kills off the instance before it has a chance to finish
  then the .ABT file will be left behind (if it's gotten to 
 this stage).
 
  (In some cases, Windows will fail to delete the file at all even
  though it will tell the client instance it has deleted the file!)
 
  When a system gets too busy to handle the load it may start to kill
  off SNF instances before they are finished - this leaves 
 orphaned job
  files in the workspace.
 
  /explanation
 
  Deleting old job files that have been left behind is a good 
 thing. It
  shouldn't be necessary on most systems. However, as long as you only
  delete older files that are not active you will not get into any
  trouble.
 
  If you leave orphaned job files to build up in the SNF 
 workspace then
  SNF client instances will sleep longer than they should because they
  will see the extra files as evidence of a heavy traffic 
 load. This can
  effect performance by increasing the number of active 
 processes on the
  system. Also, the extra files slow down directory scanning and this
  can also reduce performance and bring the system closer to having a
  problem.
 
  Hope this helps,
 
  _M
 
 
 
  -- 
  Pete McNeil
  Chief Scientist,
  Arm Research Labs, LLC.
 
 
  #
  This message is sent to you because you are subscribed to
the mailing list sniffer@sortmonster.com.
  To unsubscribe, E-mail to: [EMAIL PROTECTED]
  To switch to the DIGEST mode, E-mail to 
 [EMAIL PROTECTED]
  To switch to the INDEX mode, E-mail to 

[sniffer] Re: Pictures worth a few words...

2007-01-16 Thread Colbeck, Andrew
Postini posts some statistics here, but their conclusions can lag by
months:

http://www.postini.com/stats/index.php

global spam traffic is a big concept... Postini did however process
over 650 million messages in the last 24 hours.

Andrew.


 -Original Message-
 From: Message Sniffer Community 
 [mailto:[EMAIL PROTECTED] On Behalf Of Paul Rogers
 Sent: Tuesday, January 16, 2007 8:32 AM
 To: Message Sniffer Community
 Subject: [sniffer] Re: Pictures worth a few words...
 
 Along these same lines...are there any public sites which do 
 realtime monitoring of global spam traffic?  I googled but 
 really didn't find much.
 I'd be very surprised if there wasn't even a single 
 organization monitoring global spam traffic.
 
 Paul ---
  
 
  -Original Message-
  From: Message Sniffer Community
  [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
  Sent: Tuesday, January 16, 2007 10:43 AM
  To: Message Sniffer Community
  Subject: [sniffer] Pictures worth a few words...
  
  Hello Sniffer Folks,
  
  I'm sure most of you already know about the recent dramatic 
 increases 
  in blackhat activity. These two graphs show what it looks like from 
  our spamtrap  submission data-- graphs represent new spam and/or 
  variants in messages per hour, past
  48 hours and past 30 days.
  
  Note on the 48 hour graph that 20 hours ago the rates 
 doubled (as if 
  somebody flipped a switch) and this does not appear to be a spike 
  (It's not coming down).
  
  _M
  
  --
  Pete McNeil
  Chief Scientist,
  Arm Research Labs, LLC.
 
 
 ---
 [This E-mail scanned for viruses by Declude EVA]
 
 
 
 #
 This message is sent to you because you are subscribed to
   the mailing list sniffer@sortmonster.com.
 To unsubscribe, E-mail to: [EMAIL PROTECTED] To 
 switch to the DIGEST mode, E-mail to 
 [EMAIL PROTECTED] To switch to the INDEX mode, 
 E-mail to [EMAIL PROTECTED] Send administrative 
 queries to  [EMAIL PROTECTED]
 
 


#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
To unsubscribe, E-mail to: [EMAIL PROTECTED]
To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED]
To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]
Send administrative queries to  [EMAIL PROTECTED]



[sniffer] Re: Sniffer White List

2006-12-12 Thread Colbeck, Andrew
Serge, what return value are you using for this snifferwhitelist?

The official and current list of return codes is here:

http://kb.armresearch.com/index.php?title=Message_Sniffer.TechnicalDetai
ls.ResultCodes

If you're using 0, then don't do that, because zero is also used for
no result.  According to this page, it would only be useful if you
were checking the log file and also see WHITE in the row.

Andrew 8)
 

 -Original Message-
 From: Message Sniffer Community 
 [mailto:[EMAIL PROTECTED] On Behalf Of Serge
 Sent: Tuesday, December 12, 2006 11:22 AM
 To: Message Sniffer Community
 Subject: [sniffer] Sniffer White List
 
 We started using tests for the different sniffer categories 
 recently and are finding that snifferwhitelist is very 
 innacurate ot is substracting wheight from more real spam 
 than it does of non-spam messages should we just drop it ? 
 what are you guys doing about this ?
 TIA 
 
 
 
 
 #
 This message is sent to you because you are subscribed to
   the mailing list sniffer@sortmonster.com.
 To unsubscribe, E-mail to: [EMAIL PROTECTED] To 
 switch to the DIGEST mode, E-mail to 
 [EMAIL PROTECTED] To switch to the INDEX mode, 
 E-mail to [EMAIL PROTECTED] Send administrative 
 queries to  [EMAIL PROTECTED]
 
 


#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
To unsubscribe, E-mail to: [EMAIL PROTECTED]
To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED]
To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]
Send administrative queries to  [EMAIL PROTECTED]



[sniffer] Re: Configuring Sniffer in declude....

2006-11-30 Thread Colbeck, Andrew
 If you don't mind, does WeightGate add any noticeable 
 CPU cycles to run on top of running Sniffer?  Thanks for the aid.

On a 100,000 emails per day on a 2.8 GHz Xeon, no, it doesn't.

Andrew 8)


 

 -Original Message-
 From: Message Sniffer Community 
 [mailto:[EMAIL PROTECTED] On Behalf Of Keith Johnson
 Sent: Thursday, November 30, 2006 11:29 AM
 To: Message Sniffer Community
 Subject: [sniffer] Re: Configuring Sniffer in declude
 
 Pete,
If you don't mind, does WeightGate add any noticeable 
 CPU cycles to run on top of running Sniffer?  Thanks for the aid.
 
 Keith Johnson
 
 -Original Message-
 From: Message Sniffer Community 
 [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
 Sent: Wednesday, November 29, 2006 4:57 PM
 To: Message Sniffer Community
 Subject: [sniffer] Re: Configuring Sniffer in declude
 
 Hello Chuck,
 
 If I might jump in here -- you are basically correct but 
 you'll have to rename ShowMe.exe to the original weightgate 
 name. When it is named ShowMe.exe it only records the command 
 line parameters in a log file as a debugging aid.
 
 Second, with that done this should work fine as long as each 
 command line is identical in Declude.
 
 Third, I noticed that your group IDs are out of date (based 
 on the names you've used) and most likely you will want to 
 revisit your weights also.
 
 A reference to the current group IDs (result codes) can be found here:
 
 http://kb.armresearch.com/index.php?title=Message_Sniffer.Tech
 nicalDetai
 ls.ResultCodes
 
 Hope this helps,
 
 _M
 
 Wednesday, November 29, 2006, 3:48:21 PM, you wrote:
 
  Darrell:
 
  If I want to use Weightgate I assume that I put it in for each 
  instance of sniffer. Such as -
 
  SNF external 063 c:\tool\ShowMe.exe -50 %WEIGHT% 30 
  c:\SNF\sniffer.exe authenticationxx 10 0
 
 
  Chuck Schick
  Warp 8, Inc.
  (303)-421-5140
  www.warp8.com
 
 
 
  -Original Message-
  From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On 
  Behalf Of Darrell ([EMAIL PROTECTED])
  Sent: Wednesday, November 29, 2006 12:33 PM
  To: Message Sniffer Community
  Subject: [sniffer] Re: Configuring Sniffer in declude
 
 
  Chuck,
 
  Declude will only call Sniffer one time as long as the path and 
  executable are identical which they are.
 
  Darrell
 
  
 --
  -- Check out http://www.invariantsystems.com for utilities 
 for Declude
 
  And Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI 
  integration, MRTG
 
  Integration, and Log Parsers.
 
  - Original Message -
  From: Chuck Schick [EMAIL PROTECTED]
  To: Message Sniffer Community sniffer@sortmonster.com
  Sent: Wednesday, November 29, 2006 2:16 PM
  Subject: [sniffer] Configuring Sniffer in declude
 
 
  Several years ago when we first started using message 
 sniffer I set it
 up
  for in the following manner in my global.cfg file.
 
 
  SNIFFER-GENERALexternal063
  F:\IMail\Declude\sniffer2r32\licensecode.exe activationcode 7
  SNIFFER-EXPERIMENTALexternal062
  F:\IMail\Declude\sniffer2r32\licensecode.exe activationcode 12
 0
  SNIFFER-OBFUSCATIONexternal061
  F:\IMail\Declude\sniffer2r32\licensecode.exe activationcode11
 
  So one and so forth.
 
  With the increase in spam and CPU load is there any advantage load
 wise to
  just call sniffer once using nonzero instead of the return code.  It
 seems
  like someone told me that sniffer was only called once and not
 seperately
  for each return code.
 
  Could someone confirm that.
 
  Chuck Schick
  Warp 8, Inc.
  (303)-421-5140
  www.warp8.com
 
 
 
  #
  This message is sent to you because you are subscribed to
the mailing list sniffer@sortmonster.com.
  To unsubscribe, E-mail to: [EMAIL PROTECTED] To 
 switch to 
  the DIGEST mode, E-mail to [EMAIL PROTECTED] 
 To switch 
  to the INDEX mode, E-mail to [EMAIL PROTECTED]
 Send
  administrative queries to  [EMAIL PROTECTED]
 
 
 
 
  #
  This message is sent to you because you are subscribed to
the mailing list sniffer@sortmonster.com.
  To unsubscribe, E-mail to: [EMAIL PROTECTED] To 
 switch to 
  the DIGEST mode, E-mail to [EMAIL PROTECTED] 
 To switch 
  to the INDEX mode, E-mail to [EMAIL PROTECTED]
 Send
  administrative queries to  [EMAIL PROTECTED]
 
 
 
 
  #
  This message is sent to you because you are subscribed to
the mailing list sniffer@sortmonster.com.
  To unsubscribe, E-mail to: [EMAIL PROTECTED] To 
 switch to 
  the DIGEST mode, E-mail to
 [EMAIL PROTECTED]
  To switch to the INDEX mode, E-mail to 
 [EMAIL PROTECTED] 
  Send administrative queries to  [EMAIL PROTECTED]
 
 
 
 --
 Pete McNeil
 Chief Scientist,
 Arm Research Labs, LLC.
 
 
 

[sniffer] Zombie message volume

2006-11-07 Thread Colbeck, Andrew
This diary entry over at the Internet Storm Center points to an
increased volume of traffic from probable zombies, and they posit that
the increase in this traffic would coincide with the spam increase that
people are seeing.

http://isc.sans.org/diary.php?storyid=1828

Their graph shows a sharp ramp-up on October 14th, 2006.

Andrew.







#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
To unsubscribe, E-mail to: [EMAIL PROTECTED]
To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED]
To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]
Send administrative queries to  [EMAIL PROTECTED]



[sniffer] Re: Yahoo! Is Retarded

2006-10-26 Thread Colbeck, Andrew



I like your new sig, John.

How's this for an addendum?

"Experience is that which you acquire, just after you 
needed it."


Andrew 8)


  
  
  From: Message Sniffer Community 
  [mailto:[EMAIL PROTECTED] On Behalf Of John T 
  (Lists)Sent: Thursday, October 26, 2006 8:13 AMTo: 
  Message Sniffer CommunitySubject: [sniffer] Re: Yahoo! Is 
  Retarded
  
  
  Youre preaching to 
  the choir.
  
  
  John 
  T
  eServices For 
  You
  
  "Life is a succession 
  of lessons which must be lived to be understood."
  Ralph Waldo Emerson 
  (1802-1882)
  
  
  
  -Original 
  Message-From: Message 
  Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Jonathan HickmanSent: Thursday, October 26, 2006 7:24 
  AMTo: Message Sniffer 
  CommunitySubject: [sniffer] 
  Yahoo! Is Retarded
  
  
  Now, myword choice of 
  'Retarded' is merely to illuminate the slowness of Yahoo! in regards to this 
  issue and the severity of their decision and not to indicate that they are 
  mentally handicapped which is an accusation for which I have no basis. 
  However, as evidence of this, please review the following 
  URLs:
  
  
  
  http://ca.answers.yahoo.com/question/index?qid=20061024160658AAAh0QY
  
  http://answers.yahoo.com/question/index?qid=20061024080547AAf54ah
  
  
  
  Jonathan 
  Hickman


[sniffer] Re: Increase in spam

2006-10-25 Thread Colbeck, Andrew
For another organization's graph of spam trends as received by them,
check out the updated graphs at TQM cubed:

http://tqmcube.com/tide.php

Their graph shows a sharp uptick at the end of June 2006.

Andrew 8)



 -Original Message-
 From: Message Sniffer Community 
 [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
 Sent: Wednesday, October 18, 2006 6:23 AM
 To: Message Sniffer Community
 Subject: [sniffer] Re: Increase in spam
 
 Hello K,
 
 Wednesday, October 18, 2006, 8:52:17 AM, you wrote:
 
I've been seeing a massive increase in spam over the last 2 days 
  getting through with minimal scores. Could this be due to 
 the drawback 
  of the filter involved with false positives, or something else?
 
 It's hard to pin down, but not likely to be the pulled rule. 
 We have seen a relative increase in new spam campaigns over 
 the past 2 days preceded by a lull. That may be what you're noticing.
 
 I've attached a graph to illustrate.
 
 _M
 
 --
 Pete McNeil
 Chief Scientist,
 Arm Research Labs, LLC.
 


#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
To unsubscribe, E-mail to: [EMAIL PROTECTED]
To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED]
To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]
Send administrative queries to  [EMAIL PROTECTED]



[sniffer] Re: Version 2-3.5 Release -- Faster Engine

2006-10-23 Thread Colbeck, Andrew
That's good news, Pete.

And with the WeightGate executable and source thrown in at no extra
charge!

Andrew 8)




 -Original Message-
 From: Message Sniffer Community 
 [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
 Sent: Monday, October 23, 2006 9:26 AM
 To: Message Sniffer Community
 Subject: [sniffer] Version 2-3.5 Release -- Faster Engine
 
 Hello SNF Folks,
 
 The plan was to hold off until the next major release, 
 however in light of recent increases in spam traffic we are 
 pushing out a new version with our faster engine included. 
 All other upgrades are will wait for the major release ;-)
 
 The scanning engine upgrade results in a 2x speed increase 
 that hopefully will help with the higher volumes we are seeing now.
 
 Version 2-3.5 also rolls up 2-3.2i1 which included the timing 
 and file locking upgrades.
 
 You can find version 2-3.5 here:
 
 http://kb.armresearch.com/index.php?title=Message_Sniffer.Gett
 ingStarted.Distributions
 
 Thanks,
 
 _M
 
 --
 Pete McNeil
 Chief Scientist,
 Arm Research Labs, LLC.
 
 
 #
 This message is sent to you because you are subscribed to
   the mailing list sniffer@sortmonster.com.
 To unsubscribe, E-mail to: [EMAIL PROTECTED]
 To switch to the DIGEST mode, E-mail to 
 [EMAIL PROTECTED]
 To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]
 Send administrative queries to  [EMAIL PROTECTED]
 
 


#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
To unsubscribe, E-mail to: [EMAIL PROTECTED]
To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED]
To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]
Send administrative queries to  [EMAIL PROTECTED]



[sniffer] Re: Significant increase in false positives

2006-10-17 Thread Colbeck, Andrew



I'm attaching an old message to this list which may come in 
handy. It's from my perspective, which is using Declude and IMail, with 
the spam messages in d:\imail\spool\spam and needing to be moved to 
d:\imail\spool to be re-scanned. Now that I use a newer version of 
Declude, my pathsared:\imail\spool\spam for the source and 
d:\imail\spool\proc for the destination.
Replace "828931" with "1174356" in the gawk 
line.

Replace the date embedded in the sniffer log file name 
wildcard with today's date. I went through the 15th, 16th and 17th to be 
safe.

If you'rearchiving your logs, you'll of course have 
to unpack them first. And if you don't rotate your logs often, 
youmay not need the wildcard on the log filename at 
all.

I think I had 267 hits in my msgids.txt 
file.

Andrew 8)



  
  
  From: Message Sniffer Community 
  [mailto:[EMAIL PROTECTED] On Behalf Of Computer House 
  SupportSent: Monday, October 16, 2006 8:09 PMTo: Message 
  Sniffer CommunitySubject: [sniffer] Re: Significant increase in 
  false positives
  
  Dear Pete,
  
  Sniffer blocked 35,000 messages today, and 
  roughly 7200 of them were blocked by the 1174356 rule.
  
  Do you think many of these were false 
  positives?Do you know a way of searching through 35,000 
  Imail messages to find the FP's ?
  
  What would you suggest in this 
  situation.
  
  
  Thank you,
  
  Michael SteinComputer House
  
  
  
  
  - Original Message - 
  
From: 
Pete McNeil 
To: Message Sniffer Community 
Sent: Monday, October 16, 2006 8:46 
PM
Subject: [sniffer] Re: Significant 
increase in false positives

Hello Darin,

Monday, October 16, 2006, 5:17:26 PM, you wrote:



  
  

  

  Anyone else seeing a sudden increase in FPs? 
  We normally report a few each day, but we're seeing a 10x 
  increase in FPs for the past three 
days.

Not sure if this is it, but there was an image segment rule that went in 
over the weekend and resulted in an unusual number of false positives today. 
The rule was removed. IIRC the rule id was: 1174356

Hope this helps,

_M

--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.
#

This message is sent to you because you are subscribed to

  the mailing list sniffer@sortmonster.com.

To unsubscribe, E-mail to: [EMAIL PROTECTED]

To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED]

To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]

Send administrative queries to  [EMAIL PROTECTED]



---BeginMessage---



Goran, this is pretty much what I did to get to 
re-queuing:gawk "$0 ~ /Final\t828931/ {print 
substr($3,2,16)}" gxamq2kt.log.20060207* msgids.txtThe 
file msgids.txt will now contain just the GUID part of the D[guid].SMD from 
column 3 in the tab delimited Message Sniffer log files.I then used a 
batch file I had previously created called qm.cmd (for queue and move). 
Note that the folders I specify are for Declude 1.x, which has an overflow 
folder. I use the overflow folder so that Declude will re-analyze the 
message:Rem this is the qm.cmd file 
listingmove d:\imail\spool\spam\d%1.smd u:\imail\spool\ nulmove 
d:\imail\spool\spam\q%1.smd u:\imail\spool\overflow\ nulI 
then issued from the command line:for /F %i in 
(msgids.txt) do @qm.cmd %iThat takes of re-queuing all the held 
messages. I am using a move instead of a copy because I want Declude to be 
able to move a message it deems spam to the spam folder. If I used a copy, 
it would fail to do the move because the file is already in the spam folder, and 
Declude would then pass control back to Imail, which would then deliver the spam 
inbound.After my queue went back to normal, I then set to work on my 
dec0207.log file to determine if the entirety of the message was spam or ham 
based on whether it was held or not (which is the simple scenario I 
have).I hope that helps,Andrew 8)
p.s. Another re-posting in HTML so as to 
preserve the line breaks. Sorry for the duplication, 
folks.
 -Original 
Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf 
Of Goran Jovanovic Sent: Tuesday, February 07, 2006 5:39 PM To: 
sniffer@SortMonster.com Subject: RE: Re[4]: [sniffer] Bad Rule - 
828931 I just ran the grep command on my log and I got 850 
hits. Now is there a way to take the output of the grep command 
and use it pull out the total weight of corresponding message 
from the declude log file, or maybe the subject? Goran 
Jovanovic Omega Network Solutions 
 -Original Message-  From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
 On Behalf Of David Sullivan  Sent: Tuesday, February 07, 2006 
7:47 PM  To: Landry, William (MED US)  Subject: Re[4]: 
[sniffer] Bad Rule - 828931   Hello William, 
  Tuesday, February 7, 2006, 7:39:05 PM, you wrote: 
  LWMU grep -c "Final.*828931" 

[sniffer] Re: yahoo mail problems

2006-10-17 Thread Colbeck, Andrew



I had a similar problem with Hotmail once upon a time; the 
details were different, but the remedy was the same.

I run a caching DNS server on my outbound DNS host, so I 
simply addeda DNS zone forYahoo.com on it, and populated only enough 
MX record information so that I could reliably get tojust a few 
hosts.

The same dummy 
zone technique could be used here to consistently deliver mail to the same 
Yahoo! mail hosts and therefore their greylisting will work as they 
expect.

If you try it and it works, please let us 
know.

Andrew 8)



  
  
  From: Message Sniffer Community 
  [mailto:[EMAIL PROTECTED] On Behalf Of Tech 
  SupportSent: Tuesday, October 17, 2006 9:12 AMTo: 
  Message Sniffer CommunitySubject: [sniffer] Re: yahoo mail 
  problems
  
  
  Heres what we have 
  found so far
  
  Yahoo is grey listing 
  but instead of running a centralized GL database each of their servers has 
  its own
  
  A lookup for their MX 
  shows
  
  Mx1.mail.yahoo.com
  Mx2.mail.yahoo.com
  Mx3.mail.yahoo.com
  
  So your server grabs 
  one of these and does a lookup which returns a round robin response for 
  mx1.mail.yahoo.com of
  
  4.79.181.14
  4.79.181.15
  4.79.181.168
  67.28.113.71
  67.28.113.73
  67.28.113.19
  
  Each of which has a 
  TTL of 1800
  
  So your server tries 
  one of these and gets deferred to try again. It waits and tries again  
  but depending on your retry frequency TTL may have 
  expired
  
  And so the process 
  starts over with a new MX1.mail.yahoo.com server
  
  
  Not sure if this is 
  all correct but it is the best we can figure out as of 
  yet
  
  
  
  
  
  
  
  From: 
  Message Sniffer Community 
  [mailto:[EMAIL PROTECTED] On Behalf 
  Of Computer House SupportSent: Tuesday, October 17, 2006 12:11 
  PMTo: Message Sniffer CommunitySubject: [sniffer] Re: yahoo mail 
  problems
  
  
  Now that I've looked into it 
  further,yes! Our E-mails to Yahoo have also been bouncing back as 
  undeliverable with the same error.
  
  
  
  I have sent out a few test 
  messages and will report back when I have some more 
  info.
  
  
  
  
  
  Michael SteinComputer 
  House
  
  
  

- Original Message - 


From: Tech 
Support 

To: Message 
Sniffer Community 

Sent: 
Tuesday, October 17, 2006 11:52 AM

Subject: 
[sniffer] Re: yahoo mail problems


Thanks, but were 
not blacklisted and there are no entries other than message has been 
deferred L






From: 
Message Sniffer Community 
[mailto:[EMAIL PROTECTED] On 
Behalf Of Computer House SupportSent: Tuesday, October 17, 2006 11:54 
AMTo: Message Sniffer CommunitySubject: [sniffer] Re: yahoo mail 
problems


I would recommend checking your 
mail server logs for a more detailed description of the bounce error. 
You may find that it is a DNS or spam blacklist issue. www.dnsstuff.com is a good 
resource.





Michael SteinComputer 
House



  
  - Original Message - 
  
  
  From: Tech 
  Support 
  
  To: Message Sniffer Community 
  
  
  Sent: 
  Tuesday, October 17, 2006 10:50 AM
  
  Subject: 
  [sniffer] yahoo mail problems
  
  
  Im sorry to post this here 
  but we are desperately looking for opinions quickly as this has becoming a 
  real issue to us and I could not think of any better place to find truly 
  technical mail server folks J
  
  
  We seem to be having multiple mail servers on 
  multiple networks having issues sending to yahoo servers for going on 36 
  hours nowthese are a variety of server types on a variety of 
  networks telnet on port 25 is usually getting this 451 
  Message temporarily deferred - 4.16.50keep in mind that some of 
  our servers are having no issues sending mail any one else having 
  this issue
  


[sniffer] Re: Paypal failing SNIFFER-GENERAL

2006-08-23 Thread Colbeck, Andrew
Column 7 is the one that contains the rule that was hit.  In this case,
it was 1100444.

Column 8 is the one that contains the group.  In this case, it was 60
Ungrouped Black Rules (Sniffer General).


Andrew 8)
 

 -Original Message-
 From: Message Sniffer Community 
 [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
 Sent: Wednesday, August 23, 2006 12:24 PM
 To: Message Sniffer Community
 Subject: [sniffer] Re: Paypal failing SNIFFER-GENERAL
 
 Hi Pete,
 
 I'm not sure which column is which, but here are the log 
 lines for the message (minus the authorization code)
 
  20060823163449 D83a20d3001502962.SMD 0 32 Match 
 1100444 60 1502
 1551 98
  20060823163449 D83a20d3001502962.SMD 0 32 Final 
 1100444 60 0 3798
 98
 
 The FP was submitted at 1:34pm ET.
 
 Darin.
 
 
 - Original Message -
 From: Pete McNeil [EMAIL PROTECTED]
 To: Message Sniffer Community sniffer@sortmonster.com
 Sent: Wednesday, August 23, 2006 2:22 PM
 Subject: [sniffer] Re: Paypal failing SNIFFER-GENERAL
 
 
 Hello Darin,
 
 I may be behind... but I don't see an FP report on this. Do you have
 the rule id?
 
 _M
 
 Wednesday, August 23, 2006, 1:36:08 PM, you wrote:
 
 
 
  FYI... I just reported one of these, so watch  out.
 
 
  Darin.
 
 
 
 
 
 
 
 
 -- 
 Pete McNeil
 Chief Scientist,
 Arm Research Labs, LLC.
 
 
 #
 This message is sent to you because you are subscribed to
   the mailing list sniffer@sortmonster.com.
 To unsubscribe, E-mail to: [EMAIL PROTECTED]
 To switch to the DIGEST mode, E-mail to 
 [EMAIL PROTECTED]
 To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]
 Send administrative queries to  [EMAIL PROTECTED]
 
 
 
 
 #
 This message is sent to you because you are subscribed to
   the mailing list sniffer@sortmonster.com.
 To unsubscribe, E-mail to: [EMAIL PROTECTED]
 To switch to the DIGEST mode, E-mail to 
 [EMAIL PROTECTED]
 To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]
 Send administrative queries to  [EMAIL PROTECTED]
 
 


#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
To unsubscribe, E-mail to: [EMAIL PROTECTED]
To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED]
To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]
Send administrative queries to  [EMAIL PROTECTED]



[sniffer] Re: Lots of drug spam getting through

2006-08-21 Thread Colbeck, Andrew
Would that be the Laugh in the subject line pharmaceutical spam
campaign?

That was mentioned by Dave Doherty on the Declude.JunkMail mailing list,
and when I checked my logs I found many hundreds with clear variations
on the keywords in the text, e.g. there is a joke about lawyers and they
are using a list of synonyms for lawyer (and many other words/phrases)
so that each mailing is permuted.

MesageSniffer was catching at least some of these yesterday but I don't
know if the permutations are being caught.

Andrew 8)


 -Original Message-
 From: Message Sniffer Community 
 [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
 Sent: Monday, August 21, 2006 8:38 AM
 To: Message Sniffer Community
 Subject: [sniffer] Re: Lots of drug spam getting through
 
 Hello Nick,
 
 There have been a couple new very aggressive spikes today... 
 most likely these are part of that. I will dig-in with the 
 rule-techs and see what is what.
 
 Thanks,
 
 _M
 
 Monday, August 21, 2006, 11:27:37 AM, you wrote:
 
  We're seeing similar - I keep submitting them to 
 [EMAIL PROTECTED], 
  but the same type of spam keeps getting through...
 
 
  Nick Marshall
 
 
  Legally privileged/confidential information may be 
 contained in this 
  message.  If you are not the addressee(s) legally indicated in this 
  message (or responsible for delivery of the message to such 
 person), 
  you may not copy or deliver this message to anyone.  In 
 such case, you 
  should destroy this message, and notify us immediately.  If you or 
  your employer does not consent to Internet e-mail messages of this 
  kind, please advise us immediately.  Opinions, conclusions 
 and other 
  information expressed in this message are not given or 
 endorsed by my 
  firm or employer unless otherwise indicated by an 
 authorised representative independent of this message.
  Please note that neither my employer nor I accept any 
 responsibility 
  for viruses and it is your responsibility to scan attachments (if 
  any). This email and any files transmitted are confidential and 
  intended solely for the use of the individual or entity to 
 which they 
  are addressed. If you have received this email in error, 
 please notify me by returning the email.
   
   
 
  -Original Message-
  From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On 
  Behalf Of Chuck Schick
  Sent: 21 August 2006 15:33
  To: Message Sniffer Community
  Subject: [sniffer] Lots of drug spam getting through
 
  We are seeing tons of spam coming through with the subject 
 Re: new ...  
  and advertising drugs.  Any luck on stopping this?
 
  Chuck Schick
  Warp 8, Inc.
  (303)-421-5140
  www.warp8.com
 
 
 
  #
  This message is sent to you because you are subscribed to
the mailing list sniffer@sortmonster.com.
  To unsubscribe, E-mail to: [EMAIL PROTECTED] To 
 switch to 
  the DIGEST mode, E-mail to [EMAIL PROTECTED] 
 To switch 
  to the INDEX mode, E-mail to [EMAIL PROTECTED] Send 
  administrative queries to  [EMAIL PROTECTED]
 
 
 
 
  _
  Giacom mail management by MessageStar
 
 
 
  --
  [This e-mail was scanned for viruses by Giacom Anti-Virus]
 
 
 
 
  #
  This message is sent to you because you are subscribed to
the mailing list sniffer@sortmonster.com.
  To unsubscribe, E-mail to: [EMAIL PROTECTED] To 
 switch to 
  the DIGEST mode, E-mail to [EMAIL PROTECTED] 
 To switch 
  to the INDEX mode, E-mail to [EMAIL PROTECTED] Send 
  administrative queries to  [EMAIL PROTECTED]
 
 
 
 --
 Pete McNeil
 Chief Scientist,
 Arm Research Labs, LLC.
 
 
 #
 This message is sent to you because you are subscribed to
   the mailing list sniffer@sortmonster.com.
 To unsubscribe, E-mail to: [EMAIL PROTECTED]
 To switch to the DIGEST mode, E-mail to 
 [EMAIL PROTECTED]
 To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]
 Send administrative queries to  [EMAIL PROTECTED]
 
 


#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
To unsubscribe, E-mail to: [EMAIL PROTECTED]
To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED]
To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]
Send administrative queries to  [EMAIL PROTECTED]



[sniffer] Re: AW: [sniffer] Re: Update pacing...

2006-06-22 Thread Colbeck, Andrew



FWIW I take the belt and suspenders 
approach.

The rulebase notification by email does trigger a Message 
Sniffer update script on my system, but I don't rely on it solely. In 
addition, I also use an "at" schedule every four hours.

As in Markus' (and Bill's) sample, I use the -N parameter 
for wget so as toavoid bandwidth abuse by only downloading the file if it 
is newer than the one I've already got.

The specific time I schedule it for I determined from this 
page:

http://kb.armresearch.com/index.php?title=Message_Sniffer.TechnicalDetails.LogFiles.Submit

because after I download a rulebase, I upload my 
logs.

Still on my to-do list is updating my script so as to 
compress my logs before I upload them.


Andrew 8)



  
  
  From: Message Sniffer Community 
  [mailto:[EMAIL PROTECTED] On Behalf Of Markus 
  GuflerSent: Thursday, June 22, 2006 2:15 AMTo: Message 
  Sniffer CommunitySubject: [sniffer] Re: AW: [sniffer] Re: Update 
  pacing...
  
  Instead of sending a mail 
  for each update I've disabled the email-notifcation (REM) and changed the 
  wget-line as followswget -N -nv http://www.sortmonster.net/Sniffer/Updates/%LicenseID%.snf -O %LicenseID%.new.gz --header=Accept-Encoding:gzip 
  --http-user=sniffer --http-passwd=ki11sp8m -a snfupd.txt
  As Alex sugested I've 
  added the -nv switch in order to avoid unneccessary data. 
  
  I've also changed the 
  last parameter from -o to -a in order to append the results of each update to 
  snfupd.txt. So I have a logfile where I can easily see time and result of each 
  update.
  Her's an example:
  
  13:32:22 URL:http://www.sortmonster.net/Sniffer/Updates/x.snf 
  [2923892] - "t918t3eg.new.gz" [1]New RuleBase File Tested Good! 
  15:43:22 URL:http://www.sortmonster.net/Sniffer/Updates/x.snf 
  [2929252] - "t918t3eg.new.gz" [1]New RuleBase File Tested Good! 
  17:54:41 URL:http://www.sortmonster.net/Sniffer/Updates/x.snf 
  [2943056] - "t918t3eg.new.gz" [1]New RuleBase File Tested Good! 
  20:08:18 URL:http://www.sortmonster.net/Sniffer/Updates/x.snf 
  [2952731] - "t918t3eg.new.gz" [1]New RuleBase File Tested Good! 
  
  Markus
   -Original 
  Message- From: Message Sniffer Community [mailto:sniffer@sortmonster.com] On 
  Behalf Of Hirthe, Alexander Sent: Tuesday, June 20, 2006 9:46 
  AM To: Message Sniffer Community Subject: [sniffer] AW: 
  [sniffer] Re: Update pacing... Hello, I 
  switched from just downloading the file every xx hours to the 
  snfupd.cmd form the Imail Package. The only thing I 
  additionally modified is a '-nv' switch for wget. With this you'll 
  only get the result of the download, not a line for every 50 
  kB. Alex  -Ursprüngliche 
  Nachricht-  Von: Message Sniffer Community  [mailto:sniffer@sortmonster.com] Im 
  Auftrag von Pete McNeil  Gesendet: Montag, 19. Juni 2006 
  23:46  An: Message Sniffer Community  Betreff: 
  [sniffer] Re: Update pacing...   Hello Harry, 
Monday, June 19, 2006, 4:47:14 PM, you wrote: 
 My script does not check for update first. Is 
  there a sample that   does do that that you can point 
  me to?   This page describes automated updates and 
  lists several scripts.   http://kb.armresearch.com/index.php?title=Message_Sniffer.Tech 
  nicalDetails.AutoUpdates   The one I recommend most 
  for Winx based systems is  ImailSnifferUpdateTools.zip 
Don't let the name fool you - if you are NOT using 
  IMail the scripts  are still great --- you will only need 
  to find another way to call  them if your system does not provide 
  a "program alias" functionality.   Hope this 
  helps,   _M   --  
  Pete McNeil  Chief Scientist,  Arm Research Labs, 
  LLC.
  #  
  This message is sent to you because you are subscribed to 
   the mailing list sniffer@sortmonster.com. 
   To unsubscribe, E-mail to: [EMAIL PROTECTED] To 
  switch to  the DIGEST mode, E-mail to 
  [EMAIL PROTECTED] To switch  to the 
  INDEX mode, E-mail to [EMAIL PROTECTED] Send  
  administrative queries to 
  [EMAIL PROTECTED]   
 
  # This 
  message is sent to you because you are subscribed to the 
  mailing list sniffer@sortmonster.com. To unsubscribe, E-mail 
  to: [EMAIL PROTECTED] To switch to the DIGEST mode, 
  E-mail to [EMAIL PROTECTED] To switch to the 
  INDEX mode, E-mail to [EMAIL PROTECTED] Send 
  administrative queries to 
  [EMAIL PROTECTED] 



[sniffer] Re: Weight Gate Success? Failure?

2006-06-13 Thread Colbeck, Andrew
Pete, I plan to use it or something similar in non-production once I set
up a new test system.

A quick test with a batch file worked fine.

Although I'm no programmer, I have reviewed the source and saw no
obvious logical problems or coding flaws.

Rigorous testing on the command line showed that it works perfectly.

Command line testing also showed that it dealt with extremely large
numbers correctly.

Command line testing also showed that when passed values that are out of
bounds or doggerel, no executable is launched and a safe value of 0 is
returned as the return value.

Command line testing also showed that it handles long file names (even
if Declude doesn't like quotes in filenames) which makes it more
generally useful.

I think you've done a great job, Pete!

Andrew 8)


 -Original Message-
 From: Message Sniffer Community 
 [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
 Sent: Tuesday, June 13, 2006 8:49 AM
 To: Message Sniffer Community
 Subject: [sniffer] Weight Gate Success? Failure?
 
 Hello Sniffer Folks,
 
   Is anyone successfully using the WeightGate utility?
 
   Anyone having trouble with it?
 
   I've literally heard nothing so far ;-)
 
   Thanks,
 
   _M
 
 --
 Pete McNeil
 Chief Scientist,
 Arm Research Labs, LLC.
 
 
 #
 This message is sent to you because you are subscribed to
   the mailing list sniffer@sortmonster.com.
 To unsubscribe, E-mail to: [EMAIL PROTECTED]
 To switch to the DIGEST mode, E-mail to 
 [EMAIL PROTECTED]
 To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]
 Send administrative queries to  [EMAIL PROTECTED]
 
 


#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
To unsubscribe, E-mail to: [EMAIL PROTECTED]
To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED]
To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]
Send administrative queries to  [EMAIL PROTECTED]



[sniffer] Numeric spam source has been revealed

2006-06-09 Thread Colbeck, Andrew
It was broken code in the latest Bagel/Beagle:

http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.fc.ht
ml


Andrew 8)







#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
To unsubscribe, E-mail to: [EMAIL PROTECTED]
To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED]
To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]
Send administrative queries to  [EMAIL PROTECTED]



Re: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]FP suggestions

2006-06-07 Thread Colbeck, Andrew



(sniff) Aw, cut it out, Matt.

You're making me all weepy.

p.s. Pete, that's pretty darned 
amazing!


  
  
  From: Message Sniffer Community 
  [mailto:[EMAIL PROTECTED] On Behalf Of MattSent: 
  Wednesday, June 07, 2006 3:58 PMTo: Message Sniffer 
  CommunitySubject: Re: [sniffer]Re[2]: [sniffer]Re[2]: 
  [sniffer]Re[2]: [sniffer]FP suggestions
  Pete,I think that you just broke Scott's record with his 
  two hour feature request with your own a two hour program :)Anyone 
  remember those days???Thanks,MattPete McNeil 
  wrote: 
  Hello Matt,

Wednesday, June 7, 2006, 4:22:05 PM, you wrote:

  
   
 Pete,
 
 Since the %WEIGHT% variable is added by Declude, it might make
sense to have a qualifier instead of making the values space
delimited.

I don't want to mix delimiters... everything so far is using spaces,
so it makes sense to continue that way IMO.

  
 Errors in Declude could cause values to not be inserted,
and not everyone will want to skip at a low weight. I haven't seen
any bugs with %WEIGHT% since shortly after it was introduced, but
you never know. I have seen some issues with other Declude inserted variables though.

Well, errors are always a possibility, but in this case it _should_ be
reasonably safe. For example, if this is used to gate SNF, then a
missing %WEIGHT% would result in trying to launch a program with the
same name as the authentication string, and it is highly unlikely that
would be found, so the result would be the "program not found" error
code. That's not perfect because it's a nonzero result, but it is safe
in that it is not likely to launch another program.

  
 One other thing that I came across with the way that Declude calls
external apps...you can't delimit the data with things like quotes.
There is no mechanism for escaping a functional quote from a quote
that should appear in the data that you pass to it...so don't use
quotes as delimiters :)

Not a problem...

I just whipped together a utility called WeightGate.exe that can be
downloaded here (for now):

http://www.messagesniffer.com/Tools/WeightGate.exe

Suppose you wanted to use it in Declude to skip running SNF if your
weight was already ridiculously low (perhaps white listed) or already
so high that you want to save the extra cycles. Then you might do
something like this:

SNF external nonzero "c:\tool\WeightGate.exe -50 %WEIGHT% 30 c:\SNF\sniffer.exe authenticationxx" 10 0

(hopefully that didn't wrap, and if it did you will know what I meant ;-)

To test this concept out you might first create a copy of
WeightGate.exe callled ShowMe.exe (case matters!) and then do
something like this:

SNF external nonzero "c:\tool\ShowMe.exe -50 %WEIGHT% 30 c:\SNF\sniffer.exe authenticationxx" 10 0

The result of that would be the creation of a file c:\ShowMe.log that
contained all of the parameters ShowMe.exe was called with -- that way
you wouldn't have to guess if it was correct. ShowMe.exe ALWAYS
returns zero, so this _should_ be safe ;-)

If you run WeightGate on the command line without parameters it will
tell you all about itself and it's alter ego ShowMe.exe.

That description goes like this (I may fix the typo(s) later):

WeightGate.exe
(C) 2006 ARM Research Labs, LLC.

This program is distributed AS-IS, with no warranty of any kind.
You are welcome to use this program on your own systems or those
that you directly support. Please do not redistribute this program
except as noted above, however feel free to recommend this program
to others if you wish and direct them to our web site where they
can download it for themselves. Thanks! www.armresearch.com.

This program is most commonly used to control the activation of
external test programs from within Declude (www.declude.com) based
on the weigth that has been calculated thus far for a given message.

As an added feature, if you rename this program to ShowMe.exe then
it will emit all of the command line arguments as it sees
them to a file called c:\ShowMe.log so that you can use it
as a debugging aid.

If you are seeing this message, you have used this program
incorrectly. The correct invocation for this program is:

WeightGate low weight hight program arg 1, arg 2,... arg n

Where:
  low = a number representing the lowest weight to run progra.
  weight = a number representing the actual weight to evaluate.
  high = a number representing the highest weight to run program.
  program = the program to be activated if weight is in range.
  arg 1, arg 2, ... arg n = arguments for program.

If weight is in the range [low,high] then WeightGate will run
program and pass all of arg 1, arg 2,... arg n to it. Then
WeightGate will collect the exit code of program and return it as
WeightGate's exit code.

If WeightGate gets the wrong number of parameters it will display
this message and return FAIL_SAFE (zero) as it's exit code.

If weight is not in range (less than low or greater than high)
then WeightGate will NOT launch program and will return 

Re: [sniffer]AW: [sniffer]AW: [sniffer]Concerned about amount of spam going through

2006-06-06 Thread Colbeck, Andrew
David,

Are you using the free version of sniffer? Or did you deliberately change your 
.exe name in your posting to sniffer.exe to hide your licence number?

I certainly expect that the rulebase lag with the free version will result in 
lower Message Sniffer hit rates.

I've seen the free version with hit rates as low as 10% on the remaining 
messages that have been already filtered by a gateway, which I thought was 
still decent because these were the messages that had already evaded the 
blacklist tests.  And free is good.

On the same system, I noted that this made Sniffer about half as effective as 
fresh SURBL/URIBL testing, but I had no way to compare their overlap.

Andrew 8)
 

 -Original Message-
 From: Message Sniffer Community 
 [mailto:[EMAIL PROTECTED] On Behalf Of David Waller
 Sent: Tuesday, June 06, 2006 5:46 AM
 To: Message Sniffer Community
 Subject: Re: [sniffer]AW: [sniffer]AW: [sniffer]Concerned 
 about amount of spam going through
 
 We just use a single test, we don't categorise. If SNIFFER 
 returns a result we weight it. However, SNIFFER oftens 
 returns a zero result when the email is obviously junk i.e. 
 SNIFFER returns a positive result (spam) in about 30% of all 
 identified junk mail.
 
 SNIFFER external nonzero \declude\sniffer\sniffer.exe 23  0
 
 
 -Original Message-
 From: Message Sniffer Community 
 [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
 Sent: 06 June 2006 11:17
 To: Message Sniffer Community
 Subject: [sniffer]AW: [sniffer]AW: [sniffer]Concerned about 
 amount of spam going through
 
 Hi
 
 There mus be something wrong with your configuration of the 
 sniffer test(s)
 
 Here are my numbers from yesterday based on 24462 processed messages
 
 Date  TestSS  SH  HH  
 HSIMP
 0605  SNIFFER-TRAVEL  12  0   0   23  2
 0605  SNIFFER-INSUR   4   0   0   0   0
 0605  SNIFFER-AV  0   0   0   
 0 0
 0605  SNIFFER-MEDIA   13450   0   0   8
 0605  SNIFFER-SWARE   73  0   0   0   0
 0605  SNIFFER-SNAKE   83860   0   0   9
 0605  SNIFFER-SCAMS   138 0   0   2   3
 0605  SNIFFER-PORN908 0   0   1   3
 0605  SNIFFER-MALWARE 12  0   0   2   3
 0605  SNIFFER-INK 2   0   0   
 0 0
 0605  SNIFFER-RICH28650   0   2   219
 0605  SNIFFER-CREDIT  363 0   0   0   1
 0605  SNIFFER-CASINO  300 0   0   0   0
 0605  SNIFFER-GENERAL 28810   0   41  41
 0605  SNIFFER-EXP-A   450 0   0   36  7
 0605  SNIFFER-OBFUSC  4   0   0   5   0
 0605  SNIFFER-EXP-IP  28  0   0   8   5
 
 
 SSSniffer says spam, final result too
 SHSniffer says spam, final result not
 HHSniffer says ham, final result too
 HSSniffer says ham, final result not
 
 IMP   Sniffer says spam and final result is slight above the 
 hold weight.
   (This column is a part of the SS-column: 100-150% of hold)
   So
   a.) it's an important test because it's able to bring 
 the spam above the hold 
   weight and without this test it wasn't hold as spam.
   or
   b.) it's a risky test because it brings legit messages 
 above the hold weight
 
 What result codes are you using in your test configuration? 
 (please not publish your sniffer-id!)
 
 Markus
 
 
 
 
  -Ursprüngliche Nachricht-
  Von: Message Sniffer Community
  [mailto:[EMAIL PROTECTED] Im Auftrag von David Waller
  Gesendet: Dienstag, 6. Juni 2006 11:51
  An: Message Sniffer Community
  Betreff: Re: [sniffer]AW: [sniffer]Concerned about amount of spam 
  going through
  
  Of all SPAM identified SNIFFER is finding about 30%. We see 
 an awful 
  lot of junk email not being caught by SNIFFER, it's being 
 processed by 
  Declude and failing some technical tests but not by SNIFFER.
  
  -Original Message-
  From: Message Sniffer Community
  [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
  Sent: 06 June 2006 09:41
  To: Message Sniffer Community
  Subject: [sniffer]AW: [sniffer]Concerned about amount of spam going 
  through
  
   I only see Sniffer catching about 30% of SPAM and that's
  the highest
   it's ever been.
  
  30% of spam or 30% of all processed messages?
  Sniffer is still one of the best tests in my arsenal.
  
  Markus
  
  
  
  #
  This message is sent to you because you are subscribed to
the mailing list sniffer@sortmonster.com.
  To unsubscribe, E-mail to: [EMAIL PROTECTED] To 
 switch to 
  the DIGEST mode, E-mail to [EMAIL PROTECTED] 
 To switch 
  to the INDEX mode, E-mail to [EMAIL PROTECTED] Send 
  administrative queries to  

Re: [sniffer]A design question - how many DNS based tests?

2006-06-06 Thread Colbeck, Andrew
I use just shy of 60 DNS based tests against the sender, both IP4R and
RHSBL.

Perhaps 10-12 matter.

Due to false positives, I rate most of them relatively low and have
built up their weights as a balancing act.  That act is greatly assisted
by using a weighting system and not reject on first hit, and furthered
by being able to do combo tests such as the example Nick offered on a
different thread this morning.

SPAMHAUS XBL (CBL and the Blitzed OPM), SPAMCOP, FIVETEN, MXRATE-BL are
consistent good performers for me.

Tests that I try out tend to stay in my configuration after they've
become inutile as long as they do no harm.  I groom the lists perhaps
four times per year.

Andrew 8)



 -Original Message-
 From: Message Sniffer Community 
 [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
 Sent: Tuesday, June 06, 2006 6:26 AM
 To: Message Sniffer Community
 Subject: [sniffer]A design question - how many DNS based tests?
 
 Hello Sniffer Folks,
 
 I have a design question for you...
 
 How many DNS based tests do you use in your filter system?
 
 How many of them really matter?
 
 Thanks!
 
 _M
 
 --
 Pete McNeil
 Chief Scientist,
 Arm Research Labs, LLC.
 
 
 #
 This message is sent to you because you are subscribed to
   the mailing list sniffer@sortmonster.com.
 To unsubscribe, E-mail to: [EMAIL PROTECTED]
 To switch to the DIGEST mode, E-mail to 
 [EMAIL PROTECTED]
 To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]
 Send administrative queries to  [EMAIL PROTECTED]
 
 


#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
To unsubscribe, E-mail to: [EMAIL PROTECTED]
To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED]
To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]
Send administrative queries to  [EMAIL PROTECTED]



Re: [sniffer]Numeric spam

2006-06-06 Thread Colbeck, Andrew



 So no one has any idea what 
the purpose of these emails 
are?

The bad guys aren't telling. The good guys have lots 
of theories, such as:

http://isc.sans.org/diary.php?storyid=1384

and also:

http://www.f-secure.com/weblog/archives/archive-062006.html#0894

which 
in turn points to this UseNet thread:

http://groups.google.com/group/Gmail-Problem-solving/browse_thread/thread/3c6e2fec311e89c7/f752311f6db05dfb?lnk=stq=1545453rnum=2fwc=2

which 
has a rather low signal to noise ratio. Suffice it to say that in that 
thread, they eventually come up with "spammers fake the from address on a 
regular basis, yes, even yours" and "hey, we don't know what this 
is".

The 
bad guys have certainly spewed out broken junk before, which doesn't seem to 
suit their purpose; all I can see it accomplishing is exposing previously clean 
IP addresses as zombies with no commercial gain.

(Hmm... ok, to follow that previous sentence you need to share my 
understanding that the bad guys regularly burn many previously clean IP 
addressesat one go byusing the zombies on those machines to pump out 
a new spam run, thus evading the IP based blacklists until those blacklists 
catch up. Since their commercial messages gets through to mailboxes in the 
meantime, that is a good tradeoff from their point of view. No payload in 
the numeric spam means no commercial gain.)

The 
only theories thatIcan get behindrevolve around 
information-gathering. Since the MAILFROM is not an address under their 
control, the bad guys could glean a little information to clean their address 
lists by collecting 500-level SMTP error messages from each of their 
zombies.

That 
would only give them partial information and would require that they co-ordinate 
the data back from their many zombies. And it supposes that the bad guys 
care about list scrubbing. The greatest supposition is that they would do 
this without commercial gain; after all, they could have done this without a 
special spam run.

I 
think they just screwed up again.

Andrew 
8)





  
  
  From: Message Sniffer Community 
  [mailto:[EMAIL PROTECTED] On Behalf Of Steve 
  GulukSent: Tuesday, June 06, 2006 3:46 PMTo: Message 
  Sniffer CommunitySubject: Re: [sniffer]Numeric 
  spam
  
  
  On Jun 6, 2006, at 7:51 AM, Steve Guluk wrote:
  We're 
getting the same and today it started hitting a different account (Domain).

What are these things? I thought exploratory, maybe looking for replies 
to build a DB for a later spam wave? Their not malicious in content and look 
likesomeone's virus working incorrectly. But, I doubt they are really 
so benign.

Any understand their purpose?



On Jun 6, 2006, at 6:32 AM, Goran Jovanovic wrote:

  I started seeing these 
  messages Monday (yesterday) morning EDT. The from
  and to are the same (ie 
  you sent it to yourself). I am tagging it but
  there is not enough 
  stuff to push it into DELETE 
territory.
  
  
  So no one has any idea 
  what the purpose of these emails are?
  Random 
  numbers for no apparent reason...?
  
  Regards,
  
  
  Steve 
  Guluk
  SGDesign
  (949) 
  661-9333
  ICQ: 
  7230769
  
  
  


Re: [sniffer]Possible Paypal Phishing

2006-05-24 Thread Colbeck, Andrew
John, I think my last post answered that.

FWIW, also check out the SPF record:

nslookup -type=TXT email.paypal.com

Which allows postdirect.com as a mailer.  In this case, it's not needed,
because they also allow SPF from the PTR records that match.

Andrew 8)


 -Original Message-
 From: Message Sniffer Community 
 [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
 Sent: Wednesday, May 24, 2006 9:45 AM
 To: Message Sniffer Community
 Subject: Re: [sniffer]Possible Paypal Phishing
 
 But how is PayPal's DNS involved in this as at what point are 
 the Paypal DNS servers queried?
 
 John T
 eServices For You
 
 Seek, and ye shall find!
 
 
  -Original Message-
  From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On 
  Behalf
 Of
  Colbeck, Andrew
  Sent: Wednesday, May 24, 2006 9:38 AM
  To: Message Sniffer Community
  Subject: Re: [sniffer]Possible Paypal Phishing
  
  It's really from PostDirect.com aka YesMail.com ...
  
  You can tell that it's authorized because the reverse DNS 
 which ends 
  in PayPal.com (ok, that does set off alarm bells when it's someone 
  else's
  netblock) matches the forward lookup of the resulting 
 address at PayPal.
  
  Therefore, PayPal is deliberately allowing that reverse IP 
 in someone 
  else's netblock.
  
  That, or both the netblock and PayPal's DNS have been p0wned.
  
  Andrew 8)
  
  
  
   -Original Message-
   From: Message Sniffer Community
   [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
   Sent: Wednesday, May 24, 2006 9:31 AM
   To: Message Sniffer Community
   Subject: [sniffer]Possible Paypal Phishing
  
   Attached are the headers to an e-mail I am suspecting as a clever 
   phising that has me worried.
  
   It looks like a legit message sent on behalf of Paypal, 
 however, it 
   is sent from an IP address not owned by Paypal BUT which has a 
   REVDNS that ends in paypal.com.
  
   The message is full of links to images.postdirect.com but 
 does have 
   legit links to paypal.com.
  
   John T
   eServices For You
  
   Seek, and ye shall find!
  
  
  
  
  #
  
  This message is sent to you because you are subscribed to
the mailing list sniffer@sortmonster.com.
  To unsubscribe, E-mail to: [EMAIL PROTECTED] To 
 switch to 
  the DIGEST mode, E-mail to [EMAIL PROTECTED] 
 To switch 
  to the INDEX mode, E-mail to [EMAIL PROTECTED] Send 
  administrative queries to  [EMAIL PROTECTED]
 
 
 
 
 #
 This message is sent to you because you are subscribed to
   the mailing list sniffer@sortmonster.com.
 To unsubscribe, E-mail to: [EMAIL PROTECTED] To 
 switch to the DIGEST mode, E-mail to 
 [EMAIL PROTECTED] To switch to the INDEX mode, 
 E-mail to [EMAIL PROTECTED] Send administrative 
 queries to  [EMAIL PROTECTED]
 
 


#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
To unsubscribe, E-mail to: [EMAIL PROTECTED]
To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED]
To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]
Send administrative queries to  [EMAIL PROTECTED]



Re: [sniffer]Ebay Phishing Emails getting through

2006-05-17 Thread Colbeck, Andrew
 Certainly, submitting samples to spam@ (or preferably your 
 local spam submission point polled by our bots) will put 
 these messages in front of us if we have not already created 
 rules for them.

I've just manually submitted the ~35 messages that my filters triggered
on for phishing that didn't trigger Message Sniffer today but ended up
in my HOLD folder anyway due to their total spamminess.

Most of them are against eBay and came from Germany.

Andrew 8)

 

 -Original Message-
 From: Message Sniffer Community 
 [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
 Sent: Wednesday, May 17, 2006 12:53 PM
 To: Message Sniffer Community
 Subject: Re: [sniffer]Ebay Phishing Emails getting through
 
 Hello Jim,
 
 Wednesday, May 17, 2006, 2:46:48 PM, you wrote:
 
  Has anyone else been getting an excess amount of ebay 
 phishing emails 
  making it through sniffer today?  I have personally 
 received a couple 
  of them and have multiple users reporting the same.  I have 
 forwarded 
  them to the sniffer spam@ address if you can take a look 
 Pete it would 
  be much appreciated.
 
 ot
 
 Ah... So the list is working :-) I'll have to update the 
 signup instructions... I can check that off the list.
 
 /ot
 
 Today, starting at about 0100 E, the blackhats really took it 
 up a notch. I know because I was on duty making rules at the time.
 
 One of the things I saw a lot of were new phishing attacks - 
 all varieties and variants.
 
 I know the team has been pushing hard on these, but some are 
 bound to get through on the first few passes.
 
 Another thing we've noticed in the grand scheme is that 
 localized phishing attacks are becoming more common. These 
 are less likely to hit our spamtraps since the target lists 
 used are highly regional -- so if we don't have a spamtrap in 
 that geography our view of the spam may be delayed. We're 
 working on this problem on a number of fronts..
 Ideas, as always, are welcome.
 
 Certainly, submitting samples to spam@ (or preferably your 
 local spam submission point polled by our bots) will put 
 these messages in front of us if we have not already created 
 rules for them.
 
 _M
 
 --
 Pete McNeil
 Chief Scientist,
 Arm Research Labs, LLC.
 
 
 #
 This message is sent to you because you are subscribed to
   the mailing list sniffer@sortmonster.com.
 To unsubscribe, E-mail to: [EMAIL PROTECTED]
 To switch to the DIGEST mode, E-mail to 
 [EMAIL PROTECTED]
 To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]
 Send administrative queries to  [EMAIL PROTECTED]
 
 


#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
To unsubscribe, E-mail to: [EMAIL PROTECTED]
To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED]
To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]
Send administrative queries to  [EMAIL PROTECTED]



RE: Re[2]: [sniffer] New Rulebot F001

2006-03-06 Thread Colbeck, Andrew
Pete,

One of these was EarthLink [207.217.120.227], and one of these was
Google Mail [64.233.166.182].

SpamBag lists the EarthLink address as a source of bogus bounces, and I
posit that this would be the source of the mail to the spamtraps that
would trigger the F001 bot.

I would like to state that I don't need Message Sniffer to identify
servers that send bogus postmaster notifications.  This would be
entirely due to false positives such as the three examples above.

Given that spammers clearly recycle their email database as a
fake-mailfrom database, any spamtrap address will get bogus bounces and
therefore, the spamtraps will flag legitimate senders' IP addresses in
Rule 63.

I don't expect nor want you to discuss the details of the spamtraps as
the point of one class of your spamtraps is that their methods are
secret.  However, Matt has described a subset of the filters various
Decluders have used to filter out postmaster bounces and other reflected
noise, and I can certainly chip in on that conversation offline.

Andrew.


 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
 Sent: Monday, March 06, 2006 3:18 PM
 To: Darin Cox
 Subject: Re[2]: [sniffer] New Rulebot F001
 
 On Monday, March 6, 2006, 3:42:50 PM, Darin wrote:
 
 DC We just reviewed this morning's logs and had a few false 
 positives.  
 DC Not sure if these are due to the new rulebot, but it's more than 
 DC we've had for the entire day for the past month.
 
 DC Rules
 DC --
 DC 873261
 DC 866398
 DC 856734
 DC 284831
 DC 865663
 
 Three of these are from F001 and have been removed.
 
 865663 - http://www.dnsstuff.com/tools/ip4r.ch?ip=64.233.166.182
  http://www.dnsstuff.com/tools/ptr.ch?ip=64.233.166.182
 
 856734 - http://www.dnsstuff.com/tools/ip4r.ch?ip=64.249.82.200
  http://www.dnsstuff.com/tools/ptr.ch?ip=64.249.82.200
 
 873261 - http://www.dnsstuff.com/tools/ip4r.ch?ip=207.217.120.227
  http://www.dnsstuff.com/tools/ptr.ch?ip=207.217.120.227
 
 
 I haven't yet processed the fps, only looked up the rules.
 
 There are currently 32820 rules authored by the F001 bot.
 
 Hope this helps,
 
 _M
 
 
 
 
 
 This E-Mail came from the Message Sniffer mailing list. For 
 information and (un)subscription instructions go to 
 http://www.sortmonster.com/MessageSniffer/Help/Help.html
 


This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html


RE: [sniffer] Sniffer, MDLP, and invURIBL?

2006-02-25 Thread Colbeck, Andrew



Joe,

Are you using MDLP to autotune your weights in 
Declude? If so, you can exclude invURIBL and other tests which you don't 
want to change, whether because you think the weight is perfect, or because 
their randomness doesn't fit MDLP's idea of a weighting 
system.

Check out this snippet from The McNeil on this list at some 
point in the past:


"Use the #MDLP:MANUAL feature to lock these 
tests at the values you set. In your GLOBAL.CFG file create a line that lists 
the tests you want to adjust manually.
#MDLP:MANUAL TEST1 TEST2 
TEST3
You can also use more than one line if 
you wish...
#MDLP:MANUAL TEST1
...
#MDLP:MANUAL TEST2
...
#MDLP:MANUAL TEST3
...
The #MDLP:MANUAL directive appears to 
be a comment to Declude so it will be otherwise ignored. If you have an #MDLP 
directive you want to comment out then you can add an additional # as 
in:
##MDLP:...
This will cause MDLP to 
ignore it as well."

Andrew 
8)

  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Joe 
  WolfSent: Saturday, February 25, 2006 9:05 AMTo: 
  sniffer@SortMonster.comSubject: [sniffer] Sniffer, MDLP, and 
  invURIBL?
  
  I'm currently running Sniffer via Declude and use 
  MDLP. Great!
  
  Since all the talk about invURIBL on the Imail list I 
  thought I'd give it a try. The only problem I have is that it doesn't 
  seem to be compatible with MDLP.
  
  invURIBL assigns its own weight to each message. 
  The global.cfg line is as follows:
  INV-URIBL external weight "X:\INVURIBL\INVURIBL.exe %WEIGHT% %REMOTEIP%" 
  0 0
  I'm not an expert but the %WEIGHT% must pass the weight 
  determined by invURIBL to Declude. I don't know what the variables of 
  the weighting system are.
  
  I'm worried that I may start getting a bunch of false 
  positives since MDLP can't manage the weighting of invURIBL.
  
  Would appreciate any advice from anyone that knows more 
  about this than I do!
  
  Thanks,
  Joe


RE: Re[4]: [sniffer] When to go persistent

2006-02-24 Thread Colbeck, Andrew
Goran,

When you issue a reload you can tell that the new rulebase is being used
because the *.svr file's date and time will change to the current time.

Andrew 8)

  

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
 Sent: Friday, February 24, 2006 7:31 AM
 To: sniffer@SortMonster.com
 Subject: RE: Re[4]: [sniffer] When to go persistent
 
 Hi,
 
 I just got my service up and running using Matt's post 
 
 http://www.mail-archive.com/sniffer@sortmonster.com/msg00169.html
 
 It was simple especially since I already the resource kit installed.
 
 Now I know that this I supposed to work to get the persistent 
 instance to load the new rulebase after a download.
 
 REM Load new rulebase file.
 %LicenseID%.exe reload
 
 
 But is there any way to query the service and ask it to tell 
 you when was the last time the rulebase was loaded? Or what 
 version of the rulebase it is using? When running in peer 
 mode this question does not arise since the instances read 
 the file off disk so there is no problem.
 With the persistent instance this is not the case and I would 
 like to know that it really is using the newest rulebase.
 
 Goran Jovanovic
 Omega Network Solutions
 
  
 
  -Original Message-
  From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]
  On Behalf Of Pete McNeil
  Sent: Thursday, February 23, 2006 3:11 PM
  To: Rick Robeson
  Subject: Re[4]: [sniffer] When to go persistent
  
  On Thursday, February 23, 2006, 1:22:53 PM, Rick wrote:
  
  RR I thought you had to run this as a service?
  
  RR Rick Robeson
  RR getlocalnews.com
  RR [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
  
  Strictly speaking you do not have to run it as a service, but it is 
  more convenient to do so. If you run it from the command 
 line then you 
  would need to remain logged in.
  
  Running the persistent instance from the command line is convenient 
  for testing, but it is much better to run it as a service in a 
  production environment - that way it starts and stops with 
 the other 
  services as expected, doesn't require any account to be logged in, 
  etc...
  
  _M
  
  
  
  This E-Mail came from the Message Sniffer mailing list. For
 information
  and (un)subscription instructions go to 
  http://www.sortmonster.com/MessageSniffer/Help/Help.html
 
 
 This E-Mail came from the Message Sniffer mailing list. For 
 information and (un)subscription instructions go to 
 http://www.sortmonster.com/MessageSniffer/Help/Help.html
 


This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html


RE: [sniffer] When to go persistent

2006-02-23 Thread Colbeck, Andrew
Goran, I'd be interested in Pete's technical answer, too.

The practical answer is that you should always go with the persistent
instance of Message Sniffer.  From reading Pete's previous screeds and
monitoring the list here in the last year and from having my own
troubles, it's pretty clear to me that only marginal cases suffer with
the persistent mode (and I was one of them).

Pete's answer on volumes won't answer what are the marginal cases, it
just doesn't fit your question.  For me, it was simple lack of hardware,
but I was *right* on the edge.

Andrew 8)



 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
 Sent: Thursday, February 23, 2006 8:30 AM
 To: sniffer@SortMonster.com
 Subject: [sniffer] When to go persistent
 
 Hi,
 
 Is there any good rule of thumb, in terms of messages 
 processed per minute/hour/day when you should move to a 
 persistent instance of Sniffer?
 
 Thank you
 
 Goran Jovanovic
 Omega Network Solutions
 
 
 This E-Mail came from the Message Sniffer mailing list. For 
 information and (un)subscription instructions go to 
 http://www.sortmonster.com/MessageSniffer/Help/Help.html
 


This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html


RE: [sniffer] Bad Rule - 828931

2006-02-07 Thread Colbeck, Andrew
Thanks for the update, Pete.

I also appreciate that you expanded on how that rule went wild.  I can
see that the intent was good but the unintended consequences were not so
good.

Here's how it played out on my server:

How many messages hit the FP rules: 2,042
How many messages Declude decided were ham anyway: 1,093
How many messages Declude decided were viruses: 0
How many messages Declude decided were spam: 949
Of the spam, when re-queued, how many were ham: 583
Of the spam, when re-queued, how many were still spam: 366

So, in total:
How many messages hit the bad 828931 rule: 2,042
How many were indeed spam: 366
How many were false positives: 1,676


Andrew 8)





This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html


RE: [sniffer] Bad Rule - 828931

2006-02-07 Thread Colbeck, Andrew



Thanks for the update, Pete.I also appreciate that 
you expanded on how that rule went wild. I can see that the intent was 
good but the unintended consequences were not so good.Here's how it 
played out on my server:How many messages hit the FP rules: 2,042How 
many messages Declude decided were ham anyway: 1,093How many messages 
Declude decided were viruses: 0How many messages Declude decided were spam: 
949Of the spam, when re-queued, how many were ham: 583Of the spam, when 
re-queued, how many were still spam: 366So, in total:How many 
messages hit the bad 828931 rule: 2,042How many were indeed 
spam: 366How many were false positives: 
1,676Andrew 8)p.s. Re-posted in HTML so 
that I don't have to explain the line breaks that were eaten in the plain text 
version post.





[sniffer] Rulebots gone wild

2006-01-19 Thread Colbeck, Andrew
By the way, Pete, thank you very much for publicly posting the URL where
we could download FPSigIDs.csv so that we could work on recovering our
own false positives. 

I was able to use this information to selectively re-test all of the
messages detected by those rules.  That was 2,449 messages.  More than
half of those were detected as spam by other Message Sniffer rules,
leaving me with 1,038 messages that I re-queued in my Declude JunkMail
Pro on Ipswitch Imail.

For what it's worth, that 1,038 messages that did not trigger any rules
in the new rulebase included 378 spam messages which were then caught by
my Declude JunkMail Pro configuration.

Andrew 8)



 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
 Sent: Thursday, January 19, 2006 9:15 AM
 To: Jeff Alexander
 Subject: Re: [sniffer] How can I
 
 On Thursday, January 19, 2006, 8:37:01 AM, Jeff wrote:
 
 JA   
 JA  
 JA I have been having a lot of problems with the rules  since Friday.
 JA  
 JA How can I see what rules are set for  spamming.
 
 There are many thousands of rules. For security purposes we 
 don't expose their content freely. If you have false 
 positives, please follow the false positive process and as 
 part of that process, the rules involved with any particular 
 case will be shown to you.
 
 It's not clear from your note but most likely you're trouble 
 is part of a problem we had with our rule-bots a few days 
 ago. The rule-bots have been disabled and the bad rules they 
 created have been rolled out of the core rulebase.
 
 Hope this helps,
 
 _M
 
 
 
 This E-Mail came from the Message Sniffer mailing list. For 
 information and (un)subscription instructions go to 
 http://www.sortmonster.com/MessageSniffer/Help/Help.html
 


This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html


RE: [sniffer] Rollback of bot rules..

2006-01-17 Thread Colbeck, Andrew
Thank you, Pete.

In my spelunking, I've found too many rules to put in as panic entries
my .cfg file, and this morning I dropped the weight for my experimental
class tests to low values, and heavily edited my combo tests that
build on Sniffer hits.

I'm attaching a report showing the number of hits for the various rules
that I'm pretty sure are false positives, and this was from a modest
sample of my traffic.

Now that the source of the bad rules is gone, and I see that the latest
.snf update's file size has significantly shrunk, I'm going to find all
the rules that triggered tests 61 and 63 and re-queue them in my Declude
for scanning to get the false positives through my mail system.

Andrew.

 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
 Sent: Tuesday, January 17, 2006 2:06 PM
 To: sniffer@sortmonster.com
 Subject: [sniffer] Rollback of bot rules..
 
 Hello Sniffer Folks,
 
   There is an unknown problem with the bots surrounding SURBL and
   SORBS testing. Rather than search for all the needles in all the
   haystacks we are taking the following action:
 
   The bots will be offline until further notice - so all rules will be
   those that are developed by our human rule-techs for the time being.
 
   All SURBL or SORBS related rules that were generated by bots in the
   past 18 hours will be rolled into our Problematic rule group. This
   is where rules go when they have been removed due to an FP - the
   Problematic rule group does not get published - it simply prevents
   rules from being duplicated.
 
   Since we have a huge backlog of false positive reports, it may take
   a while to get through them all. Please be patient.
 
   The database changes will occur in the next half hour. All updates
   after that time should have these troublesome rules removed.
 
   Once I resolve what happened to the bots I will let everyone know.
 
 Thanks,
 _M
 
 Pete McNeil (Madscientist)
 President, MicroNeil Research Corporation Chief SortMonster 
 (www.sortmonster.com) Chief Scientist (www.armresearch.com)
 
 
 This E-Mail came from the Message Sniffer mailing list. For 
 information and (un)subscription instructions go to 
 http://www.sortmonster.com/MessageSniffer/Help/Help.html
 
 10 491587
  1 534442
  4 618807
  1 800976
 16 802046
  1 802834
  1 802871
  1 803025
  5 803052
  1 803099
  1 803115
  1 803163
 43 803228
  5 803243
  1 803403
  1 803530
  5 803621
  1 803967
  6 804085
  3 804105
 10 804289
  3 804436
  1 804561
  4 804788
  1 805080
  1 805141
 32 805157
  1 805270
  5 805273
  2 805306
  1 805367
 10 805460
  2 805475
  1 805517
  4 805528
  3 805531
  3 805613
  1 805807
  1 805863
  1 806121
  3 806338
  2 806396
 40 806424
 21 806488
 11 808137
  2 808421
  2 808456
  1 808733
  2 809667
  1 809928
 60 810112
  3 810136
  1 810761
  1 810833
  2 811233


RE: [sniffer] POP3 Account Question

2005-12-05 Thread Colbeck, Andrew



(nuts, to fast on the "Send" button).

... plus, future hits on spam that is already detected can 
accumulate hits on, say, SNIFFEREXPIP that weren't already hitting. 
Therefore, trying to save bandwidth and processing power over at sortmonster.com 
by submitting less spam is not helpful.

Pete, how'd I do?

Andrew 8)


  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, 
  AndrewSent: Monday, December 05, 2005 12:34 PMTo: 
  sniffer@SortMonster.comSubject: RE: [sniffer] POP3 Account 
  Question
  
  I had the same question, but more 
  specifically:
  
  Is is helpful for sniffer trap (spam and user trap) 
  submissions to skip, or to include messages on which sniffer already 
  hits.
  
  I imagine that all trap hits are useful, and that 
  duplicate submissions reinforce the rule strength for a given hit when we 
  submit spam that is already detected...
  
  Andrew 8)
  
  


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Scott 
FisherSent: Monday, December 05, 2005 12:28 PMTo: 
sniffer@SortMonster.comSubject: [sniffer] POP3 Account 
Question

I'm working on setting up a spamtrap that'll be 
for Sniffer.

One question:

Do you want the email to be 
filtered?

options.
Bring in all email.
Delete all email that Sniffer finds a match on. 
So the only mail left will be mail that Sniffer returned a 0 
on.
Run normal 
tests.


RE: [sniffer] OT: MDaemon HELO greeting

2005-10-28 Thread Colbeck, Andrew



Thanks, Dave!



  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Dave 
  KoontzSent: Thursday, October 27, 2005 8:39 AMTo: 
  sniffer@SortMonster.comSubject: RE: [sniffer] OT: MDaemon HELO 
  greeting
  
  Find or add the following Section to your MDaemon.ini 
  file, enter Line 7000= whatever you want:
  
  [Custom-SMTP]7000=" Blah...Blah ESMTP 
  server"
  


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, 
AndrewSent: Wednesday, October 26, 2005 2:14 PMTo: 
sniffer@SortMonster.comSubject: [sniffer] OT: MDaemon HELO 
greeting

Can anybody give me the short and sweet "how-to" change 
the HELO in MDaemon withoutchanging the hostname of the mail 
server?

I don't use MDaemon, I'm trying to help someone 
else.

Thanks,

Andrew 
8)


[sniffer] OT: MDaemon HELO greeting

2005-10-26 Thread Colbeck, Andrew



Can anybody give me the short and sweet "how-to" change the 
HELO in MDaemon withoutchanging the hostname of the mail 
server?

I don't use MDaemon, I'm trying to help someone 
else.

Thanks,

Andrew 8)


RE: [sniffer] New virus...

2005-10-06 Thread Colbeck, Andrew
I suppose it depends on just deep the sniffer signature goes...

Previous viruses including Sober.* have come in waves, with variants
that skirt all but the most intrusive antivirus blocking schemes.

I submitted a sample to the Norman Sandbox, which turned up different
information than the McAfee, Trend Micro et al writeups.  I googled the
CLSIDs that turned up and didn't come up with much, but a fascinating
thing was that they also hit on previous Norman Sandbox entry that
Google happened to have in its cache from Sep-25-2005.  Maybe the bad
guys are testing their software there before release? Hmmm...

So anyhow... If sniffer is *so* amazing that it could identify the CLSID
within an executable within a zip file within a MIME segment of a
message file, well, that would certainly be amazing, now wouldn't it?

I figure the CLSID is unlikely to change as quick as the distribution
method and packaging.

Andrew 8)

P.s. We'll see how well the shiny new Common Malware Enumeration scheme
pans out.  So far, the vendors' names for the malware are quite
different.


 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
 Sent: Thursday, October 06, 2005 12:02 AM
 To: sniffer@SortMonster.com
 Subject: RE: [sniffer] New virus...
 
 No need to block zips, with Declude just add BANZIPEXTS  
 ON to your
 virus.cfg file since the payload is an exe within the zip and 
 since we are all already banning executable files, correct?
 
 John T
 eServices For You
 
  -Original Message-
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED]
 On
  Behalf Of Pete McNeil
  Sent: Wednesday, October 05, 2005 8:41 PM
  To: sniffer@sortmonster.com
  Subject: [sniffer] New virus...
  Importance: High
  
  Hello sniffer,
  
Hello folks... watch out for a new virus email with an attachment
named pword _ change . zip - extra spaces added to skip filters
;-)
  
We're adding some SNF rules to catch it. No word about it on virus
lists or scanner services yet (that I can see).
  
You may want to temporarily block .zip files - or at least this
particular zip file until the new rules can be pushed out and the
virus scanners catch up.
  
  Thanks,
  _M
  
  Pete McNeil (Madscientist)
  President, MicroNeil Research Corporation Chief SortMonster 
  (www.sortmonster.com) Chief Scientist (www.armresearch.com)
  
  
  This E-Mail came from the Message Sniffer mailing list. For 
  information
 and
  (un)subscription instructions go to
  http://www.sortmonster.com/MessageSniffer/Help/Help.html
 
 
 This E-Mail came from the Message Sniffer mailing list. For 
 information and (un)subscription instructions go to 
 http://www.sortmonster.com/MessageSniffer/Help/Help.html
 

This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html


RE: [sniffer] YAhoo mails failing sniffer?

2005-09-22 Thread Colbeck, Andrew
Inversely, I just had a 419 scam come from a legitimate hotmail account,
with a Yahoo! Email address as payload, and for the record, that email
address (nor anything else) trigger a Sniffer detection.

I've just submitted it to the spam@ address.

Andrew 8) 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Matt
 Sent: Wednesday, September 21, 2005 9:29 PM
 To: sniffer@SortMonster.com
 Subject: Re: [sniffer] YAhoo mails failing sniffer?
 
 Quick follow-up.  The bad rule appears to be 497585.
 
 Matt
 
 
 
 Marc Catuogno wrote:
 
 I'm seeing a few legit e-mails from Yahoo failing sniffer.  
 Anyone else?
 
 ---
 [This E-mail scanned for viruses by Declude Virus]
 
 
 This E-Mail came from the Message Sniffer mailing list. For 
 information 
 and (un)subscription instructions go to 
 http://www.sortmonster.com/MessageSniffer/Help/Help.html
 
 
   
 
 
 This E-Mail came from the Message Sniffer mailing list. For 
 information and (un)subscription instructions go to 
 http://www.sortmonster.com/MessageSniffer/Help/Help.html
 

This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html


RE: [sniffer] Integration with today's new ORF version:

2005-09-15 Thread Colbeck, Andrew
I just thought I'd revive this thread and say that on a tiny organization for 
whom I also administer the mail, this was welcome news.

They have ORF plus Exchange 2000.  I added the free eval version of sniffer to 
their mix with the new ORF External Agent feature.

Despite the delay in patterns, it is picking up some of the small amount of 
spam that leaks in despite the RBL based tests.

I also used the standard download scripts wrangled by Bill Landry instead of 
my own, and found this pretty easy to set up.


Andrew 8)

 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Andy Schmidt
 Sent: Monday, September 05, 2005 7:46 AM
 To: sniffer@SortMonster.com
 Subject: RE: [sniffer] Integration with today's new ORF version:
 
 Congratulations!
 
 (Sorry for having wasted band-width, I just saw the contact 
 vendor link - never clicked on the link that contained the 
 XML definitions G  Found it now...).
 
 Anyway - thanks for the integration.
 
 Best Regards
 Andy Schmidt
 
 Phone:  +1 201 934-3414 x20 (Business)
 Fax:+1 201 934-9206 
 
 
 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED]
 On Behalf Of Pete McNeil
 Sent: Monday, September 05, 2005 10:43 AM
 To: Andy Schmidt
 Subject: Re: [sniffer] Integration with today's new ORF version:
 
 On Monday, September 5, 2005, 9:26:38 AM, Andy wrote:
 
 AS http://www.vamsoft.com/orf/agentdefs.asp
 AS  
 AS It says to contact  vendor. Here I am G.
 
 Yes indeed.
 
 How may I help you?
 
 _M
 
 
 
 This E-Mail came from the Message Sniffer mailing list. For 
 information and (un)subscription instructions go to 
 http://www.sortmonster.com/MessageSniffer/Help/Help.html
 
 
 This E-Mail came from the Message Sniffer mailing list. For 
 information and (un)subscription instructions go to 
 http://www.sortmonster.com/MessageSniffer/Help/Help.html
 

This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html


RE: [sniffer] Sniffer Resources

2005-09-06 Thread Colbeck, Andrew
Richard, are you rotating your sniffer logs daily?

I had the same experience a very log time ago, and found that without
rotating the logs, appending to a monster text file was soaking up a lot
of cpu and disk on my server.

Bill Landry worked with a lot of people here to make his download script
generic enough for everyone's use.  Bundled with that is a script for
rotating your logs and uploading them back to SortMonster so that your
system provides feedback on rule strengths.

You can find more information about the logs here:

http://www.messagesniffer.com/Support/TechDetails/logFiles.jsp

And the user submitted scripts section is here:

http://www.messagesniffer.com/Support/submittedScripts.jsp

In particular, you would want to download:

http://www.messagesniffer.com/Support/UserScripts/ImailSnifferUpdateTool
s.zip

And then edit the cmd files to provide your executable name and auth key
in the variables supplied.

And then schedule the rotate/update script, e.g.

At 10:23PM /every:m,t,w,th,f,sa,su c:\messagesniffer\snfupd.cmd
 

I hope that helps somebody,

Andrew 8)




 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Richard Farris
 Sent: Tuesday, September 06, 2005 8:07 AM
 To: sniffer@SortMonster.com
 Subject: [sniffer] Sniffer Resources
 
 When I turn off sniffer my server acts normally on 
 rescources..but when I turn it on it goes to 100% and stays 
 there most of the time...I have tried updating the sniffer 
 and rebooting the server but does not help...it has been 
 doing this for about a month...has anyone else seen this..if 
 not what can I do to resolve it..right now I have sniffer 
 turned off so I can just send mail thru the server..
 
 Richard Farris
 Ethixs Online
 1.270.247. Office
 1.800.548.3877 Tech Support
 Crossroads to a Cleaner Internet
 
 - Original Message -
 From: Pete McNeil [EMAIL PROTECTED]
 To: Andy Schmidt sniffer@SortMonster.com
 Sent: Monday, September 05, 2005 9:43 AM
 Subject: Re: [sniffer] Integration with today's new ORF version:
 
 
  On Monday, September 5, 2005, 9:26:38 AM, Andy wrote:
 
  AS http://www.vamsoft.com/orf/agentdefs.asp
  AS
  AS It says to contact  vendor. Here I am G.
 
  Yes indeed.
 
  How may I help you?
 
  _M
 
 
 
  This E-Mail came from the Message Sniffer mailing list. For 
 information 
  and (un)subscription instructions go to 
  http://www.sortmonster.com/MessageSniffer/Help/Help.html
 
  
 
 
 This E-Mail came from the Message Sniffer mailing list. For 
 information and (un)subscription instructions go to 
 http://www.sortmonster.com/MessageSniffer/Help/Help.html
 

This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html


RE: [sniffer] Test

2005-08-04 Thread Colbeck, Andrew



Ping?

Pong.

  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Robert 
  MathiasSent: Thursday, August 04, 2005 3:59 PMTo: 
  sniffer@SortMonster.comSubject: [sniffer] Test
  
  
  Apologies, but need 
  to test.
  Robert


RE: Re[2]: [sniffer] Sniffer taking a long time?

2005-08-03 Thread Colbeck, Andrew
 So basically, what you are saying is that my volume is really 
 too low to take advantage of the persistent sniffer (and such 
 may actually decrease my performance), and I should stick 
 with the non-service version.  Is that right?  That is about 
 what I thought (without the details of how sniffer works, I 
 just wanted to be sure).

Well, Dan, for the inevitable rush of traffic, I'd stick with the
persistent sniffer implementation now that you have it working.

If the 2 second wait time galls you, then use your **.cfg file and
specify the

MaxPollTime: 500

value at 500 ms or whatever you'd like your maximum wait time to be
instead of 2 seconds (2000 ms).

Andrew 8)




This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html


RE: [sniffer] FireDaemon

2005-07-31 Thread Colbeck, Andrew



FireDaemon is dirt cheap. Yes, you can have one 
service for free if you find an older version.

If you want free and will settle forno interface, 
then check out the free SrvAny.exe that is downloadable from Microsoft as part 
of their Windows Server Resource Kit.

Andrew 8)

  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of David 
  PayerSent: Sunday, July 31, 2005 5:16 PMTo: 
  sniffer@SortMonster.comSubject: Re: [sniffer] 
  FireDaemon
  
  The newest version is not a free version. Older 
  versions gave you one service for free. The new one does not. Got a 
  license?
  
  David Payer
  
- Original Message - 
From: 
Greg Wanner 
To: sniffer@sortmonster.com 
Sent: Sunday, July 31, 2005 5:43 
PM
Subject: [sniffer] FireDaemon

Can anybody help me with a problem getting the 
persistent mode to work with FireDaemon. I loaded the latest version, 
1.7. I believe I have everything setup correctly, the right .exe name, 
authenicationxx and persistent in parameters. It starts to fire up, 
then stops. Any hints?

[EMAIL PROTECTED]



[sniffer] New, but broken worm?

2005-07-22 Thread Colbeck, Andrew
My email server has received about 200 of a certain message since 8:30
AM PDT.

The Subject line is merely 1, the forged mailfrom is approximately the
first 8 characters of the target address plus a forged domain.  There is
an attachment called 1.txt and a message text body that begins on a
new line ICA= plus three characters, the first one of which may be
low-bit ASCII and the second two are high-bit.

The sources include zombie networks, normal mail servers, and bounced
messages from normal servers.

I've sent a bunch of samples to the usual spam@ address and thought I'd
make a more general posting here.  My guess is that it's a new worm, and
that it's broken.

Incidentally, I don't think this is related to a current spam campaign
in which the Subject: line includes a number inside of square brackets.
I just thought I'd head off that distraction.

Andrew 8)



This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html


RE: [sniffer] New, but broken worm?

2005-07-22 Thread Colbeck, Andrew
 I'm on updates this evening. I'll watch for this. It sounds 
 like something that requires an abstract rule --- probably 
 not enough content for the other coders to try it safely... I 
 am surprized I didn't hear about it though...
 
 Please send me another note with a few of these as 
 attachments (even better if they are raw files from your mail 
 queue - that way there will be no re-coding by any mail 
 clients) -- send to our support@ address. If they get through 
 then that means we're not filtering them yet -- I'll use them 
 as examples and will try to code a complex rule that's safe.
 
 Thanks!
 
 _M
 

Sure thing, Pete.

I think the formatting survived ok, and even took the time to review the
submission guideline on your support web page.

It looks like Tito's submission survived intact, but I'll send a follow
up as per your request, it's dead easy (but will include my standard
Declude headers).

Andrew 8)





This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html


[sniffer] Phishers Jump On MasterCard Breach

2005-06-21 Thread Colbeck, Andrew
FYI

http://www.securitypipeline.com/news/164901324





This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html


RE: [sniffer] Spam blocks loading me up with spam

2005-06-17 Thread Colbeck, Andrew
Title: Message



Gotta 
catch 'em all (not Pokemon, spam)...

Sniffer caught all of them today:

gawk 
"$0 ~ /.+From: .+To: .+IP: 200\.49\.[3|4|5]/ {print $3}" dec0617.log 
temp.txt

fgrep 
-ftemp.txt dec0617.log | fgrep "Total weight"

If 
your volume is quite high, that second line, instead of showing all the total 
weights for the netblocks in question, could instead show which lines sniffer 
didn't hit on:


fgrep 
-ftemp.txt dec0617.log | fgrep "Total weight"  | fgrep -v 
"SNIFFER"


Andrew 8)

  
  -Original Message-From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
  Behalf Of Scott FisherSent: Thursday, June 16, 2005 4:20 
  PMTo: sniffer@SortMonster.comSubject: Re: [sniffer] Spam 
  blocks loading me up with spam
  I'm also taking out the: 200.49.32.xxx to 
  200.49.47.xxx addresses with my IPFILE. Most of them were taken out in Feb 
  with SBL 17983.
  
  The trouble on this spammer for me, is they 
  aren't listed anywhere (with the 299.49.50.XXXs and are probably burning 
  through domain names faster than the SURBLs can really be 
  effective.
  So unless I get an SURBL hit or a Sniffer hit 
  they are leaking through. Hopefully with Pete's new rules, this will be 
  stopped.
  
  200.49.32.0/24200.49.32.0/24moved 
  06-15-05SBL17983200.49.33.0/24200.49.33.0/24starsoftmails.comadded 
  02-17-05SBL17983200.49.34.0/24200.49.34.0/24moved 
  06-15-05SBL17983200.49.35.0/24200.49.35.0/24moved 
  06-15-05SBL17983200.49.36.0/24200.49.36.0/24moved 
  06-15-05SBL17983200.49.37.0/24200.49.37.0/24afdtc.comadded 
  02-17-05SBL17983200.49.38.0/24200.49.38.0/24afdtc.comadded 
  02-17-05SBL17983200.49.39.0/24200.49.39.0/24afdaa.comadded 
  02-17-05SBL17983200.49.40.0/24200.49.40.0/24moved 
  06-15-05SBL17983200.49.41.0/24200.49.41.0/24moved 
  06-15-05SBL17983200.49.42.0/24200.49.42.0/24moved 
  06-15-05SBL17983200.49.43.0/24200.49.43.0/24awwsc.comadded 
  02-17-05SBL17983200.49.44.0/24200.49.44.0/24arvvv.commoved 
  05-29-05SBL17983200.49.45.0/24200.49.45.0/24starofferzone.comadded 
  02-17-05SBL17983200.49.46.0/24200.49.46.0/24fdcmm.comadded 
  02-17-05SBL17983200.49.47.0/24200.49.47.0/24bicsc.comadded 
  02-17-05SBL17983
  
- Original Message - 
From: 
Darrell 
([EMAIL PROTECTED]) 
To: sniffer@SortMonster.com 
Sent: Thursday, June 16, 2005 6:44 
PM
Subject: Re: [sniffer] Spam blocks 
loading me up with spam

Scott,

Not to many incoming for me - about 200 out of 
about 125K messages. One thing to note is the ones I am getting are 
around that block but even lower like 200.49.44.x.

Darrell
---Check out http://www.invariantsystems.com 
for utilities for Declude And Imail. IMail Queue Monitoring, Declude 
Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log 
Parsers.

  - Original Message - 
  From: 
  Scott Fisher 
  To: sniffer@SortMonster.com 
  Sent: Thursday, June 16, 2005 6:04 
  PM
  Subject: [sniffer] Spam blocks 
  loading me up with spam
  
  
  Am I the only one getting blasted by these 
  spam from these IP blocks? Sniffer seems a little behind on catching 
  these.
  
  200.49.48.0/24200.49.48.0/24
  200.49.49.0/24200.49.49.0/24mowz2.com200.49.50.0/24200.49.50.0/24qckcstmr.com
  200.49.51.0/24200.49.51.0/24srvdupfrsh.com200.49.52.0/24200.49.52.0/24aahtv.com200.49.53.0/24200.49.53.0/24aakai.com
  200.49.54.0/24200.49.54.0/24aakib.com200.49.55.0/24200.49.55.0/24aakli.com200.49.56.0/24200.49.56.0/24aafix.com200.49.57.0/24200.49.57.0/24e.com
  200.49.58.0/24200.49.58.0/24200.49.59.0/24200.49.59.0/24
  
  Domain names andlinks seem to be five 
  chars beginning with aa. Theyalsoseem to be progressing 
  through theIP blocks.
  
  i think they started in on the June 15th and 
  have been spamming pretty 
consistantly.


RE: [sniffer] Spam blocks loading me up with spam

2005-06-16 Thread Colbeck, Andrew
Title: Message



I 
haven't noticed this spam leaking through, but at your prompting I did 
a:

egrep 
".+From: .+To: .+IP: 200\.49\." dec0616.log

and 
saw about 46. A glance through these to:from:ip: lines definitely shows 
messages that fit your description, along with messages that don't (I'm 
deliberately looking at the16 bit subnet) and I see messages today 
from:


200.49.37.0/24
200.49.44.0/24

in addition to the blocks you listed, and a 
spot check of two of them did not turn up any hitswith sniffer. 
Total volume was low,at less than50 messages.

One other interesting comment that I can add 
is that I'm seeing them use VERP like MAILFROM addresses, e.g.:

[EMAIL PROTECTED]

Of course, jsmith and example.com are not 
the actual text, but the recipient at my domain.

Andrew 
8)

  
  -Original Message-From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
  Behalf Of Scott FisherSent: Thursday, June 16, 2005 3:04 
  PMTo: sniffer@SortMonster.comSubject: [sniffer] Spam 
  blocks loading me up with spam
  
  Am I the only one getting blasted by these spam 
  from these IP blocks? Sniffer seems a little behind on catching 
  these.
  
  200.49.48.0/24200.49.48.0/24
  200.49.49.0/24200.49.49.0/24mowz2.com200.49.50.0/24200.49.50.0/24qckcstmr.com
  200.49.51.0/24200.49.51.0/24srvdupfrsh.com200.49.52.0/24200.49.52.0/24aahtv.com200.49.53.0/24200.49.53.0/24aakai.com
  200.49.54.0/24200.49.54.0/24aakib.com200.49.55.0/24200.49.55.0/24aakli.com200.49.56.0/24200.49.56.0/24aafix.com200.49.57.0/24200.49.57.0/24e.com
  200.49.58.0/24200.49.58.0/24200.49.59.0/24200.49.59.0/24
  
  Domain names andlinks seem to be five chars 
  beginning with aa. Theyalsoseem to be progressing through 
  theIP blocks.
  
  i think they started in on the June 15th and have 
  been spamming pretty consistantly.


RE: [sniffer] Spam blocks loading me up with spam

2005-06-16 Thread Colbeck, Andrew
Title: Message



Also, 
thedomains in the body textare not hitting on SURBL 
tests.

Andrew 
8)

  
  -Original Message-From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
  Behalf Of Colbeck, AndrewSent: Thursday, June 16, 2005 3:34 
  PMTo: sniffer@SortMonster.comSubject: RE: [sniffer] Spam 
  blocks loading me up with spam
  I 
  haven't noticed this spam leaking through, but at your prompting I did 
  a:
  
  egrep ".+From: .+To: .+IP: 200\.49\." dec0616.log
  
  and 
  saw about 46. A glance through these to:from:ip: lines definitely shows 
  messages that fit your description, along with messages that don't (I'm 
  deliberately looking at the16 bit subnet) and I see messages today 
  from:
  
  
  200.49.37.0/24 
  200.49.44.0/24
  
  in addition to the blocks you listed, and 
  a spot check of two of them did not turn up any hitswith sniffer. 
  Total volume was low,at less than50 messages.
  
  One other interesting comment that I can 
  add is that I'm seeing them use VERP like MAILFROM addresses, 
  e.g.:
  
  [EMAIL PROTECTED]
  
  Of course, jsmith and example.com are not 
  the actual text, but the recipient at my domain.
  
  Andrew 
  8)
  

-Original Message-From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
Behalf Of Scott FisherSent: Thursday, June 16, 2005 3:04 
PMTo: sniffer@SortMonster.comSubject: [sniffer] Spam 
blocks loading me up with spam

Am I the only one getting blasted by these spam 
from these IP blocks? Sniffer seems a little behind on catching 
these.

200.49.48.0/24200.49.48.0/24
200.49.49.0/24200.49.49.0/24mowz2.com200.49.50.0/24200.49.50.0/24qckcstmr.com
200.49.51.0/24200.49.51.0/24srvdupfrsh.com200.49.52.0/24200.49.52.0/24aahtv.com200.49.53.0/24200.49.53.0/24aakai.com
200.49.54.0/24200.49.54.0/24aakib.com200.49.55.0/24200.49.55.0/24aakli.com200.49.56.0/24200.49.56.0/24aafix.com200.49.57.0/24200.49.57.0/24e.com
200.49.58.0/24200.49.58.0/24200.49.59.0/24200.49.59.0/24

Domain names andlinks seem to be five 
chars beginning with aa. Theyalsoseem to be progressing through 
theIP blocks.

i think they started in on the June 15th and 
have been spamming pretty 
consistantly.


RE: Re[2]: [sniffer] Spam blocks loading me up with spam

2005-06-16 Thread Colbeck, Andrew
Today I saw hits from this campaign on another IP block as well, and
plugging that into SenderBase.org gives me:

http://www.senderbase.org/search?searchString=200.49.37.130

Note in the top right that they list:

200.49.36.0/22

belonging to Network Access Point S.R.L., and following that link
shows 19 domains, many of which follow Scott's spam campaign sample
domains.

Weirdly, plugging in that CIDR format back into SenderBase reveals
little joy.

I've submitted to spam@ multiple samples from today of spam that I
caught with and without Sniffer so that Pete can see what is common.

Andrew 8)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Thursday, June 16, 2005 3:58 PM
To: Chuck Schick
Subject: Re[2]: [sniffer] Spam blocks loading me up with spam


Additional info (justifying the IP block rules just added):

http://www.senderbase.org/search?searchString=200.49.48.0%2F20

I wonder why nobody else is listing these IPs yet. Could we just be the
first? (This exercise has given me some ideas for new research
tasks-- :-) )

Interesting.

_M

On Thursday, June 16, 2005, 6:46:13 PM, Chuck wrote:

CS We have been seeing these.

CS Chuck Schick
CS Warp 8, Inc.
CS (303)-421-5140
CS www.warp8.com

CS -Original Message-
CS From: [EMAIL PROTECTED] 
CS [mailto:[EMAIL PROTECTED]
CS On Behalf Of Scott Fisher
CS Sent: Thursday, June 16, 2005 4:04 PM
CS To: sniffer@SortMonster.com
CS Subject: [sniffer] Spam blocks loading me up with spam



CS Am I the only one getting blasted by these spam from these IP 
CS blocks? Sniffer seems a little behind on catching these.

CS 200.49.48.0/24  200.49.48.0/24 
CS 200.49.49.0/24  200.49.49.0/24  mowz2.com
CS 200.49.50.0/24  200.49.50.0/24  qckcstmr.com  
CS 200.49.51.0/24  200.49.51.0/24  srvdupfrsh.com  
CS 200.49.52.0/24  200.49.52.0/24  aahtv.com  
CS 200.49.53.0/24  200.49.53.0/24  aakai.com  
CS 200.49.54.0/24  200.49.54.0/24  aakib.com  
CS 200.49.55.0/24  200.49.55.0/24  aakli.com  
CS 200.49.56.0/24  200.49.56.0/24  aafix.com  
CS 200.49.57.0/24  200.49.57.0/24  e.com  
CS 200.49.58.0/24  200.49.58.0/24  
CS 200.49.59.0/24  200.49.59.0/24

CS Domain names and links seem to be five chars beginning with aa. They

CS also seem to be progressing through the IP blocks.

CS i think they started in on the June 15th and have been spamming 
CS pretty consistantly.


CS This E-Mail came from the Message Sniffer mailing list. For 
CS information and (un)subscription instructions go to 
CS http://www.sortmonster.com/MessageSniffer/Help/Help.html


This E-Mail came from the Message Sniffer mailing list. For information
and (un)subscription instructions go to
http://www.sortmonster.com/MessageSniffer/Help/Help.html

This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html


RE: [sniffer] New Spam/Virus?

2005-06-06 Thread Colbeck, Andrew
Title: Message



I'm 
seeing what Scott sees, but the payload is an encrypted zip.

VirusTotal.com says:

This is a report 
processed by VirusTotal on 06/06/2005 at 23:40:17 (CET) after scanning the file "DBB05F6330082B871.SMD" file.


  
  
Antivirus
Version
Update
Result
  
  
AntiVir
6.30.0.15
06.06.2005
no virus found
  
AVG
718
06.06.2005
no virus found
  
Avira
6.30.0.15
06.06.2005
no virus found
  
BitDefender
7.0
06.06.2005
no virus found
  
ClamAV
devel-20050501
06.06.2005
Worm.Mytob.CO
  
DrWeb
4.32b
06.06.2005
Win32.HLLM.MyDoom.44
  
eTrust-Iris
7.1.194.0
06.05.2005
no virus found
  
eTrust-Vet
11.9.1.0
06.06.2005
no virus found
  
Fortinet
2.27.0.0
06.06.2005
W32/MyTob.EN-mm
  
Ikarus
2.32
06.06.2005
no virus found
  
Kaspersky
4.0.2.24
06.06.2005
Net-Worm.Win32.Mytob.bg
  
McAfee
4507
06.06.2005
Generic Malware.a!zip
  
NOD32v2
1.1131
06.06.2005
Win32/Mytob.DO
  
Norman
5.70.10
06.06.2005
W32/Mytob.GE
  
Panda
8.02.00
06.06.2005
no virus found
  
Sybari
7.5.1314
06.06.2005
W32/Mytob.G
  
Symantec
8.0
06.06.2005
no virus found
  
TheHacker
5.8-3.0
06.06.2005
no virus found
  
VBA32
3.10.3
06.06.2005
Net-Worm.Win32.Mytob.bg

VirusTotal is a free service offered by Hispasec Sistemas. There 
are no guarantees about the availability and continuity of this service. 
Although the detection rate afforded by the use of multiple antivirus engines is 
far superior to that offered by just one product, these results DO NOT guarantee 
the harmlessness of a file. Currently, there is not any solution that offers a 
100% effectiveness rate for detecting viruses and malware.



Andrew 
8)

  
  -Original Message-From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
  Behalf Of Scott FisherSent: Monday, June 06, 2005 2:29 
  PMTo: sniffer@SortMonster.comCc: 
  Declude.Virus@declude.comSubject: Re: [sniffer] New Spam/Virus? 
  
  Yes I have seen them too:
  
  email starts with:
  
  Dear Valued Member, According to our site policy 
  you will have to confirm your account by the following link or else your 
  account will be suspended within 24 hours for security reasons.
  
- Original Message - 
From: 
Jim Matuska 

To: sniffer@SortMonster.com 
Sent: Monday, June 06, 2005 4:13 
PM
Subject: [sniffer] New Spam/Virus? 


Is anyone else seeing a huge rash of spam/virus 
messages in the last hour or so? I have multiple users that are 
getting messages that are forging our own addresses and have a link that 
appears to go to our website but instead goes elsewhere with a IP address 
link. These do not appear to be infecting as file attachments but from 
the web link itself. Pete, I have forwarded a few to your spam@ 
address, let me know what you think.

Jim Matuska Jr.Computer Tech2, CCNANez 
Perce TribeInformation Systems[EMAIL PROTECTED]


RE: [sniffer] New Spam/Virus?

2005-06-06 Thread Colbeck, Andrew
Title: Message



http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FMYTOB%2EDV
http://securityresponse.symantec.com/avcenter/venc/data/[EMAIL PROTECTED]

This 
is the virus that I was seeing. The one that Jim and others are seeing may 
be this MyTob, whose description was still pending when I was at Trend's 
site:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FMYTOB%2EDW

and 
may be the same as:

http://securityresponse.symantec.com/avcenter/venc/data/[EMAIL PROTECTED]

Andrew 
8)

  
  -Original Message-From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
  Behalf Of Colbeck, AndrewSent: Monday, June 06, 2005 2:41 
  PMTo: sniffer@SortMonster.comSubject: RE: [sniffer] New 
  Spam/Virus? 
  I'm 
  seeing what Scott sees, but the payload is an encrypted 
  zip.
  
  VirusTotal.com says:
  
  This is a 
  report processed by VirusTotal on 06/06/2005 at 23:40:17 (CET) after scanning the file "DBB05F6330082B871.SMD" file. 
  
  


  Antivirus
  Version
  Update
  Result


  AntiVir
  6.30.0.15
  06.06.2005
  no virus found

  AVG
  718
  06.06.2005
  no virus found

  Avira
  6.30.0.15
  06.06.2005
  no virus found

  BitDefender
  7.0
  06.06.2005
  no virus found

  ClamAV
  devel-20050501
  06.06.2005
  Worm.Mytob.CO

  DrWeb
  4.32b
  06.06.2005
  Win32.HLLM.MyDoom.44

  eTrust-Iris
  7.1.194.0
  06.05.2005
  no virus found

  eTrust-Vet
  11.9.1.0
  06.06.2005
  no virus found

  Fortinet
  2.27.0.0
  06.06.2005
  W32/MyTob.EN-mm

  Ikarus
  2.32
  06.06.2005
  no virus found

  Kaspersky
  4.0.2.24
  06.06.2005
  Net-Worm.Win32.Mytob.bg

  McAfee
  4507
  06.06.2005
  Generic Malware.a!zip

  NOD32v2
  1.1131
  06.06.2005
  Win32/Mytob.DO

  Norman
  5.70.10
  06.06.2005
  W32/Mytob.GE

  Panda
  8.02.00
  06.06.2005
  no virus found

  Sybari
  7.5.1314
  06.06.2005
  W32/Mytob.G

  Symantec
  8.0
  06.06.2005
  no virus found

  TheHacker
  5.8-3.0
  06.06.2005
  no virus found

  VBA32
  3.10.3
  06.06.2005
  Net-Worm.Win32.Mytob.bg
  
  VirusTotal is a free service offered by Hispasec Sistemas. There 
  are no guarantees about the availability and continuity of this service. 
  Although the detection rate afforded by the use of multiple antivirus engines 
  is far superior to that offered by just one product, these results DO NOT 
  guarantee the harmlessness of a file. Currently, there is not any solution 
  that offers a 100% effectiveness rate for detecting viruses and 
  malware.
  
  
  
  Andrew 8)
  

-Original Message-From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
Behalf Of Scott FisherSent: Monday, June 06, 2005 2:29 
PMTo: sniffer@SortMonster.comCc: 
Declude.Virus@declude.comSubject: Re: [sniffer] New Spam/Virus? 

Yes I have seen them too:

email starts with:

Dear Valued Member, According to our site 
policy you will have to confirm your account by the following link or else 
your account will be suspended within 24 hours for security 
reasons.

  - Original Message - 
  From: 
  Jim Matuska 
  
  To: sniffer@SortMonster.com 
  Sent: Monday, June 06, 2005 4:13 
  PM
  Subject: [sniffer] New Spam/Virus? 
  
  
  Is anyone else seeing a huge rash of 
  spam/virus messages in the last hour or so? I have multiple users 
  that are getting messages that are forging our own addresses and have a 
  link that appears to go to our website but instead goes elsewhere with a 
  IP address link. These do not appear to be infecting as file 
  attachments but from the web link itself. Pete, I have forwarded a 
  few to your spam@ address, let me know what you think.
  
  Jim Matuska Jr.Computer Tech2, 
  CCNANez Perce TribeInformation Systems[EMAIL PROTECTED]


RE: [sniffer] Declude Question

2005-05-26 Thread Colbeck, Andrew
PM Spam volumes in general are up quite a bit since the german sober
PM incident. In the past few days there have been a few new campaigns
PM that have had a very aggressive delivery schedule

For what it's worth, I'm seeing this more today, and in particular, from
a wide number of IPs, instead of a high number of messages from a few
IPs.
I haven't investigated for content.

Andrew 8)


This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html


RE: [sniffer] Rule 353039 - .comcast.net

2005-05-10 Thread Colbeck, Andrew
Thanks for the quick work, Pete.

I put in the Rule-panic entry as soon as you sent the email to this
list.

For what it's worth, I just finished with all my held mail for the last
two days, and I had no false positives from messages with a mailfrom
that included c o m c a s t.

Lots of mail that came from everywhere including ComCast zombies and
possibly servers, and contained ComCast email addresses in the body.
From the sheer bulk of it, it's no wonder that one of your robots
thought c o m c a s t was a good indicator of spam.

The only message that that was held, which a subsequent re-scan with
Sniffer turned up, was actually a W32/[EMAIL PROTECTED] virus (which I don't
expect Sniffer to catch).


Andrew 8)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Tuesday, May 10, 2005 7:28 AM
To: sniffer@sortmonster.com
Subject: [sniffer] Rule 353039 - .comcast.net
Importance: High


Hello Sniffer Folks,

  A rule was created today by one of the robots which targets
  .comcast.net -- This happened when a number of blacklists including
  SBL listed comcast IPs causing the robot to be convinced that a
  message in the spamtrap warranted tagging the domain.

  The rule has been removed and I am pushing out new rulebase
  compilation as quickly as possible. Please do not rush to download
  your rulebase file in response to this --- wait for the update
  notification or else your file is not updated.

  I believe we've caught this quickly enough that most of you will not
  be effected. However, if you suspect that you do have the bad rule
  in your rulebase you can temporarily eliminate the rule by adding
  353039 to your Rule-panic entries in your configuration file.

  The rule cannot be recreated once removed.

  We are very sorry for the confusion.

Thanks,
_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)



This E-Mail came from the Message Sniffer mailing list. For information
and (un)subscription instructions go to
http://www.sortmonster.com/MessageSniffer/Help/Help.html

This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html


RE: [sniffer] Latest medication campaign

2005-04-13 Thread Colbeck, Andrew
On the weekend and since, I saw a lot of them get through but Sniffer
was dutifully catching them, unfortunately, they also served to
highlight Sniffer hyperaccuracy because those messages just weren't
reaching my HOLD weight.

Check out the Message Sniffer change rates for the last few days:

http://www.sortmonster.com/MessageSniffer/Performance/ChangeRates.jsp

Something is definitely going on.  On Sunday, the blue line was almost
the entire New Rule group.

It started me thinking about making Sniffer my hold weight, and then
only applying counterweights.

Meanwhile, I've added SURBL-ish testing with a tiny Declude weight, but
with a combo of the new test and any Sniffer hit, that seems to have
made the difference.  I've only seen 1 undeliverable end up in the
postmaster box, and I've fixed why that happened (I set my skipweight
for various Declude filter text tests too low, so they weren't getting
run when the weight was close to my HOLD weight).

So now it's back to the server room for me.

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff
(Lists)
Sent: Wednesday, April 13, 2005 10:16 AM
To: sniffer@SortMonster.com
Subject: [sniffer] Latest medication campaign


I am seeing a lot of these get through

John T
eServices For You



This E-Mail came from the Message Sniffer mailing list. For information
and (un)subscription instructions go to
http://www.sortmonster.com/MessageSniffer/Help/Help.html

This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html


RE: [sniffer] MDLP Tests

2005-04-02 Thread Colbeck, Andrew
Jay, here's more web information on the mxrate tests:

http://www.mxrate.com/lookup/dns.htm


Andrew 8)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Saturday, April 02, 2005 1:43 PM
To: Jay Sudowski - Handy Networks LLC
Subject: Re: [sniffer] MDLP Tests


On Saturday, April 2, 2005, 4:09:31 PM, Jay wrote:

JSHNL Hello -
 
JSHNL I am reviewing your MDLP report at 
JSHNL http://www.sortmonster.com/MDLP/MDLP-Example-Long.html, and find 
JSHNL some tests that are seemingly quite effective that I'm not 
JSHNL familiar with.  If anyone has any informaiton about these tests, 
JSHNL please let me know:

JSHNL - FABEL (is this the same as FABELSOURCES at
JSHNL http://www.declude.com/Articles.asp?ID=97Redirected=Y?)

FABEL   ip4rspamsources.fabel.dk127.0.0.2

JSHNL - MXRATE-*

MXRATE-BLACKip4rpub.mxrate.net  127.0.0.2
MXRATE-WHITEip4rpub.mxrate.net  127.0.0.3
MXRATE-SUSP ip4rpub.mxrate.net  127.0.0.4

JSHNL - UCEPROTEC*

UCEPROTECRDOip4rdnsbl-1.uceprotect.net  127.0.0.2
UCEPROTECCMUL   ip4rdnsbl-2.uceprotect.net  127.0.0.2
UCEPROTECCVIR   ip4rdnsbl-3.uceprotect.net  127.0.0.2

JSHNL Also, perhaps I am misunderstanding the data, but SNIFFER has a 
JSHNL SQ of .802 - isn't that relatively bad ?

Actually, that's the hyper-accuracy penalty at work. I wrote a bunch
about that on the MDLP page. What's going on is that SNF frequently
catches spam that virtually no other tests are catching yet and as a
result the total weight never reaches the threshold. Every one of those
events shows up counting against it.

We research these periodically (we used to look at them constantly) and
with very rare exceptions we find that these are not false positives.

In fact, on our systems last year SNF had fewer than 10 FP. (several of
those were messages from customers that actually contained examples of
spam, malware, or logs with spammy URI). Of course, our numbers are a
more than bit skewed because the vast majority of traffic on our system
is spam... so we can't use that to calculate a false positive rate
that has any real meaning.

The closest we can really get to an indication of false positive rates
from SNF is to point at our FP rate page:

http://www.sortmonster.com/MessageSniffer/Performance/FalseReportsRates.
jsp

This page shows counts of all false positives reported to us on a daily
basis for all of our customers. At least two of these systems are
service providers with 10 or more licenses which submit false positives
automatically as they are reported from their customers.

So anyway, the short answer is that the SA and SQ values on the SNIFFER
tests are skewed by the hyper-accuracy penalty inherent in how MDLP
develops these scores. The true accuracy values are very much higher and
this is regularly confirmed by both hard reviews of the data and
anecdotal evidence from our customers.

Hope this helps,

_M




This E-Mail came from the Message Sniffer mailing list. For information
and (un)subscription instructions go to
http://www.sortmonster.com/MessageSniffer/Help/Help.html

This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html


[sniffer] Money, drugs, and sex

2005-03-22 Thread Colbeck, Andrew
http://www.sophos.com/spaminfo/articles/spamwords.html

Interesting, but a pity they didn't publish a list of, say, their 1,000
most popular obfuscations.

Andrew 8)

This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html


[sniffer] mini-obfuscation

2005-03-22 Thread Colbeck, Andrew
Wow, Pete!  Wow.

I didn't feel I could measure up to adding on to that thread, so I
started over.

Although the search space is theoretically huge (you pointed out the
marketecture of large numbers), in practice, the spammers mostly use the
grains quite close to the marble and use the grains over again for a
while.

How many times have we all been frustrated that a piece of spam ending
up in *OUR* mailbox that was s close in content to spam we whacked
yesterday?

I thought the top n obfuscations might be interesting to look at, and
perhaps a shortcut  (temporary, albeit) for spam catching.  I thought we
might see whether, for example, broken URLs, fake comments, or high-bit
ASCII character substitutions were the obfuscation technique du jour.

I while back curiousity got the better of me (it was raining, and I had
a few days off) and I did a few grep sweeps on a warm spam corpus.

I was disappointed in my success rate for:

v.?i.?a.?g.?r.?a.?

and similar queries with deliberately substitutions (e.g. using a 1
for i).  I started writing a grep-generating-permutation engine and
decided my time was better spent on scritching my cat under his chin.

Of course, I have a lot more time for my cat since I implemented
Sniffer.

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Tuesday, March 22, 2005 4:37 PM
To: Colbeck, Andrew
Subject: Re: [sniffer] Money, drugs, and sex


On Tuesday, March 22, 2005, 4:47:30 PM, Andrew wrote:

CA http://www.sophos.com/spaminfo/articles/spamwords.html

CA Interesting, but a pity they didn't publish a list of, say, their 
CA 1,000 most popular obfuscations.

If you do the math then 1000 wouldn't even scratch it. One way to attack
this ( at least one of the ways we do it in Message Sniffer ) is to
apply some obfuscation algorithms to each word in the list using some
generic expansion patterns -- this helps to simplify the problem a bit.

For example, one obfuscation algorithm is to insert a single extra
character in the word. If you take the word obfuscation and apply this
expansion algorithm you get something like:

o~bfuscation
ob~fuscation
obf~uscation
...
obfuscatio~n

where ~ represents any random character.

Then think about adding two characters...

...
ob~fusc~ation
...

Then think about breaking the word with an empty anchor at any of the
places where you would insert a character...

...
obfusa href=http://yo-mama.it;/acation
...

and so on...

Of course, you can't simply apply all of the possible obfuscation
algorithms, and you can't completely exercise each one that you do
try... you have to pick and choose and learn as you go because otherwise
you would simply never finish the job. ***

If you iterate through all of the permutations and count them then the
numbers become astronomical... as in viagra can be obfuscated (and
detected by their fine software) more than 5,600,000,000 different ways
ahem. That's market speak for look how powerful our software is
-whoooah!

This is similar to a lot of other AI problems too and it's probably why
I'm involved since I love AI work. In most AI problems if you add up all
of the possible solutions to the problem you usually come up with a
number you couldn't possibly write down without writing the formula
instead. That is, the number would be so large that you would probably
die of old age before you actually finished writing all the digits. In
the AI world we talk about this huge sea of possibilities as a solution
space.

If you tried to check every possible solution one by one until you found
the best answer it would take you forever. This is called a brute force
attack. It's also what makes the big numbers seem impressive, and what
makes most encryption schemes work.###

Since we don't usually have forever, we do something else in the AI
world. We use algorithms to search the solution space for the best
answer. That is, rather than just going through the possible solutions
one at a time as we come to them (brute force) we try to figure out
which ones to look at and which ones to skip. The way we make that
decision is to use an algorithm that leverages special rules of thumb
(heuristics) to help us search the solution space more efficiently. This
effectively reduces the solution space and makes it possible to come
up with an answer that is good enough+++ within the time we have.

So, when they talk about recognizing more than 5 billion different
obfuscated forms of the word viagra they are really just estimating how
many of the permutations their heuristics are able to eliminate from the
solution space. (A more accurate way to think about it might be that a
single heuristic for a particular obfuscated word covers a large amount
of the solution space all at once. Since it's already been covered it
doesn't have to be searched -- the extra work is eliminated as compared
to a brute-force attack.)

For example: Suppose you have a sandbox into which someone has

RE: [sniffer] New change rates analysis

2005-02-20 Thread Colbeck, Andrew
http://www.sortmonster.com/MessageSniffer/Performance/ChangeRates.jsp


Oooh, pretty!

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Sunday, February 20, 2005 3:52 PM
To: sniffer@sortmonster.com
Subject: [sniffer] New change rates analysis


Hello Sniffer Folks,

  I have updated the change rates analysis page to show a bar graph of
  the recently created rules and their relative strengths (by age).
  This replaces the old text report we had before, though the data is
  still the same and then some.

  Comments welcome.

Thanks,
_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)



This E-Mail came from the Message Sniffer mailing list. For information
and (un)subscription instructions go to
http://www.sortmonster.com/MessageSniffer/Help/Help.html

This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html


RE: [sniffer] Determine Version

2005-02-19 Thread Colbeck, Andrew
Title: Message



Yup, 
just type the executable's filename in a command window, and the version 
information is on the last couple of lines in the resulting 
help.

Andrew 
8)

p.s. 
My version says build - v2-3.2 Nov 23 2004 01:21:33

  
  -Original Message-From: Keith Johnson 
  [mailto:[EMAIL PROTECTED] On Behalf Of Keith 
  JohnsonSent: Saturday, February 19, 2005 8:20 AMTo: 
  sniffer@SortMonster.comSubject: Determine 
  Version
  Is there a easy way to determine the Sniffer version you are running 
  (i.e. command line or the like)? Thanks for the aid.
  
  Keith
  



RE: [sniffer] Lists Ping?

2005-02-10 Thread Colbeck, Andrew
Hey, John.

Who are you talking to?  Gee the lists are quiet.


Andrew 8)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff
(Lists)
Sent: Thursday, February 10, 2005 9:46 AM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] Lists Ping?


Your ping was not received.

You must have done something wrong.

No one is here.

No one is home.

:\

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED]
On
 Behalf Of Marc Catuogno
 Sent: Thursday, February 10, 2005 9:35 AM
 To: sniffer@SortMonster.com
 Subject: [sniffer] Lists Ping?
 
 Is it just me or are all the lists (Imail, Declude V and JM and this 
 one
 offline??)
 
 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED]
 On Behalf Of Pete McNeil
 Sent: Tuesday, February 08, 2005 5:18 PM
 To: Bill Green dfn Systems
 Subject: Re: [sniffer] ERROR message in snifferp Command Prompt window
 
 On Tuesday, February 8, 2005, 3:20:25 PM, Bill wrote:
 
 BGdS I have started seeing this line repeated in the persistent 
 BGdS sniffer
 command
 BGdS window.
 
 BGdS ERROR_LOGFILE: Bad Lock During Logging 
 BGdS c:\imail\declude\sniffer\mycode.log
 
 BGdS It looks like the error has been happening once a day for about 
 BGdS a
 week.
 BGdS Other than the message all seems to be working well. Where 
 BGdS should I
 look for
 BGdS the cause?
 
 The first clue I can see is that it happens once per day... Chances 
 are there is a scheduled process interfering with the log file, the 
 storage system in general (perhaps some backups or other IO intensive 
 operation).
 
 Locking is a very lightweight mechanism in SNF because most operations

 are synchronized and sequential. If you are only seeing one of these 
 per day then there is no cause to worry - but do keep an eye on it so 
 that it doesn't get worse without you knowing it.
 
 A bad lock is probably a stale lock file --- The protocol would be to 
 simply ignore the lock after waiting the appropriate amount of time.
 
 In theory, no lock should be required to write to the log file because

 it is opened in append mode. Unfortunately on Win32 based systems 
 this doesn't mean what it should. That is, write operations are not 
 'atomic' --- so if more than one process tries to append to the log 
 file at once the result is unpredictable corruption.
 
 The locking mechanism we're using here (creating a lock semaphore
 file) is only intended to synchronize access to the file since Win32 
 doesn't. The fact that one process will wait - even if the lock fails
 - usually accomplishes this task. If the process were to fail and two 
 processes wrote (append) to the log file at once then it is possible, 
 but not certain, that log corruption would occur -- which is not 
 strictly vital for the odd record here and there.
 
 Hope this helps,
 
 _M
 
 
 
 This E-Mail came from the Message Sniffer mailing list. For 
 information
and
 (un)subscription instructions go to 
 http://www.sortmonster.com/MessageSniffer/Help/Help.html
 ---
 [This E-mail scanned for viruses by Declude Virus]
 
 
 
 ---
 [This E-mail scanned for viruses by Declude Virus]
 
 
 This E-Mail came from the Message Sniffer mailing list. For 
 information
and
 (un)subscription instructions go to 
 http://www.sortmonster.com/MessageSniffer/Help/Help.html


This E-Mail came from the Message Sniffer mailing list. For information
and (un)subscription instructions go to
http://www.sortmonster.com/MessageSniffer/Help/Help.html

This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html


[sniffer] OT - Microsoft Patch Day - Exchange and SMTP updates

2005-02-10 Thread Colbeck, Andrew
Hello, all.

Aside from the usual Internet Explorer and Office patches, this patch
cycle also includes an update to the October update MS04-035 which
affects a DNS query vulnerability in the SMTP handling in Windows
2000/2003 as well as Exchange 2003.

http://www.microsoft.com/technet/security/bulletin/ms04-035.mspx


This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html


  1   2   >