[sniffer] assert! ?

2007-03-20 Thread Jay Sudowski - Handy Networks LLC
What's the status of Assert!?  I see this mentioned in your Wiki in
August of 05, but it's coming soon on your web site?

Thanks!
-
Jay Sudowski // Handy Networks LLC

Director of Technical Services
Providing Premium Reseller, Dedicated and
Colocation Hosting Solutions
Tel: 303-414-6902|  Fax: 303-414-6912

www.handynetworks.com



#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
To unsubscribe, E-mail to: [EMAIL PROTECTED]
To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED]
To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]
Send administrative queries to  [EMAIL PROTECTED]



[sniffer] Re: Integration with Mailenable

2007-03-17 Thread Jay Sudowski - Handy Networks LLC
Hi Phil -

Good question.  We integrate Sniffer into SmarterMail via Declude.
However, SmarterMail does have the capability to run a program against a
message before it is delivered.  We have some customers that use a batch
file to call f-prot and get virus scanning integrated into their mail
server on the cheap.  I believe it would likely be possible to make use
of the same functionality to call Sniffer directly, and thus avoid
having to purchase Declude.  I have just never had a need to attempt
this.

As for domain keys, I don't believe so.  However, you can set up
SPF for your domains simply by adding the appropriate DNS records to
said domains' zone files.

-Jay

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On
Behalf Of Phillip Cohen
Sent: Friday, March 16, 2007 12:01 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Integration with Mailenable


Jay,

Thanks for the heads up on Mailenable. I took a look at SmarterMail
and it looks pretty good. How does it interface with Message Sniffer
or does it require an external gateway such as EWall? How has
support been with it and how have they been as far as updates? Also
does it have domain keys capability and SPF support for sending
mail to yahoo.com etc...

Thanks,

Phil


At 07:26 PM 3/15/2007, you wrote:
Stay Away From MailEnable.

There are so many exploits out there for MailEnable, and there are more
exploits found monthly, if not weekly.  At one particular interval,
MailEnable had to re-release the same patch several times in the *same*
week because it kept on not actually fixing the root of the issue.  If
you run MailEnable, odds are that you will end up exploited, even if you
stay on top of the patches.

On top of that, MailEnable is just simply a CPU and IO hog, much more so
than any other mail server I have ever seen.  By default, they use
entirely text based configuration files, which on occasion get truncated
to zero during periods of high activity on the server.

In the past year, we have assisted our customers in moving 20,000+
mailboxes away from MailEnable, mostly all to SmarterMail.  Do not waste
your time and money with MailEnable.

-Jay

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On
Behalf Of Phillip Cohen
Sent: Thursday, March 15, 2007 12:22 PM
To: Message Sniffer Community
Subject: [sniffer] Integration with Mailenable


We are finally going to replace our old Vopmail server. Looking at
Mailenable Enterprise. Will Sortmonster work with that program? Is
anyone using Mailenable? If so how is it and if it works with
Sortmonster how did you use them together.

Thanks,

Phil





[sniffer] Re: Integration with Mailenable

2007-03-17 Thread Jay Sudowski - Handy Networks LLC
Re: domain keys: I was looking at that in some older forum posts, and
from what I could tell it only did inbound authentication, not outbound
signing.  But apparently it does DK both ways now.  Sorry!  

 

I like SmarterMail, but as Matt says it's not perfect.  Their support is
definitely lacking, even though it's totally paid now, and they have a
very rapid development cycle (which is not a bad thing), but they really
like to stick it to folks who bought an old version just prior to the
release of a new version by making them pay full upgrade price.  Not
very customer friendly.  The CEO seems to be totally missing that point
and interacts with customers in public forums using a very arrogant
tone. OTOH, they allow service providers to hand out free 50 domain /
250 user licenses to any of their customers, in the hopes that the
customer will need to upgrade to a larger edition.  This is good for the
service provider and very good for folks who fit into the free license
size.

 

And yes, ME really is a dog - poor performance, poor code, poor overall
implementation.

 

-Jay

 



From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On
Behalf Of Matt
Sent: Saturday, March 17, 2007 3:06 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Integration with Mailenable

 

There is in fact a Domain Keys plug-in for SmarterMail listed on their
downloads page:

http://www.smartertools.com/Products/SmarterMail/DL/v4.aspx

Personally I'm not a fan of any present sender identification
implementation.  Both SPF and Domain Keys are primarily associated with
spam by volume, and SPF can cause one's customers issues when they do
things like use alternative SMTP servers or find themselves behind an
SMTP proxy at a hotel or T-Mobile HotSpot...but I digress.

I think that both IMail and SmarterMail are decent products, but neither
one of them is perfect.  SmarterMail certainly has a lower cost of
entry.  I would trust Jay's experience with MailEnable considering his
extensive experience.

Matt



Jay Sudowski - Handy Networks LLC wrote: 

Hi Phil -
 
Good question.  We integrate Sniffer into SmarterMail via Declude.
However, SmarterMail does have the capability to run a program against a
message before it is delivered.  We have some customers that use a batch
file to call f-prot and get virus scanning integrated into their mail
server on the cheap.  I believe it would likely be possible to make use
of the same functionality to call Sniffer directly, and thus avoid
having to purchase Declude.  I have just never had a need to attempt
this.
 
As for domain keys, I don't believe so.  However, you can set up
SPF for your domains simply by adding the appropriate DNS records to
said domains' zone files.
 
-Jay
 
-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On
Behalf Of Phillip Cohen
Sent: Friday, March 16, 2007 12:01 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Integration with Mailenable
 
 
Jay,
 
Thanks for the heads up on Mailenable. I took a look at SmarterMail
and it looks pretty good. How does it interface with Message Sniffer
or does it require an external gateway such as EWall? How has
support been with it and how have they been as far as updates? Also
does it have domain keys capability and SPF support for sending
mail to yahoo.com etc...
 
Thanks,
 
Phil
 
 
At 07:26 PM 3/15/2007, you wrote:

Stay Away From MailEnable.

There are so many exploits out there for MailEnable, and there are more
exploits found monthly, if not weekly.  At one particular interval,
MailEnable had to re-release the same patch several times in the *same*
week because it kept on not actually fixing the root of the issue.  If
you run MailEnable, odds are that you will end up exploited, even if you
stay on top of the patches.

On top of that, MailEnable is just simply a CPU and IO hog, much more so
than any other mail server I have ever seen.  By default, they use
entirely text based configuration files, which on occasion get truncated
to zero during periods of high activity on the server.

In the past year, we have assisted our customers in moving 20,000+
mailboxes away from MailEnable, mostly all to SmarterMail.  Do not waste
your time and money with MailEnable.
 
-Jay
 
-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED]
On
Behalf Of Phillip Cohen
Sent: Thursday, March 15, 2007 12:22 PM
To: Message Sniffer Community
Subject: [sniffer] Integration with Mailenable
 
 
We are finally going to replace our old Vopmail server. Looking
at
Mailenable Enterprise. Will Sortmonster work with that program

[sniffer] Re: Integration with Mailenable - Domain Keys

2007-03-17 Thread Jay Sudowski - Handy Networks LLC
I really don't see why it wouldn't be possible to do.  Here is the script 
that's used for f-prot:

-
@REM SmarterMail runs this before delivery; %1 is the path of the message file.
SET ERR=0
@REM Quote paths that contain spaces; %~1 strips any quotes SmarterMail already added so the path is not double-quoted.
call "C:\Program Files\FSI\F-Prot\fpcmd.exe" -silent -auto -ai -archive -saferemove -disinf -del -append -report="C:\SmarterMail\logs\virusscan.log" "%~1"
@REM The script treats exit code 0 as clean; anything else is quarantined.
IF NOT ERRORLEVEL 1 GOTO CLEAN
@REM IF ERRORLEVEL n matches any exit code >= n, so the last matching line wins and ERR ends up holding the code (capped at 6).
IF ERRORLEVEL 1 SET ERR=1
IF ERRORLEVEL 2 SET ERR=2
IF ERRORLEVEL 3 SET ERR=3
IF ERRORLEVEL 4 SET ERR=4
IF ERRORLEVEL 5 SET ERR=5
IF ERRORLEVEL 6 SET ERR=6
@REM echo Virus scanned by F-Prot (%ERR%) viruses found %~1
MOVE /Y "%~1" "C:\SmarterMail\Viruses"
GOTO END
:CLEAN
@REM echo Virus scanned by F-Prot (%ERR%) viruses found %~1
:END
-

I think you should be able to modify it so that it calls Sniffer, rather than 
FProt.  %1 is the path to the mail file.  Based upon the error code/return 
code, you could then delete/hold spam detected by Sniffer accordingly. 

As for SM not having a GUI, it really hasn't been an issue for us...

-Jay

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Chris 
Bunting
Sent: Saturday, March 17, 2007 4:03 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Integration with Mailenable - Domain Keys

The other issue with SmarterMail is it doesn't have any gui.  Which I guess 
isn't a bad thing.  But I sometimes like a gui for certain things.  Also 
Declude seemed very expensive to use with sniffer

Sent via my BlackBerry
- Ask me about it!  

-Original Message-
From: E. H. \(Eric\) Fletcher [EMAIL PROTECTED]
Date: Sat, 17 Mar 2007 14:42:43 
To:Message Sniffer Community sniffer@sortmonster.com
Subject: [sniffer] Re: Integration with Mailenable - Domain Keys

Phil / Jay:

I am also looking at SmarterMail as an addition to or replacement for 
several IMail servers and looking at calling MessageSniffer from it without 
Declude because of the Declude bundling of things we don't want or see value 
in.  While doing a little more reading on the SmarterTools site I saw a link 
that addresses your discussion on domain keys:

http://smartermail.exhalus.net/domainkeys/


Eric

- Original Message - 
From: Jay Sudowski - Handy Networks LLC [EMAIL PROTECTED]
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Saturday, March 17, 2007 1:43 PM
Subject: [sniffer] Re: Integration with Mailenable


Hi Phil -

Good question.  We integrate Sniffer into SmarterMail via Declude.
However, SmarterMail does have the capability to run a program against a
message before it is delivered.  We have some customers that use a batch
file to call f-prot and get virus scanning integrated into their mail
server on the cheap.  I believe it would likely be possible to make use
of the same functionality to call Sniffer directly, and thus avoid
having to purchase Declude.  I have just never had a need to attempt
this.

As for domain keys, I don't believe so.  However, you can set up
SPF for your domains simply by adding the appropriate DNS records to
said domains' zone files.

-Jay

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On
Behalf Of Phillip Cohen
Sent: Friday, March 16, 2007 12:01 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Integration with Mailenable


Jay,

Thanks for the heads up on Mailenable. I took a look at SmarterMail
and it looks pretty good. How does it interface with Message Sniffer
or does it require an external gateway such as EWall? How has
support been with it and how have they been as far as updates? Also
does it have domain keys capability and SPF support for sending
mail to yahoo.com etc...

Thanks,

Phil


At 07:26 PM 3/15/2007, you wrote:
Stay Away From MailEnable.

There are so many exploits out there for MailEnable, and there are more
exploits found monthly, if not weekly.  At one particular interval,
MailEnable had to re-release the same patch several times in the *same*
week because it kept on not actually fixing the root of the issue.  If
you run MailEnable, odds are that you will end up exploited, even if you
stay on top of the patches.

On top of that, MailEnable is just simply a CPU and IO hog, much more so
than any other mail server I have ever seen.  By default, they use
entirely text based configuration files, which on occasion get truncated
to zero during periods of high activity on the server.

In the past year, we have assisted our customers in moving 20,000+
mailboxes away from MailEnable, mostly all to SmarterMail.  Do not waste
your time and money with MailEnable.

-Jay

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On
Behalf Of Phillip Cohen
Sent: Thursday, March 15, 2007 12:22 PM
To: Message Sniffer Community
Subject: [sniffer] Integration with Mailenable


We are finally going to replace our old Vopmail server. Looking at
Mailenable Enterprise. Will Sortmonster work with that program? Is
anyone using Mailenable? If so how is it and if it works with
Sortmonster how did you use them together.

Thanks,

Phil

[sniffer] Re: Integration with Mailenable

2007-03-15 Thread Jay Sudowski - Handy Networks LLC
Stay Away From MailEnable.  

There are so many exploits out there for MailEnable, and there are more
exploits found monthly, if not weekly.  At one particular interval,
MailEnable had to re-release the same patch several times in the *same*
week because it kept on not actually fixing the root of the issue.  If
you run MailEnable, odds are that you will end up exploited, even if you
stay on top of the patches.

On top of that, MailEnable is just simply a CPU and IO hog, much more so
than any other mail server I have ever seen.  By default, they use
entirely text based configuration files, which on occasion get truncated
to zero during periods of high activity on the server.

In the past year, we have assisted our customers in moving 20,000+
mailboxes away from MailEnable, mostly all to SmarterMail.  Do not waste
your time and money with MailEnable.

-Jay

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On
Behalf Of Phillip Cohen
Sent: Thursday, March 15, 2007 12:22 PM
To: Message Sniffer Community
Subject: [sniffer] Integration with Mailenable


We are finally going to replace our old Vopmail server. Looking at 
Mailenable Enterprise. Will Sortmonster work with that program? Is 
anyone using Mailenable? If so how is it and if it works with 
Sortmonster how did you use them together.

Thanks,

Phil





[sniffer] Re: Sniffer as passthrough filter

2007-03-15 Thread Jay Sudowski - Handy Networks LLC
Just to add: whatever you do in regards to this, make sure that you do
recipient address validation at your gateway.  If you do not, your mail
server will relay all messages for the gateway'd domain to the
destination server, which has the effective impact of enabling a
catch-all account on a domain and then forwarding all the mail to a
remote system.

-Jay 

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On
Behalf Of John T (lists)
Sent: Thursday, March 08, 2007 11:44 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Sniffer as passthrough filter


Yes, it is called email gateway service and many of us do that and it is
fairly straightforward to set up but there are a number of steps.

John T

 -Original Message-
 From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On
Behalf
 Of K Mitchell
 Sent: Thursday, March 08, 2007 6:16 PM
 To: Message Sniffer Community
 Subject: [sniffer] Sniffer as passthrough filter
 
   I've been running Message Sniffer here with IMail and mxGuard for a
 number of the domains we service. I have another customer that runs
 their own Exchange server, and wishes to continue doing so, but inquired
 as to the possibility of us doing pass-through filtering for them. Is
 this possible with the setup I have?
 
 Thanks,
 
 --
 Kirk Mitchell-General Manager[EMAIL PROTECTED]
 Keystone Connect Unlock Your World
 Altoona, PA  814-941-5000   http://www.keyconn.net
 
 






[sniffer] Re: Uploading problems

2006-12-07 Thread Jay Sudowski - Handy Networks LLC
You will very likely need to use passive mode then, as TCP Port
filtering works very much the same way as a firewall, at least as it
applies to FTP.

-Jay


-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On
Behalf Of K Mitchell
Sent: Thursday, December 07, 2006 11:29 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Uploading problems


At 10:22 PM 12/7/2006 -0500, Pete McNeil wrote:
Hello K,

   At this point it just hangs, no transfer occurring. In the event
 that it might be transferring but not displaying the hash marks, I left
 it sit for over 30 minutes (10mb logfile)...nothing. I'm not sure what
 else to try.

What you've described usually goes along with a firewall problem.
Firewalls and FTP are always a challenge. What seems to be happening
is that the command channel is working fine, but when it's time to set
up the data channel that fails- and so you don't get any data.

  There is no firewall. I have TCP port filtering set up on the machine,
but both 20 and 21 are open.





-- 
Kirk Mitchell-General Manager[EMAIL PROTECTED]
Keystone Connect Unlock Your World
Altoona, PA  814-941-5000   http://www.keyconn.net






[sniffer] Re: Experimental Abstract

2006-10-09 Thread Jay Sudowski - Handy Networks LLC
I was setting a lower weight on the experimental/abstract result codes
due to inconsistent results in the past.  However, after a review of
customer spam that was still getting through, I increased the weighting
on those codes to equal our hold weight.  Customer is much happier now.

-Jay

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On
Behalf Of Pete McNeil
Sent: Monday, October 09, 2006 6:15 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Experimental Abstract

Hello Alberto,

In earlier times we had a philosophy that no single test should trap a
message. The idea was that by combining tests the accuracy of the
filter system would always (qualified) be improved.

The blackhats have become extremely aggressive about burning IPs and
generating image spam and/or other abstracted, short lived, and
narrowly targeted campaigns.

As a result of these changes, it is often the case that our abstract
rules are the only thing that will fire on a message.

The bad news is that holding on any single test will probably lead to
more false positives.

The good news is that SNF:Experimental/Abstract has a very low false
positive rate.

It may be time to alter our philosophy w/ regard to the
experimental/abstract rules group and recommend that wherever
practical, messages should probably be held (not deleted) based on a
hit in this rule group.

Hope this helps,

_M

Monday, October 9, 2006, 5:59:44 PM, you wrote:

 Hello

 I'm getting storms of spam and Sniffer sets them as (Experimental
 Abstract)
 Can someone explain how I have to treat them?

 Many thanks in advance
 Alberto






-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





Re: [sniffer]Possible Paypal Phishing

2006-05-24 Thread Jay Sudowski - Handy Networks LLC
The owner of a domain need not authorize a reverse DNS PTR record in any
way, shape or form.  If the netblock was owned, or the netblock owner
had delegated rDNS to a malicious customer, they could easily set rDNS
to whatever they wanted.  Aol.com, paypal.com, ebay.com, chase.com ...

-Jay
-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On
Behalf Of Colbeck, Andrew
Sent: Wednesday, May 24, 2006 12:38 PM
To: Message Sniffer Community
Subject: Re: [sniffer]Possible Paypal Phishing

It's really from PostDirect.com aka YesMail.com ...

You can tell that it's authorized because the reverse DNS which ends in
PayPal.com (ok, that does set off alarm bells when it's someone else's
netblock) matches the forward lookup of the resulting address at PayPal.

Therefore, PayPal is deliberately allowing that reverse IP in someone
else's netblock.

That, or both the netblock and PayPal's DNS have been p0wned.

Andrew 8)



 -Original Message-
 From: Message Sniffer Community 
 [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
 Sent: Wednesday, May 24, 2006 9:31 AM
 To: Message Sniffer Community
 Subject: [sniffer]Possible Paypal Phishing
 
 Attached are the headers to an e-mail I am suspecting as a 
 clever phishing that has me worried.
 
 It looks like a legit message sent on behalf of Paypal, 
 however, it is sent from an IP address not owned by Paypal 
 BUT which has a REVDNS that ends in paypal.com.
 
 The message is full of links to images.postdirect.com but 
 does have legit links to paypal.com.
 
 John T
 eServices For You
 
 Seek, and ye shall find!
 
 

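The check Andrew applies above, as an added example that is not from the thread or from the Message Sniffer project: a PTR under the brand's domain is treated as forward-confirmed only when that name also resolves back to the connecting IP, which separates Andrew's case from Jay's (a PTR that whoever controls the reverse zone set on their own). The domains, addresses, Received header and resolver tables below are constructed; the live_ptr/live_forward functions use the system resolver instead.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check for a mail source.

A PTR is published by whoever controls the netblock's reverse zone, so a
PTR ending in the brand's domain proves nothing by itself; only a PTR that
also resolves forward to the same IP shows the domain owner took part.
"""
import ipaddress
import re
import socket
from typing import Callable, Iterable, Optional

PtrLookup = Callable[[str], Optional[str]]
ForwardLookup = Callable[[str], Iterable[str]]

def live_ptr(ip: str) -> Optional[str]:
    """PTR lookup via the system resolver; None when nothing is published."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def live_forward(name: str) -> Iterable[str]:
    """A-record lookup via the system resolver; empty when the name is dead."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.herror, socket.gaierror):
        return []

def in_domain(hostname: str, domain: str) -> bool:
    """Label-aware suffix test: 'example.com.attacker.test' must not pass."""
    h = hostname.rstrip(".").lower()
    d = domain.rstrip(".").lower()
    return h == d or h.endswith("." + d)

def classify_source(ip: str, claimed_domain: str,
                    ptr_lookup: PtrLookup = live_ptr,
                    forward_lookup: ForwardLookup = live_forward):
    """Return (verdict, ptr_name): fcrdns, ptr-only, ptr-outside-domain or no-ptr.

    'ptr-only' is Jay's case: the PTR sits under claimed_domain, but the
    domain owner never published a forward record pointing back at ip.
    """
    addr = str(ipaddress.ip_address(ip))  # ValueError on garbage input
    ptr = ptr_lookup(addr)
    if ptr is None:
        return "no-ptr", None
    if not in_domain(ptr, claimed_domain):
        return "ptr-outside-domain", ptr
    forward = {str(ipaddress.ip_address(a)) for a in forward_lookup(ptr)}
    if addr in forward:
        return "fcrdns", ptr  # Andrew's case: forward lookup agrees
    return "ptr-only", ptr

# Connecting address as most MTAs write it into Received: headers: [ip].
_BRACKETED_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

def connecting_ip(received_header: str) -> Optional[str]:
    """Extract the bracketed connecting IP from one Received: header line."""
    m = _BRACKETED_IP.search(received_header)
    if m is None:
        return None
    try:
        return str(ipaddress.ip_address(m.group(1)))
    except ValueError:
        return None

# Constructed zone data standing in for live DNS so the demo runs offline.
SAMPLE_PTR = {
    "203.0.113.10": "bounce7.mail.example.com",      # forward record agrees
    "198.51.100.7": "secure.example.com",            # PTR only, forward disagrees
    "198.51.100.8": "mx.example.com.attacker.test",  # look-alike suffix
    "198.51.100.9": "mta1.other-esp.test",           # unrelated sender
}
SAMPLE_FORWARD = {
    "bounce7.mail.example.com": ["203.0.113.10"],
    "secure.example.com": ["192.0.2.50"],
    "mx.example.com.attacker.test": ["198.51.100.8"],
    "mta1.other-esp.test": ["198.51.100.9"],
}

def assess_received(received_header: str, claimed_domain: str = "example.com"):
    """Run the check on a Received: header against the constructed zone data."""
    ip = connecting_ip(received_header)
    if ip is None:
        return "no-ip", None
    return classify_source(ip, claimed_domain, SAMPLE_PTR.get,
                           lambda n: SAMPLE_FORWARD.get(n, []))

if __name__ == "__main__":
    # Constructed header in the shape of the one discussed in the thread.
    hdr = ("Received: from bounce7.mail.example.com "
           "(bounce7.mail.example.com [203.0.113.10]) by mx.example.net")
    print(assess_received(hdr))
```

A "ptr-only" verdict is the one to treat with suspicion: it is exactly the situation Jay describes, where the reverse zone owner chose the name and the brand's DNS had no say.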




RE: [sniffer] New Rulebot F001

2006-03-06 Thread Jay Sudowski - Handy Networks LLC
There's been at least one FP ;)

--
Rule - 861038
Name    F001 for Message 2888327: [216.239.56.131]
Created 2006-03-02
Source  216.239.56.131
Hidden  false
Blocked false
Origin  Automated-SpamTrap
Type    ReceivedIP
Created By  [EMAIL PROTECTED]
Owner   [EMAIL PROTECTED]
Strength2.08287379496965
False Reports   0
From Users  0
[FPR:B]

The rule is below threshold, and/or badly or broadly coded so it will be
removed from the core rulebase.


My concern with automated IP rule coding is that we use Sniffer because
it's extremely accurate.  Coding rules linked to IPs, particularly IPs
that are used by google or any large ISP to send large amounts of
(mostly legitimate) email is contrary to what Sniffer is great at, which
is tagging spam that no one else is.

Is response code 63 going to be utilized for any other purposes?  If
not, I will let Declude know to weight these responses lower than normal
Sniffer.

- Jay 
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Monday, March 06, 2006 3:00 PM
To: sniffer@sortmonster.com
Subject: [sniffer] New Rulebot F001

Hello Sniffer folks,

  The first of the new rulebots is coming online.

  Rulebot F001 creates IP rules for sources that consistently fail
  many tests while also reaching the cleanest of our spamtraps.

  The rules will appear in group 63.

  The bot is playing catchup a bit (since there have been few IP rules
  at all since we disabled the old bots).

  The algorithms used in this bot have been tested manually for 2
  weeks with no false positives.

  Expect an increase in your rulebase size while F001 catches up with
  current spamtrap data.

Thanks,

_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)
Chief Scientist (www.armresearch.com)


This E-Mail came from the Message Sniffer mailing list. For information
and (un)subscription instructions go to
http://www.sortmonster.com/MessageSniffer/Help/Help.html





RE: [sniffer] False Positives

2006-02-15 Thread Jay Sudowski - Handy Networks LLC
Search your sniffer logs and include the log lines for that particular
message.

-Jay

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kevin Rogers
Sent: Wednesday, February 15, 2006 3:55 PM
To: sniffer@SortMonster.com
Subject: [sniffer] False Positives

My users have been getting a lot of FPs by Sniffer lately.  They send me

the email with the FULL HEADERS displayed and I forward this email on to

SortMonster.  The program they use to analyze incoming submissions check

MY email headers, determine that SNIFFER was not at fault and sends me 
back an email saying it didn't find any flags.  How the heck am I 
supposed to submit FPs from my users to SNIFFER?!!  I also save my 
user's email and attach it to my submissions to sortmonster, but these 
too are not flagged.

Very frustrating, esp since SNIFFER FPs are particularly dangerous since

I give it so much weight.

---
[This E-mail was scanned for viruses.]





RE: [sniffer] Joe Jobs...

2005-12-15 Thread Jay Sudowski - Handy Networks LLC
Generally because they don't know any better.  Backscatter just makes
the problems 10 times worse.

-Jay

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kevin Stanford
Sent: Thursday, December 15, 2005 1:11 PM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] Joe Jobs...

That brings a question up...why do some/many/most postmasters feel that
it is so important to notify senders of a virus to a spoofed email
address?  Also, I have yet to see a legitimate email that contained a
virus..so why not turn the notification off altogether?

Just curious...

Kevin 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
On Behalf Of Pete McNeil
Sent: Thursday, December 15, 2005 11:30 AM
To: sniffer@sortmonster.com
Subject: [sniffer] Joe Jobs...

Hello Sniffer Folks,

  Please be aware that there are several spam and possibly virus
  (other malware?) campaigns being transmitted with my madscientist
  address and possibly other addresses from our company in the From:
  headers and SMTP envelope.

  Though this has happened in the past at low levels, I have noted
  recently a very high level of bounces and warnings returning to me
  (erroneously) from systems that claim they have received viruses and
  spam from my address.

  I suspect that this might have been triggered by recent press
  activity, - especially a Washington Post article which included my
  email address without modification.

  If you receive any of these messages, please treat them as the
  spam/malware that they are and ignore the source.

  I have verified that we are not sending any such messages
  (unintentionally) from any of our systems.

Thanks,
_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)
Chief Scientist (www.armresearch.com)




RE: [sniffer] YAhoo mails failing sniffer?

2005-09-21 Thread Jay Sudowski - Handy Networks LLC
I noticed some as well.  We received one confirmed fp report, which I
sent in yesterday, but a look at the logs showed potentially up to 5
messages that were sent from legit Yahoo mail servers, that could have
been legit mail that sniffer caught.  Still haven't received a response
on the fp submission either.

Thanks!
-
Jay Sudowski // Handy Networks LLC

Director of Technical Operations
Providing Shared, Reseller, Semi Managed and Fully Managed Windows 2003
Hosting Solutions
Tel: 877-70 HANDY x882 |  Fax: 888-300-2FAX
www.handynetworks.com

 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of William Van Hefner
Sent: Thursday, September 22, 2005 12:24 AM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] YAhoo mails failing sniffer?

I got a record number of false-positives from Sniffer yesterday. The
category was always Scam Patterns. Two of them were from Yahoo! as well.
Although the total was low (something like four FP's total), that is
more in one day than I usually see in a month with Sniffer. There must
have been some incredibly badly written code that slipped through, as
they were personal e-mails that should never have been tagged. Personal
e-mails are really the only ones that I truly consider false positives.
I get dozens of mailing list messages trapped each month, but I don't
consider those a big deal. Customers rarely miss these. I very, very
rarely see any truly personal e-mails get trapped by Sniffer though.
Hopefully, they have already fixed the problem. I haven't seen any as of
this afternoon.


William Van Hefner
Network Administrator

Vantek Communications, Inc.
555 H Street, Ste. C
Eureka, CA 95501
707.476.0833 ph
800-331.4638 fx 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Marc Catuogno
 Sent: Wednesday, September 21, 2005 9:09 PM
 To: sniffer@SortMonster.com
 Subject: [sniffer] YAhoo mails failing sniffer?
 
 
 I'm seeing a few legit e-mails from Yahoo failing sniffer.  
 Anyone else?
 
 ---
 [This E-mail scanned for viruses by Declude Virus]
 
 


RE: [sniffer] OT test settings

2005-09-11 Thread Jay Sudowski - Handy Networks LLC
DSBL          ip4r  list.dsbl.org       *          15  0
MXRATE-BLACK  ip4r  pub.mxrate.net      127.0.0.2  15  0
SBLXBL4       ip4r  xbl.spamhaus.org    127.0.0.4  15  0

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Serge
Sent: Sunday, September 11, 2005 10:20 PM
To: sniffer@SortMonster.com
Subject: [sniffer] OT test settings

Hi pete

Can you please give the settings for the following tests that appear in
the MDLP reports:
DSBL
MXRATE-BLACK
SBL-XBL4



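As an added illustration of how the ip4r test lines quoted above are evaluated (this is not code from the thread or from Declude): the sender address is reversed octet by octet, the list zone is appended, and the A record returned is compared with the configured return code, with "*" accepting any listing. The resolver here is a constructed dictionary standing in for real DNS so the example runs offline; the zones, codes and first weight column come from the quoted settings, and treating the trailing 0 column as ignorable is an assumption.

```python
import ipaddress

# Constructed copy of the quoted settings: NAME, zone, expected code, weight.
TESTS = [
    ("DSBL",         "list.dsbl.org",    "*",         15),
    ("MXRATE-BLACK", "pub.mxrate.net",   "127.0.0.2", 15),
    ("SBLXBL4",      "xbl.spamhaus.org", "127.0.0.4", 15),
]

def ip4r_query_name(ip, zone):
    """Reverse the dotted quad and append the list zone (an ip4r lookup)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def ip4r_hit(answers, expected):
    """'*' fires on any A record; otherwise the exact return code must match."""
    if not answers:
        return False
    return expected == "*" or expected in answers

def score(ip, resolve):
    """Return (total weight, names of tests that fired) for one sender IP."""
    total, fired = 0, []
    for name, zone, expected, weight in TESTS:
        if ip4r_hit(resolve(ip4r_query_name(ip, zone)), expected):
            total += weight
            fired.append(name)
    return total, fired

# Constructed fake DNS data (hypothetical, documentation-range addresses):
# one sender listed by two zones, one listed with a non-matching code.
FAKE_DNS = {
    "10.2.0.192.list.dsbl.org":    ["127.0.0.2"],
    "10.2.0.192.xbl.spamhaus.org": ["127.0.0.4"],
    "20.2.0.192.xbl.spamhaus.org": ["127.0.0.3"],  # wrong code, must not fire
}

def fake_resolve(qname):
    """Stand-in for a DNS A lookup; returns [] when there is no listing."""
    return FAKE_DNS.get(qname, [])

if __name__ == "__main__":
    print(score("192.0.2.10", fake_resolve))  # (30, ['DSBL', 'SBLXBL4'])
    print(score("192.0.2.20", fake_resolve))  # (0, [])
```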


RE: Re[2]: [sniffer] Sniffer and SmarterMail?

2005-06-01 Thread Jay Sudowski - Handy Networks LLC
If you have a current SA with Declude, you can move from iMail Declude
to SmarterMail Declude for free.  I suggest that you contact Declude
about this - that is, assuming you are completely shutting down your
iMail server.

-Jay


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, June 01, 2005 8:31 PM
To: Joe Wolf
Subject: Re[2]: [sniffer] Sniffer and SmarterMail?

Hi Joe,

Yeah, we had talked about buying the low cost Declude Virus/JM
versions and then letting Sniffer hook into those as well as then
hooking with SmarterMail...

That's an option for you too.

-jason

- - - - - - - - - - - - - - - - - - 
Wednesday, June 1, 2005, 7:02:30 PM, you wrote:

JW> Mdaemon may be great, but it's out of my budget.  I can't afford
JW> $2500 for the mail server and then another $1600 for the anti-virus.
JW> Especially when I compare it to SmarterMail at $600.

JW> I would love to continue to use Sniffer...  I respect it more than
JW> Imail and Declude combined!  But the fact is that it's time to move on.
JW> Ipswitch has completely lost their mind and just doesn't give a damn
JW> about their customers, failed to fix major problems, and raised their
JW> prices thru the roof.

JW> It may be very simple to plug in Sniffer to SmarterMail, but I'm not
JW> a developer.  I don't really want to run a non-supported
JW> implementation.

JW> If there's a better option than SmarterMail I'd love to hear it, but
JW> I can't compare a $4000+ server to a $600 one.




[sniffer] MDLP Tests

2005-04-02 Thread Jay Sudowski - Handy Networks LLC
Hello - 
 
I am reviewing your MDLP report at
http://www.sortmonster.com/MDLP/MDLP-Example-Long.html, and find some
tests that are seemingly quite effective that I'm not familiar with.  If
anyone has any information about these tests, please let me know:

- FABEL (is this the same as FABELSOURCES at
http://www.declude.com/Articles.asp?ID=97Redirected=Y?)
- MXRATE-*
- UCEPROTEC* 

Also, perhaps I am misunderstanding the data, but SNIFFER has a SQ of
.802 - isn't that relatively bad ?

Thanks!

-

Jay Sudowski // Handy Networks LLC

Director of Technical Operations
Providing Shared, Reseller, Semi Managed and Fully Managed Windows 2003
Hosting Solutions
Tel: 877-70 HANDY x882 |  Fax: 888-300-2FAX

www.handynetworks.com




RE: [sniffer] MDLP Tests

2005-04-02 Thread Jay Sudowski - Handy Networks LLC
Ahh, that makes more sense now.  Ham is just what does not pass the
spam threshold. In this light, if Sniffer is hyper accurate and
catches more real spam than all others, it will appear less accurate
overall because of the deficiencies in the other tests.  For some reason,
I was thinking that ham was being calculated differently.

Thanks for the tests, as well.

-Jay

PS - I did read your stuff about hyper-accuracy, but everything wasn't
meshing for me, hence my question :)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Saturday, April 02, 2005 4:43 PM
To: Jay Sudowski - Handy Networks LLC
Subject: Re: [sniffer] MDLP Tests

On Saturday, April 2, 2005, 4:09:31 PM, Jay wrote:

JSHNL> Hello -

JSHNL> I am reviewing your MDLP report at
JSHNL> http://www.sortmonster.com/MDLP/MDLP-Example-Long.html, and find
JSHNL> some tests that are seemingly quite effective that I'm not
JSHNL> familiar with.  If anyone has any information about these tests,
JSHNL> please let me know:

JSHNL> - FABEL (is this the same as FABELSOURCES at
JSHNL> http://www.declude.com/Articles.asp?ID=97Redirected=Y?)

FABEL          ip4r  spamsources.fabel.dk     127.0.0.2

JSHNL> - MXRATE-*

MXRATE-BLACK   ip4r  pub.mxrate.net           127.0.0.2
MXRATE-WHITE   ip4r  pub.mxrate.net           127.0.0.3
MXRATE-SUSP    ip4r  pub.mxrate.net           127.0.0.4

JSHNL> - UCEPROTEC*

UCEPROTECRDO   ip4r  dnsbl-1.uceprotect.net   127.0.0.2
UCEPROTECCMUL  ip4r  dnsbl-2.uceprotect.net   127.0.0.2
UCEPROTECCVIR  ip4r  dnsbl-3.uceprotect.net   127.0.0.2

JSHNL> Also, perhaps I am misunderstanding the data, but SNIFFER has a
JSHNL> SQ of .802 - isn't that relatively bad ?

Actually, that's the hyper-accuracy penalty at work. I wrote a bunch
about that on the MDLP page. What's going on is that SNF frequently
catches spam that virtually no other tests are catching yet and as a
result the total weight never reaches the threshold. Every one of those
events shows up counting against it.

We research these periodically (we used to look at them constantly) and
with very rare exceptions we find that these are not false positives.

In fact, on our systems last year SNF had fewer than 10 FPs (several of
those were messages from customers that actually contained examples of
spam, malware, or logs with spammy URIs). Of course, our numbers are
more than a bit skewed because the vast majority of traffic on our system
is spam... so we can't use that to calculate a false positive rate
that has any real meaning.

The closest we can really get to an indication of false positive rates
from SNF is to point at our FP rate page:

http://www.sortmonster.com/MessageSniffer/Performance/FalseReportsRates.jsp

This page shows counts of all false positives reported to us on a daily
basis for all of our customers. At least two of these systems are
service providers with 10 or more licenses which submit false positives
automatically as they are reported from their customers.

So anyway, the short answer is that the SA and SQ values on the SNIFFER
tests are skewed by the hyper-accuracy penalty inherent in how MDLP
develops these scores. The true accuracy values are very much higher and
this is regularly confirmed by both hard reviews of the data and
anecdotal evidence from our customers.

Hope this helps,

_M




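A toy model of the hyper-accuracy penalty that Pete describes and Jay restates above, added here as an illustration (it is not code from the thread and not MDLP's own scoring): each test's accuracy is measured against the combined verdict, which is spam only when the summed weights reach the threshold, so a test that fires alone on spam nobody else catches is charged a miss. The weights, threshold and messages are constructed, and the agreement ratio is a deliberate simplification, not the MDLP SQ formula.

```python
# Constructed weights and threshold (hypothetical, chosen so that a single
# firing test can never reach the threshold on its own).
THRESHOLD = 30
WEIGHTS = {"SNF": 15, "DNSBL-A": 15, "DNSBL-B": 15}

# Constructed corpus: the set of tests that fired on each message, plus
# whether the message really was spam (known to us, not to the scorer).
MESSAGES = [
    ({"SNF", "DNSBL-A"},            True),   # caught by two tests
    ({"SNF", "DNSBL-A", "DNSBL-B"}, True),
    ({"SNF"},                       True),   # spam only SNF recognises
    ({"SNF"},                       True),
    ({"DNSBL-A", "DNSBL-B"},        True),
    (set(),                         False),  # plain ham
    ({"DNSBL-B"},                   False),  # a genuine FP by DNSBL-B
]

def ensemble_verdict(fired):
    """The combined filter's decision: spam iff the weights reach threshold."""
    return sum(WEIGHTS[t] for t in fired) >= THRESHOLD

def agreement(test, against_ensemble):
    """Fraction of this test's firings that the chosen reference calls spam.

    against_ensemble=True scores the way the thread describes (reference is
    the threshold verdict); False scores against the real labels instead.
    """
    hits = [(fired, real) for fired, real in MESSAGES if test in fired]
    agreed = 0
    for fired, real in hits:
        agreed += ensemble_verdict(fired) if against_ensemble else real
    return round(agreed / len(hits), 3) if hits else None

def report():
    """Per test: (agreement vs. ensemble verdict, agreement vs. real labels)."""
    return {t: (agreement(t, True), agreement(t, False)) for t in WEIGHTS}

if __name__ == "__main__":
    # SNF is right on every message it flags, yet scores lowest against the
    # ensemble because its solo catches never reach the threshold.
    for test, (vs_ensemble, vs_truth) in report().items():
        print(f"{test:8} ensemble={vs_ensemble}  truth={vs_truth}")
```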