[sniffer] Re: I got a strong attack today

2008-01-04 Thread John T (lists)
>   3) then be able to create a temporary rule to help block messages
> - must be viable until SNF has an updated ruleset to start clearing out
> the attack
> - I don't think declude (what I use w/SNF) has rule expirations (but
> would be a nice feature)

What I do when I create a temp rule is to call it T_date_A and then B and
then C and so forth. I then keep a rule_readme.txt file in the spool\declude
directory that I update.

John T




#
This message is sent to you because you are subscribed to
  the mailing list .
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to  <[EMAIL PROTECTED]>
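
The quoted request above asks for rule expirations, and the reply works around their absence with a dated naming scheme plus a readme. As an added example (not code from the thread, from Declude or from Message Sniffer), the sketch below audits such names for rules that have outlived a chosen age or were never written up. The `T_YYYYMMDD_A` date format, the 14-day limit, the readme layout and all sample names are assumptions.

```python
import re
from datetime import date, datetime, timedelta

# Assumed convention: T_<YYYYMMDD>_<letter>, e.g. T_20080104_A.
# The thread only says "T_date_A"; the exact date format is an assumption.
TEMP_RULE = re.compile(r"^T_(\d{8})_([A-Z])$")


def parse_temp_rule(name):
    """Return (created_date, letter) for a well-formed temp rule name, else None."""
    m = TEMP_RULE.match(name)
    if not m:
        return None
    try:
        created = datetime.strptime(m.group(1), "%Y%m%d").date()
    except ValueError:
        return None  # eight digits, but not a real calendar date
    return created, m.group(2)


def documented_rules(readme_text):
    """Collect every temp rule name mentioned anywhere in the readme text."""
    return set(re.findall(r"\bT_\d{8}_[A-Z]\b", readme_text))


def audit_temp_rules(active_rules, readme_text, today, max_age_days=14):
    """Sort active T_ rules into expired, undocumented and malformed."""
    documented = documented_rules(readme_text)
    report = {"expired": [], "undocumented": [], "malformed": []}
    for name in active_rules:
        if not name.startswith("T_"):
            continue  # permanent rule, out of scope for this audit
        parsed = parse_temp_rule(name)
        if parsed is None:
            # A temp rule that cannot be dated can never be expired by date,
            # so it is reported separately instead of being skipped.
            report["malformed"].append(name)
            continue
        created, _letter = parsed
        if today - created > timedelta(days=max_age_days):
            report["expired"].append(name)
        if name not in documented:
            report["undocumented"].append(name)
    return report


# Constructed sample data: rule names as they might be listed from the filter
# configuration, and the contents of a rule_readme.txt kept beside it.
SAMPLE_ACTIVE = [
    "SNIFFER",
    "T_20071215_A",
    "T_20080104_A",
    "T_20080104_B",
    "T_2008014_C",    # one digit short
    "T_20081340_A",   # month 13
]
SAMPLE_README = """\
T_20071215_A: subject phrase seen in the December run
T_20080104_A: URL fragment from the attack on 4 Jan, remove once SNF catches it
"""

if __name__ == "__main__":
    result = audit_temp_rules(SAMPLE_ACTIVE, SAMPLE_README, date(2008, 1, 5))
    for bucket, names in result.items():
        print(bucket, names)
```
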



[sniffer] Re: Excessive amounts of spam

2007-12-20 Thread John T (lists)
Yes.
John T


> -Original Message-
> From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of David Moore
> Sent: Thursday, December 20, 2007 2:24 PM
> To: Message Sniffer Community
> Subject: [sniffer] Re: Excessive amounts of spam
> 
> We are using MxGuard, Sniffer, InvURIBL combo on Imail will the beta sniffer
> still fit with this combination without issues?
> 
> Regards David Moore
> [EMAIL PROTECTED]
> 
> J.P. MCP, MCSE, MCSE + INTERNET, CNE.
> www.adsldirect.com.au for ADSL and Internet www.romtech.com.au for PC sales
> 
> Office Phone: (+612) 9453 1990
> Fax Phone: (+612) 9453 1880
> Mobile Phone: +614 18 282 648
> Skype Phone: ADSLDIRECT
> 
> POSTAL ADDRESS:
> PO BOX 190
> BELROSE NSW 2085
> AUSTRALIA.
> 
> -
> 
> This email message is only intended for the addressee(s) and contains
> information that may be confidential, legally privileged and/or copyright.
> If you are not the intended recipient please notify the sender by reply
> email and immediately delete this email. Use, disclosure or reproduction of
> this email, or taking any action in reliance on its contents by anyone other
> than the intended recipient(s) is strictly prohibited. No representation is
> made that this email or any attachments are free of viruses. Virus scanning
> is recommended and is the responsibility of the recipient.
> -
> 
> -Original Message-
> From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
> Of E. H. (Eric) Fletcher
> Sent: Friday, 21 December 2007 8:35 AM
> To: Message Sniffer Community
> Subject: [sniffer] Re: Excessive amounts of spam
> 
> Frank:
> 
> Thanks for your input.  There are definitely things leaking through that
> wouldn't have leaked through before.  We've held off hoping for a production
> release but it may not be practical much longer.  On that note, for anyone
> else in the same position, we tested adding InvURIBL from Invariant Systems.
> It's not a sniffer replacement but definitely caught a lot of what sniffer
> currently lets through for the very valid reasons Pete has covered.  The
> only thing missing seemed to be a white list so that you could white list
> legitimate publications that might contain links to 'offensive' sites. That
> can probably be tuned out thru weighting however we'd hoped not to be
> re-inventing the wheel for a short term solution.
> 
> Eric
> 
> - Original Message -
> From: "Pi-Web - Frank Jensen" <[EMAIL PROTECTED]>
> To: "Message Sniffer Community" 
> Sent: Thursday, December 20, 2007 1:17 PM
> Subject: [sniffer] Re: Excessive amounts of spam
> 
> 
> >
> > We have been running it for - I guess - 2 months now without any trouble.
> >
> >
> >> How stable is the beta version?
> >>
> >>  Regards David Moore
> >>
> >>  *From:* Message Sniffer Community [mailto:[EMAIL PROTECTED] *On
> >> Behalf Of *Pete McNeil
> >> *Sent:* Friday, 21 December 2007 8:10 AM
> >> *To:* Message Sniffer Community
> >> *Subject:* [sniffer] Re: Excessive amounts of spam
> >>
> >>  Hello David,
> >>
> >>  Thursday, December 20, 2007, 3:25:45 PM, you wrote:
> >>
> >>
> >>>
> >>
> >>
> >>
> >> -  If you are not yet running the latest beta then that might help quite
> >> a bit since the GBUdb (IP reputation system) does a good job capturing
> >> new spam from old bots even before rules are coded.
> >>
> >> Please clarify are you saying it would help if we had the beta installed?
> >>
> >>  Yes. The new GBUdb engine reduces leakage quite a bit. As more systems
> >> adopt the new version this will improve even more. Most new spam
> >> campaigns are started with some 

[sniffer] Re: Excessive amounts of spam

2007-12-20 Thread John T (lists)
I have not noticed any increase on FPs on the one server that is running it.

John T
> -Original Message-
> From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
> Sent: Thursday, December 20, 2007 1:29 PM
> To: Message Sniffer Community
> Subject: [sniffer] Re: Excessive amounts of spam
> 
> I've heard comments that it has a higher catch rate... how about FP rate?
> Higher, the same, or lower?
> 
> Darin.
> 
> 
> - Original Message -
> From: "Pi-Web - Frank Jensen" <[EMAIL PROTECTED]>
> To: "Message Sniffer Community" 
> Sent: Thursday, December 20, 2007 4:17 PM
> Subject: [sniffer] Re: Excessive amounts of spam
> 
> 
> 
> We have been running it for - I guess - 2 months now without any trouble.
> 
> 
> > How stable is the beta version?
> >
> >
> >
> > Regards David Moore
> >
> > *From:* Message Sniffer Community [mailto:[EMAIL PROTECTED] *On
> > Behalf Of *Pete McNeil
> > *Sent:* Friday, 21 December 2007 8:10 AM
> > *To:* Message Sniffer Community
> > *Subject:* [sniffer] Re: Excessive amounts of spam
> >
> >
> >
> > Hello David,
> >
> >
> >
> > Thursday, December 20, 2007, 3:25:45 PM, you wrote:
> >
> >
> >
> >>
> >
> >
> >
> > -  If you are not yet running the latest beta then that might help quite
> > a bit since the GBUdb (IP reputation system) does a good job capturing
> > new spam from old bots even before rules are coded.
> >
> > Please clarify are you saying it would help if we had the beta installed?
> >
> >
> >
> > Yes.
> >
> >
> >
> > The new GBUdb engine reduces leakage quite a bit. As more systems adopt
> > the new version this will improve even more. Most new spam campaigns are
> > started with some large fraction of existing bots. Messages from bots
> > that have already been identified will be blocked even before new
> > content rules can be generated (if needed).
> >
> >
> >
> > _M
> >
> >
> >
> >
> >
> >
> >
> >
> >
> > --
> >
> > Pete McNeil
> >
> > Chief Scientist,
> >
> > Arm Research Labs, LLC.
> >
> >
> 
> 
> --
> Best regards, Frank Jensen
> [EMAIL PROTECTED]
> www.pi.dk
> 
> 
> 
> Impressive, fascinating and huge
> posters, e.g. 149 x 149 = 629 kr
> We can also make a poster from your digital photo
> 
> www.plakatkunst.dk
> 
> 
> 

[sniffer] Re: [S][sniffer] Re: Please send email to r...@bluscs.com

2007-11-29 Thread John T (lists)
Maybe try reading the entire email before you ask. It is at the bottom of
EVERY post.

John T


> -Original Message-
> From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of
> David Payer - IowaLink Administrator
> Sent: Thursday, November 29, 2007 8:17 AM
> To: Message Sniffer Community
> Subject: [sniffer] Re: [S][sniffer] Re: Please send email to [EMAIL PROTECTED]
> 
> John, it is often less than clear as to how to do that. For example, where
> is our customer interface to change things?
> 
> Is that link on the email?
> 
> Is that link on the armresearch.com page?
> 
> If you know this to be the case, please show us all.
> 
> David P.
> 
> 
> 
> - Original Message -
> From: "John T (lists)" <[EMAIL PROTECTED]>
> To: "Message Sniffer Community" 
> Sent: Thursday, November 29, 2007 10:00 AM
> Subject: [S][sniffer] Re: Please send email to [EMAIL PROTECTED]
> 
> 
> > Please do what you are supposed to do and take responsibility to update
> > your own subscription!
> >
> > John T
> 
> 
> 



[sniffer] Re: Please send email to r...@bluscs.com

2007-11-29 Thread John T (lists)
Please do what you are supposed to do and take responsibility to update your
own subscription!

John T
> -Original Message-
> From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of
> [EMAIL PROTECTED]
> Sent: Thursday, November 29, 2007 5:12 AM
> To: Message Sniffer Community
> Subject: [sniffer] Please send email to [EMAIL PROTECTED]
> 
> My email address has changed. Please email [EMAIL PROTECTED]
> 
> 
> 
> 



[sniffer] Re: Imail Upgrade

2007-11-04 Thread John T (lists)
Yes, there is a difference. Webmail is different. Additional features in the
SMTP service. Vulnerabilities fixed. Bugs fixed. 

There is indeed a patch for version 8, it is called 8.22 + HF2.

John T
> -Original Message-
> From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Greg
> Sent: Saturday, November 03, 2007 5:31 PM
> To: Message Sniffer Community
> Subject: [sniffer] Imail Upgrade
> 
> I'm running an older ver of Imail (8.05) and considering an
> upgrade.  Is there much of a difference.  The only issue I'm
> currently having is there is an exploit that some yahoo is crashing
> the server a couple times a month.  Imail won't patch it so I either
> have to upgrade or move to another platform.  I know this isn't
> Sniffer related but looking for some advice from someone running Imail.
> Thanks
> 
> 
> 



[sniffer] Reporting False Positives

2007-10-26 Thread John T (lists)
To clarify something that came up in another post a couple of weeks ago, is
it necessary to send false positive reports from the specified email
address, or any address as long as it includes the proper information such
as the license in the subject line?

 

John T

 



[sniffer] Re: Beta

2007-10-17 Thread John T (lists)
Thanks as always Pete for a great explanation.

John T
> -Original Message-
> From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of
> Pete McNeil
> Sent: Wednesday, October 17, 2007 5:35 AM
> To: Message Sniffer Community
> Subject: [sniffer] Re: Beta
> 
> Hello John,
> 
> Wednesday, October 17, 2007, 1:41:18 AM, you wrote:
> 
> >> Our SYNC server software rejects connections by default. If an SNF
> >> node follows the expected connection protocols and authenticates
> >> properly and consistently then it will be allowed to communicate with
> >> the system. If it fails to do any of these things or looks suspicious
> >> in any way then it will be automatically black listed for increasingly
> >> extended periods and potentially null routed by our fire-walls. The
> >> security mechanisms are fully automatic and constantly monitored.
> 
> > If something goes wrong on my server, either by a mistake I make in a
> > configuration file or a bug or whatever, and my server in connecting to the
> > SYNC server should be rejected and subsequently black listed, is there a
> > notification that takes place that someone will review to see if that
> > sniffer license is otherwise valid and otherwise no known problems are seen
> > so that I will then be notified saying "hey there is a problem contact us"
> > so that the problem can be resolved?
> 
> Yes.
> 
> The system is completely automated and reliable. There is nothing to
> be concerned about. Quite simply, nothing can go wrong, go wrong, go
> wrong... go..
> 
> Seriously though--
> 
> In order to be black-listed by our system you would have to be abusing
> the SNF software or using some alternative software to attempt to gain
> access or deny access to the SYNC servers. Otherwise the most you
> could do would be to lose contact for some time.
> 
> That said, if any system does something to become black-listed then
> you can be sure it will have our attention.
> 
> It is basically impossible for you to cause a properly functioning SNF
> node to become black-listed by altering the configuration file. It is
> far more likely that your SNF node would simply fail to connect.
> 
> Chances are that if you were making an adjustment that could cause
> this you would also be watching to make sure that things were working
> correctly when you finished.
> 
> In case you did cause the system to lose its connection with us, the
> system is designed so that SNF nodes will remain reliable and
> effective for extended periods even if they are unable to contact the
> SYNC server. It is also designed to recover gracefully when the
> problem is corrected.
> 
> The GBUdb system is highly effective even when it does not share its
> information with the other SNF nodes. Each GBUdb node learns first
> about its local traffic. As long as your SNF rulebase file is up to
> date - or even close to being up to date, your system is likely to be
> very effective at filtering spam.
> 
> If your SNF/GBUdb node becomes detached from the main system for an
> extended period, it will degrade in its performance. Once the problem
> is corrected it should recover in a very short time.
> 
> In the event we detect any IPs being black listed or acting
> suspiciously we will be watching closely so that we can analyze any
> potential threats and take appropriate actions. If we can identify a
> customer involved in such a case we will contact them to investigate
> and correct the problem.
> 
> Locally, your status reports indicate when the last sync event
> occurred. This is one of the ways you can check the status of your
> system. Consider this example from recent telemetry:
> 
> 
> 
> 
> 
> 
> 
> 
> You can see when the last sync event occurred (about 11 seconds ago in
> this case):
> 
> 
> 
> We plan to encourage the development of third party tools for
> monitoring and analyzing SNF system data. In addition we plan to build
> monitoring and analysis services of our own to include features that
> will notify system administrators when something doesn't look quite
> right.
> 
> If you (anyone) develop something nice for displaying and/or
> monitoring SNF status data then please share it with the SNF
> community.
> 
> In the mean time - we have done extensive testing and monitoring
> throughout the development process. High availability is (has always
> been) a design requirement and we're confident SNF can deliver that.
> 
> Hope this helps,
> 
> _M
> 
> --
> Pete McNeil
> Chief Scientist,
> Arm Research Labs, LLC.
> 
> 

[sniffer] Re: Beta

2007-10-16 Thread John T (lists)
> Our SYNC server software rejects connections by default. If an SNF
> node follows the expected connection protocols and authenticates
> properly and consistently then it will be allowed to communicate with
> the system. If it fails to do any of these things or looks suspicious
> in any way then it will be automatically black listed for increasingly
> extended periods and potentially null routed by our fire-walls. The
> security mechanisms are fully automatic and constantly monitored.

If something goes wrong on my server, either by a mistake I make in a
configuration file or a bug or whatever, and my server in connecting to the
SYNC server should be rejected and subsequently black listed, is there a
notification that takes place that someone will review to see if that
sniffer license is otherwise valid and otherwise no known problems are seen
so that I will then be notified saying "hey there is a problem contact us"
so that the problem can be resolved?

John T
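
The default-deny gate with increasingly long black-list periods described in the quoted text, and the review the question asks about, can be sketched as follows. This is an added example, not Arm Research's SYNC server and not code from the thread; the three-strike limit, the 60-second base block that doubles per offence, the shared-secret check and the review queue are all assumptions, and the addresses and license id are constructed.

```python
import hmac
from dataclasses import dataclass


@dataclass
class PeerState:
    strikes: int = 0            # failed attempts since the last success or block
    offences: int = 0           # how many times this peer has been black-listed
    blocked_until: float = 0.0  # timestamp in seconds; 0 means not blocked


class SyncGate:
    """Reject by default; accept only a known license id with its secret.
    Repeated failures earn a block that doubles with each offence."""

    def __init__(self, credentials, max_strikes=3, base_block=60.0,
                 max_block=86400.0):
        self.credentials = credentials  # license id -> secret (constructed)
        self.max_strikes = max_strikes
        self.base_block = base_block
        self.max_block = max_block
        self.peers = {}          # source IP -> PeerState
        self.review_queue = []   # black-list events for a human to look at

    def _authenticated(self, license_id, secret):
        expected = self.credentials.get(license_id)
        if expected is None:
            return False
        # Constant-time comparison so timing does not leak the secret.
        return hmac.compare_digest(expected.encode(), secret.encode())

    def handle(self, ip, license_id, secret, now):
        state = self.peers.setdefault(ip, PeerState())
        if now < state.blocked_until:
            return "blocked"
        if self._authenticated(license_id, secret):
            # Strikes reset, offences do not: a repeat offender escalates
            # faster even after a period of good behaviour.
            state.strikes = 0
            return "accepted"
        state.strikes += 1
        if state.strikes < self.max_strikes:
            return "rejected"
        state.offences += 1
        state.strikes = 0
        duration = min(self.base_block * 2 ** (state.offences - 1),
                       self.max_block)
        state.blocked_until = now + duration
        # Record whether the failing node claimed a real license, so an
        # operator can contact that customer instead of silently dropping them.
        self.review_queue.append({
            "ip": ip,
            "license_id": license_id,
            "known_license": license_id in self.credentials,
            "offence": state.offences,
            "blocked_for": duration,
        })
        return "blacklisted"


# Constructed event stream: (time, source IP, license id, secret).
SAMPLE_EVENTS = [
    (0, "192.0.2.10", "lic-0001", "wrong"),
    (1, "192.0.2.10", "lic-0001", "wrong"),
    (2, "192.0.2.10", "lic-0001", "wrong"),     # third strike: 60 s block
    (10, "192.0.2.10", "lic-0001", "s3cret"),   # correct, but still blocked
    (62, "192.0.2.10", "lic-0001", "s3cret"),   # block over: accepted
    (100, "192.0.2.10", "lic-0001", "wrong"),
    (101, "192.0.2.10", "lic-0001", "wrong"),
    (102, "192.0.2.10", "lic-0001", "wrong"),   # second offence: 120 s block
]


def replay(gate, events):
    """Feed events through the gate and return the decision for each."""
    return [gate.handle(ip, lic, secret, t) for t, ip, lic, secret in events]


if __name__ == "__main__":
    gate = SyncGate({"lic-0001": "s3cret"})
    for event, decision in zip(SAMPLE_EVENTS, replay(gate, SAMPLE_EVENTS)):
        print(event, "->", decision)
    print(gate.review_queue)
```
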







[sniffer] Re: New Server/Client configuration

2007-10-11 Thread John T (lists)
3) The logs are rotating according to UTC time. How can that be configured
to rotate in local time?

 

John T

 

From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of John T (lists)
Sent: Thursday, October 11, 2007 11:05 AM
To: Message Sniffer Community
Subject: [sniffer] New Server/Client configuration

 

A couple of notes I have noticed:

 

1) When SNFServer starts and creates the file id_snf_engine_cfg.log,
would it be a good idea to list the version of the SNFServer?

2) In your announcement about the version 1.4 beta, you said to upgrade
the snf_engine.xml as well. Why? Since there are many configuration options
in the snf_engine.xml, I would not want to take a chance replacing it and
forgetting a setting that had been made/changed.

 

John Tolmachoff

eServices For You

[EMAIL PROTECTED]

(626) 737-6003

Fax (626) 737-6004

 



[sniffer] New Server/Client configuration

2007-10-11 Thread John T (lists)
A couple of notes I have noticed:

 

1) When SNFServer starts and creates the file id_snf_engine_cfg.log,
would it be a good idea to list the version of the SNFServer?

2) In your announcement about the version 1.4 beta, you said to upgrade
the snf_engine.xml as well. Why? Since there are many configuration options
in the snf_engine.xml, I would not want to take a chance replacing it and
forgetting a setting that had been made/changed.

 

John Tolmachoff

eServices For You

  [EMAIL PROTECTED]

(626) 737-6003

Fax (626) 737-6004

 



[sniffer] Re: Updates to log rotation scripts

2007-10-10 Thread John T (lists)
I think he was asking about the log rotate script that also FTPs a copy up
to sniffer. Do we still need to FTP a log to Sniffer?

John T


> -Original Message-
> From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of
> Pete McNeil
> Sent: Tuesday, October 09, 2007 9:28 PM
> To: Message Sniffer Community
> Subject: [sniffer] Re: Updates to log rotation scripts
> 
> Hello tfox,
> 
> Tuesday, October 9, 2007, 10:23:46 PM, you wrote:
> 
> > What updates/file name changes would be necessary for the log rotation
> > scripts?
> 
> It is possible to generate old style log files from the new version if you wish. Your
> current scripts can be used as-is in that case.
> 
> Hopefully you will be able to make the switch to the new XML based logs.
> 
> Both log types can be rotated daily by the new engine. Specifically, today's date can be
> prepended to the log file names.
> 
> > How can we monitor the status of SNF in real time, via the XML pages?
> 
> The first answer is that the new engine produces a number of status reports - every
> second, every minute, or every hour.
> 
> These status reports and logs, though formatted as XML, have been designed to be
> relatively easy to see in a simple text editor. It does take a little bit of getting used to -
> but not too much.
> 
> > Is there such a thing as an XML reader?
> 
> Yep. Your web browser. Just about every web browser can read and translate XML
> data these days. The trick is -- translate how?
> 
> You may want to use an XSLT utility, or more likely the XSLT capabilities in your web
> server environment or even in your web browser alone.
> 
> For example, you could take one of the status files, copy it to a new file. Add a few
> lines of text - specifically to add a style-sheet definition and document type so that the
> XML is "complete". Then you should be able to open the resulting file in your favorite
> browser.
> (You will have to create an XSL file (style sheet) to translate the XML file into what you
> want to see.)
> 
> [[ This is the approach I used to create the "rate chart" shown in
> nowSimplePrescale.png, then I moved the whole thing to our web server to make it
> more automatic. ]]
> 
> Another way you might go is to import the XML from the log or status report into a
> database. (Here again you may want/need to prepend a line or two of text to make
> the XML completely compatible with your
> environment)
> 
> Then you would be able to extract reports from your database in "the usual way".
> 
> We're hopeful that folks who are savvy about XML and XSL will create and share
> useful translations and tools for SNF users. We look forward to supporting that effort.
> 
> Internally we've done a few quick things to watch the telemetry we get from SNF
> nodes and our own servers. The approach we've taken is to use the inherent XSLT
> capabilities of our web/jsp servers and the basic capabilities in IE and Firefox.
> 
> Attached are some screen shots of live data I am looking at right now.
> This telemetry comes from one of our spamtrap pre-filters.
> 
> nowSimplePrescale.png uses a simple XSL file that took me about 20 minutes to throw
> together while thumbing through a text book.
> 
> nowNodeDashbaord.png took a bit more work and leverages a flash based live gauge
> tool that periodically pulls xml data from our internal servers (so it's animated). The
> flash gadget came from here:
> 
> http://www.maani.us/gauge/
> 
> We will also be creating some monitoring tools and services on our web site to take
> advantage of the live data provided by the new SNF engine and some of our new
> back-end tools.
> 
> If anyone creates any useful XSL, tools, etc then please let us know and we will be
> happy to post them on our site and create appropriate reciprocal links.
> 
> Hope this helps,
> 
> _M
> 
> --
> Pete McNeil
> Chief Scientist,
> Arm Research Labs, LLC.






[sniffer] Re: All about GBUdb

2007-10-08 Thread John T (lists)
OK, a couple of questions.

If an IP is found to be BAD, the website states a non-zero code will be
returned. Well, I know that those of us using Declude and using listed
return codes other than non-zero will have a problem with this. Can this be
set to a specific return code that we can then use with Declude?

Same question on the UGLY, can it be set to return a specific return code so
that we can use that with Declude?

John T


> -Original Message-
> From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of
> Pete McNeil
> Sent: Saturday, October 06, 2007 6:06 PM
> To: Message Sniffer Community
> Subject: [sniffer] All about GBUdb
> 
> Hello Sniffer Folks,
> 
> At your convenience please review the following:
> 
>
> http://kb.armresearch.com/index.php?title=Message_Sniffer.TechnicalDetails.GBUdb
> 
> This page describes one of the key features of the new SNF engine
> (currently in wide beta testing). GBUdb is an IP reputation system
> built on a collaborative learning engine. Each SNF node equipped with
> GBUdb learns the behavior of the message sources it encounters and
> shares that information with other SNF/GBUdb nodes in the cloud.
> 
> This learning and sharing process happens in near real-time
> (zero-minute) and allows the new SNF engine to improve both filtering
> accuracy and system efficiency (with a little help from its friends).
> 
> Let us know if you have any questions or comments.
> 
> Thanks!
> 
> _M
> 
> --
> Pete McNeil
> Chief Scientist,
> Arm Research Labs, LLC.
> 
> 



[sniffer] Re: Address

2007-09-24 Thread John T (lists)
> Some of the spammers are apparently using my email address as the sender. Any
> way to defeat that or capitalize on it?  I get several bounces a week from all over the
> world.

Ah, the American spirit at work. If you can't stop it, make money on it.

;-)>

(And yes, I know that is not what you meant. At least I hope not.)

John T







[sniffer] Category idea

2007-09-21 Thread John T (lists)
I have been asked by a client to help find a way to catch headhunters and
such that attempt to recruit current employees. I have yet to spend time on
this as it seems creating a filter in Declude for this while maintaining
low/no false positives would be somewhat difficult.

While this is outside of what normally would be considered SPAM, I was
wondering if Message Sniffer ever considered a category for such things.

John T







[sniffer] Warning: eBay False Positives

2007-07-23 Thread John T (lists)
I saw several legit eBay notices caught by Scams Category on Sunday morning.
Details sent to Sniffer.

John T







[sniffer] Re: Appriver issue

2007-05-19 Thread John T (lists)
> My personal opinion is worth way less than John's, but I'd still like to
> insert it here.  I was dramatically affected by a software product that
> I don't even subscribe to, so I'm somewhat curious why you would defend
> them so readily at this juncture.  Perhaps they aren't totally to
> blame.  But perhaps you are unaware of some of the ramifications of this
> foul-up.  I'm not sure.   But if you were affected by a service that you
> didn't have any connection to the way I was, perhaps it would be a
> different story.  

I am not so much defending the way the company handled it or such but am
stating that hey things happen, let's not overreact.

And I understand completely. In my example, I nor my company nor my servers
were using the content filtering that was involved. But just the night
before while investigating a problem at the office of my biggest client, I
found that there was a group of users accessing websites from the office
that were causing problems bandwidth problems that those office managers had
complained about. So I enabled the content filtering for all offices. I then
sent an email to the management of the action I took pending further
investigation. Well, at 7:00 AM the next morning, before I knew exactly what
was happening or the extent of it, I had the CEO of the company on the phone
screaming at me threatening legal action since their offices could not get
on-line to process financial transactions that their customers were
depending on.

John T








[sniffer] Re: Appriver issue

2007-05-19 Thread John T (lists)
Inserting my 2 cents here since that is all that it is worth.

In backing up what Matt said, let me relate a similar example of a problem
that occurred a year and a half ago to a major IT security products vendor:

At about 6:15 AM PT on a weekday in the middle of a normal busy week, their
content filtering servers began to become unresponsive. At first, it was
intermittent and hard to pinpoint. But within about 45 minutes, they stopped
responding completely. Well, their appliances did what they were designed to
do by default configuration, fail safe. Block all access if the content
filtering server does not respond. All one had to do though was to log onto
the appliance and change the failsafe block to allow. But this is where the
fun (not) began. There are hundreds or more of libraries, both public and
private, as well as schools, that are using those appliances and that
content filtering service. Guess what? They are bound by law to have content
filtering in place, meaning they could not turn the fail safe off. Companies
and schools and libraries started screaming bloody murder and demanded a
resolution an hour ago. The content filtering service was finally restored
about 2:30 PM if I recall correctly.

So, what happened? I mean this is a big company and it should have things in
place to prevent this. Right?

They did. As much as someone would expect them to.

They had 4 servers. The servers were fine, they were still running. There
were no software changes, and in fact their tests showed the servers were
still responding. They were located at a location with multiple internet
connections, and all tests showed the internet connections were all up and
working. Power was flowing fine and all UPSs as well as the generator were
all fine. Finally, after about 2 hours, the problem was found: My
understanding is that a single module in an enterprise router failed but in a
way that was hard to find. Once found, the hardware vendor sent a
replacement part by courier to replace.

My understanding is that it cost them well over 10 grand to eliminate that
one single point of failure. And that was just for the hardware.

Just goes to prove once again that in IT, 80% of the result is 20% of the
cost. That remaining 20% of result is what costs the 80%.

John T

 

From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Friday, May 18, 2007 9:44 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Appriver issue

I have something that I would also like to clear up.

When I indicated that AppRiver had removed its contact page, it likely just
wasn't operating at the time that I was attempting to access it.
Considering their issues, it would not be a surprise to see other issues
like this caused, but it seemed suspicious since their home page was working
and not their contact page.  I did note that it was working by the time that
it was pointed out that it was up.

In no way did I ever believe that Pete or Sniffer had any direct involvement
in the system that created these problems, and in no way should this reflect
badly on Pete or Sniffer as far as I am concerned.

I was slightly miffed after getting off the phone with them where their
reaction quite clearly indicated that they were aware of the issue.  I
suggested that they take their servers off-line due to the issues that were
being caused, but I was probably barking up the wrong tree.  The servers
weren't taken off line for another hour or so, or maybe this is when the
delivery servers caught up with the queued E-mail destined for my client.
I'm not sure why they didn't act on this sooner.  When you have a loop, it
is important to stop it, and their multi-homing made it difficult for others
to block.  One user received about 500 copies of the same message (and also
called them), and there were other examples that we saw which were much more
limited.  I do hope that they didn't choose to introduce new software at 11
a.m. ET on the busiest E-mail day of the week, and that this was only when
the problems surfaced...

Everyone that deals with significant volumes of E-mail has issues from time
to time, and I wouldn't draw conclusions about AppRiver based on just this
one circumstance.  I would imagine that it is hard to plan for how to deal
with a broad scale looping issue, and I'm sure this was a learning
experience for them.

Matt




 


[sniffer] Re: Sniffer as passthrough filter

2007-03-08 Thread John T (lists)
Yes, it is called email gateway service and many of us do that and it is
fairly straightforward to set up but there are a number of steps.

John T

> -Original Message-
> From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
> Of K Mitchell
> Sent: Thursday, March 08, 2007 6:16 PM
> To: Message Sniffer Community
> Subject: [sniffer] Sniffer as passthrough filter
> 
>   I've been running Message Sniffer here with IMail and mxGuard for a
> number of the domains we service. I have another customer that runs their
> own Exchange server, and wishes to continue doing so, but inquired as to
> the possibility of us doing pass-through filtering for them. Is this
> possible with the setup I have?
> 
> Thanks,
> 
> --
> Kirk Mitchell-General Manager[EMAIL PROTECTED]
> Keystone Connect Unlock Your World
> Altoona, PA  814-941-5000   http://www.keyconn.net
> 
> 






[sniffer] Re: Blocking emails with Cyrillic characters

2006-12-13 Thread John T (Lists)
As someone who speaks Russian, it would be more productive for you to
forward those spams to sniffer for processing rather than create a rule
based on normal common language characters. Besides, that is not what I
expect from Sniffer. My understanding of the premise of Message Sniffer is to
create rules that search for a pattern in spam messages that can be reliably
duplicated. Having a rule solely based on inclusion of common language
characters would undermine that trust we have in Message Sniffer.

John T
eServices For You

"Life is a succession of lessons which must be lived to be understood."
Ralph Waldo Emerson (1802-1882)

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Steve Guluk
Sent: Wednesday, December 13, 2006 12:43 PM
To: Message Sniffer Community
Subject: [sniffer] Blocking emails with Cyrillic characters

Hello Comrades,

Could we get a rule that looks for various common Russian words (or Cyrillic
characters) and then gives them a spam value?

Do you sell much Sniffer Product to Russia? If not, rules that focus on
common Russian words would be great for blocking much of the spam that makes
its way past Sniffer. You could always create a way for people that want
Russian emails to exclude this rule. No?

Not that I know all the details of how you guys create your rules but a rule
looking for common Cyrillic characters could catch all spam formatted in
Russian as well as other languages that use similar characters. Otherwise
you should hire some coders that understand these languages as I get a heap
of spam that passes Sniffer by using what looks like Russian or Cyrillic
characters.

I run iMail 8.22 so if anyone has any other ideas that could block these
please post your suggestions, I guess we could create a phrase list from
some of the Cyrillic spams..?

Regards,

Steve Guluk
SGDesign
(949) 661-9333
ICQ: 7230769



[sniffer] Re: Stock spam

2006-12-12 Thread John T (Lists)
On the ones that I see get through, (image spams,) I usually see a Sniffer
triggered update within 60 minutes after that and then that stops them.

John T
eServices For You

"Life is a succession of lessons which must be lived to be understood."
Ralph Waldo Emerson (1802-1882)



> -Original Message-
> From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
> Sent: Tuesday, December 12, 2006 9:43 AM
> To: Message Sniffer Community
> Subject: [sniffer] Re: Stock spam
> 
> Hello Herb,
> 
> Tuesday, December 12, 2006, 12:32:09 PM, you wrote:
> 
> > We were seeing lots of unmarked pump and dump stock spam a week or so
> > ago but now almost none is getting thru. Sniffer is catching most of it
> > and some other declude and rbl tests are as well.
> 
> It's interesting to see such mixed results posted. It makes me wonder
> what the differences are between the systems reporting high catch
> rates (which we also see, once a campaign has been analyzed) and low
> catch rates.
> 
> Also -- are the poor catch rates reported on text based stock-push
> spams or image based?
> 
> Text based stock-push leakage is not likely because we generally catch
> these very fast and there are a range of rules in place to capture new
> campaigns even before we've seen them - so if you have this kind of
> leakage and it persists then start looking for problems with your
> system (errors, rulebase updates working, etc...)
> 
> Image based stock-push is a problem, as is all image spam, but we do
> generally get these handled pretty fast. If you haven't already -
> recognize that since about mid September the black hats have
> significantly shifted toward image spam, have increased their volumes
> by between 4x and 20x (depending on who you talk to), and have
> increased the rate at which new campaigns are launched by at least 5x.
> 
> If you are seeing image spam leakage check your weighting system (if
> you have one) and be sure that SNF rule groups 60 and 61 are rated
> highly enough to hold a message on their own. Previously we had always
> advised that SNF plus at least one other test should be required to
> hold a message simply for philosophical reasons: no single test should
> hold a message in order to improve accuracy. Unfortunately the recent
> changes in blackhat behavior are such that SNF is often the only test
> to fire on image spams so it has become necessary to abandon that
> tactic in order to minimize leakage.
> 
> Hope this helps,
> 
> _M
> 
> --
> Pete McNeil
> Chief Scientist,
> Arm Research Labs, LLC.
> 
> 







[sniffer] Re: Update Notifications Text Change.

2006-12-05 Thread John T (Lists)
Working good here Pete.

John T
eServices For You

"Life is a succession of lessons which must be lived to be understood."
Ralph Waldo Emerson (1802-1882)



> -Original Message-
> From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
> Sent: Tuesday, December 05, 2006 6:23 AM
> To: Message Sniffer Community
> Subject: [sniffer] Update Notifications Text Change.
> 
> Hello SNF Folks,
> 
> I have just posted a change to the SNF update notifications text. Most
> of you won't notice :-)
> 
> The text was changed to make the messages more descriptive and to
> answer some common questions about the notifications.
> 
> If you key any automated actions from the body of these update
> notifications you will want to revisit that mechanism to see that it
> still works.
> 
> Thanks,
> 
> _M
> 
> --
> Pete McNeil
> Chief Scientist,
> Arm Research Labs, LLC.
> 
> 







[sniffer] Re: Yahoo! Is Retarded

2006-10-26 Thread John T (Lists)









;)

John T
eServices For You

"Life is a succession of lessons which must be lived to be understood."
Ralph Waldo Emerson (1802-1882)

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Thursday, October 26, 2006 8:48 AM
To: Message Sniffer Community
Subject: [sniffer] Re: Yahoo! Is Retarded

I like your new sig, John.

How's this for an addendum?

"Experience is that which you acquire, just after you needed it."

Andrew 8)

From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Thursday, October 26, 2006 8:13 AM
To: Message Sniffer Community
Subject: [sniffer] Re: Yahoo! Is Retarded

You’re preaching to the choir.

John T
eServices For You

"Life is a succession of lessons which must be lived to be understood."
Ralph Waldo Emerson (1802-1882)

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Jonathan Hickman
Sent: Thursday, October 26, 2006 7:24 AM
To: Message Sniffer Community
Subject: [sniffer] Yahoo! Is Retarded

Now, my word choice of 'Retarded' is merely to illuminate the slowness of
Yahoo! in regards to this issue and the severity of their decision and not to
indicate that they are mentally handicapped which is an accusation for which
I have no basis.  However, as evidence of this, please review the following
URLs:

http://ca.answers.yahoo.com/question/index?qid=20061024160658AAAh0QY

http://answers.yahoo.com/question/index?qid=20061024080547AAf54ah

Jonathan Hickman
















[sniffer] Re: Yahoo! Is Retarded

2006-10-26 Thread John T (Lists)









You’re preaching to the choir.

John T
eServices For You

"Life is a succession of lessons which must be lived to be understood."
Ralph Waldo Emerson (1802-1882)

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Jonathan Hickman
Sent: Thursday, October 26, 2006 7:24 AM
To: Message Sniffer Community
Subject: [sniffer] Yahoo! Is Retarded

Now, my word choice of 'Retarded' is merely to illuminate the slowness of
Yahoo! in regards to this issue and the severity of their decision and not to
indicate that they are mentally handicapped which is an accusation for which
I have no basis.  However, as evidence of this, please review the following
URLs:

http://ca.answers.yahoo.com/question/index?qid=20061024160658AAAh0QY

http://answers.yahoo.com/question/index?qid=20061024080547AAf54ah

Jonathan Hickman












[sniffer] Re: Declude header not modified correctly

2006-10-24 Thread John T (Lists)









http://kb.armresearch.com/index.php?title=Message_Sniffer.GettingStarted.Integration

John T
eServices For You

"Seek, and ye shall find!"

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Joe Wolf
Sent: Tuesday, October 24, 2006 4:17 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Declude header not modified correctly

I have this problem as well, but I'm running an older version of Declude.

As far as I know there's no way to fix the problem other than supposedly the
newest version fixes the issue.  I'm not going to spend another penny on
Declude so I'm stuck with the problem unless I switch mail servers.

Declude went downhill when the new owners took over.  They have a group of
worshipers on their list that attacks anyone critical of management which
makes it impossible to give critical information on the product.

I love Sniffer.  I wish all products worked as good as Sniffer does.  I just
wish it didn't run underneath a third party plug in (Declude) to run on Imail
or Smartermail.

Does anyone know of a different mail server that's EASY to use that offers
the features of Imail and doesn't require Declude to run Sniffer?

Thanks,

-Joe

- Original Message -
From: Herb Guenther
To: Message Sniffer Community
Sent: Tuesday, October 24, 2006 6:11 PM
Subject: [sniffer] Re: Declude header not modified correctly

Just as a follow up, I have not had any email returned from Declude in the
last 4 business days.  So, they are just ignoring the problem even tho the
tools are all doing their part to identify the messages are spam, the header
mod is useless so it goes right thru the filters.  So their answer was to
have me update to the latest version, which did not solve the problem, and
then I did not hear back from them after any email and a call.

Herb

Kami Razvan wrote:

We see that a lot too.. we run 2.14

Kami

From: Message Sniffer Community [mailto:sniffer@sortmonster.com] On Behalf Of Darin Cox
Sent: Monday, October 16, 2006 5:44 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Significant increase in false positives

We see this occasionally with Declude 1.82.  What version are you running?

Darin.

- Original Message -
From: Herb Guenther
To: Message Sniffer Community
Sent: Monday, October 16, 2006 5:35 PM
Subject: [sniffer] Re: Significant increase in false positives

Hi Darin;

Not seeing a lot of false pos messages, but there are lots of spam messages
sneaking through our system because declude is not modifying the header
correctly.  It is adding a header stub to the bottom of the message so
that users' mail client filters, which look for the modified subject line,
are not working.  Anyone else having that issue?

Herb

--
Herb Guenther
Lanex, LLC
www.lanex.com
(262)789-0966x102 Office
(262)780-0424 Direct

This e-mail is confidential and is for the use of the intended recipient(s)
only. If you are not an intended recipient please advise us of our error by
return e-mail then delete this e-mail and any attached files. You may not
copy, disclose or use the contents in any way.










[sniffer] Re: Declude header not modified correctly

2006-10-24 Thread John T (Lists)









Declude is not ignoring the problem. David Barker is aware of it and has
responded to discussion concerning this problem on the Declude Junkmail list.

John T
eServices For You

"Seek, and ye shall find!"

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Herb Guenther
Sent: Tuesday, October 24, 2006 4:11 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Declude header not modified correctly

Just as a follow up, I have not had any email returned from Declude in the
last 4 business days.  So, they are just ignoring the problem even tho the
tools are all doing their part to identify the messages are spam, the header
mod is useless so it goes right thru the filters.  So their answer was to
have me update to the latest version, which did not solve the problem, and
then I did not hear back from them after any email and a call.

Herb

Kami Razvan wrote:

We see that a lot too.. we run 2.14

Kami

From: Message Sniffer Community [mailto:sniffer@sortmonster.com] On Behalf Of Darin Cox
Sent: Monday, October 16, 2006 5:44 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Significant increase in false positives

We see this occasionally with Declude 1.82.  What version are you running?

Darin.

- Original Message -
From: Herb Guenther
To: Message Sniffer Community
Sent: Monday, October 16, 2006 5:35 PM
Subject: [sniffer] Re: Significant increase in false positives

Hi Darin;

Not seeing a lot of false pos messages, but there are lots of spam messages
sneaking through our system because declude is not modifying the header
correctly.  It is adding a header stub to the bottom of the message so
that users' mail client filters, which look for the modified subject line,
are not working.  Anyone else having that issue?

Herb

--
Herb Guenther
Lanex, LLC
www.lanex.com
(262)789-0966x102 Office
(262)780-0424 Direct

This e-mail is confidential and is for the use of the intended recipient(s)
only. If you are not an intended recipient please advise us of our error by
return e-mail then delete this e-mail and any attached files. You may not
copy, disclose or use the contents in any way.








[sniffer] Re: FW: Retest (KMM38446283V14479L0KM)

2006-10-18 Thread John T (Lists)
HA HA

HO HO

ROFLOL

Do you really think Yahoo and the other big ego head companies care about
us?

It would take a mass amount of paid Yahoo users to make something happen.

John T
eServices For You

"Seek, and ye shall find!"


> -Original Message-
> From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Tech Support
> Sent: Wednesday, October 18, 2006 6:58 PM
> To: Message Sniffer Community
> Subject: [sniffer] Re: FW: Retest (KMM38446283V14479L0KM)
> 
> The time and resources spent dealing with this add up to serious cash
> 
> I'm thinking class action lawsuit :)
> 
> 
> 
> - Original Message -
> From: "Matrosity Hosting" <[EMAIL PROTECTED]>
> To: "Message Sniffer Community" 
> Sent: Wednesday, October 18, 2006 8:36 PM
> Subject: [sniffer] FW: Retest (KMM38446283V14479L0KM)
> 
> 
> > Whatever, yahoo.
> >
> > You can't just admit your system was hosed and actually still is.
> >
> > Bill Foresman
> > Matrosity Hosting
> > www.matrosity.com
> > 850.656.2644
> >
> > -Original Message-
> > From: Yahoo! Customer Support [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, October 18, 2006 7:39 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: Retest (KMM38446283V14479L0KM)
> >
> > Hello,
> >
> > Thank you for contacting Yahoo! Customer Care.
> >
> > We have investigated the issue described in your report and believe the
> > problem has been resolved. We apologize for any inconvenience.
> >
> > Emails from the mail server(s) you are using have recently become
> > deprioritized due to potential issues with its mailings.
> >
> > These deprioritizations were temporary but may be re-triggered if the
> > sending IP profile continues to be poor. Typically, deprioritizations are
> > triggered by bad individual sender or MAIL FROM profiles.
> >
> > To continue to receive prioritized delivery or if your servers are being
> > delivered to Yahoo! Mail's Bulk Mail folder, please visit the following
> > URL's for more information:
> >
> >   http://help.yahoo.com/help/us/mail/spam/spam-18.html
> >
> >   http://help.yahoo.com/help/us/mail/bulk/bulk-01.html
> >
> > If you are not the administrator for the mail server(s) affected, we
> > encourage you to contact the administrator so they can address the
> > possible issues regarding mailings from the mail server.
> >
> > If you notice any further difficulties with delivering to Yahoo! Mail
> > accounts after this time, please let us know by replying to this email.
> > Please provide the text of any error messages you may have received and a
> > copy of the email (with the full headers). Also, by providing the specific
> > IP address of the mail server that experienced the delivery issue, it will
> > help us to troubleshoot the issue efficiently.
> >
> > Thank you again for contacting Yahoo! Customer Care.
> >
> > Regards,
> >
> > Raoul
> >
> > Yahoo! Customer Care
> > http://www.yahoo.com/
> >
> > 27129662
> >
> >
> >
> > Original Message Follows:
> > -
> >
> > Mail-Id: 1161088172-2180
> > Name: Bill Foresman
> >
> > IPs in the form 255.255.255.255 (separate multiple IP submissions by new
> > lines):
> > 69.8.234.8
> >
> > Indicate the error message(s) you have received.
> > 10:17 00:24 SMTP-(373302740f62)
> > Trying yahoo.com (0)
> >
> > 10:17 00:24 SMTP-(278301774a27)
> > Trying yahoo.com (0)
> >
> > 10:17 00:24 SMTP-(3b5b01fb0583)
> > Trying yahoo.com (0)
> >
> > 10:17 00:24 SMTP-(31dc0257057c)
> > Trying yahoo.com (0)
> >
> > 10:17 00:24 SMTP-(306301c6026c)
> > Trying yahoo.com (0)
> >
> > 10:17 00:24 SMTP-(27c101704a84)
> > Trying yahoo.com (0)
> >
> > 10:17 00:24 SMTP-(370f01ce0f1b)
> > Trying yahoo.com (0)
> >
> > 10:17 00:24 SMTP-(367c02540dfe)
> > Trying yahoo.com (0)
> >
> > 10:17 00:24 SMTP-(3215025705df)
> > Trying yahoo.com (0)
> >
> > 10:17 00:24 SMTP-(37f301fe10c1)
> > Trying yahoo.com (0)
> >
> > 10:17 00:24 SMTP-(2d3e016f53e1)
> > Trying yahoo.com (0)
> >
> > 10:17 00:24 SMTP-(37e5027410aa)
> > Trying yahoo.com (0)
> >
> > 10:17 00:24 SMTP-(39ad01de02b3)
> > Trying yahoo.com (0)
> >
> > 10:17 00:24 SMTP-(2ea30212569a)
> > Trying yahoo.com (0)
> >
> > 10:17 00:24 SMTP-(373302740f62)
> > 451 Message temporarily deferred -
> > 4.16.50
> >
> > Optionally, add a comment to your submission.
> > No clue why this is happening to us!
> > I've checked multiple open relay test
> > and all come back negative.
> >
> > While Viewing: http://help.yahoo.com/help/us/mail/defer/defer-02.html
> >
> > Form Name: http://add2.dir.scd.yahoo.com/fast/help/us/mail/cgi_retest
> > ---
> >
> >
> >
> >
> >

[sniffer] Re: email

2006-10-17 Thread John T (Lists)
I have seen reports that Network Non-Solutions is having DNS Server issues
today.

John T
eServices For You

"Seek, and ye shall find!"


> -Original Message-
> From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
> Sent: Tuesday, October 17, 2006 2:29 PM
> To: Message Sniffer Community
> Subject: [sniffer] Re: email
> 
> Hello Computer,
> 
> Tuesday, October 17, 2006, 3:20:18 PM, you wrote:
> 
> > Dear Pete,
> 
> > I sent an E-mail to the Sniffer Community over an hour ago, and it has not
> > yet been received by anyone.  I noticed that 2pm was the last "sniffer" mail
> > I got.  Are these being held up for some reason?
> 
> I don't think so - at least not on purpose. There have been a lot of
> odd DNS based things going on today.
> 
> I will look into it, but at the moment things seem to be working.
> 
> _M
> 
> --
> Pete McNeil
> Chief Scientist,
> Arm Research Labs, LLC.
> 
> 







[sniffer] Thanks Sniffer

2006-10-10 Thread John T (Lists)
I have noticed in the last couple of weeks a greatly improved response time
in reports of false positives.

Just want to say thanks.

John T
eServices For You

"Seek, and ye shall find!"








[sniffer] Re: Experimental Abstract

2006-10-09 Thread John T (Lists)
I concur Pete in that I have been thinking about upping the weight for the
EXP tests. I recently changed ABST from 20 to 25. I attach at 25, hold at 30
and delete at 35.

SNIFFER-TRAVEL       47  20
SNIFFER-INSURANCE    48  20
SNIFFER-AV-PUSH      49  20
SNIFFER-WAREZ        50  30
SNIFFER-SPAMWARE     51  40
SNIFFER-SNAKEOIL     52  40
SNIFFER-SCAMS        53  40
SNIFFER-PORN         54  40
SNIFFER-MALWARE      55  25
SNIFFER-INKPRINTING  56  20
SNIFFER-SCHEMES      57  30
SNIFFER-CREDIT       58  30
SNIFFER-GAMBLING     59  30
SNIFFER-GENERAL      60  25
SNIFFER-EXP-ABST     61  25
SNIFFER-OBFUSCATION  62  25
SNIFFER-EXP-IP       63  20

John T
eServices For You

"Seek, and ye shall find!"

> -Original Message-
> From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
> Sent: Monday, October 09, 2006 3:15 PM
> To: Message Sniffer Community
> Subject: [sniffer] Re: Experimental Abstract
> 
> Hello Alberto,
> 
> In earlier times we had a philosophy that no single test should trap a
> message. The idea was that by combining tests the accuracy of the
> filter system would always (qualified) be improved.
> 
> The blackhats have become extremely aggressive about burning IPs and
> generating image spam and/or other abstracted, short lived, and
> narrowly targeted campaigns.
> 
> As a result of these changes, it is often the case that our abstract
> rules are the only thing that will fire on a message.
> 
> The bad news is that holding on any single test will probably lead to
> more false positives.
> 
> The good news is that SNF:Experimental/Abstract has a very low false
> positive rate.
> 
> It may be time to alter our philosophy w/ regard to the
> experimental/abstract rules group and recommend that wherever
> practical, messages should probably be held (not deleted) based on a
> hit in this rule group.
> 
> Hope this helps,
> 
> _M
> 
> Monday, October 9, 2006, 5:59:44 PM, you wrote:
> 
> > Hello
> 
> > I'm getting storms of spam and Sniffer sets them as (Experimental
> > Abstract)
> > Can someone explain how have I to treat them?
> 
> > Many thanks in advance
> > Alberto
> 
> --
> Pete McNeil
> Chief Scientist,
> Arm Research Labs, LLC.
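Pete's point about acting on a single test can be checked against John T's numbers. The script below is an added example, not part of either message or of Declude or Message Sniffer; it reads the second column of the listing as the Sniffer result code (an assumption) and uses John's attach/hold/delete thresholds to show what a lone hit on each test does.

```python
import re
from collections import defaultdict

# John T's listing, copied from the message above: test name, second column
# (read here as the Sniffer result code, an assumption), weight.
LISTING = """\
SNIFFER-TRAVEL       47  20
SNIFFER-INSURANCE    48  20
SNIFFER-AV-PUSH      49  20
SNIFFER-WAREZ        50  30
SNIFFER-SPAMWARE     51  40
SNIFFER-SNAKEOIL     52  40
SNIFFER-SCAMS        53  40
SNIFFER-PORN         54  40
SNIFFER-MALWARE      55  25
SNIFFER-INKPRINTING  56  20
SNIFFER-SCHEMES      57  30
SNIFFER-CREDIT       58  30
SNIFFER-GAMBLING     59  30
SNIFFER-GENERAL      60  25
SNIFFER-EXP-ABST     61  25
SNIFFER-OBFUSCATION  62  25
SNIFFER-EXP-IP       63  20
"""

# Thresholds in John's words: attach at 25, hold at 30, delete at 35.
THRESHOLDS = (("delete", 35), ("hold", 30), ("attach", 25))  # highest first

# Test names hold only letters and hyphens, so the code column can still be
# split off when an archive has collapsed the gap ("SNIFFER-SPAMWARE51  40").
_ROW = re.compile(r"^(SNIFFER-[A-Z]+(?:-[A-Z]+)*)\s*(\d+)\s+(\d+)$")


def parse_listing(text):
    """Return [(name, code, weight), ...]; raise on a row that does not parse."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        m = _ROW.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: unrecognised row {line!r}")
        rows.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return rows


def action_for(total_weight):
    """Strongest action whose threshold the total weight reaches."""
    for action, floor in THRESHOLDS:
        if total_weight >= floor:
            return action
    return "none"


def lone_hit_audit(rows):
    """Group tests by what happens when that test is the only one that fires."""
    groups = defaultdict(list)
    for name, _code, weight in rows:
        groups[action_for(weight)].append(name)
    return dict(groups)


def weight_window(action):
    """Inclusive weight range in which a lone hit triggers exactly `action`."""
    floors = dict(THRESHOLDS)
    higher = [f for f in floors.values() if f > floors[action]]
    return floors[action], (min(higher) - 1 if higher else None)


def extra_needed(weight, action):
    """Points other tests must add before a hit at `weight` reaches `action`."""
    return max(0, dict(THRESHOLDS)[action] - weight)


if __name__ == "__main__":
    rows = parse_listing(LISTING)
    for action, names in lone_hit_audit(rows).items():
        print(f"{action:>6}: {', '.join(names)}")
    low, high = weight_window("hold")
    print(f"hold-but-not-delete on a lone hit needs a weight of {low}..{high}")
    print("EXP-ABST at 25 needs", extra_needed(25, "hold"), "more points to hold")
```

With these numbers a lone EXP-ABST hit is only tagged, while the four tests weighted 40 delete on their own; holding without deleting on a single hit needs a weight inside the window the script prints.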



[sniffer] Re: [Fwd: keep up with the jones']

2006-10-03 Thread John T (Lists)
???/

John T
eServices For You

"Seek, and ye shall find!"

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
Of Kim W. Premuda
Sent: Tuesday, October 03, 2006 6:00 PM
To: Message Sniffer Community
Subject: [sniffer] [Fwd: keep up with the jones']



 Original Message  
Subject: keep up with the jones'
Date: Tue, 03 Oct 2006 17:52:39 -0800
From: Larry Swinton <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]

tips to live by... 




2: And he said, Behold now, I am old, I know not the day of my death: 
31: And the plenty shall not be known in the land by reason of that famine
following; for it shall be very grievous. 
7: And the sons of Jacob came out of the field when they heard it: and the
men were grieved, and they were very wroth, because he had wrought folly in
Israel in lying with Jacob's daughter; which thing ought not to be done. 
4: Unstable as water, thou shalt not excel; because thou wentest up to thy
father's bed; then defiledst thou it: he went up to my couch. 
24: And God said, Let the earth bring forth the living creature after his
kind, cattle, and creeping thing, and beast of the earth after his kind: and
it was so. 
31: And the plenty shall not be known in the land by reason of that famine
following; for it shall be very grievous. 
5: And in the fourteenth year came Chedorlaomer, and the kings that were
with him, and smote the Rephaims in Ashteroth Karnaim, and the Zuzims in
Ham, and the Emims in Shaveh Kiriathaim, 
32: And the man came into the house: and he ungirded his camels, and gave
straw and provender for the camels, and water to wash his feet, and the
men's feet that were with him. 
5: And Abraham said unto his young men, Abide ye here with the ass; and I
and the lad will go yonder and worship, and come again to you, 
17: And these are the sons of Reuel Esau's son; duke Nahath, duke Zerah,
duke Shammah, duke Mizzah: these are the dukes that came of Reuel in the
land of Edom; these are the sons of Bashemath Esau's wife. 
30: And Joseph made haste; for his bowels did yearn upon his brother: and he
sought where to weep; and he entered into his chamber, and wept there. 






[sniffer] Re: Sharon Daniels is out of the office.

2006-08-07 Thread John T (Lists)
Bleeping wonderful.

We have to put up with this for a week?

I guess a nice little Outlook rule is called for.

John T
eServices For You

"Seek, and ye shall find!"


> -Original Message-
> From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of
> [EMAIL PROTECTED]
> Sent: Monday, August 07, 2006 10:02 AM
> To: Message Sniffer Community
> Subject: [sniffer] Sharon Daniels is out of the office.
> 
> 
> 
> 
> 
> I will be out of the office starting  07/08/2006 and will not return until
> 15/08/2006.
> 
> I will respond to your message when I return.  If your request is urgent
> please resend your message to [EMAIL PROTECTED] or call 623-5700.
> 
> Have a great day!
> Sharon
> 







[sniffer] Re: Fwd: Re: ------------------------------------------------

2006-08-03 Thread John T (Lists)








As Pete has said before, do not send spam reports to the list.

There is a separate appropriate email address for that.

John T
eServices For You

"Seek, and ye shall find!"

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of
Filippo Palmili
Sent: Thursday, August 03, 2006 2:08 AM
To: Message Sniffer Community
Subject: [sniffer] Fwd: Re: Prima esperienza di striptease e poi sesso anale trovi qui

Hello,
please include in rules this SPAM.

regards
Filippo


[sniffer] Re: Help

2006-07-27 Thread John T (Lists)








Stop using the silly WHITELIST TODOMAIN for one thing.

What is the IP address they are coming from? Could be a compromised client?

John T
eServices For You

"Seek, and ye shall find!"

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of
Filippo Palmili
Sent: Thursday, July 27, 2006 9:11 AM
To: Message Sniffer Community
Subject: [sniffer] Re: Help

These:

#=   WHITELISTS   ===

#WHITELIST  HABEAS
PREWHITELIST    ON
WHITELIST   AUTH
#WHITELIST  LOCAL

#(PRO version only) enables addresses in the web address book to automatically be white listed.
#AUTOWHITELIST  ON

# - Domain Example ->   WHITELIST   FROM   @declude.com

# - User Example   ->   WHITELIST   FROM   [EMAIL PROTECTED]

# - IP Example -
#WHITELIST  IP   63.246.13.90

# - TO  Example -
#WHITELIST  TO   postmaster@
#WHITELIST  TO   abuse@

WHITELIST TO [EMAIL PROTECTED]
WHITELIST TO [EMAIL PROTECTED]

WHITELIST TODOMAIN @mydomain
WHITELIST TODOMAIN @mydomain
WHITELIST TODOMAIN @mydomain
WHITELIST TODOMAIN @mydomain


Filippo

At 18:06 27/07/2006, you wrote:

***
My mail server has the relay activated only for certain IP addresses and
networks.
Filippo
***

Sorry, I didn't read your message close enough.

What whitelist settings do you have in global.cfg?

Paul Navarre


[sniffer] Re: My rulebase download and log upload script

2006-07-10 Thread John T (Lists)
Reading through the updated script, I notice you are uploading the log file
whenever the script runs. I currently upload the log file once per day.

Pete, what is the preferred timing for uploading the log file?

John T
eServices For You

"Seek, and ye shall find!"


> -Original Message-
> From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of
> Colbeck, Andrew
> Sent: Friday, July 07, 2006 6:24 PM
> To: Message Sniffer Community
> Subject: [sniffer] My rulebase download and log upload script
> 
> The last thing before I leave for the weekend...
> 
> I finally got around to updating my download/upload script so that I can
> upload compressed logs.
> 
> In the course of doing that, I found that my upgraded version of wget
> has changed its behaviour; as of the 1.10.x series, if you specify -O to
> specify the target filename, various options are ignored including the
> -N for "download only if server side is newer".  Therefore, ever since I
> upgraded my wget, I've been downloading a compressed rulebase file on
> *each* run.
> 
> Some of this script is antique and some of it is new.  I just downloaded
> the "standard download script" that Bill Landry ushered into this world,
> and my script was certainly informed by the discussions of that on this
> list.
> 
> (I'm not trying to replace that script, I'm just giving credit where
> credit is due.)
> 
> My .cmd file script is attached as a .txt file; as I mentioned a while
> back, I use both the IMail "external script" mailbox method to launch
> this file when SortMonster/ARM sends me my notification, and I also run
> it on a schedule with the AT command so that one of them will work to
> get timely updates.
> 
> Andrew 8)
> 







[sniffer] Re: My rulebase download and log upload script

2006-07-07 Thread John T (Lists)
Weekend, what is that?

Thanks Andrew.

John T
eServices For You

"Seek, and ye shall find!"


> -Original Message-
> From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of
> Colbeck, Andrew
> Sent: Friday, July 07, 2006 6:24 PM
> To: Message Sniffer Community
> Subject: [sniffer] My rulebase download and log upload script
> 
> The last thing before I leave for the weekend...
> 
> I finally got around to updating my download/upload script so that I can
> upload compressed logs.
> 
> In the course of doing that, I found that my upgraded version of wget
> has changed its behaviour; as of the 1.10.x series, if you specify -O to
> specify the target filename, various options are ignored including the
> -N for "download only if server side is newer".  Therefore, ever since I
> upgraded my wget, I've been downloading a compressed rulebase file on
> *each* run.
> 
> Some of this script is antique and some of it is new.  I just downloaded
> the "standard download script" that Bill Landry ushered into this world,
> and my script was certainly informed by the discussions of that on this
> list.
> 
> (I'm not trying to replace that script, I'm just giving credit where
> credit is due.)
> 
> My .cmd file script is attached as a .txt file; as I mentioned a while
> back, I use both the IMail "external script" mailbox method to launch
> this file when SortMonster/ARM sends me my notification, and I also run
> it on a schedule with the AT command so that one of them will work to
> get timely updates.
> 
> Andrew 8)
> 







Re: [sniffer]Numeric spam

2006-06-06 Thread John T (Lists)








My thought is they are either building a db of valid names or testing
delivery techniques.

John T
eServices For You

"Seek, and ye shall find!"

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of
Steve Guluk
Sent: Tuesday, June 06, 2006 3:46 PM
To: Message Sniffer Community
Subject: Re: [sniffer]Numeric spam

On Jun 6, 2006, at 7:51 AM, Steve Guluk wrote:

We're getting the same and today it started hitting a different account
(Domain).

What are these things? I thought exploratory, maybe looking for replies to
build a DB for a later spam wave? They're not malicious in content and look
like someone's virus working incorrectly. But, I doubt they are really so
benign.

Anyone understand their purpose?

On Jun 6, 2006, at 6:32 AM, Goran Jovanovic wrote:

I started seeing these messages Monday (yesterday) morning EDT. The from
and to are the same (ie you sent it to yourself). I am tagging it but
there is not enough stuff to push it into DELETE territory.

So no one has any idea what the purpose of these emails are?

Random numbers for no apparent reason...?

Regards,

Steve Guluk
SGDesign
(949) 661-9333
ICQ: 7230769


Re: [sniffer]Sniffer updates down?

2006-06-02 Thread John T (Lists)
Well, I figured out what the problem is, sort of.

This last Monday I finally reconfigured the network at my Data Center for
using 2 Internet connections. 

For some reason, DNS queries going out the secondary connection are timing
out.

Fun Fun Fun.

John T
eServices For You

"Seek, and ye shall find!"


> -Original Message-
> From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of
> Goran Jovanovic
> Sent: Friday, June 02, 2006 3:57 PM
> To: Message Sniffer Community
> Subject: Re: [sniffer]Sniffer updates down?
> 
> Hi John,
> 
> I got my Sniffer update at 5:03 pm no problem from Toronto
> 
> Goran Jovanovic
> Omega Network Solutions
> 
> -Original Message-
> From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On
> Behalf Of John T (Lists)
> Sent: Friday, June 02, 2006 5:23 PM
> To: Message Sniffer Community
> Subject: [sniffer]Sniffer updates down?
> 
> I am getting errors since late last night that host can not be found.
> 
> John T
> eServices For You
> 
> "Seek, and ye shall find!"







[sniffer]Sniffer updates down?

2006-06-02 Thread John T (Lists)
I am getting errors since late last night that host can not be found.

John T
eServices For You

"Seek, and ye shall find!"







Re: [sniffer]Possible Paypal Phishing

2006-05-24 Thread John T (Lists)
But how is PayPal's DNS involved in this as at what point are the Paypal DNS
servers queried?

John T
eServices For You

"Seek, and ye shall find!"


> -Original Message-
> From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of
> Colbeck, Andrew
> Sent: Wednesday, May 24, 2006 9:38 AM
> To: Message Sniffer Community
> Subject: Re: [sniffer]Possible Paypal Phishing
> 
> It's really from PostDirect.com aka YesMail.com ...
> 
> You can tell that it's authorized because the reverse DNS which ends in
> PayPal.com (ok, that does set off alarm bells when it's someone else's
> netblock) matches the forward lookup of the resulting address at PayPal.
> 
> Therefore, PayPal is deliberately allowing that reverse IP in someone
> else's netblock.
> 
> That, or both the netblock and PayPal's DNS have been p0wned.
> 
> Andrew 8)
> 
> 
> 
> > -----Original Message-
> > From: Message Sniffer Community
> > [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
> > Sent: Wednesday, May 24, 2006 9:31 AM
> > To: Message Sniffer Community
> > Subject: [sniffer]Possible Paypal Phishing
> >
> > Attached are the headers to an e-mail I am suspecting as a
> > clever phishing that has me worried.
> >
> > It looks like a legit message sent on behalf of Paypal,
> > however, it is sent from an IP address not owned by Paypal
> > BUT which has a REVDNS that ends in paypal.com.
> >
> > The message is full of links to images.postdirect.com but
> > does have legit links to paypal.com.
> >
> > John T
> > eServices For You
> >
> > "Seek, and ye shall find!"
> >
> >
> 







Re: [sniffer]Possible Paypal Phishing

2006-05-24 Thread John T (Lists)
That is what has me worried.

John T
eServices For You

"Seek, and ye shall find!"


> -Original Message-
> From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Jay
> Sudowski - Handy Networks LLC
> Sent: Wednesday, May 24, 2006 9:51 AM
> To: Message Sniffer Community
> Subject: Re: [sniffer]Possible Paypal Phishing
> 
> The owner of a domain need not authorize a reverse DNS PTR record in any
> way, shape or form.  If the netblock was owned, or the netblock owner
> had delegated rDNS to a malicious customer, they could easily set rDNS
> to whatever they wanted.  Aol.com, paypal.com, ebay.com, chase.com ...
> 
> -Jay
> -Original Message-
> From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On
> Behalf Of Colbeck, Andrew
> Sent: Wednesday, May 24, 2006 12:38 PM
> To: Message Sniffer Community
> Subject: Re: [sniffer]Possible Paypal Phishing
> 
> It's really from PostDirect.com aka YesMail.com ...
> 
> You can tell that it's authorized because the reverse DNS which ends in
> PayPal.com (ok, that does set off alarm bells when it's someone else's
> netblock) matches the forward lookup of the resulting address at PayPal.
> 
> Therefore, PayPal is deliberately allowing that reverse IP in someone
> else's netblock.
> 
> That, or both the netblock and PayPal's DNS have been p0wned.
> 
> Andrew 8)
> 
> 
> 
> > -Original Message-
> > From: Message Sniffer Community
> > [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
> > Sent: Wednesday, May 24, 2006 9:31 AM
> > To: Message Sniffer Community
> > Subject: [sniffer]Possible Paypal Phishing
> >
> > Attached are the headers to an e-mail I am suspecting as a
> > clever phishing that has me worried.
> >
> > It looks like a legit message sent on behalf of Paypal,
> > however, it is sent from an IP address not owned by Paypal
> > BUT which has a REVDNS that ends in paypal.com.
> >
> > The message is full of links to images.postdirect.com but
> > does have legit links to paypal.com.
> >
> > John T
> > eServices For You
> >
> > "Seek, and ye shall find!"
> >
> >
> 







Re: [sniffer]Possible Paypal Phishing

2006-05-24 Thread John T (Lists)
Disregard my last post.

John T
eServices For You

"Seek, and ye shall find!"


> -Original Message-
> From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of
> Colbeck, Andrew
> Sent: Wednesday, May 24, 2006 9:38 AM
> To: Message Sniffer Community
> Subject: Re: [sniffer]Possible Paypal Phishing
> 
> It's really from PostDirect.com aka YesMail.com ...
> 
> You can tell that it's authorized because the reverse DNS which ends in
> PayPal.com (ok, that does set off alarm bells when it's someone else's
> netblock) matches the forward lookup of the resulting address at PayPal.
> 
> Therefore, PayPal is deliberately allowing that reverse IP in someone
> else's netblock.
> 
> That, or both the netblock and PayPal's DNS have been p0wned.
> 
> Andrew 8)
> 
> 
> 
> > -----Original Message-
> > From: Message Sniffer Community
> > [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
> > Sent: Wednesday, May 24, 2006 9:31 AM
> > To: Message Sniffer Community
> > Subject: [sniffer]Possible Paypal Phishing
> >
> > Attached are the headers to an e-mail I am suspecting as a
> > clever phishing that has me worried.
> >
> > It looks like a legit message sent on behalf of Paypal,
> > however, it is sent from an IP address not owned by Paypal
> > BUT which has a REVDNS that ends in paypal.com.
> >
> > The message is full of links to images.postdirect.com but
> > does have legit links to paypal.com.
> >
> > John T
> > eServices For You
> >
> > "Seek, and ye shall find!"
> >
> >
> 







[sniffer]Possible Paypal Phishing

2006-05-24 Thread John T (Lists)
Attached are the headers to an e-mail I am suspecting as a clever phishing
that has me worried.

It looks like a legit message sent on behalf of Paypal, however, it is sent
from an IP address not owned by Paypal BUT which has a REVDNS that ends in
paypal.com.

The message is full of links to images.postdirect.com but does have legit
links to paypal.com.

John T
eServices For You

"Seek, and ye shall find!"

Received: from srv5.eservicesforyou.net [67.94.227.40] by
 mail.eservicesforyou.net (SMTPD-8.20) id A02A059C;
 Tue, 23 May 2006 12:19:06 -0700
Received: from email-83.paypal.com ([206.165.246.83]) by
 srv5.eservicesforyou.net with Microsoft SMTPSVC(6.0.3790.1830);
 Tue, 23 May 2006 12:19:04 -0700
DomainKey-Signature: a=rsa-sha1;
 
h=Date:From:Subject:To:X-Header-CompanyDBUserName:Errors-To:List-Unsubscribe:Reply-To:X-Header-MasterId:X-Header-Versions:Message-ID:MIME-Version:Content-Type;
 
b=WlXEq1pDWhpajVdRtFzPcMshLTMrz08l/ijYdx+vckIXWxVdYeyr5NIpJxQeNPWyUCarrOPq21w4dRyp2X6KbCRrHgHIfPkX2eXvho3C4KwridkCfzshGGflsDPpkiHE;
 c=nofws; d=email.paypal.com;
 q=dns; s=yesmail1
Date: Tue, 23 May 2006 12:11:03 PDT
From: PayPal <[EMAIL PROTECTED]>
Subject: New: Tips, ID Theft Q&A, and more
To: "Srikanth Gudapati" <[EMAIL PROTECTED]>
X-Header-CompanyDBUserName: paypal
Errors-To: [EMAIL PROTECTED]
List-Unsubscribe: 
Reply-To: [EMAIL PROTECTED]
X-Header-MasterId: 905605
X-Header-Versions: [EMAIL PROTECTED]
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: text/html;
 charset=us-ascii
Return-Path: [EMAIL PROTECTED]
X-OriginalArrivalTime: 23 May 2006 19:19:04.0536 (UTC)
 FILETIME=[C157CD80:01C67E9D]
X-RBL-Warning: SPAMCHECK: Message failed SPAMCHECK: 10.
X-RBL-Warning: WHITEFILTER3: Message failed WHITEFILTER3 test (line 28, weight -25)
X-RBL-Warning: GRAYFILTER1: Message failed GRAYFILTER1 test (line 145, weight 5)
X-RBL-Warning: GRAYFILTER2: Message failed GRAYFILTER2 test (line 5, weight 5)
X-RBL-Warning: SUBJECTSTART_IS: Message failed SUBJECTSTART_IS test (line 52,
 weight 15) (weight capped at 15)
X-RBL-Warning: KEYSUBJECT: Message failed KEYSUBJECT test (line 85, weight 15)
X-Note: ###
X-Note:  This message scanned by eServices For You for viruses and junkmail.
X-Note:  Scan time start at 12:20:50 on 23 May 2006.
X-Note:  Total weight of message as a result of tests: 28
X-Note:  TESTS FAILED: NOABUSE, IPNOTINMX, NOLEGITCONTENT, SPAMCHECK,
 SUBJECTSTART_IS, KEYSUBJECT
X-Note:  Sender is [EMAIL PROTECTED] and spool file is D602a007c3bbd.smd
X-Note:  This E-mail was received from RevDNS: [email-83.paypal.com]
X-Note:  This e-mail was received from IP: [206.165.246.83]
X-Note:  To report any issues, please contact [EMAIL PROTECTED]
X-Note: 
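The disagreement in the replies above, as an added example (not code from any poster or from Message Sniffer): a PTR record is set by whoever controls the netblock, so the name carries weight only when a forward lookup of that name returns the same IP and the name really sits under the expected domain. The DNS tables, the 203.0.113.7 and 198.51.100.9 addresses and the paypal.com.example.net name are constructed; the resolvers are passed in so the check runs offline.

```python
import ipaddress
import re
import socket
from typing import NamedTuple, Optional

# The two X-Note lines from the headers posted above.
POSTED_XNOTES = """\
X-Note:  This E-mail was received from RevDNS: [email-83.paypal.com]
X-Note:  This e-mail was received from IP: [206.165.246.83]
"""

# Constructed DNS data. The first PTR/A pair mirrors the state Andrew
# described on the list; the other entries are invented test cases.
PTR = {
    "206.165.246.83": "email-83.paypal.com",
    "203.0.113.7": "email-83.paypal.com",           # PTR claims the name...
    "198.51.100.9": "mail.paypal.com.example.net",  # name only contains it
}
FORWARD = {
    "email-83.paypal.com": {"206.165.246.83"},      # ...forward zone disagrees
    "mail.paypal.com.example.net": {"198.51.100.9"},
}


class Verdict(NamedTuple):
    status: str
    ptr_name: Optional[str]


def parse_xnotes(headers):
    """Return (revdns_name, ip) from the scanner's X-Note lines."""
    name = re.search(r"received from RevDNS: \[([^\]]+)\]", headers, re.I)
    ip = re.search(r"received from IP: \[([^\]]+)\]", headers, re.I)
    if not (name and ip):
        raise ValueError("RevDNS/IP X-Note lines not found")
    return name.group(1), ip.group(1)


def in_domain(name, domain):
    """True only for the domain itself or a label-aligned subdomain of it."""
    name, domain = name.rstrip(".").lower(), domain.rstrip(".").lower()
    return name == domain or name.endswith("." + domain)


def fcrdns(ip, expected_domain, ptr_lookup, fwd_lookup):
    """Forward-confirmed reverse DNS check for one connecting IP."""
    addr = ipaddress.ip_address(ip)
    name = ptr_lookup(str(addr))
    if not name:
        return Verdict("no-ptr", None)
    forward = {ipaddress.ip_address(a) for a in fwd_lookup(name)}
    if addr not in forward:
        # Only the netblock operator vouches for this name (Jay's point).
        return Verdict("ptr-unconfirmed", name)
    if not in_domain(name, expected_domain):
        return Verdict("confirmed-other-domain", name)
    # Whoever runs the forward zone also publishes this IP (Andrew's point).
    return Verdict("confirmed-in-domain", name)


def table_ptr(ip):
    return PTR.get(ip)


def table_forward(name):
    return FORWARD.get(name.lower(), set())


def system_ptr(ip):
    """Live PTR lookup through the system resolver."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def system_forward(name):
    """Live forward lookup; drops any IPv6 scope suffix."""
    try:
        return {info[4][0].split("%")[0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()


def check_constructed(ip, expected_domain="paypal.com"):
    return fcrdns(ip, expected_domain, table_ptr, table_forward)


if __name__ == "__main__":
    _claimed, posted_ip = parse_xnotes(POSTED_XNOTES)
    for ip in (posted_ip, "203.0.113.7", "198.51.100.9", "192.0.2.1"):
        print(ip, check_constructed(ip))
```

Passing system_ptr and system_forward to fcrdns in place of the table functions runs the same check against live DNS.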



Re: [sniffer]SpamStorm!

2006-05-20 Thread John T (Lists)
Another thing I am seeing that I need to investigate more is possible spam
from say paypal and the REVDNS ends in say paypal.com. But it will have to
wait until Sunday night.

John T
eServices For You

"Seek, and ye shall find!"

> -Original Message-
> From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of
> Pete McNeil
> Sent: Saturday, May 20, 2006 2:19 PM
> To: Message Sniffer Community
> Subject: [sniffer]SpamStorm!
> 
> Hello Sniffer Folks,
> 
> It's been a while since I've made an announcement like this, but I
> thought I would warn you if you're not already seeing it---
> 
> Today we have seen several high amplitude bursts of new spam that
> appear to be coordinated to hit at a particular moment. These bursts
> appear to contain campaigns in "all flavors" and appear to be from a
> wide variety of sources (as identified by coding tactics,
> methodologies, subject matter, obfuscation techniques, etc...)
> 
> It appears to me that even factions which generally don't get along
> are more than happy to jump on the "burst" bandwagon at present.
> 
> About 30 hours ago the first heavy burst began with new spam and
> variants arriving at a rate 6 times normal.
> 
> Another similar burst is currently underway which began roughly 3
> hours ago and has sustained a similar rate throughout that period.
> 
> Not only is the rate of new variations very high but the overall
> bandwidth of the campaigns is also very high.
> 
> This overall pattern of bursts seems to have begun roughly 3 days ago
> - perhaps around the time of the demise of bluesky.
> 
> The pattern of traffic is very similar to the pattern that we saw
> beginning last year when we identified an apparent shift in spam
> delivery patterns:
> 
> http://www.sortmonster.com/MessageSniffer/Help/Papers/OrganizedBlackHats/
> 
> I've attached images of our current 2 day and 30 day graphs for those
> who are interested in such things.
> 
> I recommend that if you have a way to tune your systems to be more
> strict (perhaps at the expense of some FPs) then now might be a good
> time to make that tradeoff.
> 
> Best,
> 
> _M
> 
> --
> Pete McNeil
> Chief Scientist,
> Arm Research Labs, LLC.






RE: [sniffer] Test

2006-05-15 Thread John T (Lists)
Pong

John T
eServices For You

"Seek, and ye shall find!"


> -Original Message-
> From: sniffer@sortmonster.com [mailto:[EMAIL PROTECTED] On Behalf Of Pete
> McNeil
> Sent: Monday, May 15, 2006 10:12 PM
> To: sniffer@sortmonster.com
> Subject: Test
> 
> Hello sniffer,
> 
>   Just testing.
> 
> --
> Pete McNeil
> Chief Scientist,
> Arm Research Labs, LLC.
> 




This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html


RE: Re[4]: [sniffer] Lot of Drugs Spam getting through sniffer....

2006-05-05 Thread John T (Lists)
Just when you think we won the battle, they move the targets and change the
rules.

This is why we need people like Pete and Darrell to help us fight this ever
changing war.

A big thanks.

John T
eServices For You

"Seek, and ye shall find!"


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of Pete McNeil
> Sent: Friday, May 05, 2006 11:37 AM
> To: John T (Lists)
> Subject: Re[4]: [sniffer] Lot of Drugs Spam getting through sniffer
> 
> On Friday, May 5, 2006, 1:08:14 PM, John wrote:
> 
> JTL> Well, I am at the point that I could care less about geocities false
> JTL> positives. If GeoCities is going to allow this much spam junk then I
> JTL> could care less about allowing them.
> 
> That's fine.
> 
> There are probably a number of systems that feel that way. I only
> meant to say that we've tried a "block-first" strategy w/ geocities
> before and had to remove it. YMMV.
> 
> You should also know (may remember) that the blackhats experimented a
> while ago with using several other hosting sites, including msn, and
> seeding them in round-robin fashion so that they all appeared in each
> campaign. Since this experiment stopped abruptly I doubt that it has
> been abandoned - rather, it was put on the shelf for a while. At the
> time it was clearly effective for them. I think it likely they will do
> that again (don't know when) since they are putting some new effort
> into this path. I don't have any evidence of it yet.
> 
> I discovered that on 20060503 the blackhats made some significant
> changes to their use of geocities links and their transmission
> patterns. I've re-tuned the F002 bot to compensate and it is currently
> reviewing a handful of new geocities links every minute and adding
> approximately 1.2 new rules per minute.
> 
> I suspect that the lull we observed may have had something to do with
> their "tooling up" for this set of campaigns.
> 
> _M





RE: Re[2]: [sniffer] Lot of Drugs Spam getting through sniffer....

2006-05-05 Thread John T (Lists)
Well, I am at the point that I could care less about geocities false
positives. If GeoCities is going to allow this much spam junk then I could
care less about allowing them.

John T
eServices For You

"Seek, and ye shall find!"


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of Pete McNeil
> Sent: Friday, May 05, 2006 9:09 AM
> To: John T (Lists)
> Subject: Re[2]: [sniffer] Lot of Drugs Spam getting through sniffer
> 
> We've had that rule before and had to pull it for false positives.
> 
> _M
> 
> 
> On Friday, May 5, 2006, 11:41:50 AM, John wrote:
> 
> JTL> FYI, I created a Declude Filter:
> 
> JTL> Subject END NOTCONTAINS news
> JTL> BODY 25 CONTAINS http://geocities.com/
> 
> JTL> Been catching every one like that.
> 
> JTL> John T
> JTL> eServices For You
> 
> JTL> "Seek, and ye shall find!"
> 
> 
> >> -Original Message-
> >> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> >> Behalf Of Daniel Bayerdorffer
> >> Sent: Friday, May 05, 2006 7:38 AM
> >> To: sniffer@SortMonster.com
> >> Subject: RE: [sniffer] Lot of Drugs Spam getting through sniffer
> >>
> >> Here too.
> >>
> >> --
> >> Daniel Bayerdorffer  [EMAIL PROTECTED]
> >> Numberall Stamp & Tool Co., Inc.
> >> PO Box 187 Sangerville, ME 04479 USA
> >> TEL 207-876-3541  FAX 207-876-3566
> >> www.numberall.com
> >>
> >>
> >>
> >> > -Original Message-
> >> > From: [EMAIL PROTECTED]
> >> > [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Schick
> >> > Sent: Friday, May 05, 2006 10:34 AM
> >> > To: sniffer@sortmonster.com
> >> > Subject: [sniffer] Lot of Drugs Spam getting through sniffer
> >> >
> >> > The last few days tons of Drugs spam is coming in and sniffer
> >> > is catching none of it.
> >> >
> >> > Chuck Schick
> >> > Warp 8, Inc.
> >> > (303)-421-5140
> >> > www.warp8.com


RE: [sniffer] Lot of Drugs Spam getting through sniffer....

2006-05-05 Thread John T (Lists)
FYI, I created a Declude Filter:

Subject END NOTCONTAINS news
BODY 25 CONTAINS http://geocities.com/

Been catching every one like that.

John T
eServices For You

"Seek, and ye shall find!"


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of Daniel Bayerdorffer
> Sent: Friday, May 05, 2006 7:38 AM
> To: sniffer@SortMonster.com
> Subject: RE: [sniffer] Lot of Drugs Spam getting through sniffer
> 
> Here too.
> 
> --
> Daniel Bayerdorffer  [EMAIL PROTECTED]
> Numberall Stamp & Tool Co., Inc.
> PO Box 187 Sangerville, ME 04479 USA
> TEL 207-876-3541  FAX 207-876-3566
> www.numberall.com
> 
> 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Schick
> > Sent: Friday, May 05, 2006 10:34 AM
> > To: sniffer@sortmonster.com
> > Subject: [sniffer] Lot of Drugs Spam getting through sniffer
> >
> > The last few days tons of Drugs spam is coming in and sniffer
> > is catching none of it.
> >
> > Chuck Schick
> > Warp 8, Inc.
> > (303)-421-5140
> > www.warp8.com


[sniffer] Updates slow

2006-03-20 Thread John T (Lists)
It seems today that updates have been slow to retrieve, the last one
averaging 54 Kbps. Updates are triggered on the e-mail update notice.

John T
eServices For You

"Seek, and ye shall find!"






RE: Re[2]: [sniffer] New Web Site!

2006-03-17 Thread John T (Lists)
Pete, while I fully understand all of what you said, allowing any one
registered to edit any page is leaving things wide open for abuse. Isn't
there a way to set permissions on a section basis? Example, I should not
have the ability to edit the recent events page and not that I would, but I
am human and humans make mistakes and do dumb things from time to time.

John T
eServices For You

"Seek, and ye shall find!"


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of Pete McNeil
> Sent: Friday, March 17, 2006 9:30 AM
> To: John T (Lists)
> Subject: Re[2]: [sniffer] New Web Site!
> 
> On Friday, March 17, 2006, 11:53:58 AM, John wrote:
> 
> JTL> What is the purpose of using a WIKI site?
> 
> A few things really -
> 
> * It's fast and easy to create, update, and correct the content.
> Things happen quickly here and in the messaging security business in
> general. It makes sense to use tools that can adapt just as quickly
> and with as little friction as possible.
> 
> * Some of our user community contribute software and technical
> knowledge on a regular basis. A wiki makes that process easier. This
> is particularly useful where SNF overlaps with other software - The
> folks who use, develop, or maintain that software can now participate
> openly in developing documentation for that work.
> 
> * We've always maintained a collaborative relationship with our
> customers and this helps to enforce that point.
> 
> * One of the things we've always encouraged is the sharing of
> information related to, but not necessarily about SNF. For example, it
> is not uncommon for a discussion about integrating SNF with a mail
> server to branch off into a wide range of loosely related topics from
> DNS, to server and network performance, to handy tools and tricks.
> 
> We have a lot of experts in our community. Quite often, difficult to
> find solutions lurk in the context of the discussions on and off our
> list. Now those solutions can be captured here in the natural context
> in which they came up so that they will be easy to find.
> 
> --
> 
> Consider this approach part of fostering a strong user community and
> providing a resource that goes beyond our own products and services.
> 
> At the end of the day we are working shoulder to shoulder with the
> developers, managers, administrators, and users of all kinds of
> systems. We want this wiki to be a valuable resource for anybody who
> uses SNF, and lots of folks who don't (yet).
> 
> _M


RE: [sniffer] New Web Site!

2006-03-17 Thread John T (Lists)
What is the purpose of using a WIKI site?

John T
eServices For You

"Seek, and ye shall find!"


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of Pete McNeil
> Sent: Friday, March 17, 2006 8:07 AM
> To: sniffer@sortmonster.com
> Subject: [sniffer] New Web Site!
> 
> Hello Sniffer Folks,
> 
>   Today we are making a major transition. The old Message Sniffer web
>   site will be torn down and replaced with a new WIKI:
> 
>   http://kb.armresearch.com/index.php?title=Message_Sniffer
> 
>   The top Message Sniffer page will retain its index for a while but
>   instead of sending you to the original pages the links will take you
>   to appropriate pages in the new WIKI.
> 
>   Also - if you try to go directly to an old page you will be
>   redirected automatically to the appropriate new page.
> 
>   The WIKI requires that you create an account and log-in before
>   making any changes. We know there are blackhats out there so we will
>   be watching very closely... If we find there is abuse, we will
>   disable the ability to create accounts and you will need to contact
>   us at support@ if you want the ability to post -- let's hope it
>   doesn't come to that.
> 
>   We will continue to update, improve, and correct the wiki - it will,
>   in fact, be under constant development.
> 
>   Have fun!
> 
> Thanks,
> 
> _M
> 
> Pete McNeil (Madscientist)
> President, MicroNeil Research Corporation
> Chief SortMonster (www.sortmonster.com)
> Chief Scientist (www.armresearch.com)


RE: [sniffer] Imail server as a gateway

2006-03-16 Thread John T (Lists)
Yes

John T
eServices For You

"Seek, and ye shall find!"

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stephen S Zappardo
Sent: Thursday, March 16, 2006 7:57 AM
To: sniffer@sortmonster.com
Subject: [sniffer] Imail server as a gateway

If I set my Imail server that is configured with declude
and sniffer, to forward messages to another mail server, will declude and
sniffer be run on those emails?

Thanks


[sniffer] New ad campaign

2006-03-10 Thread John T (Lists)
I am seeing a lot of spam with a subject line of fw: or re: followed by
the username portion of the recipient. Any way to create a rule for this?

John T
eServices For You

"Seek, and ye shall find!"
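
The pattern described in this post, a subject that is only fw: or re: followed by the recipient's username, can be tested per message. This is an added example, not part of the original post and not Declude or Message Sniffer rule syntax; the function names, the `envelope_rcpts` parameter and the sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import getaddresses

# One or more leading "fw:" / "re:" markers (case-insensitive), e.g. "Re: FW: ".
PREFIXES = re.compile(r"^(?:\s*(?:fw|re)\s*:)+\s*", re.IGNORECASE)


def decoded_subject(msg):
    """Return the Subject with any RFC 2047 encoded-words decoded."""
    return str(make_header(decode_header(msg.get("Subject", ""))))


def recipient_localparts(msg, envelope_rcpts=()):
    """Collect lower-cased local parts from To/Cc plus SMTP envelope recipients.

    envelope_rcpts is a hypothetical hook for the RCPT TO addresses, needed
    when the message was delivered via a list or Bcc and the headers do not
    name the real recipient.
    """
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    addrs = [addr for _, addr in getaddresses(headers)]
    addrs.extend(envelope_rcpts)
    return {a.rsplit("@", 1)[0].lower() for a in addrs if "@" in a}


def subject_echoes_recipient(msg, envelope_rcpts=()):
    """True when the subject is only fw:/re: markers plus a recipient local part."""
    subject = decoded_subject(msg)
    match = PREFIXES.match(subject)
    if match is None:
        return False  # no fw:/re: marker at all
    remainder = subject[match.end():].strip().lower()
    return bool(remainder) and remainder in recipient_localparts(msg, envelope_rcpts)


def build(to, subject):
    """Build a constructed sample message (not real traffic)."""
    return message_from_string(
        f"From: sender@example.net\nTo: {to}\nSubject: {subject}\n\nbody\n"
    )


# Constructed samples covering the hit and the obvious near-misses.
SAMPLES = {
    "echo": build("jsmith@example.com", "Re: jsmith"),
    "stacked": build('"J Smith" <JSmith@example.com>', "FW: re: JSmith"),
    "encoded": build("jsmith@example.com", "=?utf-8?q?fw=3A_jsmith?="),
    "normal_reply": build("jsmith@example.com", "Re: quarterly report"),
    "no_prefix": build("jsmith@example.com", "jsmith"),
    "list_delivery": build("list@example.net", "fw: alice"),
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, subject_echoes_recipient(sample))
```

A legitimate reply whose whole subject happens to be the recipient's username would also match, so a hit is better used as one weighted signal than as an outright block.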







RE: Re[2]: [sniffer] Last chance to renew at the old price!

2005-12-28 Thread John T (Lists)
Joe, you are correct. I searched for and
got out my agreement and it states Minimum Advertised Price.

Memory does not always work so well.

It is no ECC you know.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Wolf
Sent: Wednesday, December 28, 2005 5:43 PM
To: sniffer@SortMonster.com
Subject: Re: Re[2]: [sniffer] Last chance to renew at the old price!

FYI, a reseller agreement may include a MAP (Minimum
Advertised Price) but it is illegal in the United States for the agreement
to determine a minimum selling price.  Any such stipulation in an agreement
would put both of you in violation of federal price-fixing laws.

-Joe

- Original Message -
From: John T (Lists)
To: sniffer@SortMonster.com
Sent: Wednesday, December 28, 2005 7:29 PM
Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

According to the Reseller agreement I
signed when I became a reseller of Message Sniffer, I can not charge that low
of a price.

As such, Pete or some one at Sniffer
would need to notify me that I had permission to sell at such a low price.

What I mean is, be careful.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin
Sent: Wednesday, December 28, 2005 5:00 PM
To: sniffer@SortMonster.com
Subject: Re: Re[2]: [sniffer] Last chance to renew at the old price!

After posting this, another reseller pm me their renewal rate of $269.
I didn't know Sniffer had another reseller besides Declude.

Anyways, for those who are interested and want to save money, it's https://www.computerhouse.com/ccsecure.html

At 01:21 PM 12/28/2005, you wrote:

Can we renew at declude.com since their pricing is $292.50? I assume
their prices will increase on Jan 1, 2006 too.


RE: Re[2]: [sniffer] Last chance to renew at the old price!

2005-12-28 Thread John T (Lists)
1. What is YOUR motive for taking such a
tone?

2. I never made an outright
solicitation. It was done for the benefit of others. I am a small business
and to my bottom line, every dollar or 5 dollars or 10 dollars count. I clearly
said I am not in the business of selling software or hardware. I have turned
away requests before from people that have contacted me off list about
software. It is extremely rare that I will sell to other than my clients.

3. How do you respond to the posting on
this very list by Pete just a bit ago that the seller selling at such a low rate
is a valid reseller?

4. How do you respond to the posting on
this very list by Michael Murdock that yes you can renew with Declude at a
lower cost?

Your responses are injecting that I am
taking advantage of something or trying to take away something from
SortMonster. That is not true at all.

Your comment about competing is very unusual,
in that in essence many of us are natural competitors to one another, yet day
after day we help each other, in essence helping our competitor.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peer-to-Peer (Support)
Sent: Wednesday, December 28, 2005 6:01 PM
To: sniffer@SortMonster.com
Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

You certainly crossed a line of
ethical integrity at the very least.

Pete: If you don't already have a
'non-compete' agreement in your reseller agreement it's time.
I would never have believed someone would
actually try to sell your reseller rates to your customer base.

It's simply appalling.  And should be
grounds for termination.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Wednesday, December 28, 2005 8:46 PM
To: sniffer@SortMonster.com
Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

Absolutely not. In fact, if you read my
post after this, I am questioning whether or not it can be sold for a lower
price.

I am not here to undermine any one, as
after all where do you think the license that I sell comes from?

After all, we are all here to help one
another.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peer-to-Peer (Support)
Sent: Wednesday, December 28, 2005 5:41 PM
To: sniffer@SortMonster.com
Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

John T:  Did you just solicit
the ENTIRE sniffer community with pricing that will undermine Pete?

Never bite the hand that feeds you my
friend.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Wednesday, December 28, 2005 8:17 PM
To: sniffer@SortMonster.com
Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

Although I am a registered reseller, I
normally only sell hardware and software to clients as part of my services.

However, if any one is interested in a
price, contact me off list.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin
Sent: Wednesday, December 28, 2005 5:00 PM
To: sniffer@SortMonster.com
Subject: Re: Re[2]: [sniffer] Last chance to renew at the old price!

After posting this, another reseller pm me their renewal rate of $269.
I didn't know Sniffer had another reseller besides Declude.

Anyways, for those who are interested and want to save money, it's https://www.computerhouse.com/ccsecure.html

At 01:21 PM 12/28/2005, you wrote:

Can we renew at declude.com since their pricing is $292.50? I assume
their prices will increase on Jan 1, 2006 too.


RE: Re[2]: [sniffer] Last chance to renew at the old price!

2005-12-28 Thread John T (Lists)
Absolutely not. In fact, if you read my
post after this, I am questioning whether or not it can be sold for a lower
price.

I am not here to undermine any one, as
after all where do you think the license that I sell comes from?

After all, we are all here to help one
another.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peer-to-Peer (Support)
Sent: Wednesday, December 28, 2005 5:41 PM
To: sniffer@SortMonster.com
Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

John T:  Did you just solicit
the ENTIRE sniffer community with pricing that will undermine Pete?

Never bite the hand that feeds you my
friend.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Wednesday, December 28, 2005 8:17 PM
To: sniffer@SortMonster.com
Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

Although I am a registered reseller, I
normally only sell hardware and software to clients as part of my services.

However, if any one is interested in a
price, contact me off list.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin
Sent: Wednesday, December 28, 2005 5:00 PM
To: sniffer@SortMonster.com
Subject: Re: Re[2]: [sniffer] Last chance to renew at the old price!

After posting this, another reseller pm me their renewal rate of $269.
I didn't know Sniffer had another reseller besides Declude.

Anyways, for those who are interested and want to save money, it's https://www.computerhouse.com/ccsecure.html

At 01:21 PM 12/28/2005, you wrote:

Can we renew at declude.com since their pricing is $292.50? I assume
their prices will increase on Jan 1, 2006 too.


RE: Re[2]: [sniffer] Last chance to renew at the old price!

2005-12-28 Thread John T (Lists)
According to the Reseller agreement I
signed when I became a reseller of Message Sniffer, I can not charge that low
of a price.

As such, Pete or some one at Sniffer
would need to notify me that I had permission to sell at such a low price.

What I mean is, be careful.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin
Sent: Wednesday, December 28, 2005 5:00 PM
To: sniffer@SortMonster.com
Subject: Re: Re[2]: [sniffer] Last chance to renew at the old price!

After posting this, another reseller pm me their renewal rate of $269.
I didn't know Sniffer had another reseller besides Declude.

Anyways, for those who are interested and want to save money, it's https://www.computerhouse.com/ccsecure.html

At 01:21 PM 12/28/2005, you wrote:

Can we renew at declude.com since their pricing is $292.50? I assume
their prices will increase on Jan 1, 2006 too.


RE: Re[2]: [sniffer] Last chance to renew at the old price!

2005-12-28 Thread John T (Lists)
Although I am a registered reseller, I normally
only sell hardware and software to clients as part of my services.

However, if any one is interested in a
price, contact me off list.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin
Sent: Wednesday, December 28, 2005 5:00 PM
To: sniffer@SortMonster.com
Subject: Re: Re[2]: [sniffer] Last chance to renew at the old price!

After posting this, another reseller pm me their renewal rate of $269.
I didn't know Sniffer had another reseller besides Declude.

Anyways, for those who are interested and want to save money, it's https://www.computerhouse.com/ccsecure.html

At 01:21 PM 12/28/2005, you wrote:

Can we renew at declude.com since their pricing is $292.50? I assume
their prices will increase on Jan 1, 2006 too.


RE: Re[2]: [sniffer] Last chance to renew at the old price!

2005-12-27 Thread John T (Lists)
Pete, I am both a Sniffer reseller and user, and I was blind sided by this
announcement.

John T
eServices For You


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of Pete McNeil
> Sent: Tuesday, December 27, 2005 2:11 PM
> To: Darin Cox
> Subject: Re[2]: [sniffer] Last chance to renew at the old price!
> 
> I'm sorry that it wasn't more visible. We have been talking about this
> for several months and have made a few announcements. It has also been
> on the web site for several months.
> 
> My announcement today was just to make sure that anyone who had not
> heard didn't get blind-sided. Sorry it didn't turn out that way. We
> will be working on some better out-reach problems to help avoid this
> in the future.
> 
> _M
> 
> On Tuesday, December 27, 2005, 4:02:15 PM, Darin wrote:
> 
> DC> Wow... last minute notice.  It's difficult to budget for these things with
> DC> so little notice.  Please consider a couple month's notice the next time.
> 
> DC> Darin.
> 
> 
> DC> - Original Message -
> DC> From: "Pete McNeil" <[EMAIL PROTECTED]>
> DC> To: 
> DC> Sent: Tuesday, December 27, 2005 12:42 PM
> DC> Subject: [sniffer] Last chance to renew at the old price!
> 
> 
> DC> Hello Sniffer folks,
> 
> DC>   This is just a friendly reminder that prices will be going up
> DC>   January 1.
> 
> DC>   You can add a year to your SNF subscription at the current price if
> DC>   you renew before January 1.
> 
> DC>   Details are here:
> DC> https://www.armresearch.com/message-sniffer/forms/form-renewal.asp
> 
> DC> Thanks,
> DC> _M
> 
> DC> Pete McNeil (Madscientist)
> DC> President, MicroNeil Research Corporation
> DC> Chief SortMonster (www.sortmonster.com)
> DC> Chief Scientist (www.armresearch.com)
> 


RE: Re[2]: [sniffer] Last chance to renew at the old price!

2005-12-27 Thread John T (Lists)
The only problem with that, and one which I do not know how large of a
problem it is, is if you have always provided a single product, and suddenly
divide it into 2 levels, you end up with twice the amount of critics: Those
that pay less but expect more, those that pay more and then expect even
more.

John T
eServices For You


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of Rick Robeson
> Sent: Tuesday, December 27, 2005 2:54 PM
> To: sniffer@SortMonster.com
> Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!
> 
> The thought does occur to me of how other companies have dealt with similar
> issues.
> That issue being how to address a market requiring internal expansion (i.e.
> expanded reinvestment) while not alienating an existing satisfied customer
> base. Many companies simply split their product line into 'basic' and
> 'premium' services. If the need is as great as Michael says, and the new
> revisions will result in vastly improved service, then most of their
> existing customers should want to move forward. However, giving people the
> option to 'stand still' is viable, good marketing, and good strategy. At
> this point, you have a certain catch 22. Everyone that pays now (for next
> year) is still paying you at the same rate (meaning no expanded funds), but
> is now wondering if they're doing the right thing. Almost seems like the
> only way to make the current strategy pay off would have been to demand the
> increased fees from all clients and not given the grace period for renewing
> at the old rate. At least that way, you'd have gotten something in return
> for any perceived customer dissatisfaction.
> 
> Consider expanding to a two-tier service option. It really can work well,
> especially when in the future you might want to charge even more, but not
> alienate 'new' customers who need a lower buy-in.
> 
> 
> Rick Robeson
> getlocalnews.com
> [EMAIL PROTECTED] 
> 
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Fox, Thomas
> Sent: Tuesday, December 27, 2005 2:40 PM
> To: sniffer@SortMonster.com
> Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!
> 
> 
> Your interpretation of "a bit" as being 50+%
> is disingenuous at best, and thievery at the
> worst.
> 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
> > Sent: Tuesday, December 27, 2005 5:34 PM
> > To: Fox, Thomas
> > Subject: Re[2]: [sniffer] Last chance to renew at the old price!
> >
> > On Tuesday, December 27, 2005, 5:14:13 PM, Thomas wrote:
> >
> > >> -Original Message-
> > >> From: [EMAIL PROTECTED]
> > >> [mailto:[EMAIL PROTECTED] On Behalf Of Michael Murdoch
> > >>
> > >> If you don't feel that's the case, then you
> > >> are free to decide if you think otherwise.  Thanks and take care!
> >
> > FT> EASY FOX TRANSLATION:
> >
> > FT> "Like it, or lump it."
> >
> > Translated another way...
> >
> > We could keep things as they are, stand still while spam generation
> > technology advances rapidly, wither away, and die.
> >
> > OR
> >
> > We could charge a bit more, accelerate development and make sure that
> > SNF stays out in front and even expands the gap.
> >
> > I, for one, am not willing to make the first choice, and I doubt that
> > it would be in anyone's best interests - except, perhaps, the
> > blackhats.
> >
> > _M


RE: [sniffer] Joe Jobs...

2005-12-15 Thread John T (Lists)
Because the vendors are so lame as to have that enabled by default.

John T
eServices For You


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of Kevin Stanford
> Sent: Thursday, December 15, 2005 10:11 AM
> To: sniffer@SortMonster.com
> Subject: RE: [sniffer] Joe Jobs...
> 
> That brings a question up...why do some/many/most postmasters feel that it
> is so important to notify senders of a virus to a "spoofed" email address?
> Also, I have yet to see a legitimate email that contained a virus..so why
> not turn the notification off all together?
> 
> Just curious...
> 
> Kevin
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Pete McNeil
> Sent: Thursday, December 15, 2005 11:30 AM
> To: sniffer@sortmonster.com
> Subject: [sniffer] Joe Jobs...
> 
> Hello Sniffer Folks,
> 
>   Please be aware that there are several spam and possibly virus
>   (other malware?) campaigns being transmitted with my madscientist
>   address and possibly other addresses from our company in the From:
>   headers and SMTP envelope.
> 
>   Though this has happened in the past at low levels, I have noted
>   recently a very high level of bounces and warnings returning to me
>   (erroneously) from systems that claim they have received viruses and
>   spam from my address.
> 
>   I suspect that this might have been triggered by recent press
>   activity, - especially a Washington Post article which included my
>   email address without modification.
> 
>   If you receive any of these messages, please treat them as the
>   spam/malware that they are and ignore the source.
> 
>   I have verified that we are not sending any such messages (
>   unintentionally) from any of our systems.
> 
> Thanks,
> _M
> 
> Pete McNeil (Madscientist)
> President, MicroNeil Research Corporation Chief SortMonster
> (www.sortmonster.com) Chief Scientist (www.armresearch.com)


RE: Re[2]: [sniffer] Large amounts of spam still getting through

2005-10-15 Thread John T (Lists)
I wonder if that is some kind of Outlook vulnerability.

John T
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of Robert Grosshandler
> Sent: Saturday, October 15, 2005 10:43 AM
> To: sniffer@SortMonster.com
> Subject: RE: Re[2]: [sniffer] Large amounts of spam still getting through
> 
> We're seeing the header info in the body problem.  It seems to be always
> spam.  Another way it manifests itself is that Declude can't alter the
> Subject line properly.
> 
> The folks at Declude tell us that they're aware of it, and that they are
> just waiting for more "pre altered by Declude" examples to code for it.
> 
> Rob
> 
> 
> M. Stein wrote:
> 
> >By the way, has anyone seen the spam that gets through that has the header
> >info in the body of the mail message instead of where it's supposed to be?
> >How is that possible?
> 
> ---
> [This E-mail scanned for viruses by Declude Virus]
> 
> 


RE: [sniffer] Large amounts of spam still getting through

2005-10-15 Thread John T (Lists)
On a very off topic note, why are we still both up?

John T
eServices For You


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of William Van Hefner
> Sent: Saturday, October 15, 2005 1:01 AM
> To: sniffer@SortMonster.com
> Subject: RE: [sniffer] Large amounts of spam still getting through
> 
> John,
> 
> This may be slightly OT. Hope Pete doesn't mind. :-)
> 
> The default in greylisting that comes with Postfix is 300 seconds, although
> you can change that value to whatever you want. The first reason that
> greylisting was implemented was because almost no spamware ever tried
> resending messages at the time the idea was originally brought about. Now, I
> would say that about 85% of spamware and zombies never retry. It is the BIG
> spamhauses that always retry, and Sniffer is an excellent companion for
> catching those. It is currently best suited for stopping zombie spamware,
> and the majority of small spammers that never retry sending messages.
>
> As far as the delay timing goes, that is really up to each individual admin
> and should be fine tuned depending upon what kind of traffic patterns you
> are dealing with. I could certainly see the need for some admins to crank
> the delay up to 15-20 minutes, while I have other hosting customers that are
> whitelisted entirely (you can whitelist individual domains or just users
> using greylisting). The best use may be to whitelist some user addresses,
> and leave others with significant delays. I always believe that users should
> use a "personal" e-mail address, and another one that is strictly for
> mailing lists, online ordering, and stuff like that.
>
> There is a lot of tweaking that can be done with greylisting, but it is only
> one part of the overall antispam picture. One of its biggest advantages is
> the bandwidth and CPU processing it can save you, as it rejects a
> substantial amount of spam with very little bandwidth consumption. There are
> also technically no "false positives", as all mail (even spam) will
> eventually be passed through. Obviously, it only works best for SOME spam
> though, and other things like Sniffer solve different parts of the puzzle.
> Between the different methods I am using, which don't even include Bayesian
> at the moment, I am seeing far better than a 99% success (rejecting or
> deleting spam) rate, with very few false positives.
> 
> 
> 
> William Van Hefner
> Network Administrator
> 
> Vantek Communications, Inc.
> 555 H Street, Ste. C
> Eureka, CA 95501
> 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
> > Sent: Saturday, October 15, 2005 12:41 AM
> > To: sniffer@SortMonster.com
> > Subject: RE: [sniffer] Large amounts of spam still getting through
> >
> >
> > 5 minutes would hardly be noticed. Discussions I was having
> > with others involved delays of an hour or two.
> >
> > I do not see how "greylisting" a message for 5 minutes would
> > help except when fighting harvesting or dictionary type spam attacks.
> >
> > John T
> > eServices For You
> >
> >
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On
> > > Behalf Of William Van Hefner
> > > Sent: Saturday, October 15, 2005 12:22 AM
> > > To: sniffer@SortMonster.com
> > > Subject: RE: [sniffer] Large amounts of spam still getting through
> > >
> > > John,
> > >
> > > I have no clue what the "legal implications" would be, as long as both
> > > my customers know that I'm using it and the sender is notified
> > > appropriately via SMTP. I use greylisting via IMGate/Postfix and it
> > > works like a charm. It takes a good couple of weeks to build up decent
> > > whitelist (both manual whitelisting and automated whitelisting are
> > > recommended), but after that it is pretty much smooth sailing. I've yet
> > > to have a single complaint from my users over greylisting, other than
> > > the fact that it delayed their e-mails by around 5 minutes for the
> > > first couple of weeks. If I had planned it better, even those delays
> > > would largely not have occurred.
> > >
> > > I know of no way to implement greylisting on a Windows box. See
> > > greylisting.org for more info.
> > >
> > >
> > > William Van Hefner
> > > Network Administra
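
The greylisting behaviour described in this thread (an unknown sender is deferred via SMTP, accepted on a retry after the delay, with manual and automated whitelisting), sketched as an added example that is not part of any post here and is not Postfix's or IMGate's code. It assumes the usual greylisting key of (client network, envelope sender, envelope recipient); the class, the retry window, the auto-whitelist threshold, the reply strings and the sample traffic are all constructed for illustration.

```python
import ipaddress

DELAY = 300               # seconds; the Postfix greylisting default quoted in the thread
RETRY_WINDOW = 4 * 3600   # assumption: a pending triplet is forgotten after 4 hours
AUTO_WL_AFTER = 5         # assumption: accepted retries before a sending network is trusted
DEFER = "450 4.7.1 Greylisted, please retry later"   # constructed temporary-failure reply

class Greylist:
    def __init__(self, wl_domains=(), wl_rcpts=()):
        self.wl_domains = {d.lower() for d in wl_domains}   # manual whitelist: whole domains
        self.wl_rcpts = {r.lower() for r in wl_rcpts}       # manual whitelist: single users
        self.pending = {}    # triplet -> time of first attempt
        self.known = set()   # triplets that have completed a valid retry
        self.passed = {}     # sending network -> count of completed retries

    def check(self, client_ip, sender, rcpt, now):
        """Return the SMTP reply for one RCPT TO seen at `now` (epoch seconds)."""
        sender, rcpt = sender.lower(), rcpt.lower()
        # Key on the IPv4 /24 so a retry from another host in the same pool matches.
        net = str(ipaddress.ip_network(f"{client_ip}/24", strict=False))
        if rcpt in self.wl_rcpts or rcpt.rpartition("@")[2] in self.wl_domains:
            return "250 OK whitelisted"
        if self.passed.get(net, 0) >= AUTO_WL_AFTER:
            return "250 OK auto-whitelisted"
        triplet = (net, sender, rcpt)
        if triplet in self.known:
            return "250 OK known triplet"
        first = self.pending.get(triplet)
        if first is None or now - first > RETRY_WINDOW:
            self.pending[triplet] = now        # new (or expired) triplet: start the clock
            return DEFER
        if now - first < DELAY:
            return DEFER                       # retried too soon; the clock keeps running
        del self.pending[triplet]
        self.known.add(triplet)
        self.passed[net] = self.passed.get(net, 0) + 1
        return "250 OK retry accepted"

def replay(events, **kw):
    """Run constructed (time, ip, sender, rcpt) events through a fresh Greylist."""
    gl = Greylist(**kw)
    return [gl.check(ip, s, r, t) for t, ip, s, r in events]

# Constructed sample traffic (documentation addresses, not real hosts).
EVENTS = [
    (0,   "198.51.100.7", "promo@bulk.example",    "bob@customer.example"),    # never retries
    (10,  "192.0.2.25",   "alice@partner.example", "bob@customer.example"),    # real MTA, first try
    (70,  "192.0.2.25",   "alice@partner.example", "bob@customer.example"),    # retry after 60 s
    (610, "192.0.2.26",   "alice@partner.example", "bob@customer.example"),    # retry from pool peer
    (700, "192.0.2.25",   "alice@partner.example", "bob@customer.example"),    # later mail, same triplet
    (705, "203.0.113.9",  "x@unknown.example",     "lists@customer.example"),  # whitelisted user
]

if __name__ == "__main__":
    print(*replay(EVENTS, wl_rcpts=["lists@customer.example"]), sep="\n")
```

Replaying `EVENTS` shows the sender that never retries staying deferred, while the retrying MTA is delayed once and then passes without further delay.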

RE: [sniffer] Large amounts of spam still getting through

2005-10-15 Thread John T (Lists)
5 minutes would hardly be noticed. Discussions I was having with others
involved delays of an hour or two.

I do not see how "greylisting" a message for 5 minutes would help except
when fighting harvesting or dictionary type spam attacks.

John T
eServices For You


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of William Van Hefner
> Sent: Saturday, October 15, 2005 12:22 AM
> To: sniffer@SortMonster.com
> Subject: RE: [sniffer] Large amounts of spam still getting through
> 
> John,
> 
> I have no clue what the "legal implications" would be, as long as both my
> customers know that I'm using it and the sender is notified appropriately
> via SMTP. I use greylisting via IMGate/Postfix and it works like a charm. It
> takes a good couple of weeks to build up decent whitelist (both manual
> whitelisting and automated whitelisting are recommended), but after that it
> is pretty much smooth sailing. I've yet to have a single complaint from my
> users over greylisting, other than the fact that it delayed their e-mails by
> around 5 minutes for the first couple of weeks. If I had planned it better,
> even those delays would largely not have occurred.
> 
> I know of no way to implement greylisting on a Windows box. See
> greylisting.org for more info.
> 
> 
> William Van Hefner
> Network Administrator
> 
> Vantek Communications, Inc.
> 555 H Street, Ste. C
> Eureka, CA 95501
> 707.476.0833 ph
> 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
> > Sent: Friday, October 14, 2005 12:55 PM
> > To: sniffer@SortMonster.com
> > Subject: RE: [sniffer] Large amounts of spam still getting through
> >
> >
> > There has been a good amount of discussion about temporarily
> > "grey listing" an e-mail message and there are many questions
> > surrounding it, one of which is legal.
> >
> > John T
> > eServices For You
> >
> >
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On
> > > Behalf Of Mike Nice
> > > Sent: Friday, October 14, 2005 12:43 PM
> > > To: sniffer@SortMonster.com
> > > Subject: Re: [sniffer] Large amounts of spam still getting through
> > >
> > > > getting much better at what they do.  When a spammer uses Geocities
> > > > links, hijacks real accounts on major providers to send spam through,
> > > > and changes their techniques every few hours, it makes it difficult
> > > > for Sniffer to proactively block them, and the delay between rulebase
> > > > updates means a delay in catching things that have been tagged.
> > >
> > >   This brings to mind a technique with optional adaptive delay -
> > > enabled by the user. Each mail is assigned a 'triplicate': (To_Email,
> > > From_Email, and domain_of_sending_server).  Previously unknown
> > > triplicates are held for a period of time before being examined for
> > > spam.  The delay is long enough that SpamCop, Sniffer, and InvURIBL
> > > mailtraps see copies of the spam and update the blacklists.
> > >
> > >   This would be hard to do with the stock IMail, but possibly could
> > > be done by Declude with the V3 architecture and a database.
> > >
> > >   It still doesn't provide a good answer to the problem of spammers
> > > hijacking a computer and sending spam through legitimate servers.
> > >
> > >


RE: [sniffer] Large amounts of spam still getting through

2005-10-14 Thread John T (Lists)
There has been a good amount of discussion about temporarily "grey listing"
an e-mail message and there are many questions surrounding it, one of which
is legal.

John T
eServices For You


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of Mike Nice
> Sent: Friday, October 14, 2005 12:43 PM
> To: sniffer@SortMonster.com
> Subject: Re: [sniffer] Large amounts of spam still getting through
> 
> > getting much better at what they do.  When a spammer uses Geocities links,
> > hijacks real accounts on major providers to send spam through, and changes
> > their techniques every few hours, it makes it difficult for Sniffer to
> > proactively block them, and the delay between rulebase updates means a
> > delay in catching things that have been tagged.
>
>   This brings to mind a technique with optional adaptive delay - enabled by
> the user. Each mail is assigned a 'triplicate': (To_Email, From_Email, and
> domain_of_sending_server).  Previously unknown triplicates are held for a
> period of time before being examined for spam.  The delay is long enough
> that SpamCop, Sniffer, and InvURIBL mailtraps see copies of the spam and
> update the blacklists.
>
>   This would be hard to do with the stock IMail, but possibly could be done
> by Declude with the V3 architecture and a database.
>
>   It still doesn't provide a good answer to the problem of spammers
> hijacking a computer and sending spam through legitimate servers.
> 
> 


RE: [sniffer] New virus...

2005-10-06 Thread John T (Lists)
No need to block zips, with Declude just add "BANZIPEXTSON" to your
virus.cfg file since the payload is an exe within the zip and since we are
all already banning executable files, correct?

John T
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of Pete McNeil
> Sent: Wednesday, October 05, 2005 8:41 PM
> To: sniffer@sortmonster.com
> Subject: [sniffer] New virus...
> Importance: High
> 
> Hello sniffer,
> 
>   Hello folks... watch out for a new virus email with an attachment
>   named "pword _ change . zip" - extra spaces added to skip filters
>   ;-)
> 
>   We're adding some SNF rules to catch it. No word about it on virus
>   lists or scanner services yet (that I can see).
> 
>   You may want to temporarily block .zip files - or at least this
>   particular zip file until the new rules can be pushed out and the
>   virus scanners catch up.
> 
> Thanks,
> _M
> 
> Pete McNeil (Madscientist)
> President, MicroNeil Research Corporation
> Chief SortMonster (www.sortmonster.com)
> Chief Scientist (www.armresearch.com)
> 
> 


RE: [sniffer] [Declude.JunkMail] 3.05.5 issues

2005-10-04 Thread John T (Lists)
Work on one thing at a time.

Leave Sniffer in persistent mode and work on the threads.

You have it at 15 now, and things are backing up. Turn it up to say 25 and
see what happens.

Also, are you running any heavy resource filters such as body filters?

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harry Vanderzand
Sent: Tuesday, October 04, 2005 10:45 AM
To: Declude.JunkMail@declude.com
Cc: sniffer@SortMonster.com
Subject: RE: [sniffer] [Declude.JunkMail] 3.05.5 issues

I have got it down to 15 and tried to set sniffer back to persistent mode
again

However I find that with sniffer in persistent mode as David suggested, the
proc directory starts back logging.  which means the system is not keeping
up with the flow of mail.  Within 20 minutes I had 1400 files in the proc
directory.  I stopped the sniffer service and now it is gradually catching
up.

Any more suggestions as to what can get tuned?

I appreciate the assistance

Thank you

Harry Vanderzand
inTown Internet & Computer Services
11 Belmont Ave. W., Kitchener, ON,N2M 1L2
519-741-1222

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Tuesday, October 04, 2005 1:06 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] 3.05.5 issues

Trial and error is best. Set it to something like 20 and watch what happens.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harry Vanderzand
Sent: Tuesday, October 04, 2005 9:27 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] 3.05.5 issues

thank you

I was under the understanding given me by David from Declude that it was
appropriate given the amount of power my hardware has.

What would you recommend for my hardware?

Thanks John, I always appreciate your active involvement in the list

Harry Vanderzand
inTown Internet & Computer Services
11 Belmont Ave. W., Kitchener, ON,N2M 1L2
519-741-1222

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Tuesday, October 04, 2005 12:11 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] 3.05.5 issues

Your threads is way too high, and I suspect that there are time outs
occurring and not all scanning is being done.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harry Vanderzand
Sent: Tuesday, October 04, 2005 6:17 AM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] 3.05.5 issues

I find that since being on the new version that more spam is slipping
through.  We have imail v8.05, declude and sniffer on win 2000 server dual
xeon 3.4Ghz with 2Gb ram.  Threads are set to 50 with no other setting in
declude.cfg

Any advice you can give me to tighten it to where we had it before?  I have
had several clients complaining

Other than changing from V2.06.16 to 3.05 nothing else has changed on the
server

thank you

Harry Vanderzand
inTown Internet & Computer Services
11 Belmont Ave. W., Kitchener, ON,N2M 1L2
519-741-1222