[sniffer] Re: I got a strong attack today

2008-01-04 Thread John T (lists)
   3) then be able to create a temporary rule to help block messages
 - must be viable until SNF has an updated ruleset to start clearing out
 the attack
 - I don't think declude (what I use w/SNF) has rule expirations (but
 would be a nice feature)

What I do when I create a temp rule is to call it T_date_A and then B and
then C and so forth. I then keep a rule_readme.txt file in the spool\declude
directory that I update.

John T




#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
To unsubscribe, E-mail to: [EMAIL PROTECTED]
To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED]
To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]
Send administrative queries to  [EMAIL PROTECTED]



[sniffer] Re: Excessive amounts of spam

2007-12-20 Thread John T (lists)
I have not noticed any increase on FPs on the one server that is running it.

John T
 -Original Message-
 From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
 Sent: Thursday, December 20, 2007 1:29 PM
 To: Message Sniffer Community
 Subject: [sniffer] Re: Excessive amounts of spam
 
 I've heard comments that it has a higher catch rate... how about FP rate?
 Higher, the same, or lower?
 
 Darin.
 
 
 - Original Message -
 From: Pi-Web - Frank Jensen [EMAIL PROTECTED]
 To: Message Sniffer Community sniffer@sortmonster.com
 Sent: Thursday, December 20, 2007 4:17 PM
 Subject: [sniffer] Re: Excessive amounts of spam
 
 
 
 We have been running it for - I guess - 2 months now without any trouble.
 
 
  How stable is the beta version?
 
 
 
  Regards David Moore
  [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
 
  J.P. MCP, MCSE, MCSE + INTERNET, CNE.
  www.adsldirect.com.au http://www.adsldirect.com.au/ for ADSL and
  Internet www.romtech.com.au http://www.romtech.com.au/ for PC sales
 
  Office Phone: (+612) 9453 1990
  Fax Phone: (+612) 9453 1880
  Mobile Phone: +614 18 282 648
  Skype Phone: ADSLDIRECT
 
  POSTAL ADDRESS:
  PO BOX 190
  BELROSE NSW 2085
  AUSTRALIA.
 
 
 
 
  *From:* Message Sniffer Community [mailto:[EMAIL PROTECTED] *On
  Behalf Of *Pete McNeil
  *Sent:* Friday, 21 December 2007 8:10 AM
  *To:* Message Sniffer Community
  *Subject:* [sniffer] Re: Excessive amounts of spam
 
 
 
  Hello David,
 
 
 
  Thursday, December 20, 2007, 3:25:45 PM, you wrote:
 
 
 
 
 
 
 
  > If you are not yet running the latest beta then that might help quite
  > a bit since the GBUdb (IP reputation system) does a good job capturing
  > new spam from old bots even before rules are coded.
 
  Please clarify are you saying it would help if we had the beta installed?
 
 
 
  Yes.
 
 
 
  The new GBUdb engine reduces leakage quite a bit. As more systems adopt
  the new version this will improve even more. Most new spam campaigns are
  started with some large fraction of existing bots. Messages from bots
  that have already been identified will be blocked even before new
  content rules can be generated (if needed).
 
 
 
  _M
 
 
 
 
 
 
 
 
 
  --
 
  Pete McNeil
 
  Chief Scientist,
 
  Arm Research Labs, LLC.
 
 
 
 
 
 
 
 
 
 --
 Best regards, Frank Jensen
 [EMAIL PROTECTED]
 www.pi.dk
 
 
 
 Impressive, fascinating and huge
 Posters, e.g. 149 x 149 = 629 kr
 We can also make a poster from your digital photo
 
 www.plakatkunst.dk
 
 
 



[sniffer] Re: Imail Upgrade

2007-11-04 Thread John T (lists)
Yes, there is a difference. Webmail is different. Additional features in the
SMTP service. Vulnerabilities fixed. Bugs fixed. 

There is indeed a patch for version 8, it is called 8.22 + HF2.

John T
 -Original Message-
 From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Greg
 Sent: Saturday, November 03, 2007 5:31 PM
 To: Message Sniffer Community
 Subject: [sniffer] Imail Upgrade
 
 I'm running an older ver of Imail (8.05) and considering an
 upgrade.  Is there much of a difference.  The only issue I'm
 currently having is there is an exploit that some yahoo is crashing
 the server a couple times a month.  Imail won't patch it so I either
 have to upgrade or move to another platform.  I know this isn't
 Sniffer related but looking for some advice from someone running Imail.
Thanks
 
 
 



[sniffer] Reporting False Positives

2007-10-26 Thread John T (lists)
To clarify something that came up in another post a couple of weeks ago, is
it necessary to send false positive reports from the specified email
address, or any address as long as it includes the proper information such
as the license in the subject line?

 

John T

 



[sniffer] Re: Beta

2007-10-17 Thread John T (lists)
Thanks as always Pete for a great explanation.

John T
 -Original Message-
 From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
 Sent: Wednesday, October 17, 2007 5:35 AM
 To: Message Sniffer Community
 Subject: [sniffer] Re: Beta
 
 Hello John,
 
 Wednesday, October 17, 2007, 1:41:18 AM, you wrote:
 
  Our SYNC server software rejects connections by default. If an SNF
  node follows the expected connection protocols and authenticates
  properly and consistently then it will be allowed to communicate with
  the system. If it fails to do any of these things or looks suspicious
  in any way then it will be automatically black listed for increasingly
  extended periods and potentially null routed by our fire-walls. The
  security mechanisms are fully automatic and constantly monitored.
 
  If something goes wrong on my server, either by a mistake I make in a
  configuration file or a bug or whatever, and my server in connecting to the
  SYNC server should be rejected and subsequently black listed, is there a
  notification that takes place that some one will review to see if that
  sniffer license is otherwise valid and otherwise no known problems are seen
  so that I will then be notified saying hey there is a problem contact us
  so that the problem can be resolved?
 
 Yes.
 
 The system is completely automated and reliable. There is nothing to
 be concerned about. Quite simply, nothing can go wrong, go wrong, go
 wrong... go..
 
 Seriously though--
 
 In order to be black-listed by our system you would have to be abusing
 the SNF software or using some alternative software to attempt to gain
 access or deny access to the SYNC servers. Otherwise the most you
 could do would be to lose contact for some time.
 
 That said, if any system does something to become black-listed then
 you can be sure it will have our attention.
 
 It is basically impossible for you to cause a properly functioning SNF
 node to become black-listed by altering the configuration file. It is
 far more likely that your SNF node would simply fail to connect.
 
 Chances are that if you were making an adjustment that could cause
 this you would also be watching to make sure that things were working
 correctly when you finished.
 
 In case you did cause the system to lose its connection with us, the
 system is designed so that SNF nodes will remain reliable and
 effective for extended periods even if they are unable to contact the
 SYNC server. It is also designed to recover gracefully when the
 problem is corrected.
 
 The GBUdb system is highly effective even when it does not share its
 information with the other SNF nodes. Each GBUdb node learns first
 about its local traffic. As long as your SNF rulebase file is up to
 date - or even close to being up to date, your system is likely to be
 very effective at filtering spam.
 
 If your SNF/GBUdb node becomes detached from the main system for an
 extended period, it will degrade in its performance. Once the problem
 is corrected it should recover in a very short time.
 
 In the event we detect any IPs being black listed or acting
 suspiciously we will be watching closely so that we can analyze any
 potential threats and take appropriate actions. If we can identify a
 customer involved in such a case we will contact them to investigate
 and correct the problem.
 
 Locally, your status reports indicate when the last sync event
 occurred. This is one of the ways you can check the status of your
 system. Consider this example from recent telemetry:
 
 <timers>
 <run started="20070928174736" elapsed="1620714"/>
 <sync latest="20071017115919" elapsed="11"/>
 <save latest="20071017111334" elapsed="2756"/>
 <condense latest="20071017081746" elapsed="13304"/>
 </timers>
 
 You can see when the last sync event occurred (about 11 seconds ago in
 this case):
 
 <sync latest="20071017115919" elapsed="11"/>
 
 We plan to encourage the development of third party tools for
 monitoring and analyzing SNF system data. In addition we plan to build
 monitoring and analysis services of our own to include features that
 will notify system administrators when something doesn't look quite
 right.
 
 If you (anyone) develop something nice for displaying and/or
 monitoring SNF status data then please share it with the SNF
 community.
 
 In the mean time - we have done extensive testing and monitoring
 throughout the development process. High availability is (has always
 been) a design requirement and we're confident SNF can deliver that.
 
 Hope this helps,
 
 _M
 
 --
 Pete McNeil
 Chief Scientist,
 Arm Research Labs, LLC.
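
The local sync check described in the message above, as an added example that is not part of the original thread and not SNF's own tooling: it parses the timers fragment, confirms that every timer implies the same report time, and flags a stale sync. It assumes the telemetry is XML with angle brackets and quoted attributes; the function names and thresholds are hypothetical.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Constructed sample: the timers values quoted in the message, written as XML
# (angle brackets and attribute quotes are an assumption of this example).
SAMPLE_TIMERS = """<timers>
<run started="20070928174736" elapsed="1620714"/>
<sync latest="20071017115919" elapsed="11"/>
<save latest="20071017111334" elapsed="2756"/>
<condense latest="20071017081746" elapsed="13304"/>
</timers>"""

STAMP_FORMAT = "%Y%m%d%H%M%S"


def parse_timers(xml_text):
    """Return {timer name: (timestamp, elapsed seconds)} from a <timers> element."""
    root = ET.fromstring(xml_text)
    node = root if root.tag == "timers" else root.find(".//timers")
    if node is None:
        raise ValueError("no <timers> element in status report")
    timers = {}
    for child in node:
        stamp = child.get("latest") or child.get("started")
        elapsed = child.get("elapsed")
        if stamp is None or elapsed is None:
            continue  # not a timer entry this example understands
        timers[child.tag] = (datetime.strptime(stamp, STAMP_FORMAT), int(elapsed))
    return timers


def report_time(timers, tolerance=timedelta(seconds=2)):
    """Derive when the report was written: timestamp + elapsed for each timer.

    In the sample every timer lands on the same instant, so disagreement is
    treated as a sign the report is truncated, edited or otherwise unreliable.
    """
    instants = [stamp + timedelta(seconds=elapsed)
                for stamp, elapsed in timers.values()]
    if not instants:
        raise ValueError("no timers to derive a report time from")
    if max(instants) - min(instants) > tolerance:
        raise ValueError("timers disagree about the report time")
    return max(instants)


def check_sync(xml_text, now, max_sync_age=timedelta(minutes=10),
               max_report_age=timedelta(minutes=5)):
    """Return a list of findings (empty when the node looks healthy).

    `now` must be on the same clock and time zone as the report's timestamps.
    Both thresholds are hypothetical defaults, not values from SNF.
    """
    findings = []
    timers = parse_timers(xml_text)
    try:
        written = report_time(timers)
        if now - written > max_report_age:
            findings.append(f"status report is stale: written {written}")
    except ValueError as err:
        findings.append(f"status report is inconsistent: {err}")
    if "sync" not in timers:
        findings.append("no sync timer in status report")
    else:
        age = now - timers["sync"][0]
        if age > max_sync_age:
            findings.append(f"last sync was {int(age.total_seconds())} s ago")
    return findings


if __name__ == "__main__":
    # Evaluate the sample five seconds after it was written, then an hour later.
    fresh = datetime(2007, 10, 17, 11, 59, 35)
    print(check_sync(SAMPLE_TIMERS, fresh))
    print(check_sync(SAMPLE_TIMERS, fresh + timedelta(hours=1)))
```
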
 
 



[sniffer] Re: Beta

2007-10-16 Thread John T (lists)
 Our SYNC server software rejects connections by default. If an SNF
 node follows the expected connection protocols and authenticates
 properly and consistently then it will be allowed to communicate with
 the system. If it fails to do any of these things or looks suspicious
 in any way then it will be automatically black listed for increasingly
 extended periods and potentially null routed by our fire-walls. The
 security mechanisms are fully automatic and constantly monitored.

If something goes wrong on my server, either by a mistake I make in a
configuration file or a bug or whatever, and my server in connecting to the
SYNC server should be rejected and subsequently black listed, is there a
notification that takes place that some one will review to see if that
sniffer license is otherwise valid and otherwise no known problems are seen
so that I will then be notified saying hey there is a problem contact us
so that the problem can be resolved?

John T







[sniffer] Re: New Server/Client configuration

2007-10-11 Thread John T (lists)
3) The logs are rotating according to UTC time. How can that be configured
to rotate in local time?

 

John T

 

From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
Of John T (lists)
Sent: Thursday, October 11, 2007 11:05 AM
To: Message Sniffer Community
Subject: [sniffer] New Server/Client configuration

 

A couple of notes I have noticed:

 

1) When SNFServer starts and creates the file id_snf_engine_cfg.log,
would it be a good idea to list the version of the SNFServer?

2) In your announcement about the version 1.4 beta, you said to upgrade
the snf_engine.xml as well. Why? Since there are many configuration options
in the snf_engine.xml, I would not want to take a chance replacing it and
forgetting a setting that had been made/changed.

 

John Tolmachoff

eServices For You

[EMAIL PROTECTED]

(626) 737-6003

Fax (626) 737-6004

 



[sniffer] New Server/Client configuration

2007-10-11 Thread John T (lists)
A couple of notes I have noticed:

 

1) When SNFServer starts and creates the file id_snf_engine_cfg.log,
would it be a good idea to list the version of the SNFServer?

2) In your announcement about the version 1.4 beta, you said to upgrade
the snf_engine.xml as well. Why? Since there are many configuration options
in the snf_engine.xml, I would not want to take a chance replacing it and
forgetting a setting that had been made/changed.

 

John Tolmachoff

eServices For You

[EMAIL PROTECTED]

(626) 737-6003

Fax (626) 737-6004

 



[sniffer] Re: Updates to log rotation scripts

2007-10-10 Thread John T (lists)
I think he was asking about the log rotate script that also FTPs a copy up
to sniffer. Do we still need to FTP a log to Sniffer?

John T


 -Original Message-
 From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
 Sent: Tuesday, October 09, 2007 9:28 PM
 To: Message Sniffer Community
 Subject: [sniffer] Re: Updates to log rotation scripts
 
 Hello tfox,
 
 Tuesday, October 9, 2007, 10:23:46 PM, you wrote:
 
  What updates/file name changes would be necessary for the log rotation
  scripts?
 
 It is possible to generate old style log files from the new version if you
 wish. Your current scripts can be used as-is in that case.
 
 Hopefully you will be able to make the switch to the new XML based logs.
 
 Both log types can be rotated daily by the new engine. Specifically,
 today's date can be prepended to the log file names.
 
  How can we monitor the status of SNF in real time, via the XML pages?
 
 The first answer is that the new engine produces a number of status
 reports - every second, every minute, or every hour.
 
 These status reports and logs, though formatted as XML, have been designed
 to be relatively easy to see in a simple text editor. It does take a little
 bit of getting used to - but not too much.
 
  Is there such a thing as an XML reader?
 
 Yep. Your web browser. Just about every web browser can read and translate
 XML data these days. The trick is -- translate how?
 
 You may want to use an XSLT utility, or more likely the XSLT capabilities
 in your web server environment or even in your web browser alone.
 
 For example, you could take one of the status files, copy it to a new
 file. Add a few lines of text - specifically to add a style-sheet
 definition and document type so that the XML is complete. Then you should
 be able to open the resulting file in your favorite browser.
 (You will have to create an XSL file (style sheet) to translate the XML
 file into what you want to see.)
 
 [[ This is the approach I used to create the rate chart shown in
 nowSimplePrescale.png, then I moved the whole thing to our web server to
 make it more automatic. ]]
 
 Another way you might go is to import the XML from the log or status
 report into a database. (Here again you may want/need to prepend a line or
 two of text to make the XML completely compatible with your environment)
 
 Then you would be able to extract reports from your database in the usual
 way.
 
 We're hopeful that folks who are savvy about XML and XSL will create and
 share useful translations and tools for SNF users. We look forward to
 supporting that effort.
 
 Internally we've done a few quick things to watch the telemetry we get
 from SNF nodes and our own servers. The approach we've taken is to use the
 inherent XSLT capabilities of our web/jsp servers and the basic
 capabilities in IE and Firefox.
 
 Attached are some screen shots of live data I am looking at right now.
 This telemetry comes from one of our spamtrap pre-filters.
 
 nowSimplePrescale.png uses a simple XSL file that took me about 20 minutes
 to throw together while thumbing through a text book.
 
 nowNodeDashbaord.png took a bit more work and leverages a flash based live
 gauge tool that periodically pulls xml data from our internal servers (so
 it's animated). The flash gadget came from here:
 
 http://www.maani.us/gauge/
 
 We will also be creating some monitoring tools and services on our web
 site to take advantage of the live data provided by the new SNF engine and
 some of our new back-end tools.
 
 If anyone creates any useful XSL, tools, etc then please let us know and
 we will be happy to post them on our site and create appropriate
 reciprocal links.
 
 Hope this helps,
 
 _M
 
 --
 Pete McNeil
 Chief Scientist,
 Arm Research Labs, LLC.






[sniffer] Re: All about GBUdb

2007-10-09 Thread John T (lists)
OK, a couple of questions.

If an IP is found to be BAD, the website states a non-zero code will be
returned. Well, I know that those of us using Declude and using listed
return codes other than non-zero will have a problem with this. Can this be
set to a specific return code that we can then use with Declude?

Same question on the UGLY, can it be set to return a specific return code so
that we can use that with Declude?

John T


 -Original Message-
 From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
 Sent: Saturday, October 06, 2007 6:06 PM
 To: Message Sniffer Community
 Subject: [sniffer] All about GBUdb
 
 Hello Sniffer Folks,
 
 At your convenience please review the following:
 

 http://kb.armresearch.com/index.php?title=Message_Sniffer.TechnicalDetails.GBUdb
 
 This page describes one of the key features of the new SNF engine
 (currently in wide beta testing). GBUdb is an IP reputation system
 built on a collaborative learning engine. Each SNF node equipped with
 GBUdb learns the behavior of the message sources it encounters and
 shares that information with other SNF/GBUdb nodes in the cloud.
 
 This learning and sharing process happens in near real-time
 (zero-minute) and allows the new SNF engine to improve both filtering
 accuracy and system efficiency (with a little help from its friends).
 
 Let us know if you have any questions or comments.
 
 Thanks!
 
 _M
 
 --
 Pete McNeil
 Chief Scientist,
 Arm Research Labs, LLC.
 
 



[sniffer] Re: Address

2007-09-24 Thread John T (lists)
 Some of the spammers are apparently using my email address as the sender.
 Any way to defeat that or capitalize on it?  I get several bounces a week
 from all over the world.

Ah, the American spirit at work. If you can't stop it, make money on it.

;-)

(And yes, I know that is not what you meant. At least I hope not.)

John T







[sniffer] Category idea

2007-09-21 Thread John T (lists)
I have been asked by a client to help find a way to catch headhunters and
such that attempt to recruit current employees. I have yet to spend time on
this as it seems creating a filter in Declude for this while maintaining
low/no false positives would be somewhat difficult.

While this is outside of what normally would be considered SPAM, I was
wondering if Message Sniffer ever considered a category for such things.

John T







[sniffer] Re: Appriver issue

2007-05-19 Thread John T (lists)
Inserting my 2 cents here since that is all that it is worth.

 

In backing up what Matt said, let me relate a similar example of a problem
that occurred a year and a half ago to a major IT security products vendor:

 

At about 6:15 AM PT on a week day in the middle of a normal busy week, their
content filtering servers began to become unresponsive. At first, it was
intermittent and hard to pinpoint. But within about 45 minutes, they stopped
responding completely. Well, their appliances did what they were designed to
do by default configuration, fail safe. Block all access if the content
filtering server does not respond. All one had to do though was to log onto
the appliance and change the failsafe block to allow. But this is where the
fun (not) began. There are hundreds or more of libraries, both public and
private, as well as schools, that are using those appliances and that
content filtering service. Guess what? They are bound by law to have content
filtering in place, meaning they could not turn the fail safe off. Companies
and schools and libraries started screaming bloody murder and demanded a
resolution an hour ago. The content filtering service was finally restored
about 2:30 PM if I recall correctly. 

 

So, what happened? I mean this is a big company and it should have things in
place to prevent this. Right?

 

They did. As much as some one would expect them to.

 

They had 4 servers. The servers were fine, they were still running. There
were no software changes, and in fact their tests showed the servers were
still responding. They were located at a location with multiple internet
connections, and all tests showed the internet connections were all up and
working. Power was flowing fine and all UPSs as well as the generator were
all fine. Finally, after about 2 hours, the problem was found: My
understanding is that a single module in an enterprise router failed but in a
way that was hard to find. Once found, the hardware vendor sent a
replacement part by courier to replace.

 

My understanding is that it cost them well over 10 grand to eliminate that
one single point of failure. And that was just for the hardware.

 

Just goes to prove once again that in IT, 80% of the result is 20% of the
cost. That remaining 20% of result is what costs the 80%.

 

John T

 

From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
Of Matt
Sent: Friday, May 18, 2007 9:44 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Appriver issue

 

I have something that I would also like to clear up.

When I indicated that AppRiver had removed its contact page, it likely just
wasn't operating at the time that I was attempting to access it.
Considering their issues, it would not be a surprise to see other issues
like this caused, but it seemed suspicious since their home page was working
and not their contact page.  I did note that it was working by the time that
it was pointed out that it was up.

In no way did I ever believe that Pete or Sniffer had any direct involvement
in the system that created these problems, and in no way should this reflect
badly on Pete or Sniffer as far as I am concerned.

I was slightly miffed after getting off the phone with them where their
reaction quite clearly indicated that they were aware of the issue.  I
suggested that they take their servers off-line due to the issues that were
being caused, but I was probably barking up the wrong tree.  The servers
weren't taken off line for another hour or so, or maybe this is when the
delivery servers caught up with the queued E-mail destined for my client.
I'm not sure why they didn't act on this sooner.  When you have a loop, it
is important to stop it, and their multi-homing made it difficult for others
to block.  One user received about 500 copies of the same message (and also
called them), and there were other examples that we saw which were much more
limited.  I do hope that they didn't choose to introduce new software at 11
a.m. ET on the busiest E-mail day of the week, and that this was only when
the problems surfaced...

Everyone that deals with significant volumes of E-mail has issues from time
to time, and I wouldn't draw conclusions about AppRiver based on just this
one circumstance.  I would imagine that it is hard to plan for how to deal
with a broad scale looping issue, and I'm sure this was a learning
experience for them.

Matt




 


[sniffer] Re: Sniffer as passthrough filter

2007-03-08 Thread John T (lists)
Yes, it is called email gateway service and many of us do that and it is
fairly straightforward to setup but there are a number of steps.

John T

 -Original Message-
 From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
 Of K Mitchell
 Sent: Thursday, March 08, 2007 6:16 PM
 To: Message Sniffer Community
 Subject: [sniffer] Sniffer as passthrough filter
 
   I've been running Message Sniffer here with IMail and mxGuard for a
 number of the domains we service. I have another customer that runs their
 own Exchange server, and wishes to continue doing so, but inquired as to
 the possibility of us doing pass-through filtering for them. Is this
 possible with the setup I have?
 
 Thanks,
 
 --
 Kirk Mitchell-General Manager[EMAIL PROTECTED]
 Keystone Connect Unlock Your World
 Altoona, PA  814-941-5000   http://www.keyconn.net
 
 



[sniffer] Re: Blocking emails with Cyrillic characters

2006-12-13 Thread John T (Lists)
As some one who speaks Russian, it would be more productive for you to
forward those spams to sniffer for processing rather than create a rule
based on normal common language characters. Besides, that is not what I
expect from Sniffer. My understanding of the premise of Message Sniffer is to
create rules that search for a pattern in spam messages that can be reliably
duplicated. Having a rule solely based on inclusion of common language
characters would undermine that trust we have in Message Sniffer.

 

John T

eServices For You

 

Life is a succession of lessons which must be lived to be understood.

Ralph Waldo Emerson (1802-1882)

 

 

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
Of Steve Guluk
Sent: Wednesday, December 13, 2006 12:43 PM
To: Message Sniffer Community
Subject: [sniffer] Blocking emails with Cyrillic characters

 

 

Hello Comrades, 

Could we get a rule that looks for various common Russian words (or Cyrillic
characters) and then gives them a spam value?

 

Do you sell much Sniffer Product to Russia? If not, rules that focus on
common Russian words would be great for blocking much of the spam that makes
its way past Sniffer. You could always create a way for people that want
Russian emails to exclude this rule. No?

 

Not that I know all the details of how you guys create your rules but a rule
looking for common Cyrillic  characters could catch all spam formatted in
Russian as well as other languages that use similar characters. Otherwise
you should hire some coders that understand these languages as I get a heap
of spam that passes Sniffer by using what looks like Russian or Cyrillic
characters.

 

I run iMail 8.22 so if anyone has any other ideas that could block these
please post your suggestions, I guess we could create a phrase list from
some of the Cyrillic  spams..?

 

Regards, 

 

 

Steve Guluk

SGDesign

(949) 661-9333

ICQ: 7230769

 

 

 





 



[sniffer] Re: Yahoo! Is Retarded

2006-10-26 Thread John T (Lists)









;)

John T

eServices For You

Life is a succession of lessons which must be lived to be understood.

Ralph Waldo Emerson (1802-1882)

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Thursday, October 26, 2006 8:48 AM
To: Message Sniffer Community
Subject: [sniffer] Re: Yahoo! Is Retarded

I like your new sig, John.

How's this for an addendum?

Experience is that which you acquire, just after you needed it.

Andrew 8)

From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Thursday, October 26, 2006 8:13 AM
To: Message Sniffer Community
Subject: [sniffer] Re: Yahoo! Is Retarded

You're preaching to the choir.

John T

eServices For You

Life is a succession of lessons which must be lived to be understood.

Ralph Waldo Emerson (1802-1882)

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Jonathan Hickman
Sent: Thursday, October 26, 2006 7:24 AM
To: Message Sniffer Community
Subject: [sniffer] Yahoo! Is Retarded

Now, my word choice of 'Retarded' is merely to illuminate the slowness of
Yahoo! in regards to this issue and the severity of their decision and not
to indicate that they are mentally handicapped which is an accusation for
which I have no basis. However, as evidence of this, please review the
following URLs:

http://ca.answers.yahoo.com/question/index?qid=20061024160658AAAh0QY

http://answers.yahoo.com/question/index?qid=20061024080547AAf54ah

Jonathan Hickman
















[sniffer] Re: Declude header not modified correctly

2006-10-24 Thread John T (Lists)

Declude is not ignoring the problem. David Barker is aware of it and has
responded to discussion concerning this problem on the Declude Junkmail list.

John T
eServices For You

Seek, and ye shall find!

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Herb Guenther
Sent: Tuesday, October 24, 2006 4:11 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Declude header not modified correctly

Just as a follow up, I have not had any email returned
from Declude in the last 4 business days. So, they are just ignoring the
problem even tho the tools are all doing their part to identify the messages
are spam, the header mod is useless so it goes right thru the filters. So
their answer was to have me update to the latest version, which did not solve
the problem, and then I did not hear back from them after any email and a call.

Herb

Kami Razvan wrote:

We see that a lot too.. we run 2.14

Kami

From: Message Sniffer Community [mailto:sniffer@sortmonster.com] On Behalf Of Darin Cox
Sent: Monday, October 16, 2006 5:44 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Significant increase in false positives

We see this occasionally with Declude 1.82. What version are you running?

Darin.

- Original Message -
From: Herb Guenther
To: Message Sniffer Community
Sent: Monday, October 16, 2006 5:35 PM
Subject: [sniffer] Re: Significant increase in false positives

Hi Darin;

Not seeing a lot of false pos messages, but there are lots of spam messages
sneaking through our system because declude is not modifying the header
correctly. It is adding a header stub to the bottom of the message so
that users mail client filters which look for the modified subject line is not
working. Anyone else having that issue?

Herb

--
Herb Guenther
Lanex, LLC
www.lanex.com
(262)789-0966x102 Office
(262)780-0424 Direct
This e-mail is confidential and is for the use of the intended recipient(s) only. If you are not an intended recipient please advise us of our error by return e-mail then delete this e-mail and any attached files. You may not copy, disclose or use the contents in any way.


[sniffer] Re: Declude header not modified correctly

2006-10-24 Thread John T (Lists)

http://kb.armresearch.com/index.php?title=Message_Sniffer.GettingStarted.Integration

John T
eServices For You

Seek, and ye shall find!

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Joe Wolf
Sent: Tuesday, October 24, 2006 4:17 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Declude header not modified correctly

I have this problem as well, but I'm running an older
version of Declude.

As far as I know there's no way to fix the problem
other than supposedly the newest version fixes the issue. I'm not going
to spend another penny on Declude so I'm stuck with the problem unless I switch
mail servers.

Declude went down hill when the new owners took
over. They have a group of worshipers on their list that attacks anyone
critical of management which makes it impossible to give critical information
on the product.

I love Sniffer. I wish all products worked as
good as Sniffer does. I just wish it didn't run underneath a third party
plug in (Declude) to run on Imail or Smartermail.

Does anyone know of a different mail server that's
EASY to use that offers the features of Imail and doesn't require Declude to
run Sniffer?

Thanks,

-Joe

- Original Message -
From: Herb Guenther
To: Message Sniffer Community
Sent: Tuesday, October 24, 2006 6:11 PM
Subject: [sniffer] Re: Declude header not modified correctly

Just as a follow up, I have not had any email returned
from Declude in the last 4 business days. So, they are just ignoring the
problem even tho the tools are all doing their part to identify the messages
are spam, the header mod is useless so it goes right thru the filters. So
their answer was to have me update to the latest version, which did not solve
the problem, and then I did not hear back from them after any email and a call.

Herb

Kami Razvan wrote:

We see that a lot too.. we run 2.14

Kami

From: Message Sniffer Community [mailto:sniffer@sortmonster.com] On Behalf Of Darin Cox
Sent: Monday, October 16, 2006 5:44 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Significant increase in false positives

We see this occasionally with Declude 1.82. What version are you running?

Darin.

- Original Message -
From: Herb Guenther
To: Message Sniffer Community
Sent: Monday, October 16, 2006 5:35 PM
Subject: [sniffer] Re: Significant increase in false positives

Hi Darin;

Not seeing a lot of false pos messages, but there are lots of spam messages
sneaking through our system because declude is not modifying the header
correctly. It is adding a header stub to the bottom of the message so
that users mail client filters which look for the modified subject line is not
working. Anyone else having that issue?

Herb

--
Herb Guenther
Lanex, LLC
www.lanex.com
(262)789-0966x102 Office
(262)780-0424 Direct
This e-mail is confidential and is for the use of the intended recipient(s) only. If you are not an intended recipient please advise us of our error by return e-mail then delete this e-mail and any attached files. You may not copy, disclose or use the contents in any way.










[sniffer] Re: FW: Retest (KMM38446283V14479L0KM)

2006-10-18 Thread John T (Lists)
HA HA

HO HO

ROFLOL

Do you really think Yahoo and the other big ego head companies care about
us?

It would take a mass amount of paid Yahoo users to make some thing happen.

John T
eServices For You

Seek, and ye shall find!


 -Original Message-
 From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
Of
 Tech Support
 Sent: Wednesday, October 18, 2006 6:58 PM
 To: Message Sniffer Community
 Subject: [sniffer] Re: FW: Retest (KMM38446283V14479L0KM)
 
 The time and resources spent dealing with this add up to serious cash
 
 I'm thinking class action lawsuit :)
 
 
 
 - Original Message -
 From: Matrosity Hosting [EMAIL PROTECTED]
 To: Message Sniffer Community sniffer@sortmonster.com
 Sent: Wednesday, October 18, 2006 8:36 PM
 Subject: [sniffer] FW: Retest (KMM38446283V14479L0KM)
 
 
  Whatever, yahoo.
 
  You can't just admit your system was hosed and actually still is.
 
  Bill Foresman
  Matrosity Hosting
  www.matrosity.com
  850.656.2644
 
  -Original Message-
  From: Yahoo! Customer Support [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, October 18, 2006 7:39 PM
  To: [EMAIL PROTECTED]
  Subject: Re: Retest (KMM38446283V14479L0KM)
 
  Hello,
 
  Thank you for contacting Yahoo! Customer Care.
 
  We have investigated the issue described in your report and believe the
  problem has been resolved. We apologize for any inconvenience.
 
  Emails from the mail server(s) you are using have recently become
  deprioritized due to potential issues with its mailings.
 
  These deprioritizations were temporary but may be re-triggered if the
  sending IP profile continues to be poor. Typically, deprioritizations
are
  triggered by bad individual sender or MAIL FROM profiles.
 
  To continue to receive prioritized delivery or if your servers are being
  delivered to Yahoo! Mail's Bulk Mail folder, please visit the following
  URL's for more information:
 
http://help.yahoo.com/help/us/mail/spam/spam-18.html
 
http://help.yahoo.com/help/us/mail/bulk/bulk-01.html
 
  If you are not the administrator for the mail server(s) affected, we
  encourage you to contact the administrator so they can address the
  possible
  issues regarding mailings from the mail server.
 
  If you notice any further difficulties with delivering to Yahoo! Mail
  accounts after this time, please let us know by replying to this email.
  Please provide the text of any error messages you may have received and
a
  copy of the email (with the full headers). Also, by providing the
specific
  IP address of the mail server that experienced the delivery issue, it
will
  help us to troubleshoot the issue efficiently.
 
  Thank you again for contacting Yahoo! Customer Care.
 
  Regards,
 
  Raoul
 
  Yahoo! Customer Care
  http://www.yahoo.com/
 
  27129662
 
 
 
  Original Message Follows:
  -
 
  Mail-Id: 1161088172-2180
  Name: Bill Foresman
 
  IPs in the form 255.255.255.255 (separate multiple IP submissions by new
  lines):
  69.8.234.8
 
  Indicate the error message(s) you have received.
  10:17 00:24 SMTP-(373302740f62)
  Trying yahoo.com (0)
 
  10:17 00:24 SMTP-(278301774a27)
  Trying yahoo.com (0)
 
  10:17 00:24 SMTP-(3b5b01fb0583)
  Trying yahoo.com (0)
 
  10:17 00:24 SMTP-(31dc0257057c)
  Trying yahoo.com (0)
 
  10:17 00:24 SMTP-(306301c6026c)
  Trying yahoo.com (0)
 
  10:17 00:24 SMTP-(27c101704a84)
  Trying yahoo.com (0)
 
  10:17 00:24 SMTP-(370f01ce0f1b)
  Trying yahoo.com (0)
 
  10:17 00:24 SMTP-(367c02540dfe)
  Trying yahoo.com (0)
 
  10:17 00:24 SMTP-(3215025705df)
  Trying yahoo.com (0)
 
  10:17 00:24 SMTP-(37f301fe10c1)
  Trying yahoo.com (0)
 
  10:17 00:24 SMTP-(2d3e016f53e1)
  Trying yahoo.com (0)
 
  10:17 00:24 SMTP-(37e5027410aa)
  Trying yahoo.com (0)
 
  10:17 00:24 SMTP-(39ad01de02b3)
  Trying yahoo.com (0)
 
  10:17 00:24 SMTP-(2ea30212569a)
  Trying yahoo.com (0)
 
  10:17 00:24 SMTP-(373302740f62)
  451 Message temporarily deferred -
  4.16.50
 
  Optionally, add a comment to your submission.
  No clue why this is happening to us!
  I've checked multiple open relay test
  and all come back negative.
 
  While Viewing: http://help.yahoo.com/help/us/mail/defer/defer-02.html
 
  Form Name: http://add2.dir.scd.yahoo.com/fast/help/us/mail/cgi_retest
  ---
 
 
 
 
 

[sniffer] Re: email

2006-10-17 Thread John T (Lists)
I have seen reports that Network Non-Solutions is having DNS Server issues
today.

John T
eServices For You

Seek, and ye shall find!


 -Original Message-
 From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
Of
 Pete McNeil
 Sent: Tuesday, October 17, 2006 2:29 PM
 To: Message Sniffer Community
 Subject: [sniffer] Re: email
 
 Hello Computer,
 
 Tuesday, October 17, 2006, 3:20:18 PM, you wrote:
 
  Dear Pete,
 
  I sent an E-mail to the Sniffer Community over an hour ago, and it has
not
  yet been received by anyone.  I noticed that 2pm was the last sniffer
mail
  I got.  Are these being held up for some reason?
 
 I don't think so - at least not on purpose. There have been a lot of
 odd DNS based things going on today.
 
 I will look into it, but at the moment things seem to be working.
 
 _M
 
 --
 Pete McNeil
 Chief Scientist,
 Arm Research Labs, LLC.
 
 



[sniffer] Thanks Sniffer

2006-10-10 Thread John T (Lists)
I have noticed in the last couple of weeks a greatly improved response time
in reports of false positives.

Just want to say thanks.

John T
eServices For You

Seek, and ye shall find!








[sniffer] Re: Experimental Abstract

2006-10-09 Thread John T (Lists)
I concur Pete in that I have been thinking about upping the weight for the
EXP tests. I recently changed ABST from 20 to 25. I attach at 25, hold at 30
and delete at 35.

SNIFFER-TRAVEL       47  20
SNIFFER-INSURANCE    48  20
SNIFFER-AV-PUSH      49  20
SNIFFER-WAREZ        50  30
SNIFFER-SPAMWARE     51  40
SNIFFER-SNAKEOIL     52  40
SNIFFER-SCAMS        53  40
SNIFFER-PORN         54  40
SNIFFER-MALWARE      55  25
SNIFFER-INKPRINTING  56  20
SNIFFER-SCHEMES      57  30
SNIFFER-CREDIT       58  30
SNIFFER-GAMBLING     59  30
SNIFFER-GENERAL      60  25
SNIFFER-EXP-ABST     61  25
SNIFFER-OBFUSCATION  62  25
SNIFFER-EXP-IP       63  20

John T
eServices For You

Seek, and ye shall find!

 -Original Message-
 From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
Of
 Pete McNeil
 Sent: Monday, October 09, 2006 3:15 PM
 To: Message Sniffer Community
 Subject: [sniffer] Re: Experimental Abstract
 
 Hello Alberto,
 
 In earlier times we had a philosophy that no single test should trap a
 message. The idea was that by combining tests the accuracy of the
 filter system would always (qualified) be improved.
 
 The blackhats have become extremely aggressive about burning IPs and
 generating image spam and/or other abstracted, short lived, and
 narrowly targeted campaigns.
 
 As a result of these changes, it is often the case that our abstract
 rules are the only thing that will fire on a message.
 
 The bad news is that holding on any single test will probably lead to
 more false positives.
 
 The good news is that SNF:Experimental/Abstract has a very low false
 positive rate.
 
 It may be time to alter our philosophy w/ regard to the
 experimental/abstract rules group and recommend that wherever
 practical, messages should probably be held (not deleted) based on a
 hit in this rule group.
 
 Hope this helps,
 
 _M
 
 Monday, October 9, 2006, 5:59:44 PM, you wrote:
 
  Hello
 
  I'm getting storms of spam and Sniffer sets them as (Experimental
  Abstract)
  Can someone explain how have I to treat them?
 
  Many thanks in advance
  Alberto
 
 
 
 
 
 
 
 --
 Pete McNeil
 Chief Scientist,
 Arm Research Labs, LLC.
 
 



[sniffer] Re: [Fwd: keep up with the jones']

2006-10-03 Thread John T (Lists)
???/

John T
eServices For You

Seek, and ye shall find!

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
Of Kim W. Premuda
Sent: Tuesday, October 03, 2006 6:00 PM
To: Message Sniffer Community
Subject: [sniffer] [Fwd: keep up with the jones']



 Original Message  
Subject: 
keep up with the jones'
Date: 
Tue, 03 Oct 2006 17:52:39 -0800
From: 
Larry Swinton [EMAIL PROTECTED]
To: 
[EMAIL PROTECTED]












tips to live by... 




2: And he said, Behold now, I am old, I know not the day of my death: 
31: And the plenty shall not be known in the land by reason of that famine
following; for it shall be very grievous. 
7: And the sons of Jacob came out of the field when they heard it: and the
men were grieved, and they were very wroth, because he had wrought folly in
Israel in lying with Jacob's daughter; which thing ought not to be done. 
4: Unstable as water, thou shalt not excel; because thou wentest up to thy
father's bed; then defiledst thou it: he went up to my couch. 
24: And God said, Let the earth bring forth the living creature after his
kind, cattle, and creeping thing, and beast of the earth after his kind: and
it was so. 
31: And the plenty shall not be known in the land by reason of that famine
following; for it shall be very grievous. 
5: And in the fourteenth year came Chedorlaomer, and the kings that were
with him, and smote the Rephaims in Ashteroth Karnaim, and the Zuzims in
Ham, and the Emims in Shaveh Kiriathaim, 
32: And the man came into the house: and he ungirded his camels, and gave
straw and provender for the camels, and water to wash his feet, and the
men's feet that were with him. 
5: And Abraham said unto his young men, Abide ye here with the ass; and I
and the lad will go yonder and worship, and come again to you, 
17: And these are the sons of Reuel Esau's son; duke Nahath, duke Zerah,
duke Shammah, duke Mizzah: these are the dukes that came of Reuel in the
land of Edom; these are the sons of Bashemath Esau's wife. 
30: And Joseph made haste; for his bowels did yearn upon his brother: and he
sought where to weep; and he entered into his chamber, and wept there. 






[sniffer] Re: Sharon Daniels is out of the office.

2006-08-07 Thread John T (Lists)
Bleeping wonderful.

We have to put up with this for a week?

I guess a nice little Outlook rule is called for.

John T
eServices For You

Seek, and ye shall find!


 -Original Message-
 From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
Of
 [EMAIL PROTECTED]
 Sent: Monday, August 07, 2006 10:02 AM
 To: Message Sniffer Community
 Subject: [sniffer] Sharon Daniels is out of the office.
 
 
 
 
 
 I will be out of the office starting  07/08/2006 and will not return until
 15/08/2006.
 
 I will respond to your message when I return.  If your request is urgent
 please resend your message to [EMAIL PROTECTED] or call 623-5700.
 
 Have a great day!
 Sharon
 
 
 



[sniffer] Re: Fwd: Re: ------------------------------------------------

2006-08-03 Thread John T (Lists)

As Pete has said before, do not send spam reports to the list.

There is a separate appropriate email address for that.

John T
eServices For You

Seek, and ye shall find!

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Filippo Palmili
Sent: Thursday, August 03, 2006 2:08 AM
To: Message Sniffer Community
Subject: [sniffer] Fwd: Re: Prima esperienza di striptease e poi sesso anale trovi qui

Hello,
please include in rules this SPAM.

regards
Filippo












[sniffer] Re: Help

2006-07-27 Thread John T (Lists)

Stop using the silly WHITELIST TODOMAIN for one thing.

What is the IP address they are coming from? Could be a compromised client?

John T
eServices For You

Seek, and ye shall find!

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Filippo Palmili
Sent: Thursday, July 27, 2006 9:11 AM
To: Message Sniffer Community
Subject: [sniffer] Re: Help

Whese:

#= WHITELISTS ===

#WHITELIST HABEAS
PREWHITELIST ON
WHITELIST AUTH
#WHITELIST LOCAL

#(PRO version only) enables addresses in the web address book to automatically be white listed.
#AUTOWHITELIST ON

# - Domain Example -
WHITELIST FROM @declude.com

# - User Example -
WHITELIST FROM [EMAIL PROTECTED]

# - IP Example -
#WHITELIST IP 63.246.13.90

# - TO Example -
#WHITELIST TO postmaster@
#WHITELIST TO abuse@

WHITELIST TO [EMAIL PROTECTED]
WHITELIST TO [EMAIL PROTECTED]

WHITELIST TODOMAIN @mydomain
WHITELIST TODOMAIN @mydomain
WHITELIST TODOMAIN @mydomain
WHITELIST TODOMAIN @mydomain

Filippo

At 18:06 27/07/2006, you wrote:

***
My mail server have the relay activated only for certain IP address and
networks.
Filippo
***

Sorry, I didn't read your message close enough.

What whitelist settings do you have in global.cfg?

Paul Navarre










[sniffer] Re: My rulebase download and log upload script

2006-07-10 Thread John T (Lists)
Reading through the updated script, I notice you are uploading the log file
whenever the script runs. I currently upload the log file once per day.

Pete, what is the preferred timing for uploading the log file?

John T
eServices For You

Seek, and ye shall find!


 -Original Message-
 From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
Of
 Colbeck, Andrew
 Sent: Friday, July 07, 2006 6:24 PM
 To: Message Sniffer Community
 Subject: [sniffer] My rulebase download and log upload script
 
 The last thing before I leave for the weekend...
 
 I finally got around to updating my download/upload script so that I can
 upload compressed logs.
 
 In the course of doing that, I found that my upgraded version of wget
 has changed its behaviour; as of the 1.10.x series, if you specify -O to
 specify the target filename, various options are ignored including the
 -N for download only if server side is newer.  Therefore, ever since I
 upgraded my wget, I've been downloading a compressed rulebase file on
 *each* run.
 
 Some of this script is antique and some of it is new.  I just downloaded
 the standard download script that Bill Landry ushered into this world,
 and my script was certainly informed by the discussions of that on this
 list.
 
 (I'm not trying to replace that script, I'm just giving credit where
 credit is due.)
 
 My .cmd file script is attached as a .txt file; as I mentioned a while
 back, I use both the IMail external script mailbox method to launch
 this file when SortMonster/ARM sends me my notification, and I also run
 it on a schedule with the AT command so that one of them will work to
 get timely updates.
 
 Andrew 8)
 







Re: [sniffer]Sniffer updates down?

2006-06-02 Thread John T (Lists)
Well, I figured out what the problem is, sort of.

This last Monday I finally reconfigured the network at my Data Center for
using 2 Internet connections. 

For some reason, DNS queries going out the secondary connection are timing
out.

Fun Fun Fun.

John T
eServices For You

Seek, and ye shall find!


 -Original Message-
 From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
Of
 Goran Jovanovic
 Sent: Friday, June 02, 2006 3:57 PM
 To: Message Sniffer Community
 Subject: Re: [sniffer]Sniffer updates down?
 
 Hi John,
 
 I got my Sniffer update at 5:03 pm no problem from Toronto
 
 Goran Jovanovic
 Omega Network Solutions
 
 -Original Message-
 From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On
 Behalf Of John T (Lists)
 Sent: Friday, June 02, 2006 5:23 PM
 To: Message Sniffer Community
 Subject: [sniffer]Sniffer updates down?
 
 I am getting errors since late last night that host can not be found.
 
 John T
 eServices For You
 
 Seek, and ye shall find!
 
 
 
 



Re: [sniffer]Possible Paypal Phishing

2006-05-24 Thread John T (Lists)
Disregard my last post.

John T
eServices For You

Seek, and ye shall find!


 -Original Message-
 From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
Of
 Colbeck, Andrew
 Sent: Wednesday, May 24, 2006 9:38 AM
 To: Message Sniffer Community
 Subject: Re: [sniffer]Possible Paypal Phishing
 
 It's really from PostDirect.com aka YesMail.com ...
 
 You can tell that it's authorized because the reverse DNS which ends in
 PayPal.com (ok, that does set off alarm bells when it's someone else's
 netblock) matches the forward lookup of the resulting address at PayPal.
 
 Therefore, PayPal is deliberately allowing that reverse IP in someone
 else's netblock.
 
 That, or both the netblock and PayPal's DNS have been p0wned.
 
 Andrew 8)
 
 
 
  -Original Message-
  From: Message Sniffer Community
  [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
  Sent: Wednesday, May 24, 2006 9:31 AM
  To: Message Sniffer Community
  Subject: [sniffer]Possible Paypal Phishing
 
  Attached are the headers to an e-mail I am suspecting as a
  clever phishing that has me worried.
 
  It looks like a legit message sent on behalf of Paypal,
  however, it is sent from an IP address not owned by Paypal
  BUT which has a REVDNS that ends in paypal.com.
 
  The message is full of links to images.postdirect.com but
  does have legit links to paypal.com.
 
  John T
  eServices For You
 
  Seek, and ye shall find!
 
 
 
 



Re: [sniffer]Possible Paypal Phishing

2006-05-24 Thread John T (Lists)
That is what has me worried.

John T
eServices For You

Seek, and ye shall find!


 -Original Message-
 From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
Of Jay
 Sudowski - Handy Networks LLC
 Sent: Wednesday, May 24, 2006 9:51 AM
 To: Message Sniffer Community
 Subject: Re: [sniffer]Possible Paypal Phishing
 
 The owner of a domain need not authorize a reverse DNS PTR record in any
 way, shape or form.  If the netblock was owned, or the netblock owner
 had delegated rDNS to a malicious customer, they could easily set rDNS
 to whatever they wanted.  Aol.com, paypal.com, ebay.com, chase.com ...
 
 -Jay
 -Original Message-
 From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On
 Behalf Of Colbeck, Andrew
 Sent: Wednesday, May 24, 2006 12:38 PM
 To: Message Sniffer Community
 Subject: Re: [sniffer]Possible Paypal Phishing
 
 It's really from PostDirect.com aka YesMail.com ...
 
 You can tell that it's authorized because the reverse DNS which ends in
 PayPal.com (ok, that does set off alarm bells when it's someone else's
 netblock) matches the forward lookup of the resulting address at PayPal.
 
 Therefore, PayPal is deliberately allowing that reverse IP in someone
 else's netblock.
 
 That, or both the netblock and PayPal's DNS have been p0wned.
 
 Andrew 8)
 
 
 
  -Original Message-
  From: Message Sniffer Community
  [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
  Sent: Wednesday, May 24, 2006 9:31 AM
  To: Message Sniffer Community
  Subject: [sniffer]Possible Paypal Phishing
 
  Attached are the headers to an e-mail I am suspecting as a
  clever phishing that has me worried.
 
  It looks like a legit message sent on behalf of Paypal,
  however, it is sent from an IP address not owned by Paypal
  BUT which has a REVDNS that ends in paypal.com.
 
  The message is full of links to images.postdirect.com but
  does have legit links to paypal.com.
 
  John T
  eServices For You
 
  Seek, and ye shall find!
 
 
 
 




#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
To unsubscribe, E-mail to: [EMAIL PROTECTED]
To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED]
To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]
Send administrative queries to  [EMAIL PROTECTED]



Re: [sniffer]Possible Paypal Phishing

2006-05-24 Thread John T (Lists)
But how is PayPal's DNS involved in this as at what point are the Paypal DNS
servers queried?

John T
eServices For You

Seek, and ye shall find!


 -Original Message-
 From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
Of
 Colbeck, Andrew
 Sent: Wednesday, May 24, 2006 9:38 AM
 To: Message Sniffer Community
 Subject: Re: [sniffer]Possible Paypal Phishing
 
 It's really from PostDirect.com aka YesMail.com ...
 
 You can tell that it's authorized because the reverse DNS which ends in
 PayPal.com (ok, that does set off alarm bells when it's someone else's
 netblock) matches the forward lookup of the resulting address at PayPal.
 
 Therefore, PayPal is deliberately allowing that reverse IP in someone
 else's netblock.
 
 That, or both the netblock and PayPal's DNS have been p0wned.
 
 Andrew 8)
 
 
 
  -Original Message-
  From: Message Sniffer Community
  [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
  Sent: Wednesday, May 24, 2006 9:31 AM
  To: Message Sniffer Community
  Subject: [sniffer]Possible Paypal Phishing
 
  Attached are the headers to an e-mail I am suspecting as a
  clever phishing that has me worried.
 
  It looks like a legit message sent on behalf of Paypal,
  however, it is sent from an IP address not owned by Paypal
  BUT which has a REVDNS that ends in paypal.com.
 
  The message is full of links to images.postdirect.com but
  does have legit links to paypal.com.
 
  John T
  eServices For You
 
  Seek, and ye shall find!
 
 
 
 
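The check discussed in this thread, as an added example that is not part of any poster's message: a PTR name ending in the brand's domain proves nothing on its own, because the netblock holder writes it, and only the forward lookup (answered by the brand's own DNS servers) confirms it. The zone data, the `brand.example` names and the `fcrdns` helper are constructed for illustration; swap the two lookup functions for real resolver calls to use it on live headers.

```python
import ipaddress

# Constructed sample zone data (documentation IP ranges, made-up names).
# PTR records are set by whoever controls the netblock's reverse zone;
# A records are set by whoever controls the domain's forward zone.
PTR_RECORDS = {
    "192.0.2.25": ["mail25.brand.example."],        # sender the brand has authorized
    "198.51.100.7": ["smtp.brand.example."],        # PTR set by the netblock owner alone
    "203.0.113.9": ["brand.example.mailer.test."],  # brand name used as a prefix
    "203.0.113.10": ["mail.notbrand.example."],     # look-alike domain
}
A_RECORDS = {
    "mail25.brand.example": ["192.0.2.25"],
    "smtp.brand.example": ["192.0.2.80"],           # the brand's own host lives elsewhere
    "brand.example.mailer.test": ["203.0.113.9"],
    "mail.notbrand.example": ["203.0.113.10"],
}


def lookup_ptr(ip):
    """Reverse lookup against the constructed reverse zone."""
    return PTR_RECORDS.get(ip, [])


def lookup_a(name):
    """Forward lookup against the constructed forward zone."""
    return A_RECORDS.get(name.rstrip(".").lower(), [])


def in_domain(host, domain):
    """True only if host is the domain itself or a real subdomain of it."""
    host = host.rstrip(".").lower()
    domain = domain.rstrip(".").lower()
    return host == domain or host.endswith("." + domain)


def fcrdns(ip, domain, ptr=lookup_ptr, fwd=lookup_a):
    """Forward-confirmed reverse DNS check of a connecting IP against a domain.

    Returns (verdict, name):
      no-ptr              the IP has no reverse record at all
      ptr-outside-domain  the PTR name is not inside the claimed domain
      ptr-unconfirmed     the PTR name is inside the domain, but the domain's
                          own forward zone does not point back at this IP
      confirmed           PTR and forward lookup agree
    """
    addr = ipaddress.ip_address(ip)
    names = ptr(str(addr))
    if not names:
        return "no-ptr", None
    claimed = [n for n in names if in_domain(n, domain)]
    if not claimed:
        return "ptr-outside-domain", names[0]
    for name in claimed:
        # This is the step where the domain owner's DNS servers are asked.
        for answer in fwd(name):
            if ipaddress.ip_address(answer) == addr:
                return "confirmed", name
    return "ptr-unconfirmed", claimed[0]


if __name__ == "__main__":
    for ip in list(PTR_RECORDS) + ["192.0.2.99"]:
        print(ip, fcrdns(ip, "brand.example"))
```

Only the `confirmed` verdict shows that the domain owner cooperates with the sending address; `ptr-unconfirmed` is the case where a netblock owner has simply written the brand's name into its own reverse zone.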



RE: [sniffer] Test

2006-05-16 Thread John T (Lists)
Pong

John T
eServices For You

Seek, and ye shall find!


 -Original Message-
 From: sniffer@sortmonster.com [mailto:[EMAIL PROTECTED] On Behalf
Of Pete
 McNeil
 Sent: Monday, May 15, 2006 10:12 PM
 To: sniffer@sortmonster.com
 Subject: Test
 
 Hello sniffer,
 
   Just testing.
 
 --
 Pete McNeil
 Chief Scientist,
 Arm Research Labs, LLC.
 
 




This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html


RE: Re[2]: [sniffer] Lot of Drugs Spam getting through sniffer....

2006-05-05 Thread John T (Lists)
Well, I am at the point that I could care less about geocities false
positives. If GeoCities is going to allow this much spam junk then I could
care less about allowing them.

John T
eServices For You

Seek, and ye shall find!


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On
 Behalf Of Pete McNeil
 Sent: Friday, May 05, 2006 9:09 AM
 To: John T (Lists)
 Subject: Re[2]: [sniffer] Lot of Drugs Spam getting through sniffer
 
 We've had that rule before and had to pull it for false positives.
 
 _M
 
 
 On Friday, May 5, 2006, 11:41:50 AM, John wrote:
 
 JTL FYI, I created a Declude Filter:
 
 JTL Subject END NOTCONTAINS news
 JTL BODY 25 CONTAINS http://geocities.com/
 
 JTL Been catching every one like that.
 
 JTL John T
 JTL eServices For You
 
 JTL Seek, and ye shall find!
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
 JTL On
  Behalf Of Daniel Bayerdorffer
  Sent: Friday, May 05, 2006 7:38 AM
  To: sniffer@SortMonster.com
  Subject: RE: [sniffer] Lot of Drugs Spam getting through sniffer
 
  Here too.
 
  --
  Daniel Bayerdorffer  [EMAIL PROTECTED]
  Numberall Stamp  Tool Co., Inc.
  PO Box 187 Sangerville, ME 04479 USA
  TEL 207-876-3541  FAX 207-876-3566
  www.numberall.com
 
 
 
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Schick
   Sent: Friday, May 05, 2006 10:34 AM
   To: sniffer@sortmonster.com
   Subject: [sniffer] Lot of Drugs Spam getting through sniffer
  
   The last few days tons of Drugs spam is coming in and sniffer is
   catching none of it.
  
   Chuck Schick
   Warp 8, Inc.
   (303)-421-5140
   www.warp8.com
  
  
  


RE: Re[4]: [sniffer] Lot of Drugs Spam getting through sniffer....

2006-05-05 Thread John T (Lists)
Just when you think we won the battle, they move the targets and change the
rules.

This is why we need people like Pete and Darrell to help us fight this ever
changing war.

A big thanks.

John T
eServices For You

Seek, and ye shall find!


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On
 Behalf Of Pete McNeil
 Sent: Friday, May 05, 2006 11:37 AM
 To: John T (Lists)
 Subject: Re[4]: [sniffer] Lot of Drugs Spam getting through sniffer
 
 On Friday, May 5, 2006, 1:08:14 PM, John wrote:
 
 JTL Well, I am at the point that I could care less about geocities false
 JTL positives. If GeoCities is going to allow this much spam junk then I
 JTL could care less about allowing them.
 
 That's fine.
 
 There are probably a number of systems that feel that way. I only
 meant to say that we've tried a block-first strategy w/ geocities
 before and had to remove it. YMMV.
 
 You should also know (may remember) that the blackhats experimented a
 while ago with using several other hosting sites, including msn, and
 seeding them in round-robin fashion so that they all appeared in each
 campaign. Since this experiment stopped abruptly I doubt that it has
 been abandoned - rather, it was put on the shelf for a while. At the
 time it was clearly effective for them. I think it likely they will do
 that again (don't know when) since they are putting some new effort
 into this path. I don't have any evidence of it yet.
 
 I discovered that on 20060503 the blackhats made some significant
 changes to their use of geocities links and their transmission
 patterns. I've re-tuned the F002 bot to compensate and it is currently
 reviewing a handful of new geocities links every minute and adding
 approximately 1.2 new rules per minute.
 
 I suspect that the lull we observed may have had something to do with
 their tooling up for this set of campaigns.
 
 _M
 
 
 
 


[sniffer] Updates slow

2006-03-20 Thread John T (Lists)
It seems today that updates have been slow to retrieve, the last one
averaging 54 Kbps. Updates are triggered on the e-mail update notice.

John T
eServices For You

Seek, and ye shall find!






RE: [sniffer] New Web Site!

2006-03-17 Thread John T (Lists)
What is the purpose of using a WIKI site?

John T
eServices For You

Seek, and ye shall find!


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On
 Behalf Of Pete McNeil
 Sent: Friday, March 17, 2006 8:07 AM
 To: sniffer@sortmonster.com
 Subject: [sniffer] New Web Site!
 
 Hello Sniffer Folks,
 
   Today we are making a major transition. The old Message Sniffer web
   site will be torn down and replaced with a new WIKI:
 
   http://kb.armresearch.com/index.php?title=Message_Sniffer
 
   The top Message Sniffer page will retain its index for a while but
   instead of sending you to the original pages the links will take you
   to appropriate pages in the new WIKI.
 
   Also - if you try to go directly to an old page you will be
   redirected automatically to the appropriate new page.
 
   The WIKI requires that you create an account and log-in before
   making any changes. We know there are blackhats out there so we will
   be watching very closely... If we find there is abuse, we will
   disable the ability to create accounts and you will need to contact
   us at support@ if you want the ability to post -- let's hope it
   doesn't come to that.
 
   We will continue to update, improve, and correct the wiki - it will,
   in fact, be under constant development.
 
   Have fun!
 
 Thanks,
 
 _M
 
 Pete McNeil (Madscientist)
 President, MicroNeil Research Corporation
 Chief SortMonster (www.sortmonster.com)
 Chief Scientist (www.armresearch.com)
 
 


[sniffer] New ad campaign

2006-03-10 Thread John T (Lists)
I am seeing a lot of spam with a subject line of fw: or re: followed by
the username portion of the recipient. Any way to create a rule for this?

John T
eServices For You

Seek, and ye shall find!







RE: Re[2]: [sniffer] Last chance to renew at the old price!

2005-12-28 Thread John T (Lists)
1. What is YOUR motive for taking such a tone?

2. I never made an outright solicitation. It was done for the benefit of
others. I am a small business and to my bottom line, every dollar or 5
dollars or 10 dollars count. I clearly said I am not in the business of
selling software or hardware. I have turned away requests before from
people that have contacted me off list about software. It is extremely
rare that I will sell to other than my clients.

3. How do you respond to the posting on this very list by Pete just a bit
ago that the seller selling at such a low rate is a valid reseller?

4. How do you respond to the posting on this very list by Michael Murdock
that yes you can renew with Declude at a lower cost?

Your responses are injecting that I am taking advantage of something or
trying to take away something from SortMonster. That is not true at all.

Your comment about competing is very unusual, in that in essence many of
us are natural competitors to one another, yet day after day we help each
other, in essence helping our competitor.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peer-to-Peer (Support)
Sent: Wednesday, December 28, 2005 6:01 PM
To: sniffer@SortMonster.com
Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

You certainly crossed a line of ethical integrity at the very least.

Pete: If you don't already have a 'non-compete' agreement in your
reseller agreement it's time.

I would never have believed someone would actually try to sell your
reseller rates to your customer base.

It's simply appalling. And should be grounds for termination.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Wednesday, December 28, 2005 8:46 PM
To: sniffer@SortMonster.com
Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

Absolutely not. In fact, if you read my post after this, I am questioning
whether or not it can be sold for a lower price.

I am not here to undermine any one, as after all where do you think the
license that I sell comes from?

After all, we are all here to help one another.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peer-to-Peer (Support)
Sent: Wednesday, December 28, 2005 5:41 PM
To: sniffer@SortMonster.com
Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

John T: Did you just solicit the ENTIRE sniffer community with pricing
that will undermine Pete?

Never bite the hand that feeds you my friend.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Wednesday, December 28, 2005 8:17 PM
To: sniffer@SortMonster.com
Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

Although I am a registered reseller, I normally only sell hardware and
software to clients as part of my services.

However, if any one is interested in a price, contact me off list.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin
Sent: Wednesday, December 28, 2005 5:00 PM
To: sniffer@SortMonster.com
Subject: Re: Re[2]: [sniffer] Last chance to renew at the old price!

After posting this, another reseller pm me their renewal rate of $269. I
didn't know Sniffer had another reseller besides Declude.

Anyways, for those who are interested and want to save money, it's
https://www.computerhouse.com/ccsecure.html

At 01:21 PM 12/28/2005, you wrote:

Can we renew at declude.com since their pricing is $292.50? I assume
their prices will increase on Jan 1, 2006 too.


RE: Re[2]: [sniffer] Last chance to renew at the old price!

2005-12-28 Thread John T (Lists)
Joe, you are correct. I searched for and got out my agreement and it
states Minimum Advertised Price.

Memory does not always work so well.

It is no ECC you know.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Wolf
Sent: Wednesday, December 28, 2005 5:43 PM
To: sniffer@SortMonster.com
Subject: Re: Re[2]: [sniffer] Last chance to renew at the old price!

FYI, a reseller agreement may include a MAP (Minimum Advertised Price)
but it is illegal in the United States for the agreement to determine a
minimum selling price. Any such stipulation in an agreement would put
both of you in violation of federal price-fixing laws.

-Joe

- Original Message -
From: John T (Lists)
To: sniffer@SortMonster.com
Sent: Wednesday, December 28, 2005 7:29 PM
Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

According to the Reseller agreement I signed when I became a reseller of
Message Sniffer, I can not charge that low of a price.

As such, Pete or some one at Sniffer would need to notify me that I had
permission to sell at such a low price.

What I mean is, be careful.

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin
Sent: Wednesday, December 28, 2005 5:00 PM
To: sniffer@SortMonster.com
Subject: Re: Re[2]: [sniffer] Last chance to renew at the old price!

After posting this, another reseller pm me their renewal rate of $269. I
didn't know Sniffer had another reseller besides Declude.

Anyways, for those who are interested and want to save money, it's
https://www.computerhouse.com/ccsecure.html

At 01:21 PM 12/28/2005, you wrote:

Can we renew at declude.com since their pricing is $292.50? I assume
their prices will increase on Jan 1, 2006 too.


RE: Re[2]: [sniffer] Last chance to renew at the old price!

2005-12-27 Thread John T (Lists)
The only problem with that, and one which I do not know how large of a
problem it is, is if you have always provided a single product, and suddenly
divide it into 2 levels, you end up with twice the amount of critics: Those
that pay less but expect more, those that pay more and then expect even
more.

John T
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On
 Behalf Of Rick Robeson
 Sent: Tuesday, December 27, 2005 2:54 PM
 To: sniffer@SortMonster.com
 Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!
 
 The thought does occur to me of how other companies have dealt with
 similar issues.
 That issue being how to address a market requiring internal expansion
 (i.e. expanded reinvestment) while not alienating an existing satisfied
 customer base. Many companies simply split their product line into 'basic'
 and 'premium' services. If the need is as great as Michael says, and the
 new revisions will result in vastly improved service, then most of their
 existing customers should want to move forward. However, giving people the
 option to 'stand still' is viable, good marketing, and good strategy. At
 this point, you have a certain catch 22. Everyone that pays now (for next
 year) is still paying you at the same rate (meaning no expanded funds),
 but is now wondering if they're doing the right thing. Almost seems like
 the only way to make the current strategy pay off would have been to
 demand the increased fees from all clients and not given the grace period
 for renewing at the old rate. At least that way, you'd have gotten
 something in return for any perceived customer dissatisfaction.
 
 Consider expanding to a two-tier service option. It really can work well,
 especially when in the future you might want to charge even more, but not
 alienate 'new' customers who need a lower buy-in.
 
 
 Rick Robeson
 getlocalnews.com
 [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
 
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Fox, Thomas
 Sent: Tuesday, December 27, 2005 2:40 PM
 To: sniffer@SortMonster.com
 Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!
 
 
 Your interpretation of a bit as being 50+%
 is disingenuous at best, and thievery at the
 worst.
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
  Sent: Tuesday, December 27, 2005 5:34 PM
  To: Fox, Thomas
  Subject: Re[2]: [sniffer] Last chance to renew at the old price!
 
  On Tuesday, December 27, 2005, 5:14:13 PM, Thomas wrote:
 
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] On Behalf Of Michael Murdoch
  
   If you don't feel that's the case, then you
   are free to decide if you think otherwise.  Thanks and take care!
 
  FT EASY FOX TRANSLATION:
 
  FT Like it, or lump it.
 
  Translated another way...
 
  We could keep things as they are, stand still while spam generation
  technology advances rapidly, wither away, and die.
 
  OR
 
  We could charge a bit more, accelerate development and make sure that
  SNF stays out in front and even expands the gap.
 
  I, for one, am not willing to make the first choice, and I doubt that
  it would be in anyone's best interests - except, perhaps, the
  blackhats.
 
  _M
 
 
 


RE: Re[2]: [sniffer] Last chance to renew at the old price!

2005-12-27 Thread John T (Lists)
Pete, I am both a Sniffer reseller and user, and I was blind sided by this
announcement.

John T
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On
 Behalf Of Pete McNeil
 Sent: Tuesday, December 27, 2005 2:11 PM
 To: Darin Cox
 Subject: Re[2]: [sniffer] Last chance to renew at the old price!
 
 I'm sorry that it wasn't more visible. We have been talking about this
 for several months and have made a few announcements. It has also been
 on the web site for several months.
 
 My announcement today was just to make sure that anyone who had not
 heard didn't get blind-sided. Sorry it didn't turn out that way. We
 will be working on some better out-reach problems to help avoid this
 in the future.
 
 _M
 
 On Tuesday, December 27, 2005, 4:02:15 PM, Darin wrote:
 
 DC Wow... last minute notice.  It's difficult to budget for these things
 DC with so little notice.  Please consider a couple month's notice the next
 DC time.
 
 DC Darin.
 
 
 DC - Original Message -
 DC From: Pete McNeil [EMAIL PROTECTED]
 DC To: sniffer@sortmonster.com
 DC Sent: Tuesday, December 27, 2005 12:42 PM
 DC Subject: [sniffer] Last chance to renew at the old price!
 
 
 DC Hello Sniffer folks,
 
 DC   This is just a friendly reminder that prices will be going up
 DC   January 1.
 
 DC   You can add a year to your SNF subscription at the current price if
 DC   you renew before January 1.
 
 DC   Details are here:
 DC https://www.armresearch.com/message-sniffer/forms/form-renewal.asp
 
 DC Thanks,
 DC _M
 
 DC Pete McNeil (Madscientist)
 DC President, MicroNeil Research Corporation
 DC Chief SortMonster (www.sortmonster.com)
 DC Chief Scientist (www.armresearch.com)
 
 


RE: [sniffer] Joe Jobs...

2005-12-15 Thread John T (Lists)
Because the vendors are so lame as to have that enabled by default.

John T
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On
 Behalf Of Kevin Stanford
 Sent: Thursday, December 15, 2005 10:11 AM
 To: sniffer@SortMonster.com
 Subject: RE: [sniffer] Joe Jobs...
 
 That brings a question up...why do some/many/most postmasters feel that it
 is so important to notify senders of a virus to a spoofed email address?
 Also, I have yet to see a legitimate email that contained a virus..so why
 not turn the notification off all together?
 
 Just curious...
 
 Kevin
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 On Behalf Of Pete McNeil
 Sent: Thursday, December 15, 2005 11:30 AM
 To: sniffer@sortmonster.com
 Subject: [sniffer] Joe Jobs...
 
 Hello Sniffer Folks,
 
   Please be aware that there are several spam and possibly virus
   (other malware?) campaigns being transmitted with my madscientist
   address and possibly other addresses from our company in the From:
   headers and SMTP envelope.
 
   Though this has happened in the past at low levels, I have noted
   recently a very high level of bounces and warnings returning to me
   (erroneously) from systems that claim they have received viruses and
   spam from my address.
 
   I suspect that this might have been triggered by recent press
   activity, - especially a Washington Post article which included my
   email address without modification.
 
   If you receive any of these messages, please treat them as the
   spam/malware that they are and ignore the source.
 
   I have verified that we are not sending any such messages
   (unintentionally) from any of our systems.
 
 Thanks,
 _M
 
 Pete McNeil (Madscientist)
 President, MicroNeil Research Corporation Chief SortMonster
 (www.sortmonster.com) Chief Scientist (www.armresearch.com)
 
 


RE: [sniffer] Large amounts of spam still getting through

2005-10-15 Thread John T (Lists)
5 minutes would hardly be noticed. Discussions I was having with others
involved delays of an hour or two.

I do not see how greylisting a message for 5 minutes would help except
when fighting harvesting or dictionary type spam attacks.

John T
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On
 Behalf Of William Van Hefner
 Sent: Saturday, October 15, 2005 12:22 AM
 To: sniffer@SortMonster.com
 Subject: RE: [sniffer] Large amounts of spam still getting through
 
 John,
 
 I have no clue what the legal implications would be, as long as both my
 customers know that I'm using it and the sender is notified appropriately
 via SMTP. I use greylisting via IMGate/Postfix and it works like a charm.
 It takes a good couple of weeks to build up a decent whitelist (both manual
 whitelisting and automated whitelisting are recommended), but after that
 it is pretty much smooth sailing. I've yet to have a single complaint from
 my users over greylisting, other than the fact that it delayed their
 e-mails by around 5 minutes for the first couple of weeks. If I had planned
 it better, even those delays would largely not have occurred.
 
 I know of no way to implement greylisting on a Windows box. See
 greylisting.org for more info.
 
 
 William Van Hefner
 Network Administrator
 
 Vantek Communications, Inc.
 555 H Street, Ste. C
 Eureka, CA 95501
 707.476.0833 ph
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
  Sent: Friday, October 14, 2005 12:55 PM
  To: sniffer@SortMonster.com
  Subject: RE: [sniffer] Large amounts of spam still getting through
 
 
  There has been a good amount of discussion about temporarily
  grey listing an e-mail message and there are many questions
  surrounding it, one of which is legal.
 
  John T
  eServices For You
 
 
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED]
  On
   Behalf Of Mike Nice
   Sent: Friday, October 14, 2005 12:43 PM
   To: sniffer@SortMonster.com
   Subject: Re: [sniffer] Large amounts of spam still getting through
  
    getting much better at what they do.  When a spammer uses Geocities
    links, hijacks real accounts on major providers to send spam through,
    and changes their techniques every few hours, it makes it difficult for
    Sniffer to proactively block them, and the delay between rulebase
    updates means a delay in catching things that have been tagged.

   This brings to mind a technique with optional adaptive delay - enabled
   by the user. Each mail is assigned a 'triplicate': (To_Email,
   From_Email, and domain_of_sending_server).  Previously unknown
   triplicates are held for a period of time before being examined for
   spam. The delay is long enough that SpamCop, Sniffer, and InvURIBL
   mailtraps see copies of the spam and update the blacklists.

   This would be hard to do with the stock IMail, but possibly could be
   done by Declude with the V3 architecture and a database.

   It still doesn't provide a good answer to the problem of spammers
   hijacking a computer and sending spam through legitimate servers.
  
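Greylisting as described in this thread, as an added example that is not from any poster or from Postfix: each (recipient, sender, sending-server domain) triplet is temporarily refused until it retries after the delay, then remembered. The 451 reply code, the 4-hour retry window, the `Greylist` class and the sample attempts are assumptions constructed for illustration; the 300-second delay is the "around 5 minutes" mentioned above.

```python
from dataclasses import dataclass, field

DELAY = 300               # seconds a new triplet must wait before it is accepted
RETRY_WINDOW = 4 * 3600   # assumption: a triplet that never retries is forgotten


@dataclass
class Greylist:
    delay: int = DELAY
    retry_window: int = RETRY_WINDOW
    # Manually whitelisted recipient addresses or sender domains.
    manual_whitelist: set = field(default_factory=set)
    # triplet -> time of the first deferred attempt
    first_seen: dict = field(default_factory=dict)
    # Triplets that retried correctly once (the automated whitelist).
    passed: set = field(default_factory=set)

    @staticmethod
    def triplet(rcpt, sender, server_domain):
        return (rcpt.lower(), sender.lower(), server_domain.lower())

    def check(self, rcpt, sender, server_domain, now):
        """Return (smtp_code, reason) for one delivery attempt at time `now`."""
        key = self.triplet(rcpt, sender, server_domain)
        sender_domain = key[1].rpartition("@")[2]
        if key[0] in self.manual_whitelist or sender_domain in self.manual_whitelist:
            return 250, "manual whitelist"
        if key in self.passed:
            return 250, "known triplet"
        seen = self.first_seen.get(key)
        if seen is None or now - seen > self.retry_window:
            # Unknown triplet, or one whose earlier attempt expired: start the clock.
            self.first_seen[key] = now
            return 451, "greylisted: first attempt"
        if now - seen < self.delay:
            return 451, "greylisted: retry too early"
        # A real MTA queued the message and came back after the delay.
        del self.first_seen[key]
        self.passed.add(key)
        return 250, "accepted after retry"


# Constructed attempts: (recipient, envelope sender, sending-server domain, time in s).
SAMPLE_ATTEMPTS = [
    ("bob@customer.example", "alice@partner.example", "partner.example", 0),
    ("bob@customer.example", "x1@forged.example", "dsl-pool.example", 10),
    ("bob@customer.example", "x2@forged.example", "dsl-pool.example", 11),
    ("orders@customer.example", "x3@forged.example", "dsl-pool.example", 12),
    ("bob@customer.example", "alice@partner.example", "partner.example", 60),
    ("bob@customer.example", "alice@partner.example", "partner.example", 400),
    ("bob@customer.example", "alice@partner.example", "partner.example", 9000),
]


def replay(attempts, greylist=None):
    """Run attempts through a greylist and return the SMTP code for each."""
    if greylist is None:
        greylist = Greylist(manual_whitelist={"orders@customer.example"})
    return [greylist.check(*attempt)[0] for attempt in attempts]


if __name__ == "__main__":
    for attempt, code in zip(SAMPLE_ATTEMPTS, replay(SAMPLE_ATTEMPTS)):
        print(code, attempt)
```

The fire-and-forget senders never get past 451, the retrying server is delayed once and then passes immediately, and the whitelisted recipient gets no greylisting protection at all, which is the trade-off of whitelisting a whole address.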


RE: [sniffer] Large amounts of spam still getting through

2005-10-15 Thread John T (Lists)
On a very off topic note, why are we still both up?

John T
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On
 Behalf Of William Van Hefner
 Sent: Saturday, October 15, 2005 1:01 AM
 To: sniffer@SortMonster.com
 Subject: RE: [sniffer] Large amounts of spam still getting through
 
 John,
 
 This may be slightly OT. Hope Pete doesn't mind. :-)
 
 The default in greylisting that comes with Postfix is 300 seconds,
 although you can change that value to whatever you want. The first reason
 that greylisting was implemented was because almost no spamware ever tried
 resending messages at the time the idea was originally brought about. Now,
 I would say that about 85% of spamware and zombies never retry. It is the
 BIG spamhauses that always retry, and Sniffer is an excellent companion for
 catching those. It is currently best suited for stopping zombie spamware,
 and the majority of small spammers that never retry sending messages.
 
 As far as the delay timing goes, that is really up to each individual
 admin and should be fine tuned depending upon what kind of traffic patterns
 you are dealing with. I could certainly see the need for some admins to
 crank the delay up to 15-20 minutes, while I have other hosting customers
 that are whitelisted entirely (you can whitelist individual domains or just
 users using greylisting). The best use may be to whitelist some user
 addresses, and leave others with significant delays. I always believe that
 users should use a personal e-mail address, and another one that is
 strictly for mailing lists, online ordering, and stuff like that.
 
 There is a lot of tweaking that can be done with greylisting, but it is
 only one part of the overall antispam picture. One of its biggest
 advantages is the bandwidth and CPU processing it can save you, as it
 rejects a substantial amount of spam with very little bandwidth
 consumption. There are also technically no false positives, as all mail
 (even spam) will eventually be passed through. Obviously, it only works
 best for SOME spam though, and other things like Sniffer solve different
 parts of the puzzle. Between the different methods I am using, which don't
 even include Bayesian at the moment, I am seeing far better than a 99%
 success (rejecting or deleting spam) rate, with very few false positives.
 
 
 
 William Van Hefner
 Network Administrator
 
 Vantek Communications, Inc.
 555 H Street, Ste. C
 Eureka, CA 95501
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
  Sent: Saturday, October 15, 2005 12:41 AM
  To: sniffer@SortMonster.com
  Subject: RE: [sniffer] Large amounts of spam still getting through
 
 
  5 minutes would hardly be noticed. Discussions I was having
  with others involved delays of an hour or two.
 
  I do not see how greylisting a message for 5 minutes would
  help except when fighting harvesting or dictionary type spam attacks.
 
  John T
  eServices For You
 
 
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED]
  On
   Behalf Of William Van Hefner
   Sent: Saturday, October 15, 2005 12:22 AM
   To: sniffer@SortMonster.com
   Subject: RE: [sniffer] Large amounts of spam still getting through
  
   John,
  
   I have no clue what the legal implications would be, as long as both
   my customers know that I'm using it and the sender is notified
   appropriately via SMTP. I use greylisting via IMGate/Postfix and it
   works like a charm. It takes a good couple of weeks to build up a decent
   whitelist (both manual whitelisting and automated whitelisting are
   recommended), but after that it is pretty much smooth sailing. I've yet
   to have a single complaint from my users over greylisting, other than
   the fact that it delayed their e-mails by around 5 minutes for the first
   couple of weeks. If I had planned it better, even those delays would
   largely not have occurred.
  
   I know of no way to implement greylisting on a Windows box. See
   greylisting.org for more info.
  
  
   William Van Hefner
   Network Administrator
  
   Vantek Communications, Inc.
   555 H Street, Ste. C
   Eureka, CA 95501
   707.476.0833 ph
  
  
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Friday, October 14, 2005 12:55 PM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] Large amounts of spam still getting through
   
   
There has been a good amount of discussion about temporarily grey
listing an e-mail message and there are many questions surrounding
it, one of which is legal.
   
John T
eServices For You
   
   
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]
On
 Behalf Of Mike Nice
 Sent: Friday, October 14, 2005 12:43 PM
 To: sniffer@SortMonster.com
 Subject: Re: [sniffer
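
The greylisting behaviour discussed in the thread above, as an added example that is not part of the original posts or of Postfix/IMGate: a minimal policy that defers a first attempt, accepts a retry after the 300-second delay, exempts whitelisted recipients, and auto-whitelists senders that have passed once. Keying on the (client IP, sender, recipient) triplet is an assumption, and all addresses and timings are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Greylist:
    delay: int = 300                                 # seconds; the default quoted in the thread
    whitelist: set = field(default_factory=set)      # exempt recipient addresses or domains
    first_seen: dict = field(default_factory=dict)   # triplet -> time of first attempt
    passed: set = field(default_factory=set)         # triplets that already survived the delay

    def check(self, client_ip, sender, rcpt, now):
        """Return an SMTP-style reply for one delivery attempt at time `now`."""
        rcpt = rcpt.lower()
        domain = rcpt.rsplit("@", 1)[-1]
        if rcpt in self.whitelist or domain in self.whitelist:
            return "250 whitelisted recipient"
        triplet = (client_ip, sender.lower(), rcpt)   # assumed greylist key
        if triplet in self.passed:
            return "250 auto-whitelisted"
        first = self.first_seen.setdefault(triplet, now)
        if now - first < self.delay:
            # Temporary failure: a real MTA queues and retries, most spamware does not.
            return "450 greylisted, try again later"
        self.passed.add(triplet)
        return "250 accepted after retry"

# Constructed attempts: (seconds since start, client IP, sender, recipient)
ATTEMPTS = [
    (0,   "192.0.2.10",  "news@example.org", "alice@example.com"),  # real MTA, first try
    (5,   "203.0.113.7", "x@example.net",    "alice@example.com"),  # zombie, never retries
    (10,  "203.0.113.7", "x@example.net",    "lists@example.com"),  # whitelisted recipient
    (60,  "192.0.2.10",  "news@example.org", "alice@example.com"),  # retry inside the delay
    (400, "192.0.2.10",  "news@example.org", "alice@example.com"),  # retry after the delay
    (900, "192.0.2.10",  "news@example.org", "alice@example.com"),  # later mail, no delay
]

def replay(attempts, whitelist=("lists@example.com",), delay=300):
    """Run the attempts in order and return the reply code for each."""
    gl = Greylist(delay=delay, whitelist=set(whitelist))
    return [gl.check(ip, snd, rcpt, t).split()[0] for t, ip, snd, rcpt in attempts]

if __name__ == "__main__":
    for attempt, code in zip(ATTEMPTS, replay(ATTEMPTS)):
        print(attempt, "->", code)
```

The whitelisted recipient takes the zombie's message with no delay, which is why a whitelisted address still depends on content filtering behind the greylist.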

RE: Re[2]: [sniffer] Large amounts of spam still getting through

2005-10-15 Thread John T (Lists)
I wonder if that is some kind of Outlook vulnerability.

John T
eServices For You

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On
 Behalf Of Robert Grosshandler
 Sent: Saturday, October 15, 2005 10:43 AM
 To: sniffer@SortMonster.com
 Subject: RE: Re[2]: [sniffer] Large amounts of spam still getting through
 
 We're seeing the header info in the body problem.  It seems to be always
 spam.  Another way it manifests itself is that Declude can't alter the
 Subject line properly.
 
 The folks at Declude tell us that they're aware of it, and that they are
 just waiting for more pre altered by Declude examples to code for it.
 
 Rob
 
 
 M. Stein wrote:
 
 By the way, has anyone seen the spam that gets through that has the header
 info in the body of the mail message instead of where it's supposed to be?
 How is that possible?
 


RE: [sniffer] New virus...

2005-10-06 Thread John T (Lists)
No need to block zips, with Declude just add BANZIPEXTSON to your
virus.cfg file since the payload is an exe within the zip and since we are
all already banning executable files, correct?

John T
eServices For You

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On
 Behalf Of Pete McNeil
 Sent: Wednesday, October 05, 2005 8:41 PM
 To: sniffer@sortmonster.com
 Subject: [sniffer] New virus...
 Importance: High
 
 Hello sniffer,
 
   Hello folks... watch out for a new virus email with an attachment
   named pword _ change . zip - extra spaces added to skip filters
   ;-)
 
   We're adding some SNF rules to catch it. No word about it on virus
   lists or scanner services yet (that I can see).
 
   You may want to temporarily block .zip files - or at least this
   particular zip file until the new rules can be pushed out and the
   virus scanners catch up.
 
 Thanks,
 _M
 
 Pete McNeil (Madscientist)
 President, MicroNeil Research Corporation
 Chief SortMonster (www.sortmonster.com)
 Chief Scientist (www.armresearch.com)
 
 