[sniffer] Re: Direct SmarterMail integration -- Some Testers ?

2010-06-09 Thread Mxuptime.com
Folks,

Having integrated Sniffer into MxScan for SmarterMail, I would like to
share some of my thoughts:

1. From what I can see at the moment neither Commtouch nor Declude has
direct hooks into the SMTP sessions. Any integration at SMTP session level
would definitely require some changes from SmarterMail's end.

2. The PROC folder is basically another way for 3rd party utilities to
interface with the MTA; however, take note that this happens after the SMTP
session has been completed and NOT during.

3. The command line option works, but as someone pointed out earlier it is
also being used by other 3rd party apps/processes for customer jobs. While
it would be possible to encapsulate all 3rd party command line applications
using a script, it would not be ideal. The SM command line also has its own
timeout settings. It tends to get messy when you have more than 1 command
line application in use.

Cheers
-Matt

-Original Message-
From: Message Sniffer Community [mailto:snif...@sortmonster.com] On Behalf
Of E. H. (Eric) Fletcher
Sent: Thursday, June 10, 2010 10:06 AM
To: Message Sniffer Community
Subject: [sniffer] Re: Direct SmarterMail integration -- Some Testers ?

I'd definitely favor B.  Sniffer is so good at what it does that there is
some real potential there depending on the degree to which you integrate
with the SM anti-spam features like SMTP blocking for example.  This would
take some real work of course.

-Original Message-
From: Message Sniffer Community [mailto:snif...@sortmonster.com] On Behalf
Of Pete McNeil
Sent: Wednesday, June 09, 2010 6:46 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Direct SmarterMail integration -- Some Testers ?

On 6/9/2010 6:54 PM, E. H. (Eric) Fletcher wrote:
 I wonder whether it doesn't become a solution in search of a problem.


We're asked about it frequently, and since the command line option 
already exists it's worth fleshing out a bit.

We've avoided building an interface for the proc hooks because:

A. There are already solutions there for that (as you point out).

B. We would really like to see a much tighter integration with SM that 
can take full advantage (during SMTP, not after).

If enough folks are interested in a proc hook based implementation of 
SNF then we will do it, of course.

_M


-- 
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com


#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
This list is for discussing Message Sniffer,
Anti-spam, Anti-Malware, and related email topics.
For More information see http://www.armresearch.com
To unsubscribe, E-mail to: sniffer-...@sortmonster.com
To switch to the DIGEST mode, E-mail to sniffer-dig...@sortmonster.com
To switch to the INDEX mode, E-mail to sniffer-in...@sortmonster.com
Send administrative queries to  sniffer-requ...@sortmonster.com
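The third option above (one wrapper script that chains every command-line filter, with the MTA's own timeout looming over all of them) is where most of the mess comes from. The following is an added example, not code from MxScan, Message Sniffer or SmarterMail, of how such a wrapper can give each filter its own hard budget and decide what to do when one of them hangs. Everything about the filter interface is a hypothetical assumption: each filter is run as `<argv...> <message-file>` and reports by exit status (0 = clean, 1 = spam/malware, anything else = error); map that onto whatever the products you chain actually do.

```python
"""Wrap several command-line content filters so that the mail server makes a
single call, and each filter runs under its own hard timeout.

Added example; this is not code from MxScan, Message Sniffer or SmarterMail.
Assumptions, all hypothetical: each filter is invoked as '<argv...> <message-file>'
and reports by exit status (0 = clean, 1 = spam/malware, anything else = error).
"""
import os
import subprocess
import sys
import tempfile
from dataclasses import dataclass
from typing import List, Tuple

EXIT_CLEAN, EXIT_SPAM = 0, 1


@dataclass
class Filter:
    name: str
    argv: List[str]      # command plus fixed arguments; the message path is appended
    timeout_s: float     # per-filter budget; keep the sum below the MTA's own timeout


@dataclass
class Verdict:
    name: str
    status: str          # "clean", "spam", "timeout" or "error"
    detail: str


def run_filter(f: Filter, message_path: str) -> Verdict:
    """Run one filter under a hard timeout and never let an exception escape."""
    try:
        proc = subprocess.run(f.argv + [message_path], capture_output=True,
                              text=True, timeout=f.timeout_s)
    except subprocess.TimeoutExpired:
        return Verdict(f.name, "timeout", f"no answer within {f.timeout_s}s")
    except OSError as exc:                     # binary missing, not executable, ...
        return Verdict(f.name, "error", str(exc))
    if proc.returncode == EXIT_CLEAN:
        return Verdict(f.name, "clean", proc.stdout.strip())
    if proc.returncode == EXIT_SPAM:
        return Verdict(f.name, "spam", proc.stdout.strip())
    return Verdict(f.name, "error", f"exit {proc.returncode}: {proc.stderr.strip()}")


def scan(filters: List[Filter], message_path: str,
         fail_closed: bool = True) -> Tuple[str, List[Verdict]]:
    """Run the filters in order and stop at the first positive hit.

    Returns ("deliver" | "reject" | "hold", verdicts). With fail_closed=True a
    timeout or error stops the chain and the message is held for review, so a
    scanner outage never silently turns into delivery of unscanned mail.
    """
    verdicts: List[Verdict] = []
    for f in filters:
        v = run_filter(f, message_path)
        verdicts.append(v)
        if v.status == "spam":
            return "reject", verdicts
        if v.status in ("timeout", "error") and fail_closed:
            return "hold", verdicts
    return "deliver", verdicts


def demo(fail_closed: bool = True) -> Tuple[str, List[str]]:
    """Stand-in filters built from the Python interpreter itself (constructed,
    so the example runs offline): a fast clean verdict, a scanner that hangs,
    and one that would flag the message if the chain ever reaches it."""
    py = sys.executable
    filters = [
        Filter("fast-clean", [py, "-c", "import sys; sys.exit(0)"], 10),
        Filter("hung-scanner", [py, "-c", "import time; time.sleep(60)"], 0.5),
        Filter("flags-spam", [py, "-c", "import sys; sys.exit(1)"], 10),
    ]
    fd, path = tempfile.mkstemp(suffix=".eml")
    with os.fdopen(fd, "w") as fh:   # constructed message, not a real capture
        fh.write("From: sender@example.test\r\nSubject: test\r\n\r\nconstructed body\r\n")
    try:
        decision, verdicts = scan(filters, path, fail_closed=fail_closed)
    finally:
        os.unlink(path)
    return decision, [v.status for v in verdicts]


if __name__ == "__main__":
    print("fail closed:", demo(True))    # ('hold', ['clean', 'timeout'])
    print("fail open:  ", demo(False))   # ('reject', ['clean', 'timeout', 'spam'])
```

The design point is the `fail_closed` switch: with it on, a hung scanner parks the message instead of letting it through, which is the behaviour you want for the inbound path; with it off the chain keeps going and a later filter can still catch the message. Either way the MTA sees one process with a predictable worst-case runtime instead of several with independent timeouts.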







[sniffer] Re: Outgoing spam filtering

2010-02-21 Thread MxUptime.com
I would recommend putting in place a throttling and alert mechanism so that
when the outgoing emails exceed a certain threshold the server limits the
outgoing SMTP for the particular account and alerts the admin. I have never
been a fan of outright filtering of outbound emails as this normally leads
to a higher rate of false positives.

 

Cheers

-Matt

 

From: Message Sniffer Community [mailto:snif...@sortmonster.com] On Behalf
Of Kaj Søndergaard Laursen
Sent: Sunday, February 21, 2010 7:10 PM
To: Message Sniffer Community
Subject: [sniffer] Outgoing spam filtering

 

Hi

 

I have now twice had users who are sending spam. One of them I am very
certain must be a phishing victim – a connection from an IP in Nigeria at
the same time the user was connected from her home DSL.

 

We are using Microsoft Exchange and sending through a Microsoft SMTP server
on the DMZ. We do not have any spam-filtering on-premise at the moment. Only
inbound smtp is filtered by our colleagues in another part of the
organization (we are part of a university). So I’m just asking on this list
because I know that there are a lot of experts on this list (and I used
sniffer when I ran the spam-filtering myself).

 

I talked with the support at one of the bigger Danish spam-filtering
providers that were listing all our mail as spam. The only recommendation
they could give was to change the IP-address that I was using to send mail.
That won’t help the receivers of the spam much.

 

So can you recommend anything to stop outbound spam? Should I just run it
through a spam-filter like I do with inbound, or is there a better solution?



 

Kind regards

Kaj Laursen
IT manager
Phone: 9629 6229

Aarhus Universitet, Handels- og IngeniørHøjskolen | Birk Centerpark 15 |
7400 Herning
97 20 83 11 | i...@hih.au.dk | http://www.hih.au.dk/

  _  

 

 



[sniffer] Re: New proactive false positive prevention initiatives

2010-02-04 Thread MxUptime.com
Hi Steve

 

Since this was asked, MxScan for SmarterMail is currently available for Free
in beta mode. 

 

Cheers

-Matt

 

From: Message Sniffer Community [mailto:snif...@sortmonster.com] On Behalf
Of Steve Guluk
Sent: Friday, February 05, 2010 6:10 AM
To: Message Sniffer Community
Subject: [sniffer] Re: New proactive false positive prevention initiatives

 

Hey Pete, 

Is there a hook to use Sniffer in SmarterMail 6?

 

I just had to move to SmarterMail rather than pay over $3k to upgrade iMail
to run on a 64bit windows box. I'm using eWall at this point for Message
Sniffer but may retire that with iMail.

 

On Feb 4, 2010, at 1:57 PM, Pete McNeil wrote:





Hello Sniffer Folks,

I thought I would drop you a note to let you know some things we're doing
behind the scenes to improve filtering accuracy and prevent false positives.

Unqualified false positive candidates:

In partnership with our larger customers we have created a new system to
proactively review captured messages that _might_ be unreported false
positives (usually they are spam, but some aren't). Through this review
process we are able to remove and modify pattern rules that cause occasional
low-level false positives that would otherwise not be reported. This system
is already allowing us to recode or remove dozens of rules per day to make
them more accurate; and to update our rule coding practices and support
systems to further improve our accuracy moving forward.

Real-time rule / IP conflict analysis:

Today we have completed a new false-positive early-warning system. This
system monitors conflicts between IP reputations and pattern rule matches
across the entire fleet of Message Sniffer installations in real-time. Any
time a pattern match is in disagreement with a source IP's reputation that
information is analyzed and pumped through a sophisticated collection of
filters and data-mining tools. The resulting analysis is displayed in
real-time in our spam-weather center so that our staff can respond
immediately (24x365) if there is any sign of a bad rule.

Since we launched this new system and operating protocols earlier today we
have already had several events -- All of them turned out to be valid
anti-spam rules capturing content from bot nets that had previously sent
*berserkers to improve their IP reputations, or where some of the campaigns
in question had leaked sufficiently to produce temporary positive IP
reputations on some systems. This information itself is very interesting now
that we can see it more clearly and we are already working on ways to
identify these cases and reduce the leakage associated with them.

As always your comments, ideas, and suggestions are both welcome and
encouraged.

Best,

_M

PS: *berserkers - Blackhats sometimes send messages that are random and/or
carry no payload. These berserkers, sometimes sent by accident by broken
bots or broken spam scripts, have the effect of improving the IP reputations
of the systems that send them because there is not sufficient content to
filter against. In addition these messages are often sent at such low rates
that most adaptive filtering systems fail to respond to them--- if those
systems were to be (conventionally) sensitized to the berserkers they would
also significantly increase their false-positive rates.

We call these berserkers based on the practice of old Norse warriors who, in
an uncontrollable state (chaotic, berserk (in a fit of madness), and with
the belief they are immune to weapons), would charge directly into the
enemy's ranks fearlessly attacking anything and everything (friend or foe).

http://en.wikipedia.org/wiki/Berserker






 

Regards, 

 

 

Steve Guluk

SGDesign

(949) 661-9333
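Pete's early-warning system above watches for pattern rules whose matches keep landing on sources the IP reputation side rates as good. The following is an added example that models that idea in a few lines; it is not ARM Research's code, and the event format, reputation labels and thresholds are all hypothetical. It counts distinct good-reputation senders per rule rather than raw hits, so a single chatty good host cannot raise the alarm on its own and a botnet cannot bury a genuine conflict under volume.

```python
"""Early warning for pattern rules that disagree with IP reputation.

Added example modelling the post above; not ARM Research's code. Events are
(rule_id, source_ip, reputation) with reputation in {"good", "bad", "unknown"};
format, labels and thresholds are hypothetical.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple


class RuleConflictMonitor:
    def __init__(self, min_good_ips: int = 5, max_good_share: float = 0.25):
        self.min_good_ips = min_good_ips          # sample size before judging a rule
        self.max_good_share = max_good_share      # tolerated share of good senders
        self.by_rule: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
        self.flagged: Set[str] = set()

    def good_share(self, rule_id: str) -> Tuple[int, float]:
        """(distinct good IPs, share of good among rated IPs) for one rule."""
        buckets = self.by_rule[rule_id]
        good = len(buckets["good"])
        known = good + len(buckets["bad"])        # "unknown" carries no opinion
        return good, (good / known if known else 0.0)

    def observe(self, rule_id: str, ip: str, reputation: str) -> Optional[str]:
        """Record one match; return an alert the first time a rule crosses the
        conflict threshold, otherwise None."""
        self.by_rule[rule_id][reputation].add(ip)
        good, share = self.good_share(rule_id)
        if rule_id in self.flagged or good < self.min_good_ips:
            return None
        if share > self.max_good_share:
            self.flagged.add(rule_id)
            return (f"rule {rule_id}: {good} distinct good-reputation senders, "
                    f"{share:.0%} of rated hits; review for false positive")
        return None


def run_sample() -> Tuple[List[str], Set[str]]:
    """Constructed event stream: rule 1001 fires on a botnet (many bad IPs plus
    one good host hitting repeatedly); rule 2002 keeps catching good senders."""
    events = []
    for i in range(40):                                   # 40 distinct bot IPs
        events.append(("1001", f"203.0.113.{i}", "bad"))
    events += [("1001", "198.51.100.9", "good")] * 30     # one good host, 30 hits
    for i in range(8):                                    # 8 distinct good senders
        events.append(("2002", f"192.0.2.{i}", "good"))
    events += [("2002", "203.0.113.200", "bad"), ("2002", "192.0.2.99", "unknown")]
    mon = RuleConflictMonitor()
    alerts = [a for a in (mon.observe(*e) for e in events) if a]
    return alerts, mon.flagged


if __name__ == "__main__":
    print(run_sample())
```

Rule 1001 never trips the alarm despite 30 "good" hits, because they all come from one address; rule 2002 is flagged as soon as five different well-reputed senders have matched it. The berserker case in Pete's postscript is exactly the one this cannot resolve on its own: a bot that has laundered its IP reputation with empty messages looks like a good sender here, which is why the alert is an early warning for a human and not an automatic rule retraction.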

[sniffer] Re: New IMPROVED getRulebase.cmd script

2009-03-11 Thread MxUptime.com
Pete

 

Have you considered using Rsync as the delivery mechanism for the downloads
instead of CURL/WGET?



[sniffer] Re: ClamAID

2009-02-05 Thread MxUptime.com
As a correction to my previous post, both of the win32 builds, oss.netfarm.it
and hideout.ath.cx, are actually ports from clamwin.com.

Thanks

-Original Message-
From: Message Sniffer Community [mailto:snif...@sortmonster.com] On Behalf
Of Andy Schmidt
Sent: Friday, February 06, 2009 1:14 AM
To: Message Sniffer Community
Subject: [sniffer] Re: ClamAID

Hi,

http://oss.netfarm.it/clamav seems to be ideal. I just installed it.

a) runs as a Windows Service (using clamd --install)
b) has registry settings to point to db and conf subfolders
c) accepts trailing backslash

The only remaining issue with Declude is Declude's inability to extract the
infected file name and virus name from the Reports.txt file - but that's
really a problem with Declude's lack of parsing ability.

Gee - I wish Sniffer had a configuration option to tie into ClamD...

Best Regards,
Andy







[sniffer] Re: ClamAID

2009-02-04 Thread Mxuptime.com
Hi

Just to add to the following topic. We've been bundling win32 builds of
ClamD together with our product since the beginning and have some experience
working with the win32 versions. These are my observations and thoughts:

1. http://w32.clamav.net/ has not been updated in quite a while and is rather
outdated.

2. There are no official Win32 builds of ClamAV at the moment, but from what
I understand/read the next release, .95, will have a native official Win build.

3. There are 3 popular updated win32 builds that include ClamD. One that
runs in Cygwin (http://www.sosdg.org/clamav-win32) by Brielle Burns and the
other 2 native win32 builds available at http://hideout.ath.cx/clamav and
http://oss.netfarm.it/clamav. If I am not mistaken both of these win32
builds were actually built from http://w32.clamav.net and then updated to
the current versions.

The Sosdg build has been extremely solid, but some time back Brielle mentioned
that the project would be discontinued, but later decided to continue with
the project. The only shortcoming is that if you have other Cygwin
daemons/services running you might have issues if there are different
versions of the cygwin1.dll in use. For what it's worth, SmarterMail uses
this build.

Overall, I have not found a lot of difference between the other 2 native
win32 builds, and they appear to be updated fairly quickly and frequently.
It's fairly straightforward to have ClamD running as a service, but the ClamD
daemon (in my experience) has been known to crash once in a while, and as
such you will need a watchdog/recovery service to monitor the daemon
and restart it when necessary.

Cheers
-Matt


-Original Message-
From: Message Sniffer Community [mailto:snif...@sortmonster.com] On Behalf
Of Andrew Wallo
Sent: Thursday, February 05, 2009 4:38 AM
To: Message Sniffer Community
Subject: [sniffer] Re: ClamAID

 Sniffer Folks, - ASchmidt...

snip
 ClamAV's web site states that they won't [ continue to support] and 
 development has been stopped?
 http://w32.clamav.net/
/snip

Oddly, I would have bet hard cash that page didn't say that just a week ago.

I went there just recently in order to affirm I had the same dated MSI as
was on their site prior to release of ClamAID.  Plus a live webinar I
attended with ClamAV folks at the end of Dec, personally reassured me that
they intended to move forward on the Win Updates.  ( Which is why that page
out-and-out shocked me. ) Never mind the fact that a lot of the emulation
ports were dying off because the 'official' native win32 was easier to
utilize.

However, all is not lost.  If you read the ClamAV site... Nigel Horn has
been recently promoted in their organization and it was his efforts that
kept the Windows port alive.  I've included a recent letter from him to the
ClamAV win32 list below, ( just posted ) which claims they will resume
support at some (undefined) time in the future.  Based on other
expectations, probably not until after their main codebase rewrite releases
in March of 09.  Add deadline extensions etc. and you are probably well into
fall.  ( Clearly too long to rely on an outdated engine. ) But Nigel seems
inclined to enable interested parties to push the ports independently.

Since the other two independent win32 ports do not include the clamd.exe
port, Pete and I are in discussion about whether it will be more efficient
to take on an ArmResearch port to win32, and throwing out the ClamAV MSI
altogether.  This would solve a lot of the ClamAID's complexity in fixing
the install issues that come with the existing ClamAV MSI and it would get
us an updated engine a lot sooner than is likely with the waiting list of
upgrades from ClamAV.

We'll keep you posted.

Andrew Wallo







Folks,

I'm sorry that I've not been able to put time and effort into continuing
the support of ClamAV on the Windows system.

The ClamAV team intend to restart support for Windows as soon as we can.

In the meantime I am also aware that not much has been happening on the
Powertools front. For those of you that don't know, the Powertools
is a suite of programs that enhance the features of ClamAV under Windows.

* clamdService - a service to start clamd and freshclam

* clamAVShellExt - an extension to Windows Explorer to add the option to
  right-click any file/folder and have that file/folder scanned by ClamAV

* clamOffice - an extension to Microsoft Word to use ClamAV to scan for
viruses when a document is opened

* clamAVaddin - an extension to Microsoft Office to use ClamAV to scan
for viruses when an email is received.

Given that I'm aware that people use the above tools, I've uploaded the
code to https://sourceforge.net/projects/clamav-power/. The sources are
  available under SVN, at
https://clamav-power.svn.sourceforge.net/svnroot/clamav-power/.

-Nigel 
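Matt's point about the win32 ClamD needing a watchdog is worth showing concretely, since a service manager only notices a crash, not a daemon that is still running but no longer answering. The following is an added example, not part of any ClamAV build, MxScan or Sniffer. The PING/PONG exchange is clamd's real protocol (the newline-terminated `nPING\n` form on the TCP listener); the restart command is a hypothetical `sc.exe` call for a service named "clamd", and a fake clamd is started in-process so the example runs offline.

```python
"""Watchdog for a clamd that occasionally dies: probe it with clamd's PING
command and restart the service after consecutive failures.

Added example, not part of any ClamAV build, MxScan or Sniffer. PING/PONG is
the real clamd protocol; the 'sc' restart and service name are hypothetical;
the in-process fake clamd is constructed for the demo only.
"""
import socket
import subprocess
import threading
from typing import Callable, List, Optional, Tuple


def clamd_alive(host: str = "127.0.0.1", port: int = 3310, timeout: float = 5.0) -> bool:
    """True only if clamd accepts the connection and answers PING with PONG."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"nPING\n")
            reply = s.recv(64)
    except OSError:                 # refused, timed out, reset, ...
        return False
    return reply.strip() == b"PONG"


def restart_windows_service(name: str = "clamd") -> None:
    """Hypothetical restart via sc.exe; a real deployment would log and alert too."""
    subprocess.run(["sc", "stop", name], check=False)
    subprocess.run(["sc", "start", name], check=False)


class Watchdog:
    """Call tick() from a timer. Restarts only after N consecutive failed probes,
    so one slow scan does not cause a bounce but a dead daemon is recovered."""

    def __init__(self, probe: Callable[[], bool], restart: Callable[[], None],
                 failures_before_restart: int = 2):
        self.probe, self.restart = probe, restart
        self.limit = failures_before_restart
        self.failures = 0

    def tick(self) -> str:
        if self.probe():
            self.failures = 0
            return "healthy"
        self.failures += 1
        if self.failures >= self.limit:
            self.restart()
            self.failures = 0
            return "restarted"
        return "unhealthy"


def start_fake_clamd(reply: Optional[bytes] = b"PONG\n") -> Tuple[socket.socket, int]:
    """Constructed stand-in: answers every connection with `reply`, or hangs up
    without answering when reply is None (a wedged daemon)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)              # lets the serving thread notice srv.close()
    port = srv.getsockname()[1]

    def serve() -> None:
        while srv.fileno() != -1:
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:
                return
            conn.settimeout(2.0)
            with conn:
                try:
                    conn.recv(64)
                    if reply:
                        conn.sendall(reply)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def demo() -> Tuple[bool, List[str], int]:
    """A healthy daemon, then one that accepts connections but never answers."""
    srv, port = start_fake_clamd()
    healthy = clamd_alive(port=port, timeout=2.0)
    srv.close()

    mute, port2 = start_fake_clamd(reply=None)
    restarts: List[int] = []
    wd = Watchdog(probe=lambda: clamd_alive(port=port2, timeout=2.0),
                  restart=lambda: restarts.append(1))   # stand-in for restart_windows_service
    states = [wd.tick() for _ in range(3)]               # unhealthy, restarted, unhealthy
    mute.close()
    return healthy, states, len(restarts)


if __name__ == "__main__":
    print(demo())
```

The probe checks the application layer, not just the TCP port: a clamd stuck in a signature reload still accepts connections, and the Declude-style "the scanner is running, why did nothing get scanned" failure is exactly the one a port check misses. Run `tick()` every 30 to 60 seconds; two consecutive misses before a restart avoids bouncing the daemon during a legitimately long reload.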



[sniffer] Re: Sniffer Helper App?

2008-07-01 Thread Mxuptime.com
I will have to second this. I've moved off Imail to other Windows based
Email servers (MailEnable and Smartermail) and no regrets in the past.

 

If you are looking to block based on countries you can still use the Reverse
DNSBLs that are country specific. However, this will only work well if you
selectively block a few countries, because if you have a long list of
countries to block it would add to your overall processing time.

 

Cheers

-Matt

 

From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
Of David Moore
Sent: Wednesday, July 02, 2008 7:03 AM
To: Message Sniffer Community
Subject: [sniffer] Re: Sniffer Helper App?

 

I moved from Imail 8 to SmarterMail 4.3 and then 5.1, best thing I ever did
( the cost of an Imail maintenance contract for Enterprise unlimited users
/ domains). SmarterMail has greylisting built in so 90-95% of spam gets killed
at source; the other spam is handled out of the box by SpamAssassin. I do
have mXGuard and Sniffer full licences but as yet I haven't had to enable
them (mainly because I have only just installed SmarterMail v5.1).

 

Regards David Moore

[EMAIL PROTECTED]

 

J.P. MCP, MCSE, MCSE + INTERNET, CNE.

www.adsldirect.com.au for ADSL and Internet www.romtech.com.au for PC sales

 

Office Phone: (+612) 9453 1990

Fax Phone: (+612) 9453 1880

Mobile Phone: +614 18 282 648

Skype Phone: ADSLDIRECT

 

POSTAL ADDRESS:

PO BOX 190

BELROSE NSW 2085

AUSTRALIA.

 


 

From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
Of Steve Guluk
Sent: Wednesday, 2 July 2008 5:18 AM
To: Message Sniffer Community
Subject: [sniffer] Sniffer Helper App?

 

Hello, 

I run iMail 9.0 and would like a program that can do GeoIP to screen foreign
countries before they even get to iMail. I used to use MXGuard (still have
an active license) but my server could not handle the CPU draw. I moved to
eWall which really has some great potential as it is a nice light gateway
client that works with Sniffer but it also crashes and has a few other
problems (this program also introduced me to GeoIP).

 

Any other suggestions, as I am beat after trying to get some decent spam
relief as well as relief from an aging server. My server is an AMD 2.0 with
RAID and 2 GB of RAM. It's fared well over the last couple of years,
but the spam levels ramping up are starting to take their toll and I don't
want to move to a new server just yet.

 

eWall got me spoiled on the GeoIP feature where it polls a DB for country
info based on the incoming IP and can delete emails before they reach iMail.


 

Any suggestions on what I should consider to help with spam and also use
Sniffer. Is Declude worth while? Some other light gateway like eWall ?

 

Thanks in advance for any suggestions, 

 

 

Steve Guluk

SGDesign

(949) 661-9333

ICQ: 7230769



[sniffer] Re: Backscatter Spam

2008-06-28 Thread Mxuptime.com
Interesting idea, but BATV appears to be something that you would need to
run at the MTA level (i.e. the mail server would need to support the
functionality) because it rewrites the return address on outgoing emails.

 

On a side note, I have noticed a significant drop in backscatter when SPF is
implemented for the particular domain. Most of the backscatter appears to
come from valid antispam appliances like the Barracuda boxes, which would
normally use SPF. These devices perform the SPF test during the SMTP
connection and reject it immediately as opposed to bouncing the message
back. So the SPF does help.

 

-Matt

 

From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
Of Matthew J. Grim
Sent: Sunday, June 29, 2008 1:25 AM
To: Message Sniffer Community
Subject: [sniffer] Re: Backscatter Spam

 

As an aside, Mdaemon has an excellent backscatter prevention system.

They appear to be using BATV
http://en.wikipedia.org/wiki/Bounce_Address_Tag_Validation , an internet draft at the moment.

Matt in Tampa
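To make the BATV mechanism referenced above concrete (and to show why, as Matt says, it has to live in the MTA), here is an added example of the tag signing and the bounce-time check. It is not MDaemon's code or anyone else's from this thread. The tag layout follows the "prvs" form in the BATV internet draft: the local part becomes `prvs=<K><DDD><SSSSSS>=<original local part>`, with K a key-version digit, DDD the expiry day number mod 1000 and SSSSSS the first six hex digits of an HMAC. The HMAC input order, the use of SHA-1, the seven-day lifetime, the key bytes and the dates are this example's own choices and should be read as hypothetical.

```python
"""Bounce Address Tag Validation (BATV) sign/verify.

Added example, not MDaemon's or any product's code. Tag layout follows the
"prvs" form of the BATV draft; HMAC input order, SHA-1, lifetime, keys and
dates are this example's choices (hypothetical).

Outbound: rewrite MAIL FROM to the tagged form. Inbound: a message with an
empty MAIL FROM (a bounce/DSN) is accepted only if RCPT TO carries a valid,
unexpired tag; anything else addressed to us with MAIL FROM:<> is backscatter.
"""
import hashlib
import hmac
import re
from datetime import date
from typing import Dict, Optional, Tuple

PRVS_RE = re.compile(
    r"^prvs=(?P<k>\d)(?P<ddd>\d{3})(?P<sig>[0-9a-f]{6})=(?P<local>[^@]+)@(?P<domain>[^@]+)$",
    re.IGNORECASE)


def _sig(key: bytes, k: int, ddd: int, local: str, domain: str) -> str:
    """Six hex digits of HMAC-SHA1 over key version, expiry day and address."""
    msg = f"{k}{ddd:03d}{local}@{domain}".lower().encode()
    return hmac.new(key, msg, hashlib.sha1).hexdigest()[:6]


def batv_sign(key: bytes, key_version: int, address: str, today: date,
              lifetime_days: int = 7) -> str:
    """Rewrite an envelope sender into its tagged form (done on outbound MAIL FROM)."""
    local, domain = address.rsplit("@", 1)
    ddd = (today.toordinal() + lifetime_days) % 1000
    sig = _sig(key, key_version, ddd, local, domain)
    return f"prvs={key_version}{ddd:03d}{sig}={local}@{domain}"


def batv_verify(keys: Dict[int, bytes], address: str, today: date,
                lifetime_days: int = 7) -> Tuple[bool, str, Optional[str]]:
    """Return (valid, reason, original address or None)."""
    m = PRVS_RE.match(address)
    if not m:
        return False, "untagged", None
    k, ddd, sig = int(m["k"]), int(m["ddd"]), m["sig"].lower()
    local, domain = m["local"], m["domain"]
    key = keys.get(k)
    if key is None:
        return False, f"unknown key version {k}", None
    if not hmac.compare_digest(sig, _sig(key, k, ddd, local, domain)):
        return False, "bad signature", None
    # Days until expiry, modulo 1000. A tag older than its lifetime wraps to a
    # large value here, so the comparison also catches replayed old tags.
    remaining = (ddd - today.toordinal()) % 1000
    if remaining > lifetime_days:
        return False, "expired", None
    return True, "ok", f"{local}@{domain}"


def accept_inbound(keys: Dict[int, bytes], mail_from: str, rcpt_to: str,
                   today: date) -> Tuple[bool, str]:
    """SMTP-time policy: only bounces (MAIL FROM:<>) are subject to BATV."""
    if mail_from != "":
        return True, "not a bounce"
    ok, reason, _ = batv_verify(keys, rcpt_to, today)
    if ok:
        return True, "bounce to tagged address"
    return False, f"backscatter: {reason}"


if __name__ == "__main__":
    KEYS = {1: b"constructed-demo-key"}          # hypothetical key material
    tagged = batv_sign(KEYS[1], 1, "alice@example.test", date(2008, 6, 27))
    print(tagged)
    print(batv_verify(KEYS, tagged, date(2008, 6, 30)))
    print(accept_inbound(KEYS, "", "alice@example.test", date(2008, 6, 30)))
```

Two deployment caveats follow from the code. First, the tagged address must be routable back to the mailbox, so the MTA's recipient validation has to strip the `prvs=...=` prefix before it checks whether the user exists; that is the "needs MTA support" part. Second, rejecting untagged bounces is only safe once every path that sends mail from the domain is tagging; until then, log rather than reject, or you will drop legitimate DSNs for mail that left through an unconverted relay.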



[sniffer] Backscatter Spam

2008-06-27 Thread Mxuptime.com
Of late I have noticed a large increase in backscatter. Is anyone else
running into issues with this? Some of it gets caught by Sniffer, but the
bulk of it also makes it through.