[sniffer] Re: RulePanic on 2908567
Update on this rule. Hits started at ~9:20am ET. We saw 365 hits in 40 minutes before we added the rule panic, of which ~5% were FPs. We pulled it since that is a large number of FPs for a single rule. In the next 20 minutes there were another 158 hits logged, but with the rule panic in place.

Darin.

----- Original Message -----
From: Darin Cox
To: Message Sniffer Community
Sent: Wednesday, February 03, 2010 9:02 AM
Subject: [sniffer] RulePanic on 2908567

We're noticing a lot of FPs on this rule, and have added a RulePanic entry. Pete, is there a problem with it?

Darin.

[sniffer] Re: RulePanic on 2908567
Darin Cox wrote:
> We're noticing a lot of FPs on this rule, and have added a RulePanic entry. Pete, is there a problem with it?

The rule was for passport.com -- it has already been removed.

_M

#
This message is sent to you because you are subscribed to the mailing list sniffer@sortmonster.com.
This list is for discussing Message Sniffer, Anti-spam, Anti-Malware, and related email topics.
For More information see http://www.armresearch.com
To unsubscribe, E-mail to: sniffer-...@sortmonster.com
To switch to the DIGEST mode, E-mail to sniffer-dig...@sortmonster.com
To switch to the INDEX mode, E-mail to sniffer-in...@sortmonster.com
Send administrative queries to sniffer-requ...@sortmonster.com

[sniffer] Re: RulePanic on 2908567
Darin Cox wrote:
> Update on this rule. Hits started at ~9:20am ET. We saw 365 hits in 40 minutes before we added the rule panic, of which ~5% were FPs. We pulled it since that is a large number of FPs for a single rule. In the next 20 minutes there were another 158 hits logged, but with the rule panic in place.

Our auto-panic monitoring system also shows that many systems panicked the rule on their own.

_M

[sniffer] Re: RulePanic on 2908567
We're still seeing hits. I assume the rule removal hasn't propagated to our rulebase yet?

BTW, we were seeing hits on the rule across a broad range of emails that related to passport.com.

Darin.

----- Original Message -----
From: Pete McNeil madscient...@armresearch.com
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Wednesday, February 03, 2010 9:41 AM
Subject: [sniffer] Re: RulePanic on 2908567

Darin Cox wrote:
> We're noticing a lot of FPs on this rule, and have added a RulePanic entry. Pete, is there a problem with it?

The rule was for passport.com -- it has already been removed.

_M

[sniffer] Re: RulePanic on 2908567
Darin Cox wrote:
> We're still seeing hits. I assume the rule removal hasn't propagated to our rulebase yet?
>
> BTW, we were seeing hits on the rule across a broad range of emails that related to passport.com.

The rule will be missing from your next update if it's not already gone when you get this. In any case your panic entry makes it inert.

The latest data from the rule panic watcher does not show any further hits -- so it seems to be gone from most systems already.

_M