[sniffer] False Positive - how to react?
For the first (known) time I see Message Sniffer filter a valid mail. The mail is from my Dell salesperson containing a quote. This is from the IMail log: 20070926 091209 127.0.0.1 SMTPD (064801a658d9) [143.166.85.206] EHLO ausc60pc101.us.dell.com 20070926 091210 127.0.0.1 SMTPD (064801a658d9) [143.166.85.206] MAIL FROM:[EMAIL PROTECTED] 20070926 091210 127.0.0.1 SMTPD (064801a658d9) [143.166.85.206] RCPT TO:[EMAIL PROTECTED] 20070926 091217 127.0.0.1 SMTPD (064801a658d9) [143.166.85.206] d:\ICS2006\IMail\spool\D064801a658d9.SMD 314045 20070926 091217 127.0.0.1 SMTPD (064801a658d9) performing antispam checks This is the related Sniffer log entry: hp2dpjsa20070926071222 d064801a658d9.smd 0 78 Match 1336961 60 6933694583 hp2dpjsa20070926071222 d064801a658d9.smd 0 78 Final 1336961 60 0 26005 83 What is the best way to handle stuff like this? Thanks -- Elektronik-Labor Carls GmbH Co. KG Stefan Paege Fon: +49 5973 9497-23 Fax: +49 5973 9497-19 Elektronik-Labor Carls GmbH & Co. KG Kommanditgesellschaft:Sitz Neuenkirchen, Registergericht Steinfurt HRA 3310 Persönlich haftende Gesellschafterin: Elektronik-Labor Carls, Beteiligungsgesellschaft mbH, Sitz Neuenkirchen, Registergericht Steinfurt HRB 4175 Geschäftsführer: Irmgard Carls, Joachim Schulte # This message is sent to you because you are subscribed to the mailing list sniffer@sortmonster.com. To unsubscribe, E-mail to: [EMAIL PROTECTED] To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED] To switch to the INDEX mode, E-mail to [EMAIL PROTECTED] Send administrative queries to [EMAIL PROTECTED]
Re: [sniffer] False positive processing
Nope. None of them. I haven't heard back from the replies to a couple of false positives on the 10th, and we haven't heard anything from our submissions on the 16th (6) and 17th (2). I don't remember if we've heard anything from those on the 15th (4). Darin. - Original Message - From: Pete McNeil [EMAIL PROTECTED] To: Darin Cox sniffer@SortMonster.com Sent: Tuesday, March 21, 2006 11:21 AM Subject: Re: [sniffer] False positive processing On Tuesday, March 21, 2006, 9:38:46 AM, Darin wrote: DC DC DC Hi Pete, DC DC DC DC Are you getting behind on false positive processing? We have DC gotten a response in a few days, and are still forwarding false DC positives for an FP report that we asked for a while rule on the 10th. I'm not behind. Did the message get tagged on it's way out of your system? Thanks, _M This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
Re[2]: [sniffer] False positive processing
On Tuesday, March 21, 2006, 11:37:30 AM, Darin wrote: DC Nope. None of them. DC I haven't heard back from the replies to a couple of false positives on the DC 10th, and we haven't heard anything from our submissions on the 16th (6) and DC 17th (2). I don't remember if we've heard anything from those on the 15th DC (4). Right now I'm preparing to process FPs. I have a total of 24. 15 from you. I don't show any others pending. When I'm done I'll go back and look at the 10th, 16th, and 17th to see if I received and responded. _M This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
Re[4]: [sniffer] False positive processing
I have responded off list. Let me know (off list) if you got my response just in case it goes missing again. Thanks, _M On Tuesday, March 21, 2006, 12:04:29 PM, Darin wrote: DC Right. 15 from today. Let me know what you find out. The ones from the DC 10th were replies to FP processing to investigate further and apply white DC rules. The others were normal FP reports. DC Thanks, DC Darin. DC - Original Message - DC From: Pete McNeil [EMAIL PROTECTED] DC To: Darin Cox sniffer@SortMonster.com DC Sent: Tuesday, March 21, 2006 11:52 AM DC Subject: Re[2]: [sniffer] False positive processing DC On Tuesday, March 21, 2006, 11:37:30 AM, Darin wrote: DC Nope. None of them. DC I haven't heard back from the replies to a couple of false positives on DC the DC 10th, and we haven't heard anything from our submissions on the 16th (6) DC and DC 17th (2). I don't remember if we've heard anything from those on the DC 15th DC (4). DC Right now I'm preparing to process FPs. I have a total of 24. 15 from DC you. I don't show any others pending. When I'm done I'll go back and DC look at the 10th, 16th, and 17th to see if I received and responded. DC _M DC This E-Mail came from the Message Sniffer mailing list. For information and DC (un)subscription instructions go to DC http://www.sortmonster.com/MessageSniffer/Help/Help.html DC This E-Mail came from the Message Sniffer mailing list. For DC information and (un)subscription instructions go to DC http://www.sortmonster.com/MessageSniffer/Help/Help.html This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
[sniffer] False positive processing
Pete, Thanks for the quicker turnaround in the last few days for false positive processing. We're seeing abouthalf day now. Much appreciated! Darin.
[sniffer] False Positives
So when I asked how I would send in false positives, someone mentioned that I should look up the appropriate log entry and send that in. That brings up another question. My log file is 270MB and climbing. I've never opened it cause it's too big. Do you have a reader for your log files? I think it would be nice to have a little list of things to do to send in false positives: 1. Have your users send you the false positive. Save it as an .eml file (?) 2. Look up (somehow) the entry in your log file that corresponds to that .eml file. Copy and paste that text into a new email. 3. Send an email from your primary Sortmonster email address, attaching the .eml file and any log portion as necessary. Is this correct? --- [This E-mail was scanned for viruses.] This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
RE: [sniffer] False Positives
A program like freeware Baregrep (http://www.baremetalsoft.com/baregrep/) might be helpful to you. Do you not regularly cycle your logs and submit them? John C -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Rogers Sent: Thursday, February 23, 2006 4:49 AM To: sniffer@SortMonster.com Subject: [sniffer] False Positives So when I asked how I would send in false positives, someone mentioned that I should look up the appropriate log entry and send that in. That brings up another question. My log file is 270MB and climbing. I've never opened it cause it's too big. Do you have a reader for your log files? I think it would be nice to have a little list of things to do to send in false positives: 1. Have your users send you the false positive. Save it as an .eml file (?) 2. Look up (somehow) the entry in your log file that corresponds to that .eml file. Copy and paste that text into a new email. 3. Send an email from your primary Sortmonster email address, attaching the .eml file and any log portion as necessary. Is this correct? --- [This E-mail was scanned for viruses.] This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
Re: [sniffer] False Positives
On Thursday, February 23, 2006, 5:48:55 AM, Kevin wrote: KR So when I asked how I would send in false positives, someone mentioned KR that I should look up the appropriate log entry and send that in. That KR brings up another question. My log file is 270MB and climbing. I've KR never opened it cause it's too big. Do you have a reader for your log KR files? I recommend you delete your current log - or at least set it aside until you've completed work on the FPs in question. There are editors out there (I like slickedit) that will handle files that large. That said, your log file should never get that large. You should rotate it out and send it to us once a day or so. There are some scripts to handle that for you: http://www.sortmonster.com/MessageSniffer/Help/AutomatingUpdatesHelp.html Details about your log file are here: http://www.sortmonster.com/MessageSniffer/Help/LogsHelp.html KR I think it would be nice to have a little list of things to do to send KR in false positives: KR 1. Have your users send you the false positive. Save it as an .eml file (?) KR 2. Look up (somehow) the entry in your log file that corresponds to that KR .eml file. Copy and paste that text into a new email. KR 3. Send an email from your primary Sortmonster email address, attaching KR the .eml file and any log portion as necessary. KR Is this correct? Everything you want to know about false positives (most likely) is on this page - including step by step instructions: http://www.sortmonster.com/MessageSniffer/Help/FalsePositivesHelp.html _M This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
[sniffer] False Positive - no reaction?
Hi, I filed this false positive report a day ago and never heard back. Just trying to see if my emails are blocked again. Phone: +1 201 934-3414 x20 (Business) Fax:+1 201 934-9206 -Original Message- From: Andy Schmidt [mailto:[EMAIL PROTECTED] Sent: Monday, February 20, 2006 10:41 AM To: '[EMAIL PROTECTED]' Subject: License ID nwb655oh This message was a GIF image from one individual to another. Log Entries: nwb655oh20060219172434 DA9CC319600AA9394.SMD 31 360 Match 836625 61 2245238871 nwb655oh20060219172434 DA9CC319600AA9394.SMD 31 360 Final 836625 61 0 32767 71 Original Message: Received: from mailout08.sul.t-online.com [194.25.134.20] by hm-software.com with ESMTP (SMTPD32-8.15) id A9CC319600AA; Sun, 19 Feb 2006 12:24:28 -0500 Received: from fwd34.aul.t-online.de by mailout08.sul.t-online.com with smtp id 1FAsIN-00064u-06; Sun, 19 Feb 2006 18:24:27 +0100 Received: from athome ([EMAIL PROTECTED] ]) by fwd34.sul.t-online.de with smtp id 1FAsIB-0X4oka0; Sun, 19 Feb 2006 18:24:15 +0100 Message-ID: [EMAIL PROTECTED] From: Bjoern Schmidt [EMAIL PROTECTED] To: Jochen Schug [EMAIL PROTECTED], Harald Mergard [EMAIL PROTECTED] Subject: Hier das Bild zu meinem Service-request Date: Sun, 19 Feb 2006 18:24:15 +0100 MIME-Version: 1.0 Content-Type: multipart/mixed; boundary==_NextPart_000_0005_01C63581.B0813970 X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2900.2180 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180 X-ID: GWI0CrZ-Ye-ErQseZpWkpcMBFfC4ce2pefaSy9EIpXJHQ-BFOxDqQt X-TOI-MSGID: bdd1884c-5835-410b-822a-2343e2bb5047 This is a multi-part message in MIME format. --=_NextPart_000_0005_01C63581.B0813970 Content-Type: multipart/alternative; boundary==_NextPart_001_0006_01C63581.B0813970 --=_NextPart_001_0006_01C63581.B0813970 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable Ciao Bjoern Schmidt [EMAIL PROTECTED] www.barchetta.cc =20 Barchetta - The Classic and Sports Car Channel Updated News as It = Happens. --=_NextPart_001_0006_01C63581.B0813970 Content-Type: text/html; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable !DOCTYPE HTML PUBLIC -//W3C//DTD HTML 4.0 Transitional//EN HTMLHEAD META http-equiv=3DContent-Type content=3Dtext/html; = charset=3Diso-8859-1 META content=3DMSHTML 6.00.2900.2802 name=3DGENERATOR STYLE/STYLE /HEAD BODY bgColor=3D#ff DIVnbsp;/DIV DIVFONT face=3DArial size=3D2CiaoBRBjoern SchmidtBRA=20 href=3Dmailto:[EMAIL PROTECTED][EMAIL PROTECTED]/ABRA=20 href=3Dhttp://www.barchetta.cc;www.barchetta.cc/Anbsp;nbsp; = BRBarchetta -=20 The Classic and Sports Car Channel Updated News as It=20 Happens./FONT/DIV/BODY/HTML --=_NextPart_001_0006_01C63581.B0813970-- --=_NextPart_000_0005_01C63581.B0813970 Content-Type: image/gif; name=Neues Projekt erstellen.gif Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename=Neues Projekt erstellen.gif R0lGODdhAAUABHcAACwAAAUABIcAAACAgACAgICAAIAAgIDAwMDA3MCmy vAB NwAnHQAwLQwxMzgYCVwPLFYAO3M1OEgyPXEPVBARVjgRZw4eaSo0WTA9ZQosdDEfVkEaZ EkZZ3A5 SFszT3ksdEckbXtKOExmLGVFVhZKUTJHaBVIcyhwWTdsdipPU1lbW2xIbUhNY39qQF5ud Epwb2QL MJcHLKMxP7wvPdwdSJoYQaUMYK4qT5EmUrgxZZo6cL0ZUsQUftoIdusjWtgtUuUpZNsuc+ZCPoVS U4VOU7tObJlQe6VrVYd0co1zeKtXXcZFW/BGZstGbNRLcc5IcNJaZ8xUdttPeehtdM1nf ucGlQAB swA1jzU7qTo9l0A+pUAAygAA8wAuzy5HjzVEoztijAZshS50qgx6uyRKmUlCj2NLp0tfo swA1jzU7qTo9l0A+WBpk1J8 jHxgoV9urm514XU9g74UgtkPkuoVrfE5lds3g+4wrvQay/UjxvVOlYBKhbF/gIB3k6l/u jHxgoV9urm514XU9g74UgtkPkuoVrfE5lds3g+oBRldBJ j+1boNRRs/Rlhtxlm8xmnNV0h9x7l8l5ld5njOBohvxqkeBjm/t3juNwjf98muF7mf9+o j+uVYwvZz yvahEwG3Nw2FWDeVazW2UBqjRCGqZCaIU0iTW3aPc0mVZXe4WUuuYVqtaHrGOAf/AAD+N QPUSgjB XizbZg33ShP4Tyb0chHMZFPHcHD1aEmTbISudYzCdoGahgaaky2ZoCesjwq6jD6upSmKi FCIknCF p3Svmk+I0QyBySaa7AvCngvOhzrQqw7OuyL9kQT2iinzrA70rDDflkHQjGb2l07pk3X2r p3Svmk+lL1sWf5 zQ7+30H1xGn841L8622MjIyMkKeJvIiPor2vgZyxjamrqJigoKCTl8aBneGXq9KMq+e2t9Otu+yS wpKlzZ+zxail/7WJ0PazxNO5zPOs4f/akIPXp4vzmIjsuYT6tqjBzLX2zJHz1bX8+JXn/ wpKlzZ+6nT0tnY 2OTZ5NTX5Pjq1ND9/dTo6OgAAACgoKSAgID//wD//wAAAP//AP8A//9YqUYI/ wALCRTo RAqggwcNKTSEqKHDhw0XSpxIsaLFixgzatzIsaPHjyBDihxJsqTJkyhTqlzJsqXLlzBjy pxJs6bN mzhz6tzJs6fPnx4RCpXiZGChJQcHNZFSyJFTR9miSp1KtarVq1izat3KtavXr2DDih1Lt qzZs2jT ql3Ltq3bt3Djyp1Lt67du3jz6t3Lt6/fv4DnPi0kpckgQFEONgHUFKrVbZAjS55MubLly 5gza97M ubPnz6BDix5NurTp06hTq17NurXr17Bjy55Nu7ZtyYFz697Nu7dvudvUOmWklEoUKosFP nX6u7nz 59CjS59Ovbr169iza9/OvXv15eDDX/8bf40RceRLokQZZHTg8qrh48ufT7++/fv48+vfz This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
Re: [sniffer] False Positive - no reaction?
On average it takes 2 or three days to hear back on false positives. Darin. - Original Message - From: Andy Schmidt [EMAIL PROTECTED] To: sniffer@SortMonster.com Sent: Tuesday, February 21, 2006 9:40 AM Subject: [sniffer] False Positive - no reaction? Hi, I filed this false positive report a day ago and never heard back. Just trying to see if my emails are blocked again. Phone: +1 201 934-3414 x20 (Business) Fax:+1 201 934-9206 -Original Message- From: Andy Schmidt [mailto:[EMAIL PROTECTED] Sent: Monday, February 20, 2006 10:41 AM To: '[EMAIL PROTECTED]' Subject: License ID nwb655oh This message was a GIF image from one individual to another. Log Entries: nwb655oh 20060219172434 DA9CC319600AA9394.SMD 31 360 Match 836625 61 2245 2388 71 nwb655oh 20060219172434 DA9CC319600AA9394.SMD 31 360 Final 836625 61 0 32767 71 Original Message: Received: from mailout08.sul.t-online.com [194.25.134.20] by hm-software.com with ESMTP (SMTPD32-8.15) id A9CC319600AA; Sun, 19 Feb 2006 12:24:28 -0500 Received: from fwd34.aul.t-online.de by mailout08.sul.t-online.com with smtp id 1FAsIN-00064u-06; Sun, 19 Feb 2006 18:24:27 +0100 Received: from athome ([EMAIL PROTECTED] ]) by fwd34.sul.t-online.de with smtp id 1FAsIB-0X4oka0; Sun, 19 Feb 2006 18:24:15 +0100 Message-ID: [EMAIL PROTECTED] From: Bjoern Schmidt [EMAIL PROTECTED] To: Jochen Schug [EMAIL PROTECTED], Harald Mergard [EMAIL PROTECTED] Subject: Hier das Bild zu meinem Service-request Date: Sun, 19 Feb 2006 18:24:15 +0100 MIME-Version: 1.0 Content-Type: multipart/mixed; boundary==_NextPart_000_0005_01C63581.B0813970 X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2900.2180 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180 X-ID: GWI0CrZ-Ye-ErQseZpWkpcMBFfC4ce2pefaSy9EIpXJHQ-BFOxDqQt X-TOI-MSGID: bdd1884c-5835-410b-822a-2343e2bb5047 This is a multi-part message in MIME format. --=_NextPart_000_0005_01C63581.B0813970 Content-Type: multipart/alternative; boundary==_NextPart_001_0006_01C63581.B0813970 --=_NextPart_001_0006_01C63581.B0813970 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable Ciao Bjoern Schmidt [EMAIL PROTECTED] www.barchetta.cc =20 Barchetta - The Classic and Sports Car Channel Updated News as It = Happens. --=_NextPart_001_0006_01C63581.B0813970 Content-Type: text/html; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable !DOCTYPE HTML PUBLIC -//W3C//DTD HTML 4.0 Transitional//EN HTMLHEAD META http-equiv=3DContent-Type content=3Dtext/html; = charset=3Diso-8859-1 META content=3DMSHTML 6.00.2900.2802 name=3DGENERATOR STYLE/STYLE /HEAD BODY bgColor=3D#ff DIVnbsp;/DIV DIVFONT face=3DArial size=3D2CiaoBRBjoern SchmidtBRA=20 href=3Dmailto:[EMAIL PROTECTED][EMAIL PROTECTED]/ABRA=20 href=3Dhttp://www.barchetta.cc;www.barchetta.cc/Anbsp;nbsp; = BRBarchetta -=20 The Classic and Sports Car Channel Updated News as It=20 Happens./FONT/DIV/BODY/HTML --=_NextPart_001_0006_01C63581.B0813970-- --=_NextPart_000_0005_01C63581.B0813970 Content-Type: image/gif; name=Neues Projekt erstellen.gif Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename=Neues Projekt erstellen.gif R0lGODdhAAUABHcAACwAAAUABIcAAACAgACAgICAAIAAgIDAwMDA3MCmy vAB NwAnHQAwLQwxMzgYCVwPLFYAO3M1OEgyPXEPVBARVjgRZw4eaSo0WTA9ZQosdDEfVkEaZ EkZZ3A5 SFszT3ksdEckbXtKOExmLGVFVhZKUTJHaBVIcyhwWTdsdipPU1lbW2xIbUhNY39qQF5ud Epwb2QL MJcHLKMxP7wvPdwdSJoYQaUMYK4qT5EmUrgxZZo6cL0ZUsQUftoIdusjWtgtUuUpZNsuc+ZCPoVS U4VOU7tObJlQe6VrVYd0co1zeKtXXcZFW/BGZstGbNRLcc5IcNJaZ8xUdttPeehtdM1nf ucGlQAB swA1jzU7qTo9l0A+pUAAygAA8wAuzy5HjzVEoztijAZshS50qgx6uyRKmUlCj2NLp0tfo swA1jzU7qTo9l0A+WBpk1J8 jHxgoV9urm514XU9g74UgtkPkuoVrfE5lds3g+4wrvQay/UjxvVOlYBKhbF/gIB3k6l/u jHxgoV9urm514XU9g74UgtkPkuoVrfE5lds3g+oBRldBJ j+1boNRRs/Rlhtxlm8xmnNV0h9x7l8l5ld5njOBohvxqkeBjm/t3juNwjf98muF7mf9+o j+uVYwvZz yvahEwG3Nw2FWDeVazW2UBqjRCGqZCaIU0iTW3aPc0mVZXe4WUuuYVqtaHrGOAf/AAD+N QPUSgjB XizbZg33ShP4Tyb0chHMZFPHcHD1aEmTbISudYzCdoGahgaaky2ZoCesjwq6jD6upSmKi FCIknCF p3Svmk+I0QyBySaa7AvCngvOhzrQqw7OuyL9kQT2iinzrA70rDDflkHQjGb2l07pk3X2r p3Svmk+lL1sWf5 zQ7+30H1xGn841L8622MjIyMkKeJvIiPor2vgZyxjamrqJigoKCTl8aBneGXq9KMq+e2t9Otu+yS wpKlzZ+zxail/7WJ0PazxNO5zPOs4f/akIPXp4vzmIjsuYT6tqjBzLX2zJHz1bX8+JXn/ wpKlzZ+6nT0tnY 2OTZ5NTX5Pjq1ND9/dTo6OgAAACgoKSAgID//wD//wAAAP//AP8A//9YqUYI/ wALCRTo RAqggwcNKTSEqKHDhw0XSpxIsaLFixgzatzIsaPHjyBDihxJsqTJkyhTqlzJsqXLlzBjy pxJs6bN mzhz6tzJs6fPnx4RCpXiZGChJQcHNZFSyJFTR9miSp1KtarVq1izat3KtavXr2DDih1Lt qzZs2jT ql3Ltq3bt3Djyp1Lt67du3jz6t3Lt6/fv4DnPi0kpckgQFEONgHUFKrVbZAjS55MubLly 5gza97M ubPnz6BDix5NurTp06hTq17NurXr17Bjy55Nu7ZtyYFz697Nu7dvudvUOmWklEoUKosFP nX6u7nz 59CjS59Ovbr169iza9/OvXv15eDDX/8bf40RceRLokQZZHTg8qrh48ufT7++/fv48+vfz This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription
Re: [sniffer] False Positive - no reaction?
I'm a little behind. I'm going to do false positives in the next 10 minutes. I only have 20 to do it should go fast. Sorry for the delay. Thanks, _M On Tuesday, February 21, 2006, 9:40:07 AM, Andy wrote: AS Hi, AS I filed this false positive report a day ago and never heard back. AS Just trying to see if my emails are blocked again. AS Phone: +1 201 934-3414 x20 (Business) AS Fax:+1 201 934-9206 AS -Original Message- AS From: Andy Schmidt [mailto:[EMAIL PROTECTED] AS Sent: Monday, February 20, 2006 10:41 AM AS To: '[EMAIL PROTECTED]' AS Subject: License ID nwb655oh AS This message was a GIF image from one individual to another. AS Log Entries: AS nwb655oh20060219172434 DA9CC319600AA9394.SMD 31 360 AS Match 836625 61 2245238871 AS nwb655oh20060219172434 DA9CC319600AA9394.SMD 31 360 AS Final 836625 61 0 32767 71 AS Original Message: Received: from mailout08.sul.t-online.com [194.25.134.20] by hm-software.com with ESMTP (SMTPD32-8.15) id A9CC319600AA; Sun, 19 Feb 2006 12:24:28 -0500 Received: from fwd34.aul.t-online.de by mailout08.sul.t-online.com with smtp id 1FAsIN-00064u-06; Sun, 19 Feb 2006 18:24:27 +0100 Received: from athome ([EMAIL PROTECTED] ]) by fwd34.sul.t-online.de with smtp id 1FAsIB-0X4oka0; Sun, 19 Feb 2006 18:24:15 +0100 Message-ID: [EMAIL PROTECTED] From: Bjoern Schmidt [EMAIL PROTECTED] To: Jochen Schug [EMAIL PROTECTED], Harald Mergard [EMAIL PROTECTED] Subject: Hier das Bild zu meinem Service-request Date: Sun, 19 Feb 2006 18:24:15 +0100 MIME-Version: 1.0 Content-Type: multipart/mixed; boundary==_NextPart_000_0005_01C63581.B0813970 X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2900.2180 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180 X-ID: GWI0CrZ-Ye-ErQseZpWkpcMBFfC4ce2pefaSy9EIpXJHQ-BFOxDqQt X-TOI-MSGID: bdd1884c-5835-410b-822a-2343e2bb5047 This is a multi-part message in MIME format. --=_NextPart_000_0005_01C63581.B0813970 Content-Type: multipart/alternative; boundary==_NextPart_001_0006_01C63581.B0813970 --=_NextPart_001_0006_01C63581.B0813970 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable Ciao Bjoern Schmidt [EMAIL PROTECTED] www.barchetta.cc =20 Barchetta - The Classic and Sports Car Channel Updated News as It = Happens. --=_NextPart_001_0006_01C63581.B0813970 Content-Type: text/html; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable !DOCTYPE HTML PUBLIC -//W3C//DTD HTML 4.0 Transitional//EN HTMLHEAD META http-equiv=3DContent-Type content=3Dtext/html; = charset=3Diso-8859-1 META content=3DMSHTML 6.00.2900.2802 name=3DGENERATOR STYLE/STYLE /HEAD BODY bgColor=3D#ff DIVnbsp;/DIV DIVFONT face=3DArial size=3D2CiaoBRBjoern SchmidtBRA=20 href=3Dmailto:[EMAIL PROTECTED][EMAIL PROTECTED]/ABRA=20 href=3Dhttp://www.barchetta.cc;www.barchetta.cc/Anbsp;nbsp; = BRBarchetta -=20 The Classic and Sports Car Channel Updated News as It=20 Happens./FONT/DIV/BODY/HTML --=_NextPart_001_0006_01C63581.B0813970-- --=_NextPart_000_0005_01C63581.B0813970 Content-Type: image/gif; name=Neues Projekt erstellen.gif Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename=Neues Projekt erstellen.gif R0lGODdhAAUABHcAACwAAAUABIcAAACAgACAgICAAIAAgIDAwMDA3MCmy vAB NwAnHQAwLQwxMzgYCVwPLFYAO3M1OEgyPXEPVBARVjgRZw4eaSo0WTA9ZQosdDEfVkEaZ EkZZ3A5 SFszT3ksdEckbXtKOExmLGVFVhZKUTJHaBVIcyhwWTdsdipPU1lbW2xIbUhNY39qQF5ud Epwb2QL AS MJcHLKMxP7wvPdwdSJoYQaUMYK4qT5EmUrgxZZo6cL0ZUsQUftoIdusjWtgtUuUpZNsuc+ZCPoVS U4VOU7tObJlQe6VrVYd0co1zeKtXXcZFW/BGZstGbNRLcc5IcNJaZ8xUdttPeehtdM1nf ucGlQAB swA1jzU7qTo9l0A+pUAAygAA8wAuzy5HjzVEoztijAZshS50qgx6uyRKmUlCj2NLp0tfo swA1jzU7qTo9l0A+WBpk1J8 jHxgoV9urm514XU9g74UgtkPkuoVrfE5lds3g+4wrvQay/UjxvVOlYBKhbF/gIB3k6l/u jHxgoV9urm514XU9g74UgtkPkuoVrfE5lds3g+oBRldBJ j+1boNRRs/Rlhtxlm8xmnNV0h9x7l8l5ld5njOBohvxqkeBjm/t3juNwjf98muF7mf9+o j+uVYwvZz yvahEwG3Nw2FWDeVazW2UBqjRCGqZCaIU0iTW3aPc0mVZXe4WUuuYVqtaHrGOAf/AAD+N QPUSgjB XizbZg33ShP4Tyb0chHMZFPHcHD1aEmTbISudYzCdoGahgaaky2ZoCesjwq6jD6upSmKi FCIknCF p3Svmk+I0QyBySaa7AvCngvOhzrQqw7OuyL9kQT2iinzrA70rDDflkHQjGb2l07pk3X2r p3Svmk+lL1sWf5 AS zQ7+30H1xGn841L8622MjIyMkKeJvIiPor2vgZyxjamrqJigoKCTl8aBneGXq9KMq+e2t9Otu+yS wpKlzZ+zxail/7WJ0PazxNO5zPOs4f/akIPXp4vzmIjsuYT6tqjBzLX2zJHz1bX8+JXn/ wpKlzZ+6nT0tnY 2OTZ5NTX5Pjq1ND9/dTo6OgAAACgoKSAgID//wD//wAAAP//AP8A//9YqUYI/ wALCRTo RAqggwcNKTSEqKHDhw0XSpxIsaLFixgzatzIsaPHjyBDihxJsqTJkyhTqlzJsqXLlzBjy pxJs6bN mzhz6tzJs6fPnx4RCpXiZGChJQcHNZFSyJFTR9miSp1KtarVq1izat3KtavXr2DDih1Lt qzZs2jT ql3Ltq3bt3Djyp1Lt67du3jz6t3Lt6/fv4DnPi0kpckgQFEONgHUFKrVbZAjS55MubLly 5gza97M ubPnz6BDix5NurTp06hTq17NurXr17Bjy55Nu7ZtyYFz697Nu7dvudvUOmWklEoUKosFP nX6u7nz 59CjS59Ovbr169iza9/OvXv15eDDX/8bf40RceRLokQZZHTg8qrh48ufT7++/fv48+vfz AS This E-Mail came from
RE: [sniffer] False Positive - no reaction?
Sorry - didn't mean to be pushy. I just thought that false positives are worse than missed spam, so I had assumed that they would always be at the top of the queue. I can wait (PS - would have calmed my nerves, if there had been some automatic ticket number response that reassured me that my email was received. The web site makes it sound as if there's a million reasons why a false positive might not be accepted - so an automatic confirmation might be a good self-service tool. Best Regards Andy Schmidt Phone: +1 201 934-3414 x20 (Business) Fax:+1 201 934-9206 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil Sent: Tuesday, February 21, 2006 09:55 AM To: Andy Schmidt Subject: Re: [sniffer] False Positive - no reaction? I'm a little behind. I'm going to do false positives in the next 10 minutes. I only have 20 to do it should go fast. Sorry for the delay. Thanks, _M On Tuesday, February 21, 2006, 9:40:07 AM, Andy wrote: AS Hi, AS I filed this false positive report a day ago and never heard back. AS Just trying to see if my emails are blocked again. AS Phone: +1 201 934-3414 x20 (Business) AS Fax:+1 201 934-9206 AS -Original Message- AS From: Andy Schmidt [mailto:[EMAIL PROTECTED] AS Sent: Monday, February 20, 2006 10:41 AM AS To: '[EMAIL PROTECTED]' AS Subject: License ID nwb655oh AS This message was a GIF image from one individual to another. AS Log Entries: AS nwb655oh20060219172434 DA9CC319600AA9394.SMD 31 360 AS Match 836625 61 2245238871 AS nwb655oh20060219172434 DA9CC319600AA9394.SMD 31 360 AS Final 836625 61 0 32767 71 AS Original Message: Received: from mailout08.sul.t-online.com [194.25.134.20] by hm-software.com with ESMTP (SMTPD32-8.15) id A9CC319600AA; Sun, 19 Feb 2006 12:24:28 -0500 Received: from fwd34.aul.t-online.de by mailout08.sul.t-online.com with smtp id 1FAsIN-00064u-06; Sun, 19 Feb 2006 18:24:27 +0100 Received: from athome ([EMAIL PROTECTED] 6 ]) by fwd34.sul.t-online.de with smtp id 1FAsIB-0X4oka0; Sun, 19 Feb 2006 18:24:15 +0100 Message-ID: [EMAIL PROTECTED] From: Bjoern Schmidt [EMAIL PROTECTED] To: Jochen Schug [EMAIL PROTECTED], Harald Mergard [EMAIL PROTECTED] Subject: Hier das Bild zu meinem Service-request Date: Sun, 19 Feb 2006 18:24:15 +0100 MIME-Version: 1.0 Content-Type: multipart/mixed; boundary==_NextPart_000_0005_01C63581.B0813970 X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2900.2180 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180 X-ID: GWI0CrZ-Ye-ErQseZpWkpcMBFfC4ce2pefaSy9EIpXJHQ-BFOxDqQt X-TOI-MSGID: bdd1884c-5835-410b-822a-2343e2bb5047 This is a multi-part message in MIME format. --=_NextPart_000_0005_01C63581.B0813970 Content-Type: multipart/alternative; boundary==_NextPart_001_0006_01C63581.B0813970 --=_NextPart_001_0006_01C63581.B0813970 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable Ciao Bjoern Schmidt [EMAIL PROTECTED] www.barchetta.cc =20 Barchetta - The Classic and Sports Car Channel Updated News as It = Happens. --=_NextPart_001_0006_01C63581.B0813970 Content-Type: text/html; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable !DOCTYPE HTML PUBLIC -//W3C//DTD HTML 4.0 Transitional//EN HTMLHEAD META http-equiv=3DContent-Type content=3Dtext/html; = charset=3Diso-8859-1 META content=3DMSHTML 6.00.2900.2802 name=3DGENERATOR STYLE/STYLE /HEAD BODY bgColor=3D#ff DIVnbsp;/DIV DIVFONT face=3DArial size=3D2CiaoBRBjoern SchmidtBRA=20 href=3Dmailto:[EMAIL PROTECTED][EMAIL PROTECTED]/ABRA=20 href=3Dhttp://www.barchetta.cc;www.barchetta.cc/Anbsp;nbsp; = BRBarchetta -=20 The Classic and Sports Car Channel Updated News as It=20 Happens./FONT/DIV/BODY/HTML --=_NextPart_001_0006_01C63581.B0813970-- --=_NextPart_000_0005_01C63581.B0813970 Content-Type: image/gif; name=Neues Projekt erstellen.gif Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename=Neues Projekt erstellen.gif R0lGODdhAAUABHcAACwAAAUABIcAAACAgACAgICAAIAAgIDAwMDA3MCm y vAB NwAnHQAwLQwxMzgYCVwPLFYAO3M1OEgyPXEPVBARVjgRZw4eaSo0WTA9ZQosdDEfVkEa Z EkZZ3A5 SFszT3ksdEckbXtKOExmLGVFVhZKUTJHaBVIcyhwWTdsdipPU1lbW2xIbUhNY39qQF5u d Epwb2QL AS MJcHLKMxP7wvPdwdSJoYQaUMYK4qT5EmUrgxZZo6cL0ZUsQUftoIdusjWtgtUuUpZNsuc+ZCPoVS U4VOU7tObJlQe6VrVYd0co1zeKtXXcZFW/BGZstGbNRLcc5IcNJaZ8xUdttPeehtdM1n f ucGlQAB swA1jzU7qTo9l0A+pUAAygAA8wAuzy5HjzVEoztijAZshS50qgx6uyRKmUlCj2NLp0tf swA1jzU7qTo9l0A+o swA1jzU7qTo9l0A+WBpk1J8 jHxgoV9urm514XU9g74UgtkPkuoVrfE5lds3g+4wrvQay/UjxvVOlYBKhbF/gIB3k6l/ jHxgoV9urm514XU9g74UgtkPkuoVrfE5lds3g+u jHxgoV9urm514XU9g74UgtkPkuoVrfE5lds3g+oBRldBJ j+1boNRRs/Rlhtxlm8xmnNV0h9x7l8l5ld5njOBohvxqkeBjm/t3juNwjf98muF7mf9+ j+o j+uVYwvZz
Re[2]: [sniffer] False Positive - no reaction?
On Tuesday, February 21, 2006, 10:16:11 AM, Andy wrote: AS Sorry - didn't mean to be pushy. I just thought that false positives are AS worse than missed spam, so I had assumed that they would always be at the AS top of the queue. It is a very tough balancing act. Don't feel bad at all - you're not being pushy. The current goal is to respond in less than 24 hours and if possible to review twice per day. Yesterday a number of urgent tasks toppled that schedule. The first review happened (at around 0600) but there were no FPs at that time. I'm working to increase the review cycle... there are just a lot of things going on right now. Just so everyone knows, we do hear - loud and clear - that responding to FPs is important, and we have been much better about it over the recent past. I expect that service aspect to improve moving forward along with other things. AS I can wait (PS - would have calmed my nerves, if there had been some AS automatic ticket number response that reassured me that my email was AS received. The web site makes it sound as if there's a million reasons why a AS false positive might not be accepted - so an automatic confirmation might be AS a good self-service tool. That's a good point. I'll look at that possibility when I rewrite the false processing bot. We're getting a lot of spam lately at our false@ address and I would want to make sure that there was no outscatter. I can tell the bot to only respond to validated senders, but then there is the issue of email reliability in the response... what if you don't get the response I mean. ... There are still folks that occasionally (some frequently) send false reports from unauthorized addresses --- those would not get a response... I'm overthinking this now %^b When I get to the false processing bot I will add a response mechanism. Thanks! _M This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
RE: Re[2]: [sniffer] False Positive - no reaction?
Hi Pete, I agree that the email notification is tricky - because you might respond to spam - and, you may NOT respond to someone who did not use an authorized address. On the other hand, if I KNEW there was an auto-response and I did NOT get a response, it would be an indication to me, the user, that I must have done something wrong. So - in a sense - no response is also a message I can act on. The only other suggestion I have is to create a 24 hour 'queue' display on the web site. All you need to show is a column of the sender domain names of the email (not the entire sender email address). If I submit a false positive I can confirm that it made it into your queue by checking the web page. This way, you don't need to send automated emails. Best Regards Andy Schmidt Phone: +1 201 934-3414 x20 (Business) Fax:+1 201 934-9206 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil Sent: Tuesday, February 21, 2006 11:04 AM To: Andy Schmidt Subject: Re[2]: [sniffer] False Positive - no reaction? On Tuesday, February 21, 2006, 10:16:11 AM, Andy wrote: AS Sorry - didn't mean to be pushy. I just thought that false AS positives are worse than missed spam, so I had assumed that they AS would always be at the top of the queue. It is a very tough balancing act. Don't feel bad at all - you're not being pushy. The current goal is to respond in less than 24 hours and if possible to review twice per day. Yesterday a number of urgent tasks toppled that schedule. The first review happened (at around 0600) but there were no FPs at that time. I'm working to increase the review cycle... there are just a lot of things going on right now. Just so everyone knows, we do hear - loud and clear - that responding to FPs is important, and we have been much better about it over the recent past. I expect that service aspect to improve moving forward along with other things. AS I can wait (PS - would have calmed my nerves, if there had been some AS automatic ticket number response that reassured me that my email AS was received. The web site makes it sound as if there's a million AS reasons why a false positive might not be accepted - so an automatic AS confirmation might be a good self-service tool. That's a good point. I'll look at that possibility when I rewrite the false processing bot. We're getting a lot of spam lately at our false@ address and I would want to make sure that there was no outscatter. I can tell the bot to only respond to validated senders, but then there is the issue of email reliability in the response... what if you don't get the response I mean. ... There are still folks that occasionally (some frequently) send false reports from unauthorized addresses --- those would not get a response... I'm overthinking this now %^b When I get to the false processing bot I will add a response mechanism. Thanks! _M This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
Re: Re[2]: [sniffer] False Positive - no reaction?
I like this idea more than the email notification. I really don't need more emails. - Original Message - From: Andy Schmidt [EMAIL PROTECTED] To: sniffer@SortMonster.com Sent: Tuesday, February 21, 2006 10:16 AM Subject: RE: Re[2]: [sniffer] False Positive - no reaction? Hi Pete, I agree that the email notification is tricky - because you might respond to spam - and, you may NOT respond to someone who did not use an authorized address. On the other hand, if I KNEW there was an auto-response and I did NOT get a response, it would be an indication to me, the user, that I must have done something wrong. So - in a sense - no response is also a message I can act on. The only other suggestion I have is to create a 24 hour 'queue' display on the web site. All you need to show is a column of the sender domain names of the email (not the entire sender email address). If I submit a false positive I can confirm that it made it into your queue by checking the web page. This way, you don't need to send automated emails. Best Regards Andy Schmidt Phone: +1 201 934-3414 x20 (Business) Fax:+1 201 934-9206 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil Sent: Tuesday, February 21, 2006 11:04 AM To: Andy Schmidt Subject: Re[2]: [sniffer] False Positive - no reaction? On Tuesday, February 21, 2006, 10:16:11 AM, Andy wrote: AS Sorry - didn't mean to be pushy. I just thought that false AS positives are worse than missed spam, so I had assumed that they AS would always be at the top of the queue. It is a very tough balancing act. Don't feel bad at all - you're not being pushy. The current goal is to respond in less than 24 hours and if possible to review twice per day. Yesterday a number of urgent tasks toppled that schedule. The first review happened (at around 0600) but there were no FPs at that time. I'm working to increase the review cycle... there are just a lot of things going on right now. Just so everyone knows, we do hear - loud and clear - that responding to FPs is important, and we have been much better about it over the recent past. I expect that service aspect to improve moving forward along with other things. AS I can wait (PS - would have calmed my nerves, if there had been some AS automatic ticket number response that reassured me that my email AS was received. The web site makes it sound as if there's a million AS reasons why a false positive might not be accepted - so an automatic AS confirmation might be a good self-service tool. That's a good point. I'll look at that possibility when I rewrite the false processing bot. We're getting a lot of spam lately at our false@ address and I would want to make sure that there was no outscatter. I can tell the bot to only respond to validated senders, but then there is the issue of email reliability in the response... what if you don't get the response I mean. ... There are still folks that occasionally (some frequently) send false reports from unauthorized addresses --- those would not get a response... I'm overthinking this now %^b When I get to the false processing bot I will add a response mechanism. Thanks! _M This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
Re: Re[2]: [sniffer] False Positive - no reaction?
That queue concept would be wonderful! Hopefully it would have some simple info extracted to show recipient, sender, subject, header info, and info on the rule(s) it failed. One of my ongoing challenges is matching responses to reports and following up to see what additional actions are required. Darin. - Original Message - From: Andy Schmidt [EMAIL PROTECTED] To: sniffer@SortMonster.com Sent: Tuesday, February 21, 2006 11:16 AM Subject: RE: Re[2]: [sniffer] False Positive - no reaction? Hi Pete, I agree that the email notification is tricky - because you might respond to spam - and, you may NOT respond to someone who did not use an authorized address. On the other hand, if I KNEW there was an auto-response and I did NOT get a response, it would be an indication to me, the user, that I must have done something wrong. So - in a sense - no response is also a message I can act on. The only other suggestion I have is to create a 24 hour 'queue' display on the web site. All you need to show is a column of the sender domain names of the email (not the entire sender email address). If I submit a false positive I can confirm that it made it into your queue by checking the web page. This way, you don't need to send automated emails. Best Regards Andy Schmidt Phone: +1 201 934-3414 x20 (Business) Fax:+1 201 934-9206 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil Sent: Tuesday, February 21, 2006 11:04 AM To: Andy Schmidt Subject: Re[2]: [sniffer] False Positive - no reaction? On Tuesday, February 21, 2006, 10:16:11 AM, Andy wrote: AS Sorry - didn't mean to be pushy. I just thought that false AS positives are worse than missed spam, so I had assumed that they AS would always be at the top of the queue. It is a very tough balancing act. Don't feel bad at all - you're not being pushy. The current goal is to respond in less than 24 hours and if possible to review twice per day. Yesterday a number of urgent tasks toppled that schedule. The first review happened (at around 0600) but there were no FPs at that time. I'm working to increase the review cycle... there are just a lot of things going on right now. Just so everyone knows, we do hear - loud and clear - that responding to FPs is important, and we have been much better about it over the recent past. I expect that service aspect to improve moving forward along with other things. AS I can wait (PS - would have calmed my nerves, if there had been some AS automatic ticket number response that reassured me that my email AS was received. The web site makes it sound as if there's a million AS reasons why a false positive might not be accepted - so an automatic AS confirmation might be a good self-service tool. That's a good point. I'll look at that possibility when I rewrite the false processing bot. We're getting a lot of spam lately at our false@ address and I would want to make sure that there was no outscatter. I can tell the bot to only respond to validated senders, but then there is the issue of email reliability in the response... what if you don't get the response I mean. ... There are still folks that occasionally (some frequently) send false reports from unauthorized addresses --- those would not get a response... I'm overthinking this now %^b When I get to the false processing bot I will add a response mechanism. Thanks! _M This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
Re[4]: [sniffer] False Positive - no reaction?
On Tuesday, February 21, 2006, 11:16:43 AM, Andy wrote: snip/ AS The only other suggestion I have is to create a 24 hour 'queue' display on AS the web site. All you need to show is a column of the sender domain names of AS the email (not the entire sender email address). If I submit a false AS positive I can confirm that it made it into your queue by checking the web AS page. This way, you don't need to send automated emails. Agreed. Thanks for the suggestion. I'll add that to the plan for upgrading the false processing engine. _M This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
[sniffer] False Positive - RESEND
Hello, Could you please tell me what would cause an email to fail rule # 831417 This was a good email flagged this morning and deleted. Regards, Steve Guluk SGDesign (949) 661-9333 ICQ: 7230769 This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
Re: [sniffer] False Positive
Answered off-list _M On Tuesday, February 14, 2006, 2:07:48 PM, Steve wrote: SG Hello, SG Could you please tell me what would cause an email to fail rule # 831417 SG This was a good email flagged this morning and deleted. SG Regards, SG Steve Guluk SG SGDesign SG (949) 661-9333 SG ICQ: 7230769 SG This E-Mail came from the Message Sniffer mailing list. For SG information and (un)subscription instructions go to SG http://www.sortmonster.com/MessageSniffer/Help/Help.html This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
[sniffer] False Positives
My users have been getting a lot of FPs by Sniffer lately. They send me the email with the FULL HEADERS displayed and I forward this email on to SortMonster. The program they use to analyze incoming submissions check MY email headers, determine that SNIFFER was not at fault and sends me back an email saying it didn't find any flags. How the heck am I supposed to submit FPs from my users to SNIFFER?!! I also save my user's email and attach it to my submissions to sortmonster, but these too are not flagged. Very frustrating, esp since SNIFFER FPs are particularly dangerous since I give it so much weight. --- [This E-mail was scanned for viruses.] This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
RE: [sniffer] False Positives
Search your sniffer logs and include the log lines for that particular message. -Jay -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Rogers Sent: Wednesday, February 15, 2006 3:55 PM To: sniffer@SortMonster.com Subject: [sniffer] False Positives My users have been getting a lot of FPs by Sniffer lately. They send me the email with the FULL HEADERS displayed and I forward this email on to SortMonster. The program they use to analyze incoming submissions check MY email headers, determine that SNIFFER was not at fault and sends me back an email saying it didn't find any flags. How the heck am I supposed to submit FPs from my users to SNIFFER?!! I also save my user's email and attach it to my submissions to sortmonster, but these too are not flagged. Very frustrating, esp since SNIFFER FPs are particularly dangerous since I give it so much weight. --- [This E-mail was scanned for viruses.] This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
Re: [sniffer] False Positives
On Wednesday, February 15, 2006, 3:54:50 PM, Kevin wrote: KR My users have been getting a lot of FPs by Sniffer lately. They send me KR the email with the FULL HEADERS displayed and I forward this email on to KR SortMonster. The program they use to analyze incoming submissions check KR MY email headers, determine that SNIFFER was not at fault and sends me KR back an email saying it didn't find any flags. Just to clarify a bit, here is the standard response you're probably talking about: [FPR:0] The message did not match any active black rules as submitted. The rules may have been modified or removed. If you provide matching log entries from your system then we can research this further. Note that sometimes our false processing system may not identify the rules that matched this message on your system due to changes in the submitted content that might occur during the forwarding process. Please also be sure you are running the latest version, that your rulebase file is up to date, and that you do not have any unresolved errors in your Sniffer log file. Bug fixes in newer versions may resolve false positive issues or reduce the risk of false positives through enhanced features and new technologies. Certain errors in your log file may indicate a corrupted rulebase. --- The software we use to scan false positive submissions is a version of SNF that includes every rule we have in our system. If the messages does not match any of these rules, MOST of the time it means that the rule has been removed already. If that is not the case, then the next step is to provide matching log entries. On some systems this is not necessary because the headers may already contain SNF x-header data that shows the rules involved. This process is not intended to make things difficult, but to save time. The majority of the time, our local scanner will identify the rule or rules in question and we will respond accordingly. When that is not the case we simply need more data to move forward with the investigation. Usually, when a rule is still in the system and it does not match a false positive submission it is because the original message was altered during the forwarding process or that some condition of being attached has prevented the scanner on this end from reproducing the result you had on your system. Hope this helps, _M This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
RE: [sniffer] False Positives
Pete, Is there anyway to get an automatic response similar to the one listed below for the FP address, but for submissions to your spam@ address? It would be nice to get some feedback when submitting spam. Jim Matuska Jr. Computer Tech2, CCNA Nez Perce Tribe Information Systems [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil Sent: Wednesday, February 15, 2006 1:28 PM To: Kevin Rogers Subject: Re: [sniffer] False Positives On Wednesday, February 15, 2006, 3:54:50 PM, Kevin wrote: KR My users have been getting a lot of FPs by Sniffer lately. They send me KR the email with the FULL HEADERS displayed and I forward this email on to KR SortMonster. The program they use to analyze incoming submissions check KR MY email headers, determine that SNIFFER was not at fault and sends me KR back an email saying it didn't find any flags. Just to clarify a bit, here is the standard response you're probably talking about: [FPR:0] The message did not match any active black rules as submitted. The rules may have been modified or removed. If you provide matching log entries from your system then we can research this further. Note that sometimes our false processing system may not identify the rules that matched this message on your system due to changes in the submitted content that might occur during the forwarding process. Please also be sure you are running the latest version, that your rulebase file is up to date, and that you do not have any unresolved errors in your Sniffer log file. Bug fixes in newer versions may resolve false positive issues or reduce the risk of false positives through enhanced features and new technologies. Certain errors in your log file may indicate a corrupted rulebase. --- The software we use to scan false positive submissions is a version of SNF that includes every rule we have in our system. If the messages does not match any of these rules, MOST of the time it means that the rule has been removed already. If that is not the case, then the next step is to provide matching log entries. On some systems this is not necessary because the headers may already contain SNF x-header data that shows the rules involved. This process is not intended to make things difficult, but to save time. The majority of the time, our local scanner will identify the rule or rules in question and we will respond accordingly. When that is not the case we simply need more data to move forward with the investigation. Usually, when a rule is still in the system and it does not match a false positive submission it is because the original message was altered during the forwarding process or that some condition of being attached has prevented the scanner on this end from reproducing the result you had on your system. Hope this helps, _M This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
Re: [sniffer] False Positives
I second the motion. We have been submitting spam for over a year and I don't know if a single one was received. Thank you Jim, for the suggestion. Michael Stein Computer House www.computerhouse.com - Original Message - From: Jim Matuska Jr. [EMAIL PROTECTED] To: sniffer@SortMonster.com Sent: Wednesday, February 15, 2006 4:40 PM Subject: RE: [sniffer] False Positives Pete, Is there anyway to get an automatic response similar to the one listed below for the FP address, but for submissions to your spam@ address? It would be nice to get some feedback when submitting spam. Jim Matuska Jr. Computer Tech2, CCNA Nez Perce Tribe Information Systems [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil Sent: Wednesday, February 15, 2006 1:28 PM To: Kevin Rogers Subject: Re: [sniffer] False Positives On Wednesday, February 15, 2006, 3:54:50 PM, Kevin wrote: KR My users have been getting a lot of FPs by Sniffer lately. They send me KR the email with the FULL HEADERS displayed and I forward this email on to KR SortMonster. The program they use to analyze incoming submissions check KR MY email headers, determine that SNIFFER was not at fault and sends me KR back an email saying it didn't find any flags. Just to clarify a bit, here is the standard response you're probably talking about: [FPR:0] The message did not match any active black rules as submitted. The rules may have been modified or removed. If you provide matching log entries from your system then we can research this further. Note that sometimes our false processing system may not identify the rules that matched this message on your system due to changes in the submitted content that might occur during the forwarding process. Please also be sure you are running the latest version, that your rulebase file is up to date, and that you do not have any unresolved errors in your Sniffer log file. Bug fixes in newer versions may resolve false positive issues or reduce the risk of false positives through enhanced features and new technologies. Certain errors in your log file may indicate a corrupted rulebase. --- The software we use to scan false positive submissions is a version of SNF that includes every rule we have in our system. If the messages does not match any of these rules, MOST of the time it means that the rule has been removed already. If that is not the case, then the next step is to provide matching log entries. On some systems this is not necessary because the headers may already contain SNF x-header data that shows the rules involved. This process is not intended to make things difficult, but to save time. The majority of the time, our local scanner will identify the rule or rules in question and we will respond accordingly. When that is not the case we simply need more data to move forward with the investigation. Usually, when a rule is still in the system and it does not match a false positive submission it is because the original message was altered during the forwarding process or that some condition of being attached has prevented the scanner on this end from reproducing the result you had on your system. Hope this helps, _M This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
Re[2]: [sniffer] False Positives
On Wednesday, February 15, 2006, 4:32:14 PM, Robert wrote: RG The X-SNF header. Sounds like a good idea. Is there a cheat sheet someplace RG for making that happen, if possible, in a Declude / Imail environment? RG Thanks ahead of time, In the distribution the option is described in the .cfg file. However, in the Declude environment I don't know of any easy way to make use of it. What would be best is if Declude could be persuaded to pick up the .xhdr file SNF produces and add it to the headers it is already adding to the the message. This way, the message would only need to be altered once (less I/O) for all of the headers. MDaemon systems using the plugin have the SNF headers by default. Most *nix systems also use the .xhdr option and then allow the programs that follow to respond to the headers planted by SNF. A number of custom-built systems are also using it. _M This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
Re[2]: [sniffer] False Positives
Jim, Not at this time. The two processes are entirely different. The False Positives process is highly interactive. The standardized responses were implemented to allow for some automation on both sides. Spam submissions are always treated as anonymous for security reasons and also because of the volume. At one point today we were processing 5000 spam per hour. At those rates it is not practical to respond to each submission. Advanced features near V4 (some time in the future) will allow us to handle some spam submissions specifically for a particular license ID --- so there are some plans for this later on. However, for the short and medium term all spam submissions will remain anonymous. If you have a chronic spam for which you would like a local black rule added then you should send a zip'd copy to support@ along with your requests. We will help you adjust your rulebase accordingly. For example, some relatively closed systems are able to use broad rules for certain character sets, file attachment types, or other features to eliminate messages they simply will never see in practice. _M On Wednesday, February 15, 2006, 4:40:50 PM, Jim wrote: JMJ Pete, JMJ Is there anyway to get an automatic response similar to the one listed below JMJ for the FP address, but for submissions to your spam@ address? It would be JMJ nice to get some feedback when submitting spam. JMJ Jim Matuska Jr. JMJ Computer Tech2, CCNA JMJ Nez Perce Tribe JMJ Information Systems JMJ [EMAIL PROTECTED] JMJ JMJ -Original Message- JMJ From: [EMAIL PROTECTED] JMJ [mailto:[EMAIL PROTECTED] JMJ On Behalf Of Pete McNeil JMJ Sent: Wednesday, February 15, 2006 1:28 PM JMJ To: Kevin Rogers JMJ Subject: Re: [sniffer] False Positives JMJ On Wednesday, February 15, 2006, 3:54:50 PM, Kevin wrote: KR My users have been getting a lot of FPs by Sniffer lately. They send me KR the email with the FULL HEADERS displayed and I forward this email on to KR SortMonster. The program they use to analyze incoming submissions check KR MY email headers, determine that SNIFFER was not at fault and sends me KR back an email saying it didn't find any flags. JMJ Just to clarify a bit, here is the standard response you're probably JMJ talking about: JMJ [FPR:0] JMJ The message did not match any active black rules as submitted. The rules JMJ may have been modified or removed. If you provide matching log entries JMJ from your system then we can research this further. JMJ Note that sometimes our false processing system may not identify the JMJ rules that matched this message on your system due to changes in the JMJ submitted content that might occur during the forwarding process. JMJ Please also be sure you are running the latest version, that your JMJ rulebase file is up to date, and that you do not have any unresolved JMJ errors in your Sniffer log file. Bug fixes in newer versions may resolve JMJ false positive issues or reduce the risk of false positives through JMJ enhanced features and new technologies. Certain errors in your log file JMJ may indicate a corrupted rulebase. JMJ --- JMJ The software we use to scan false positive submissions is a version of JMJ SNF that includes every rule we have in our system. If the messages JMJ does not match any of these rules, MOST of the time it means that the JMJ rule has been removed already. JMJ If that is not the case, then the next step is to provide matching log JMJ entries. On some systems this is not necessary because the headers may JMJ already contain SNF x-header data that shows the rules involved. JMJ This process is not intended to make things difficult, but to save JMJ time. The majority of the time, our local scanner will identify the JMJ rule or rules in question and we will respond accordingly. JMJ When that is not the case we simply need more data to move forward JMJ with the investigation. JMJ Usually, when a rule is still in the system and it does not match a JMJ false positive submission it is because the original message was JMJ altered during the forwarding process or that some condition of being JMJ attached has prevented the scanner on this end from reproducing the JMJ result you had on your system. JMJ Hope this helps, JMJ _M JMJ This E-Mail came from the Message Sniffer mailing list. For information and JMJ (un)subscription instructions go to JMJ http://www.sortmonster.com/MessageSniffer/Help/Help.html JMJ This E-Mail came from the Message Sniffer mailing list. For JMJ information and (un)subscription instructions go to JMJ http://www.sortmonster.com/MessageSniffer/Help/Help.html This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
Re[2]: [sniffer] False Positives
On Wednesday, February 15, 2006, 4:48:43 PM, Computer wrote: CHS I second the motion. We have been submitting spam for over a year and I CHS don't know if a single one was received. In general, if you've not received an error during delivery, we most certainly got your message... it may have even made it to the queue (if it wasn't already filtered by new rules). One way to be sure we receive your spam is to create a pop3 box on your system for your spam submissions and provide us with the login data (email address (as login), password, FQDN of the pop3 server). This way, if the mail in that box gets deleted you know one of our bots has pulled it in and added it to our queues. _M This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
[sniffer] False Positive
Hello, Could you please tell me what would cause an email to fail rule # 831417 This was a good email flagged this morning and deleted. Regards, Steve Guluk SGDesign (949) 661-9333 ICQ: 7230769 This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
[sniffer] False Positives
Hi, Over the last 2 days I have seen a major increase in false positives. Literally all hotmail and yahoo address are being caught by sniffer inclusive of other legit domains. Please confirm what may be causing this and what I can do to resolve the issue. Regards, Ali --- This message was scanned for viruses by the Real Image Anti-virus filters This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
[sniffer] False Positives
Hi, Over the last 2 days I have seen a major increase in false positives. Literally all hotmail and yahoo address are being caught by sniffer inclusive of other legit domains. Please confirm what may be causing this and what I can do to resolve the issue. Regards, Ali --- This message was scanned for viruses by the Real Image Anti-virus filters This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
Re: [sniffer] False Positives
Same with me. Last night there was a rules update and it fixed the problem. Check the date of your rules update. - Original Message - From: Ali Resting [EMAIL PROTECTED] To: sniffer@sortmonster.com Cc: [EMAIL PROTECTED] Sent: Wednesday, January 18, 2006 8:57 AM Subject: [sniffer] False Positives Hi, Over the last 2 days I have seen a major increase in false positives. Literally all hotmail and yahoo address are being caught by sniffer inclusive of other legit domains. Please confirm what may be causing this and what I can do to resolve the issue. Regards, Ali --- This message was scanned for viruses by the Real Image Anti-virus filters This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
Re: [sniffer] False Positives
Agreed. We counted 100 false positives yesterday, compared to our normal rate of less than 5. No false positives since 6pm ET yesterday, though. Thank goodness. Darin. - Original Message - From: Frederick Samarelli [EMAIL PROTECTED] To: sniffer@SortMonster.com Cc: [EMAIL PROTECTED] Sent: Wednesday, January 18, 2006 8:42 AM Subject: Re: [sniffer] False Positives Same with me. Last night there was a rules update and it fixed the problem. Check the date of your rules update. - Original Message - From: Ali Resting [EMAIL PROTECTED] To: sniffer@sortmonster.com Cc: [EMAIL PROTECTED] Sent: Wednesday, January 18, 2006 8:57 AM Subject: [sniffer] False Positives Hi, Over the last 2 days I have seen a major increase in false positives. Literally all hotmail and yahoo address are being caught by sniffer inclusive of other legit domains. Please confirm what may be causing this and what I can do to resolve the issue. Regards, Ali --- This message was scanned for viruses by the Real Image Anti-virus filters This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
Re: [sniffer] False Positives
On Wednesday, January 18, 2006, 8:57:56 AM, Ali wrote: AR Hi, AR Over the last 2 days I have seen a major increase in false positives. AR Literally all hotmail and yahoo address are being caught by sniffer AR inclusive of other legit domains. AR Please confirm what may be causing this and what I can do to resolve the AR issue. Please visit: http://www.mail-archive.com/sniffer@sortmonster.com/msg02346.html and http://www.mail-archive.com/sniffer@sortmonster.com/msg02348.html Thanks, _M This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
Re[2]: [sniffer] False Positives
On Wednesday, January 18, 2006, 8:42:22 AM, Frederick wrote: FS Same with me. Last night there was a rules update and it fixed the problem. FS Check the date of your rules update. Please visit http://www.mail-archive.com/sniffer@sortmonster.com/msg02346.html and http://www.mail-archive.com/sniffer@sortmonster.com/msg02348.html Thanks, _M This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
Re[2]: [sniffer] False Positives
On Wednesday, January 18, 2006, 8:54:49 AM, Darin wrote: DC Agreed. We counted 100 false positives yesterday, compared to our normal DC rate of less than 5. DC No false positives since 6pm ET yesterday, though. Thank goodness. Please visit: http://www.mail-archive.com/sniffer@sortmonster.com/msg02346.html and http://www.mail-archive.com/sniffer@sortmonster.com/msg02348.html Thanks, _M This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
Re[4]: [sniffer] False Positives
On Wednesday, January 18, 2006, 2:14:34 PM, Darin wrote: DC Are you just blanket responding to every message to the list with this? If DC so, you might be wasting your time. I've been following the list, so I know DC things are back to normal after yesterday's snafu. Sorry about that... It wasn't my intention. I did need to make the same response to a number of folks though-- A number of folks had apparently not seen any of the related messages on the list. I wanted to make sure it was covered. I was a bit overzealous. _M This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
Re: [sniffer] False Postive Processing more automation?
On Saturday, October 15, 2005, 3:51:22 PM, Scott wrote: When I submit false positives to Sniffer about half come back rule clean. I then have to go to the logs and pull out those messages and resubmit the false positives with the log lines. I believe I am FTPing up my log files to Sniffer nightly. Isn't there a way to automatically pull these log lines out of the logs I have already sent up to Sniffer? We process a huge volume of log file data. The logs are processed for their statistics and discarded so that we can keep up. There is an option to have SNF produce a .xhdr file that can be included in the message by some systems. If a message contains those headers then it is possible to look up the necessary data from the headers. _M This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
RE: Re[2]: [sniffer] False positive
Pete, other than database update e-mails, I see know e-mails from @microneil.com or [EMAIL PROTECTED] in the last 2 days received by my server. John T eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil Sent: Tuesday, September 13, 2005 4:45 AM To: John Tolmachoff (Lists) Subject: Re[2]: [sniffer] False positive I have your response in my sent folder. I will send it again.. _M On Monday, September 12, 2005, 8:37:52 PM, John wrote: JTL I also have sent some false positives in the last 2 weeks with no response, JTL the lastest being at 09/10/05 at 9:49 AM PDT. JTL John T JTL eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] JTL On Behalf Of Pete McNeil Sent: Friday, September 09, 2005 5:08 AM To: Ali Resting Subject: Re: [sniffer] False positive On Friday, September 9, 2005, 2:17:31 AM, Ali wrote: AR Hi Peter, AR I have submited 3 email to [EMAIL PROTECTED] with all the required AR fields as per you instaructions on the website, I have not received JTL any AR feedback whether this request has been effected. I cleared the false positives queue last night. I don't see any messages in there from you today. You should have received a response for each submission. I will review my responses and get back to you off list. Thanks, _M This E-Mail came from the Message Sniffer mailing list. For information JTL and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html JTL This E-Mail came from the Message Sniffer mailing list. For JTL information and (un)subscription instructions go to JTL http://www.sortmonster.com/MessageSniffer/Help/Help.html This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
Re[4]: [sniffer] False positive
Perhaps your system is blocking these messages? Please check. I've left the FP response out of this message -- I suspect that something in the response is causing the message to be blocked. Let me know if you get this one - you should get it twice - once directly and once through the list. (Sorry for the extra traffic list folks ;-) ) Thanks, _M On Wednesday, September 14, 2005, 2:05:35 AM, John wrote: JTL Pete, other than database update e-mails, I see know e-mails from JTL @microneil.com or [EMAIL PROTECTED] in the last 2 days received by my JTL server. JTL John T JTL eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] JTL On Behalf Of Pete McNeil Sent: Tuesday, September 13, 2005 4:45 AM To: John Tolmachoff (Lists) Subject: Re[2]: [sniffer] False positive I have your response in my sent folder. I will send it again.. _M On Monday, September 12, 2005, 8:37:52 PM, John wrote: JTL I also have sent some false positives in the last 2 weeks with no JTL response, JTL the lastest being at 09/10/05 at 9:49 AM PDT. JTL John T JTL eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] JTL On Behalf Of Pete McNeil Sent: Friday, September 09, 2005 5:08 AM To: Ali Resting Subject: Re: [sniffer] False positive On Friday, September 9, 2005, 2:17:31 AM, Ali wrote: AR Hi Peter, AR I have submited 3 email to [EMAIL PROTECTED] with all the JTL required AR fields as per you instaructions on the website, I have not received JTL any AR feedback whether this request has been effected. I cleared the false positives queue last night. I don't see any messages in there from you today. You should have received a response for each submission. I will review my responses and get back to you off list. Thanks, _M This E-Mail came from the Message Sniffer mailing list. For information JTL and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html JTL This E-Mail came from the Message Sniffer mailing list. For JTL information and (un)subscription instructions go to JTL http://www.sortmonster.com/MessageSniffer/Help/Help.html This E-Mail came from the Message Sniffer mailing list. For information JTL and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html JTL This E-Mail came from the Message Sniffer mailing list. For JTL information and (un)subscription instructions go to JTL http://www.sortmonster.com/MessageSniffer/Help/Help.html This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
Re[2]: [sniffer] False positive
I have your response in my sent folder. I will send it again... _M On Monday, September 12, 2005, 8:37:52 PM, John wrote: JTL I also have sent some false positives in the last 2 weeks with no response, JTL the lastest being at 09/10/05 at 9:49 AM PDT. JTL John T JTL eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] JTL On Behalf Of Pete McNeil Sent: Friday, September 09, 2005 5:08 AM To: Ali Resting Subject: Re: [sniffer] False positive On Friday, September 9, 2005, 2:17:31 AM, Ali wrote: AR Hi Peter, AR I have submited 3 email to [EMAIL PROTECTED] with all the required AR fields as per you instaructions on the website, I have not received JTL any AR feedback whether this request has been effected. I cleared the false positives queue last night. I don't see any messages in there from you today. You should have received a response for each submission. I will review my responses and get back to you off list. Thanks, _M This E-Mail came from the Message Sniffer mailing list. For information JTL and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html JTL This E-Mail came from the Message Sniffer mailing list. For JTL information and (un)subscription instructions go to JTL http://www.sortmonster.com/MessageSniffer/Help/Help.html This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
RE: [sniffer] False positive
I also have sent some false positives in the last 2 weeks with no response, the lastest being at 09/10/05 at 9:49 AM PDT. John T eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil Sent: Friday, September 09, 2005 5:08 AM To: Ali Resting Subject: Re: [sniffer] False positive On Friday, September 9, 2005, 2:17:31 AM, Ali wrote: AR Hi Peter, AR I have submited 3 email to [EMAIL PROTECTED] with all the required AR fields as per you instaructions on the website, I have not received any AR feedback whether this request has been effected. I cleared the false positives queue last night. I don't see any messages in there from you today. You should have received a response for each submission. I will review my responses and get back to you off list. Thanks, _M This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
[sniffer] False positive
Hi Peter, I have submited 3 email to [EMAIL PROTECTED] with all the required fields as per you instaructions on the website, I have not received any feedback whether this request has been effected. Regards Ali --- This message was scanned for viruses by the Real Image Anti-virus filters This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
Re: [sniffer] False positive
Here is another copy of my initial reply. _M On Friday, September 9, 2005, 2:17:31 AM, Ali wrote: AR Hi Peter, AR I have submited 3 email to [EMAIL PROTECTED] with all the required AR fields as per you instaructions on the website, I have not received any AR feedback whether this request has been effected. AR Regards AR Ali AR --- AR This message was scanned for viruses by the Real Image Anti-virus filters AR This E-Mail came from the Message Sniffer mailing list. For AR information and (un)subscription instructions go to AR http://www.sortmonster.com/MessageSniffer/Help/Help.html---BeginMessage--- Hello Ali, Monday, September 5, 2005, 4:36:28 AM, you wrote: AR Original From - Ali Resting [EMAIL PROTECTED] AR resulted in no license ID. AR TmpFile - tmpMailScan13727.tmp AR Your submission matched the following rules... [FPR:U] Please submit false positives from a registered email address or authorized alias. AR Clean AR Rule 0-000 not found. ID NameSource Age Strength 353069 get free movie tickets .edirect.co.za 118 1.84206058734099 [FPR:B] The rule is below threshold, and/or badly or broadly coded so it will be removed from the core rulebase. -- Best regards, Sniffermailto:[EMAIL PROTECTED]---BeginMessage--- +OK 3827 octets Received: from realnet.co.sz [196.28.7.119] by SortMonster.com with ESMTP (SMTPD32-6.05) id A3355D0601CA; Mon, 05 Sep 2005 04:35:01 -0400 Received: from real7 [196.31.58.4] by realnet.co.sz (SMTPD32-7.07) id A241281E0198; Mon, 05 Sep 2005 10:30:57 +0200 From: Ali Resting [EMAIL PROTECTED] To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: License ID q12spfrk Date: Mon, 5 Sep 2005 10:45:34 +0200 Message-ID: [EMAIL PROTECTED] MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409 Importance: Normal X-Declude-Sender: [EMAIL PROTECTED] [196.31.58.4] X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam. X-Spam-Tests-Failed: Whitelisted [0] X-Declude-Spoolname: D03351ca.SMD X-RCPT-TO: [EMAIL PROTECTED] X-UIDL: 422568617 Status: U Please whitelist the following domains: standardbank.co.za and sbic.co.za. These are legit messages. Find attached the sniffer logs and the contents of the message. Sniffer Log: q12spfrk20050904092020 20050904072019_30057.msg0 60 Match 353069 60 6186619951 q12spfrk20050904092020 20050904072019_30057.msg0 60 Final 353069 60 0 32562 51 Message: Received: from sbic.co.za (unknown [196.8.126.20]) by spam-gw.realnet.co.sz (Postfix) with SMTP id 72CC31CA499 for [EMAIL PROTECTED]; Sun, 4 Sep 2005 07:20:19 -0200 (GMT+2) Message-ID: [EMAIL PROTECTED] MIME-Version: 1.0 To: Robert [EMAIL PROTECTED] From: Standard Bank [EMAIL PROTECTED] Reply-To: Standard Bank [EMAIL PROTECTED] Subject: Your Standard Bank Provisional Statement - 2005-09-04(Card No..250) Sensitivity: non-sensitive Date: Sun, 4 Sep 2005 07:32:49 +0200 X-Mailer: Striata Communications' SimpleMail v. 1.37.2.1 X-Tag: F37C4CD243C513818B7BBA1849950E77 Content-Type: multipart/mixed; boundary==_NextPart_Mixed_SimpleMail_by_Striata_Communications X-Format: MixedAlternative This is a multi-part message in MIME format. --=_NextPart_Mixed_SimpleMail_by_Striata_Communications Content-Type: multipart/alternative; boundary==_NextPart_alternative_SimpleMail_by_Striata_Communications Content-Transfer-Encoding: 7bit --=_NextPart_alternative_SimpleMail_by_Striata_Communications Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable ---o0o Standard Bank Standard Bank Internet Banking ---o0o Robert, attached is your provisional statement. We have encrypted it to make it secure. To unlock the statement you need your card number, password and=20 to have installed the decoder. If you do not have the decoder installed please download it from https://www.standardbank.co.za/secure/decoder/secur=edecoder.html or call us on 0860 123 000 for any assistance. If you've forgotten your password, logon to Internet banking, click on Account Management then Email Statements and your password and card=20 number will be displayed. Call 0860 123 000 with any queries=20 (+27 11 299 4701 if your calling from outside South Africa ) or email us at [EMAIL PROTECTED] Enjoy your day THEN the contents follow --- This message was scanned for viruses by the Real Image Anti-virus filters . ---End Message--- ---End Message---
Re: [sniffer] False positive
On Friday, September 9, 2005, 2:17:31 AM, Ali wrote: Apologies to the list... I intended to send those responses directly. _M This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
RE: [sniffer] false positives which catagories?
Scott, HS = Test says ham, final result was spam. This is an inaccurate ham result. 'False negative' How are you auto determining that an email that was ham was really spam? Are you keying in this info into your stats based on your viewing of the email or by user complaint? Obviously, if Declude triggers and email to have action on it based on spam settings it was spam and if it didn't take action on it and it went through to your users it was ham. Thanks again for the aid. Keith From: [EMAIL PROTECTED] on behalf of Scott Fisher Sent: Thu 8/4/2005 10:02 AM To: sniffer@SortMonster.com Subject: Re: [sniffer] false positives which catagories? I have my sniffer result histories by category posted at: http://it.farmprogress.com/declude/Testsbymonth.html Look about 90% down the page. - Original Message - From: Bonno Bloksma mailto:[EMAIL PROTECTED] To: sniffer@SortMonster.com Sent: Thursday, August 04, 2005 1:40 AM Subject: [sniffer] false positives which catagories? Hi, I'd like to make a difference in the ways I score the varions sniffer catagories in Declude. I hold at 20 and have had the several sniffer catagories all at 19. As we are a school for tourism I score sniffer travel lower but I would like to score some catagories higher, at 20. If we have a false positive it's mostly in the general, exp-abstract, ip-rules catagorie is my feeling. Someone must have made a comparison of false positives against sniffer and in which catagories those fp's are mostly. Right? Which catagories have virtually no FPs and which should I keep (well) below my hold level? Of course all held mail gets reviewed by be, unless it scrores enough other points te get deleted (at 27 points). Groetjes, Bonno Bloksma winmail.dat
Re: [sniffer] false positives which catagories?
If the test fails, but the message does not hit the hold or delete weight. Not a perfect measurement, as it does not capture all ham (ham that hits the hold or delete weight), and misses some spam (spam that does not hit the hold or delete weight), but it is the most accurate and least subjective measurement. Darin. - Original Message - From: Keith Johnson [EMAIL PROTECTED] To: sniffer@SortMonster.com Sent: Thursday, August 11, 2005 8:13 AM Subject: RE: [sniffer] false positives which catagories? Scott, HS = Test says ham, final result was spam. This is an inaccurate ham result. 'False negative' How are you auto determining that an email that was ham was really spam? Are you keying in this info into your stats based on your viewing of the email or by user complaint? Obviously, if Declude triggers and email to have action on it based on spam settings it was spam and if it didn't take action on it and it went through to your users it was ham. Thanks again for the aid. Keith From: [EMAIL PROTECTED] on behalf of Scott Fisher Sent: Thu 8/4/2005 10:02 AM To: sniffer@SortMonster.com Subject: Re: [sniffer] false positives which catagories? I have my sniffer result histories by category posted at: http://it.farmprogress.com/declude/Testsbymonth.html Look about 90% down the page. - Original Message - From: Bonno Bloksma mailto:[EMAIL PROTECTED] To: sniffer@SortMonster.com Sent: Thursday, August 04, 2005 1:40 AM Subject: [sniffer] false positives which catagories? Hi, I'd like to make a difference in the ways I score the varions sniffer catagories in Declude. I hold at 20 and have had the several sniffer catagories all at 19. As we are a school for tourism I score sniffer travel lower but I would like to score some catagories higher, at 20. If we have a false positive it's mostly in the general, exp-abstract, ip-rules catagorie is my feeling. Someone must have made a comparison of false positives against sniffer and in which catagories those fp's are mostly. Right? Which catagories have virtually no FPs and which should I keep (well) below my hold level? Of course all held mail gets reviewed by be, unless it scrores enough other points te get deleted (at 27 points). Groetjes, Bonno Bloksma This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
Re: [sniffer] False positive on whole domain
I'm pretty sure the rule that caused your trouble has been removed. _M On Thursday, August 4, 2005, 7:24:09 PM, Robert wrote: RM After two attempts to email support and two attempts to RM register a real false positive to [EMAIL PROTECTED], I would be RM really grateful for some help. I suspect our email attempts may RM have failed to reach sortmonster. RM RM All email to and from one of our domains since about the 21st RM July is being detected as spam by Sniffer. The domain in question RM is: RM g r o u n d h o g. u k. c o m RM RM We run SmarterMail with Declude so as to be able to run RM Sniffer which has proven with the exception above to be highly RM effective at reducing the massive amount of junk mail delivered to RM our clients on their respective domains. We have set Sniffer so RM that it alone can trigger Hold emails. RM RM I have twice sent appropriate emails to [EMAIL PROTECTED], RM but received no acknowledgement or response, so I dont know if RM they were received or not. RM RM Can anyone give advice as to how to proceed? RM RM Robert This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
[sniffer] false positives which catagories?
Hi, I'd like to make a difference in the ways I score the varions sniffer catagories in Declude. I hold at 20 and have had the several sniffer catagories all at 19. As we are a school for tourism I score sniffer travel lower but I would like to score some catagories higher, at 20. If we have a false positive it's mostly in the general, exp-abstract, ip-rules catagorie is my feeling. Someone must have made a comparison of false positives against sniffer and in which catagories those fp's are mostly. Right? Which catagories have virtually no FPs and which should I keep (well) below my hold level? Of course all held mail gets reviewed by be, unless it scrores enough other points te get deleted (at 27 points). Groetjes, Bonno Bloksma
[sniffer] False positive on whole domain
After two attempts to email support and two attempts to register a real false positive to [EMAIL PROTECTED], I would be really grateful for some help. I suspect our email attempts may have failed to reach sortmonster. All email to and from one of our domains since about the 21st July is being detected as spam by Sniffer. The domain in question is: g r o u n d h o g. u k. c o m We run SmarterMail with Declude so as to be able to run Sniffer which has proven with the exception above to be highly effective at reducing the massive amount of junk mail delivered to our clients on their respective domains. We have set Sniffer so that it alone can trigger Hold emails. I have twice sent appropriate emails to [EMAIL PROTECTED], but received no acknowledgement or response, so I dont know if they were received or not. Can anyone give advice as to how to proceed? Robert
Re: [sniffer] False positive on whole domain
We do respond to all false reports that are made to us if we can properly identify the sender - and often even if that is not the case. I will research this further and contact you off list. Thanks, _M On Thursday, August 4, 2005, 7:24:09 PM, Robert wrote: RM After two attempts to email support and two attempts to RM register a real false positive to [EMAIL PROTECTED], I would be RM really grateful for some help. I suspect our email attempts may RM have failed to reach sortmonster. RM RM All email to and from one of our domains since about the 21st RM July is being detected as spam by Sniffer. The domain in question RM is: RM g r o u n d h o g. u k. c o m RM RM We run SmarterMail with Declude so as to be able to run RM Sniffer which has proven with the exception above to be highly RM effective at reducing the massive amount of junk mail delivered to RM our clients on their respective domains. We have set Sniffer so RM that it alone can trigger Hold emails. RM RM I have twice sent appropriate emails to [EMAIL PROTECTED], RM but received no acknowledgement or response, so I dont know if RM they were received or not. RM RM Can anyone give advice as to how to proceed? RM RM Robert This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
[sniffer] False Positive?
[EMAIL PROTECTED] Is there any reason this would be in the sniffer file...I tried to do some troubleshooting and finally just whitelisted their address...and they got itbut I don't think Declude was holding it...I have SNIFFER on Delete... Richard Farris Ethixs Online 1.270.247. Office 1.800.548.3877 Tech Support Crossroads to a Cleaner Internet - Original Message - From: Pete McNeil [EMAIL PROTECTED] To: sniffer@sortmonster.com Sent: Monday, July 11, 2005 8:54 AM Subject: [sniffer] Update on outages etc... Hello Sniffer Folks, All of the critical equipment is now restored. We also have some additional equipment we will be bringing online over the coming weeks that will help us improve our update rates. We are currently short staffed due to the effects of Hurricane Dennis, but we expect that to change within the next 48 hours. The outward results from the outage and the short staffing will be that updates are slightly behind and that support may take a bit longer than usual. Sorry for any inconvenience. I will keep you posted :-) Thanks, _M Pete McNeil (Madscientist) President, MicroNeil Research Corporation Chief SortMonster (www.sortmonster.com) This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
Re: [sniffer] False Positive?
pure-speculation There is a lot of symantec spam out there (that looks like it's not from them of course)... It's possible that something used in one of those made it into their auto confirm, or that a robot picked something up in a cross reference on a trap. /pure-speculation The only way to tell for sure is to get the SNF log entries that match the FP and then I can look up the rule(s). Hope this helps, _M On Thursday, July 14, 2005, 11:18:01 AM, Richard wrote: RF [EMAIL PROTECTED] RF Is there any reason this would be in the sniffer file...I tried to do some RF troubleshooting and finally just whitelisted their address...and they got RF itbut I don't think Declude was holding it...I have SNIFFER on Delete... RF Richard Farris RF Ethixs Online RF 1.270.247. Office RF 1.800.548.3877 Tech Support RF Crossroads to a Cleaner Internet RF - Original Message - RF From: Pete McNeil [EMAIL PROTECTED] RF To: sniffer@sortmonster.com RF Sent: Monday, July 11, 2005 8:54 AM RF Subject: [sniffer] Update on outages etc... Hello Sniffer Folks, All of the critical equipment is now restored. We also have some additional equipment we will be bringing online over the coming weeks that will help us improve our update rates. We are currently short staffed due to the effects of Hurricane Dennis, but we expect that to change within the next 48 hours. The outward results from the outage and the short staffing will be that updates are slightly behind and that support may take a bit longer than usual. Sorry for any inconvenience. I will keep you posted :-) Thanks, _M Pete McNeil (Madscientist) President, MicroNeil Research Corporation Chief SortMonster (www.sortmonster.com) This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html RF This E-Mail came from the Message Sniffer mailing list. For RF information and (un)subscription instructions go to RF http://www.sortmonster.com/MessageSniffer/Help/Help.html This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
[sniffer] False
I am finding that most if not all email from Comcast senders are failing Sniffer. Fred This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
RE: [sniffer] False Positives.
Pete, Can you send these kinds of emails to Hamed instead of me please. thanks Judy Burnett Everyones Internet, Ltd. 835 Greens Parkway, Suite 150 Houston, TX 77067 713-579-2802 Fax: 713-942-8621 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil Sent: Monday, May 09, 2005 6:49 PM To: Chuck Schick Subject: Re: [sniffer] False Positives. On Monday, May 9, 2005, 7:40:00 PM, Chuck wrote: CS I am all of a sudden having all of the mail from one of our hosted domains CS fail the sniffer-phishing. The domain is srinternational.com - could you CS please check on this. All of the emails are different - just from the same CS domain. Responding off list with rule details. _M This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
Re: [sniffer] False
On Tuesday, May 10, 2005, 9:35:59 AM, Frederick wrote: FS I am finding that most if not all email from Comcast senders are failing FS Sniffer. Please submit a false positive report to false@ and include matching SNF log entries if possible. Thanks, _M This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
Re[2]: [sniffer] False Positives.
On Tuesday, May 10, 2005, 9:37:29 AM, Judy wrote: JB Pete, JB Can you send these kinds of emails to Hamed instead of me please. JB thanks I have changed your subscription. Please note you can alter your sniffer@ list subscription at any time. Information is on our help page: http://www.sortmonster.com/MessageSniffer/Help/Help.html Best, _M This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
[sniffer] False Positives.
I am all of a sudden having all of the mail from one of our hosted domains fail the sniffer-phishing. The domain is srinternational.com - could you please check on this. All of the emails are different - just from the same domain. Chuck Schick Warp 8, Inc. (303)-421-5140 www.warp8.com This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
Re: [sniffer] False Positives.
On Monday, May 9, 2005, 7:40:00 PM, Chuck wrote: CS I am all of a sudden having all of the mail from one of our hosted domains CS fail the sniffer-phishing. The domain is srinternational.com - could you CS please check on this. All of the emails are different - just from the same CS domain. Responding off list with rule details. _M This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html