[sniffer] Re: [sniffer][Fwd: Re: [sniffer]FP suggestions]
Hello Andrew,

Thursday, June 8, 2006, 11:32:47 AM, you wrote:

> Ditto.
> I advise people to use Insert, Item. Far easier than explaining how to
> drag and drop (or tie shoelaces).

It might be nice to have a SnagIt of that process to share w/ users.

> I've noticed that whether the headers survive when they are sent to
> another Exchange+Outlook company are a crap shoot.
> Generally speaking, if the message is handled by Outlook, it's not the
> same message anymore. For example, a BASE64 encoded message becomes
> plain text, and attached graphics don't show up at all in the "View
> Source" version.

I just had an interesting FP case like this. By the time the match record got to me along with what was supposed to be the original message, there were at least 9K bytes missing - including the bytes that presumably contained the rule match.

_M

--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.

#
This message is sent to you because you are subscribed to the mailing list .
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to <[EMAIL PROTECTED]>
[sniffer] Re: [sniffer][Fwd: Re: [sniffer]FP suggestions]
Darin,

Thunderbird allows you to choose the default forwarding method as either inline or as attachment. It might actually default to inline, I can't remember, but whenever it does message/rfc822 attachments, it is as a whole unlike some other clients that edit it down to the bare minimum of what they consider to be useful like addressing, subject date and MIME stuff if appropriate. I'm definitely guilty of being a Netscape diehard, and I'm very happy that the Mozilla project brought things back to life again.

I fully understand the attachment trick with Outlook thanks to the confirmations. This will be easier than having people cut and paste the headers in. This doesn't happen much, but there is nothing worse than getting a spam report without header info.

I also understand the encoding issues with forwarding in Outlook/OE. It's a shame that this happens. Maybe having a copy of Thunderbird around for this purpose might fit in where this is an issue. Sounds like adding Sniffer headers would be the best solution for this issue on a wider basis since you definitely can't convince every admin not to submit using Outlook/OE.

Soon I'm going to code up my Sniffer FP reports to be automatically triggered when a message is reprocessed from my spam review system, so I won't have to even bother with the source any more. That should only take a couple of hours, and it would be time well spent. I always fix issues and whitelist locally where appropriate, but I also report to Sniffer for the benefit of all in addition to making sure that a FP rule will not tag something outside of the scope of what I whitelisted, and I have to report in order to be able to see what the content of the rule was. Customers do most of the reprocessing now, I just do the back end stuff.

Matt

Darin Cox wrote:

> >Thunderbird and Netscape just takes the full original source and
> >attaches it as a message/rfc822 attachment. I forwarded this message
> >back to the list by just pressing "Forward".
>
> Interesting that they include the headers with a simple forward, without
> specifying forward as attachment. I haven't ever seen that behaviour
> before in a mail client. Seems like a few forwards would create a very
> bloated message with all of the old headers.
>
> >I'm pretty sure that Outlook Express works simply by just pressing
> >Forward As Attachment, or at least it gives me enough of the original,
> >including the full headers, to determine how to block the spam.
>
> Yes it does. However you've missed the point. The issue is not how to get
> the headers. It is how to keep an email client from encoding the message
> and headers differently, so that Sniffer can properly identify the rule
> that caught the message.
>
> >Please excuse me for wanting more detail about the Outlook attachment
> >trick, but would you mind attaching this message to a response so that
> >I could look at the headers and such?
>
> Sorry, I don't use Outlook. But I can tell you the steps to take in
> Outlook 2003 (other versions are almost exactly the same). I have my
> Outlook users follow these with no problem.
>
> 1. Create a new email message
> 2. Click the arrow beside the paperclip icon, select item instead of file
>    from the dropdown
> 3. Browse mailboxes from the popup dialog to select the message to attach.
> 4. Voila, original message and headers attached.
>
> >There was a discussion about Outlook's behavior with Scott some time
> >ago. Apparently Microsoft was pressured by customers to remove headers
> >when forwarding because they felt that they were a security/privacy
> >risk. No one told them that Outlook was a security/privacy risk on its
> >own :) ...but that's another story. I would probably feel different if
> >I had the need for groupware though, but digs at Microsoft are
> >irresistible sometimes.
>
> I don't remember that discussion, and am not sure we're talking about the
> same thing. If you attach the original message via the steps above, you
> get the full original message, headers and body. We have a number of
> customers who send spam reports this way, mostly on Outlook 2002 and 2003.
>
> Darin
[sniffer] Re: [sniffer][Fwd: Re: [sniffer]FP suggestions]
Ditto.

I advise people to use Insert, Item. Far easier than explaining how to drag and drop (or tie shoelaces).

I've noticed that whether the headers survive when they are sent to another Exchange+Outlook company are a crap shoot.

Generally speaking, if the message is handled by Outlook, it's not the same message anymore. For example, a BASE64 encoded message becomes plain text, and attached graphics don't show up at all in the "View Source" version.

When reporting false positives, I do the best job I can at producing the message that triggered (if it was caught as spam, I scan the message with the current rulebase first; sometimes the rule is already retired) and also dig out the IMail/Declude unique ID and thereby the Message Sniffer log lines.

Andrew 8)

> -----Original Message-----
> From: Message Sniffer Community
> [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
> Sent: Thursday, June 08, 2006 6:45 AM
> To: Message Sniffer Community
> Subject: [sniffer] Re: [sniffer][Fwd: Re: [sniffer]FP suggestions]
>
> >Thunderbird and Netscape just takes the full original source and
> >attaches it as a message/rfc822 attachment. I forwarded this message
> >back to the list by just pressing "Forward".
>
> Interesting that they include the headers with a simple forward, without
> specifying forward as attachment. I haven't ever seen that behaviour
> before in a mail client. Seems like a few forwards would create a very
> bloated message with all of the old headers.
>
> >I'm pretty sure that Outlook Express works simply by just pressing
> >Forward As Attachment, or at least it gives me enough of the original,
> >including the full headers, to determine how to block the spam.
>
> Yes it does. However you've missed the point. The issue is not how to get
> the headers. It is how to keep an email client from encoding the message
> and headers differently, so that Sniffer can properly identify the rule
> that caught the message.
>
> >Please excuse me for wanting more detail about the Outlook attachment
> >trick, but would you mind attaching this message to a response so that
> >I could look at the headers and such?
>
> Sorry, I don't use Outlook. But I can tell you the steps to take in
> Outlook 2003 (other versions are almost exactly the same). I have my
> Outlook users follow these with no problem.
>
> 1. Create a new email message
> 2. Click the arrow beside the paperclip icon, select item instead of file
>    from the dropdown
> 3. Browse mailboxes from the popup dialog to select the message to attach.
> 4. Voila, original message and headers attached.
>
> >There was a discussion about Outlook's behavior with Scott some time
> >ago. Apparently Microsoft was pressured by customers to remove headers
> >when forwarding because they felt that they were a security/privacy
> >risk. No one told them that Outlook was a security/privacy risk on its
> >own :) ...but that's another story. I would probably feel different if
> >I had the need for groupware though, but digs at Microsoft are
> >irresistible sometimes.
>
> I don't remember that discussion, and am not sure we're talking about the
> same thing. If you attach the original message via the steps above, you
> get the full original message, headers and body. We have a number of
> customers who send spam reports this way, mostly on Outlook 2002 and 2003.
>
> Darin
[sniffer] Re: [sniffer][Fwd: Re: [sniffer]FP suggestions]
>Thunderbird and Netscape just takes the full original source and
>attaches it as a message/rfc822 attachment. I forwarded this message
>back to the list by just pressing "Forward".

Interesting that they include the headers with a simple forward, without specifying forward as attachment. I haven't ever seen that behaviour before in a mail client. Seems like a few forwards would create a very bloated message with all of the old headers.

>I'm pretty sure that
>Outlook Express works simply by just pressing Forward As Attachment, or
>at least it gives me enough of the original, including the full headers,
>to determine how to block the spam.

Yes it does. However you've missed the point. The issue is not how to get the headers. It is how to keep an email client from encoding the message and headers differently, so that Sniffer can properly identify the rule that caught the message.

>Please excuse me for wanting more detail about the Outlook attachment
>trick, but would you mind attaching this message to a response so that I
>could look at the headers and such?

Sorry, I don't use Outlook. But I can tell you the steps to take in Outlook 2003 (other versions are almost exactly the same). I have my Outlook users follow these with no problem.

1. Create a new email message
2. Click the arrow beside the paperclip icon, select item instead of file from the dropdown
3. Browse mailboxes from the popup dialog to select the message to attach.
4. Voila, original message and headers attached.

>There was a discussion about Outlook's behavior with Scott some time
>ago. Apparently Microsoft was pressured by customers to remove headers
>when forwarding because they felt that they were a security/privacy
>risk. No one told them that Outlook was a security/privacy risk on its
>own :) ...but that's another story. I would probably feel different if
>I had the need for groupware though, but digs at Microsoft are
>irresistible sometimes.

I don't remember that discussion, and am not sure we're talking about the same thing. If you attach the original message via the steps above, you get the full original message, headers and body. We have a number of customers who send spam reports this way, mostly on Outlook 2002 and 2003.

Darin
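
The encoding problem discussed in this thread, as an added example that is not part of any post: a Python sketch, using constructed sample data, that compares a report carrying the original as a message/rfc822 attachment with a simulated inline forward that decodes the BASE64 body. TOKEN is a hypothetical stand-in for the raw-source bytes a content rule matched; it is not Message Sniffer's rule format.

```python
import base64
from email import message_from_bytes
from email.mime.message import MIMEMessage
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Constructed sample: a message whose body travels BASE64 encoded.
BODY = b"Your June invoice is attached. Call us with any questions.\n"
ENCODED = base64.encodebytes(BODY)
ORIGINAL = (
    b"Received: from mail.example.net by mx.example.org; 8 Jun 2006 06:40:00\n"
    b"From: billing@example.net\n"
    b"Subject: June invoice\n"
    b"MIME-Version: 1.0\n"
    b'Content-Type: text/plain; charset="us-ascii"\n'
    b"Content-Transfer-Encoding: base64\n\n" + ENCODED
)
# Hypothetical stand-in for the raw-source bytes a content rule matched.
TOKEN = ENCODED[:24]

def forward_as_attachment(original: bytes) -> bytes:
    """Report that carries the whole original as a message/rfc822 part."""
    report = MIMEMultipart()
    report["Subject"] = "FP report"
    report.attach(MIMEText("False positive, original attached.\n"))
    report.attach(MIMEMessage(message_from_bytes(original)))
    return report.as_bytes()

def forward_inline(original: bytes) -> bytes:
    """Simulated client: decodes the body and keeps only a few headers."""
    msg = message_from_bytes(original)
    text = msg.get_payload(decode=True).decode("ascii")
    quoted = f"From: {msg['From']}\nSubject: {msg['Subject']}\n\n{text}"
    return MIMEText("Forwarded message:\n\n" + quoted).as_bytes()

def recover_source(report: bytes) -> bytes:
    """Source of the attached original, or the report itself if none."""
    for part in message_from_bytes(report).walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0).as_bytes()
    return report

def check(report: bytes) -> dict:
    """What a rule-matching or header review can still see in a report."""
    src = recover_source(report)
    return {"rule_token": TOKEN in src,
            "received_header": b"Received:" in src,
            "base64_cte": b"Content-Transfer-Encoding: base64" in src}
```

Running `check()` on both reports shows the attached copy still exposing the encoded bytes and the Received header, while the inline copy has neither.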