Re: [sniffer] Still having problems

2005-01-10 Thread Matt




I just wanted to add some stats that I thought might be of some use
here. I gathered info on my block rates over the past three days and
compared my Sniffer hits to them. There has been no measurable change
to my system with an average of 96% of spam getting tagged by Sniffer.
I'm at least not seeing any issues.

FRIDAY
==
Blocked: 89.45% of Total Message Volume
Sniffer: 85.74% of Total Message Volume
-
Sniffer Capture Rate on Spam: 95.85%

SATURDAY
==
Blocked: 96.57% of Total Message Volume
Sniffer: 92.55% of Total Message Volume
-
Sniffer Capture Rate on Spam: 95.84%

SUNDAY
==
Blocked: 96.19% of Total Message Volume
Sniffer: 92.60% of Total Message Volume
-
Sniffer Capture Rate on Spam: 96.26%


The way that I generated these stats was to assume that my "Hold"
weight in Declude was an accurate approximate delineation between ham
and spam. Then the total for the Sniffer tests was added together and
divided by the block rate in order to calculate the "Sniffer Capture
Rate on Spam".

Hope this helps.

Matt




Pete McNeil wrote:

  On Monday, January 10, 2005, 12:38:45 AM, Kirk wrote:


KM   I would like to attack this more aggressively. The increase we've seen in
KM spam getting through over the last week has brought on a dramatic increase
KM in customer complaints. What different approaches might I be able to take?

I'm sorry to hear that. Spam is an increasing problem.

I have adjusted your rulebase to the new rule strength threshold 0.5.

Earlier today I coded a number of rules that are based on some of the
subjects you submitted.

If you can think of any black rules that you would feel comfortable
coding on your system please let me know and I will add them. For
example, you may be willing to accept single words or word pairs that
we could not normally code into the core rulebase.

I am open to any ideas you have and I will help you to create rules
that meet your criteria.

Hope this helps,
_M




This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html


  


-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
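Added example, not part of Matt's message or of any Sniffer or Declude tooling: the capture-rate calculation described above, run over constructed per-message records (the test names, weights and hold threshold are assumptions). It also reports the rate counted only over held messages, which differs from the ratio whenever a Sniffer test fires on a message that stays below the hold weight.

```python
# Added example: constructed data, not taken from the thread.
# Each record is (total_weight, tests_that_fired) for one message.
HOLD_WEIGHT = 10  # assumed "Hold" threshold; the thread does not give the value

MESSAGES = (
    [(25, ["SNIFFER-GENERAL", "IPBLACKLIST"])] * 14  # held, Sniffer fired
    + [(14, ["IPBLACKLIST", "BADHEADERS"])] * 2      # held, Sniffer silent
    + [(6, ["SNIFFER-GENERAL"])] * 1                 # delivered, Sniffer fired
    + [(0, [])] * 3                                  # delivered, nothing fired
)


def sniffer_hit(tests, prefix="SNIFFER"):
    """True if any fired test name belongs to the (assumed) Sniffer family."""
    return any(name.upper().startswith(prefix) for name in tests)


def capture_stats(messages, hold_weight):
    """Return blocked share, Sniffer share and both capture-rate figures."""
    total = len(messages)
    if total == 0:
        raise ValueError("no messages to summarize")
    held = [m for m in messages if m[0] >= hold_weight]
    if not held:
        raise ValueError("nothing reached the hold weight; rate is undefined")
    blocked_pct = 100 * len(held) / total
    sniffer_pct = 100 * sum(sniffer_hit(t) for _, t in messages) / total
    held_hits = sum(sniffer_hit(t) for _, t in held)
    return {
        "blocked_pct": blocked_pct,
        "sniffer_pct": sniffer_pct,
        # Method from the message: Sniffer share divided by blocked share.
        "capture_rate": 100 * sniffer_pct / blocked_pct,
        # Same rate counted only over messages at or above the hold weight.
        "capture_rate_held_only": 100 * held_hits / len(held),
    }


if __name__ == "__main__":
    for key, value in capture_stats(MESSAGES, HOLD_WEIGHT).items():
        print(f"{key}: {value:.2f}%")
```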




Re[2]: [sniffer] Still having problems

2005-01-10 Thread Pete McNeil
On Monday, January 10, 2005, 11:34:44 AM, Matt wrote:

M  I just wanted to add some stats that I thought might be of
M some use here.  I gathered info on my block rates over the past
M three days and compared my Sniffer hits to them.  There has been no
M measurable change to my system with an average of 96% of spam
M getting tagged by Sniffer.  I'm at least not seeing any issues.

Thanks for all of this.

I don't think there are any SNF issues - save a current spam storm:
545 new rules already and the day is very young!

Some systems see more spam than others, have special needs, or a lower
tolerance for leakage.

The bursting order of spam sources changes constantly -- so the spam
received at any given system can at times see sudden bursts of new
spam activity with no apparent cause. This can also happen any time a
given system begins to receive new spam sufficiently early when
compared to when we see it, or when an update can go out.

There are many mechanisms like this in play all the time and they give
rise to random peaks and valleys in spam flow on every system -- often
these events go un-noticed, but occasionally it can seem as though the
dam has burst.

In this case I think that a combination of things are happening.
Thankfully - a failure in the SNF system doesn't appear to be one of
them.

_M






Re: Re[2]: [sniffer] Still having problems

2005-01-09 Thread Kirk Mitchell
At 12:48 AM 1/10/2005 -0500, you wrote:

Earlier today I coded a number of rules that are based on some of the
subjects you submitted.

If you can think of any black rules that you would feel comfortable
coding on your system please let me know and I will add them. For
example, you may be willing to accept single words or word pairs that
we could not normally code into the core rulebase.

I am open to any ideas you have and I will help you to create rules
that meet your criteria.

Thanks, I'll toss this around and see what particulars I can come up with.


-- 
Kirk Mitchell-General Manager[EMAIL PROTECTED]
Keystone Connect Unlock Your World
Altoona, PA  814-941-5000   http://www.keyconn.net




[sniffer] Still having problems

2005-01-08 Thread Kirk Mitchell
  I'm still getting a ton of spam that, theoretically, I shouldn't be
seeing. Stuff such as Tadalafil Soft Tabs ads that are identical to
samples I've forwarded to [EMAIL PROTECTED] multiple times in the last
week, yet are still passing through mxGuard/Sniffer with a LOW spam
probability. I recently upgraded from v2r3 to v2.3.2, could I have missed
something in changing over?

Thanks,

-- 
Kirk Mitchell-General Manager[EMAIL PROTECTED]
Keystone Connect Unlock Your World
Altoona, PA  814-941-5000   http://www.keyconn.net




Re: [sniffer] Still having problems

2005-01-08 Thread Pete McNeil
On Saturday, January 8, 2005, 7:47:14 AM, Kirk wrote:

KM   I'm still getting a ton of spam that, theoretically, I shouldn't be
KM seeing. Stuff such as Tadalafil Soft Tabs ads that are identical to
KM samples I've forwarded to [EMAIL PROTECTED] multiple times in the last
KM week, yet are still passing through mxGuard/Sniffer with a LOW spam
KM probability. I recently upgraded from v2r3 to v2.3.2, could I have missed
KM something in changing over?

I don't think so.
To be sure - check for errors in your log file.

The campaigns you're talking about are very aggressive - which is to say
that the sources, uri, and structure of the messages are changed
frequently, so they are going to get past filters more frequently than
other messages... I believe we are making progress developing some
generalized heuristics for these campaigns though...

If you have a sample of something that you see as a chronic problem
then please attach it as a zip and send it to support@ so I can see if
there's something special about it.

If you have ideas for broader black rules that you would like added to
your rulebase then please let us know... The rules that we add to the
core rulebase are designed to avoid false positives on all of the
systems we know about... often we can be much more aggressive on an
individual basis.

Hope this helps,
_M







Re: [sniffer] Still having problems

2005-01-08 Thread Kirk Mitchell
  Is there any tool available with which to analyze sniffer logs to get any
kind of count on the number of hits, etc?



-- 
Kirk Mitchell-General Manager[EMAIL PROTECTED]
Keystone Connect Unlock Your World
Altoona, PA  814-941-5000   http://www.keyconn.net




Re[2]: [sniffer] Still having problems

2005-01-08 Thread Pete McNeil
On Saturday, January 8, 2005, 12:45:50 PM, Kirk wrote:


KM   I've gone through some and haven't found any commonality by sender, etc,
KM but it seems that some are getting through that I'd have expected to get
KM triggered on the subject line alone. For example:

KM Tadalafil Soft Tabs - Great results!
KM ready for the sex life you dreamed about?
KM Buy medications from the net .Pay 1/2 the price of anywhere else
KM Need your prescripiton? We have them
KM VIAGRA $2.99Ljk5
KM CARTIER, PIAGET, ROLEX Replicas - Expensive Look, Not Expensive Price

We do create some filters on subjects, but we try to do that sparingly
since they easily cause false positives. A couple of the subjects
you've listed above might be in normal conversations on some lists
(surprising as that might be) so we avoid them.

Also, many of these subjects change frequently during these campaigns
- the coding estimates are that there are more than 50,000 variations
on some of the ones you've listed--- and a generalized rule on the
subject alone would open up the potential for false positives.

That said, I have been coding complex rules for these - the analysis
takes a bit longer, but the rules are coming.

KM   I've sent numerous examples of each of these in the last week or so yet
KM messages with identical subject lines are still getting through classed as
KM LOW or CLEAN. This just doesn't seem to match the performance that I've
KM become accustomed to, which is why I started questioning whether or not I
KM may have messed up something at my end.

Thanks for bringing this to our attention and please do keep pushing
us and sending us samples. The more information we have the more
quickly we can close in on a set of viable heuristics for these
campaigns.

_M






Re: Re[2]: [sniffer] Still having problems

2005-01-08 Thread Kirk Mitchell
At 01:04 PM 1/8/2005 -0500, Pete McNeil wrote:
On Saturday, January 8, 2005, 12:47:21 PM, Kirk wrote:

KM   Is there any tool available with which to analyze sniffer logs to get any
KM kind of count on the number of hits, etc?

Here's one way

http://www.sawmill.net/formats/Message_Sniffer.html

  That's the only one I found in the searching I've done. I'll probably
give the trial version a shot but can't see paying $139 for it. I was
hoping maybe someone on the list had developed something, maybe a simple
perl script or similar.


-- 
Kirk Mitchell-General Manager[EMAIL PROTECTED]
Keystone Connect Unlock Your World
Altoona, PA  814-941-5000   http://www.keyconn.net




Re[4]: [sniffer] Still having problems

2005-01-08 Thread Pete McNeil
On Saturday, January 8, 2005, 1:20:02 PM, Kirk wrote:

KM At 01:04 PM 1/8/2005 -0500, Pete McNeil wrote:
On Saturday, January 8, 2005, 12:47:21 PM, Kirk wrote:

KM   Is there any tool available with which to analyze sniffer logs to get any
KM kind of count on the number of hits, etc?

Here's one way

http://www.sawmill.net/formats/Message_Sniffer.html

KM   That's the only one I found in the searching I've done. I'll probably
KM give the trial version a shot but can't see paying $139 for it. I was
KM hoping maybe someone on the list had developed something, maybe a simple
KM perl script or similar.

I'm sure there are some things around.
However, I suspect that most folks measure their email server or a
higher level AS/AV software's logs (such as Declude, or mxGuard)
rather than measuring Message Sniffer directly.

What data do you want to summarize?

_M



