Re: [sniffer] False Positives
On Thursday, February 23, 2006, 5:48:55 AM, Kevin wrote:

KR> So when I asked how I would send in false positives, someone mentioned
KR> that I should look up the appropriate log entry and send that in. That
KR> brings up another question. My log file is 270MB and climbing. I've
KR> never opened it cause it's too big. Do you have a reader for your log
KR> files?

I recommend you delete your current log - or at least set it aside until you've completed work on the FPs in question. There are editors out there (I like slickedit) that will handle files that large.

That said, your log file should never get that large. You should rotate it out and send it to us once a day or so. There are some scripts to handle that for you:

http://www.sortmonster.com/MessageSniffer/Help/AutomatingUpdatesHelp.html

Details about your log file are here:

http://www.sortmonster.com/MessageSniffer/Help/LogsHelp.html

KR> I think it would be nice to have a little list of things to do to send
KR> in false positives:

KR> 1. Have your users send you the false positive. Save it as an .eml file (?)

KR> 2. Look up (somehow) the entry in your log file that corresponds to that
KR> .eml file. Copy and paste that text into a new email.

KR> 3. Send an email from your primary Sortmonster email address, attaching
KR> the .eml file and any log portion as necessary.

KR> Is this correct?

Everything you want to know about false positives (most likely) is on this page - including step by step instructions:

http://www.sortmonster.com/MessageSniffer/Help/FalsePositivesHelp.html

_M

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
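The lookup Kevin asks about in step 2 (finding the log entry that belongs to a saved .eml) can be scripted. What follows is an added example, not code from the list or from SortMonster: it reads the Message-ID of the saved message and pulls every log line that mentions it, so those lines can be pasted into the FP report next to the attached .eml. The sample message and log lines are constructed and the log layout is hypothetical; the real Message Sniffer log format is documented on the LogsHelp page linked above, so the matching key may have to change (for instance to the queue file name) to fit it.

```python
# Added example (not Message Sniffer code): pair a saved false positive
# (.eml) with the scanner log lines that describe it, for an FP report.
import email
from email import policy
from typing import Dict, List, Optional

# Constructed sample .eml, as a user might save and forward it.
SAMPLE_EML = b"""\
Message-ID: <20060223.1234@example.net>
From: alice@example.net
To: bob@example.org
Subject: Meeting notes

Here are the notes from today.
"""

# Constructed sample log.  The layout (timestamp, queue file, result code,
# rule id, Message-ID) is hypothetical, not the real SNF log format.
SAMPLE_LOG = """\
20060223 051200 q1234.smd 0 0 -
20060223 051201 q1235.smd 62 1087512 <20060223.1234@example.net>
20060223 051202 q1236.smd 0 0 -
"""


def message_id(eml_bytes: bytes) -> Optional[str]:
    """Return the Message-ID header of a raw RFC 822 message, or None if absent."""
    msg = email.message_from_bytes(eml_bytes, policy=policy.default)
    mid = msg.get("Message-ID")
    return str(mid).strip() if mid else None


def find_log_lines(log_text: str, needle: str) -> List[str]:
    """Return every log line containing needle.  The comparison is
    case-insensitive so differently cased log output still matches."""
    needle_l = needle.lower()
    return [line for line in log_text.splitlines() if needle_l in line.lower()]


def build_fp_report(eml_bytes: bytes, log_text: str) -> Dict[str, object]:
    """Collect what the thread says a submission needs: the message's
    identity plus the matching log entries.  When nothing matches, the
    report flags that the log lookup has to be done by hand."""
    mid = message_id(eml_bytes)
    lines = find_log_lines(log_text, mid) if mid else []
    return {"message_id": mid, "log_lines": lines, "needs_manual_lookup": not lines}


if __name__ == "__main__":
    report = build_fp_report(SAMPLE_EML, SAMPLE_LOG)
    print("Message-ID:", report["message_id"])
    for line in report["log_lines"]:
        print("log:", line)
```

Run it over the real daily log rather than a 270MB accumulation, which is the other point of Pete's reply: once the log is rotated daily, the search space for any one FP is a single day's file.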
RE: [sniffer] False Positives
A program like freeware Baregrep (http://www.baremetalsoft.com/baregrep/) might be helpful to you.

Do you not regularly cycle your logs and submit them?

John C

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Rogers
Sent: Thursday, February 23, 2006 4:49 AM
To: sniffer@SortMonster.com
Subject: [sniffer] False Positives

So when I asked how I would send in false positives, someone mentioned that I should look up the appropriate log entry and send that in. That brings up another question. My log file is 270MB and climbing. I've never opened it cause it's too big. Do you have a reader for your log files?

I think it would be nice to have a little list of things to do to send in false positives:

1. Have your users send you the false positive. Save it as an .eml file (?)
2. Look up (somehow) the entry in your log file that corresponds to that .eml file. Copy and paste that text into a new email.
3. Send an email from your primary Sortmonster email address, attaching the .eml file and any log portion as necessary.

Is this correct?

---
[This E-mail was scanned for viruses.]
Re: [sniffer] False Positives
I second the motion. We have been submitting spam for over a year and I don't know if a single one was received.

Thank you Jim, for the suggestion.

Michael Stein
Computer House
www.computerhouse.com

- Original Message -
From: "Jim Matuska Jr." <[EMAIL PROTECTED]>
To:
Sent: Wednesday, February 15, 2006 4:40 PM
Subject: RE: [sniffer] False Positives

Pete,

Is there any way to get an automatic response similar to the one listed below for the FP address, but for submissions to your spam@ address? It would be nice to get some feedback when submitting spam.

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe Information Systems
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Wednesday, February 15, 2006 1:28 PM
To: Kevin Rogers
Subject: Re: [sniffer] False Positives

On Wednesday, February 15, 2006, 3:54:50 PM, Kevin wrote:

KR> My users have been getting a lot of FPs by Sniffer lately. They send me
KR> the email with the FULL HEADERS displayed and I forward this email on to
KR> SortMonster. The program they use to analyze incoming submissions checks
KR> MY email headers, determines that SNIFFER was not at fault and sends me
KR> back an email saying it didn't find any flags.

Just to clarify a bit, here is the standard response you're probably talking about:

[FPR:0] The message did not match any active black rules as submitted. The rules may have been modified or removed. If you provide matching log entries from your system then we can research this further. Note that sometimes our false processing system may not identify the rules that matched this message on your system due to changes in the submitted content that might occur during the forwarding process. Please also be sure you are running the latest version, that your rulebase file is up to date, and that you do not have any unresolved errors in your Sniffer log file. Bug fixes in newer versions may resolve false positive issues or reduce the risk of false positives through enhanced features and new technologies. Certain errors in your log file may indicate a corrupted rulebase.

---

The software we use to scan false positive submissions is a version of SNF that includes every rule we have in our system. If the message does not match any of these rules, MOST of the time it means that the rule has been removed already. If that is not the case, then the next step is to provide matching log entries. On some systems this is not necessary because the headers may already contain SNF x-header data that shows the rules involved.

This process is not intended to make things difficult, but to save time. The majority of the time, our local scanner will identify the rule or rules in question and we will respond accordingly. When that is not the case we simply need more data to move forward with the investigation.

Usually, when a rule is still in the system and it does not match a false positive submission it is because the original message was altered during the forwarding process or some condition of being attached has prevented the scanner on this end from reproducing the result you had on your system.

Hope this helps,

_M
RE: [sniffer] False Positives
Pete,

Is there any way to get an automatic response similar to the one listed below for the FP address, but for submissions to your spam@ address? It would be nice to get some feedback when submitting spam.

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe Information Systems
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Wednesday, February 15, 2006 1:28 PM
To: Kevin Rogers
Subject: Re: [sniffer] False Positives

On Wednesday, February 15, 2006, 3:54:50 PM, Kevin wrote:

KR> My users have been getting a lot of FPs by Sniffer lately. They send me
KR> the email with the FULL HEADERS displayed and I forward this email on to
KR> SortMonster. The program they use to analyze incoming submissions checks
KR> MY email headers, determines that SNIFFER was not at fault and sends me
KR> back an email saying it didn't find any flags.

Just to clarify a bit, here is the standard response you're probably talking about:

[FPR:0] The message did not match any active black rules as submitted. The rules may have been modified or removed. If you provide matching log entries from your system then we can research this further. Note that sometimes our false processing system may not identify the rules that matched this message on your system due to changes in the submitted content that might occur during the forwarding process. Please also be sure you are running the latest version, that your rulebase file is up to date, and that you do not have any unresolved errors in your Sniffer log file. Bug fixes in newer versions may resolve false positive issues or reduce the risk of false positives through enhanced features and new technologies. Certain errors in your log file may indicate a corrupted rulebase.

---

The software we use to scan false positive submissions is a version of SNF that includes every rule we have in our system. If the message does not match any of these rules, MOST of the time it means that the rule has been removed already. If that is not the case, then the next step is to provide matching log entries. On some systems this is not necessary because the headers may already contain SNF x-header data that shows the rules involved.

This process is not intended to make things difficult, but to save time. The majority of the time, our local scanner will identify the rule or rules in question and we will respond accordingly. When that is not the case we simply need more data to move forward with the investigation.

Usually, when a rule is still in the system and it does not match a false positive submission it is because the original message was altered during the forwarding process or some condition of being attached has prevented the scanner on this end from reproducing the result you had on your system.

Hope this helps,

_M
RE: [sniffer] False Positives
The X-SNF header. Sounds like a good idea. Is there a cheat sheet someplace for making that happen, if possible, in a Declude / Imail environment?

Thanks ahead of time,

Rob

---
[This E-mail scanned for viruses by Declude Virus]
Re: [sniffer] False Positives
On Wednesday, February 15, 2006, 3:54:50 PM, Kevin wrote:

KR> My users have been getting a lot of FPs by Sniffer lately. They send me
KR> the email with the FULL HEADERS displayed and I forward this email on to
KR> SortMonster. The program they use to analyze incoming submissions checks
KR> MY email headers, determines that SNIFFER was not at fault and sends me
KR> back an email saying it didn't find any flags.

Just to clarify a bit, here is the standard response you're probably talking about:

[FPR:0] The message did not match any active black rules as submitted. The rules may have been modified or removed. If you provide matching log entries from your system then we can research this further. Note that sometimes our false processing system may not identify the rules that matched this message on your system due to changes in the submitted content that might occur during the forwarding process. Please also be sure you are running the latest version, that your rulebase file is up to date, and that you do not have any unresolved errors in your Sniffer log file. Bug fixes in newer versions may resolve false positive issues or reduce the risk of false positives through enhanced features and new technologies. Certain errors in your log file may indicate a corrupted rulebase.

---

The software we use to scan false positive submissions is a version of SNF that includes every rule we have in our system. If the message does not match any of these rules, MOST of the time it means that the rule has been removed already. If that is not the case, then the next step is to provide matching log entries. On some systems this is not necessary because the headers may already contain SNF x-header data that shows the rules involved.

This process is not intended to make things difficult, but to save time. The majority of the time, our local scanner will identify the rule or rules in question and we will respond accordingly. When that is not the case we simply need more data to move forward with the investigation.

Usually, when a rule is still in the system and it does not match a false positive submission it is because the original message was altered during the forwarding process or some condition of being attached has prevented the scanner on this end from reproducing the result you had on your system.

Hope this helps,

_M
RE: [sniffer] False Positives
Search your sniffer logs and include the log lines for that particular message.

-Jay

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Rogers
Sent: Wednesday, February 15, 2006 3:55 PM
To: sniffer@SortMonster.com
Subject: [sniffer] False Positives

My users have been getting a lot of FPs by Sniffer lately. They send me the email with the FULL HEADERS displayed and I forward this email on to SortMonster. The program they use to analyze incoming submissions checks MY email headers, determines that SNIFFER was not at fault and sends me back an email saying it didn't find any flags.

How the heck am I supposed to submit FPs from my users to SNIFFER?!!

I also save my user's email and attach it to my submissions to sortmonster, but these too are not flagged.

Very frustrating, esp since SNIFFER FPs are particularly dangerous since I give it so much weight.
Re: [sniffer] False Positives
On Wednesday, January 18, 2006, 8:57:56 AM, Ali wrote:

AR> Hi,

AR> Over the last 2 days I have seen a major increase in false positives.
AR> Literally all hotmail and yahoo addresses are being caught by sniffer
AR> inclusive of other legit domains.

AR> Please confirm what may be causing this and what I can do to resolve the
AR> issue.

Please visit:

http://www.mail-archive.com/sniffer@sortmonster.com/msg02346.html

and

http://www.mail-archive.com/sniffer@sortmonster.com/msg02348.html

Thanks,

_M
Re: [sniffer] False Positives
Agreed. We counted 100 false positives yesterday, compared to our normal rate of less than 5. No false positives since 6pm ET yesterday, though. Thank goodness.

Darin.

- Original Message -
From: "Frederick Samarelli" <[EMAIL PROTECTED]>
To:
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, January 18, 2006 8:42 AM
Subject: Re: [sniffer] False Positives

Same with me. Last night there was a rules update and it fixed the problem. Check the date of your rules update.

- Original Message -
From: "Ali Resting" <[EMAIL PROTECTED]>
To:
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, January 18, 2006 8:57 AM
Subject: [sniffer] False Positives

> Hi,
>
> Over the last 2 days I have seen a major increase in false positives.
> Literally all hotmail and yahoo addresses are being caught by sniffer
> inclusive of other legit domains.
>
> Please confirm what may be causing this and what I can do to resolve the
> issue.
>
> Regards,
>
> Ali
>
> ---
> This message was scanned for viruses by the Real Image Anti-virus filters
Re: [sniffer] False Positives
Same with me. Last night there was a rules update and it fixed the problem. Check the date of your rules update.

- Original Message -
From: "Ali Resting" <[EMAIL PROTECTED]>
To:
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, January 18, 2006 8:57 AM
Subject: [sniffer] False Positives

Hi,

Over the last 2 days I have seen a major increase in false positives. Literally all hotmail and yahoo addresses are being caught by sniffer inclusive of other legit domains.

Please confirm what may be causing this and what I can do to resolve the issue.

Regards,

Ali
Re: [sniffer] false positives which categories?
The ham or spam is based on weight. I use subject tag at 100, hold at 200, delete at 300. For analysis purposes messages less than 200 are considered ham. Messages 200 and over are considered spam.

- Original Message -
From: "Keith Johnson" <[EMAIL PROTECTED]>
To:
Sent: Thursday, August 11, 2005 7:13 AM
Subject: RE: [sniffer] false positives which categories?

Scott,

HS = Test says ham, final result was spam. This is an inaccurate ham result. 'False negative'

How are you auto determining that an email that was ham was really spam? Are you keying in this info into your stats based on your viewing of the email or by user complaint? Obviously, if Declude triggers an email to have action on it based on spam settings it was spam and if it didn't take action on it and it went through to your users it was ham. Thanks again for the aid.

Keith

From: [EMAIL PROTECTED] on behalf of Scott Fisher
Sent: Thu 8/4/2005 10:02 AM
To: sniffer@SortMonster.com
Subject: Re: [sniffer] false positives which categories?

I have my sniffer result histories by category posted at:
http://it.farmprogress.com/declude/Testsbymonth.html

Look about 90% down the page.

- Original Message -
From: Bonno Bloksma <mailto:[EMAIL PROTECTED]>
To: sniffer@SortMonster.com
Sent: Thursday, August 04, 2005 1:40 AM
Subject: [sniffer] false positives which categories?

Hi,

I'd like to make a difference in the ways I score the various sniffer categories in Declude. I hold at 20 and have had the several sniffer categories all at 19. As we are a school for tourism I score sniffer travel lower but I would like to score some categories higher, at 20.

If we have a false positive it's mostly in the general, exp-abstract, ip-rules category is my feeling. Someone must have made a comparison of false positives against sniffer and in which categories those fp's are mostly. Right? Which categories have virtually no FPs and which should I keep (well) below my hold level?

Of course all held mail gets reviewed by me, unless it scores enough other points to get deleted (at 27 points).

Regards,

Bonno Bloksma
Re: [sniffer] false positives which categories?
If the test fails, but the message does not hit the hold or delete weight.

Not a perfect measurement, as it does not capture all ham (ham that hits the hold or delete weight), and misses some spam (spam that does not hit the hold or delete weight), but it is the most accurate and least subjective measurement.

Darin.

- Original Message -
From: "Keith Johnson" <[EMAIL PROTECTED]>
To:
Sent: Thursday, August 11, 2005 8:13 AM
Subject: RE: [sniffer] false positives which categories?

Scott,

HS = Test says ham, final result was spam. This is an inaccurate ham result. 'False negative'

How are you auto determining that an email that was ham was really spam? Are you keying in this info into your stats based on your viewing of the email or by user complaint? Obviously, if Declude triggers an email to have action on it based on spam settings it was spam and if it didn't take action on it and it went through to your users it was ham. Thanks again for the aid.

Keith

From: [EMAIL PROTECTED] on behalf of Scott Fisher
Sent: Thu 8/4/2005 10:02 AM
To: sniffer@SortMonster.com
Subject: Re: [sniffer] false positives which categories?

I have my sniffer result histories by category posted at:
http://it.farmprogress.com/declude/Testsbymonth.html

Look about 90% down the page.

- Original Message -
From: Bonno Bloksma <mailto:[EMAIL PROTECTED]>
To: sniffer@SortMonster.com
Sent: Thursday, August 04, 2005 1:40 AM
Subject: [sniffer] false positives which categories?

Hi,

I'd like to make a difference in the ways I score the various sniffer categories in Declude. I hold at 20 and have had the several sniffer categories all at 19. As we are a school for tourism I score sniffer travel lower but I would like to score some categories higher, at 20.

If we have a false positive it's mostly in the general, exp-abstract, ip-rules category is my feeling. Someone must have made a comparison of false positives against sniffer and in which categories those fp's are mostly. Right? Which categories have virtually no FPs and which should I keep (well) below my hold level?

Of course all held mail gets reviewed by me, unless it scores enough other points to get deleted (at 27 points).

Regards,

Bonno Bloksma
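Scott's thresholds (subject tag at 100, hold at 200, delete at 300, with anything below 200 counted as ham) and Darin's definition of a per-test false positive (the test fired but the message stayed below the hold weight) together describe a small confusion-matrix tally per test. The following Python is an added example, not code from either poster or from Declude or Message Sniffer: it applies those thresholds to a constructed batch of scan results and produces the HS/SH/HH/SS counts that Keith asked about. The test names and the sample messages are made up for the example.

```python
# Added example (not Declude or Sniffer code): classify messages by final
# weight and tally each test's agreement with that verdict.
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Thresholds from Scott's message: tag at 100, hold at 200, delete at 300.
TAG_WEIGHT = 100
HOLD_WEIGHT = 200
DELETE_WEIGHT = 300


@dataclass
class ScannedMessage:
    """One message's outcome: the tests that fired and the final weight."""
    fired: List[str]
    final_weight: int


def verdict(weight: int) -> str:
    """Map a final weight onto the action the thresholds would take."""
    if weight >= DELETE_WEIGHT:
        return "delete"
    if weight >= HOLD_WEIGHT:
        return "hold"
    if weight >= TAG_WEIGHT:
        return "tag"
    return "pass"


def is_spam(weight: int) -> bool:
    """Scott/Darin's analysis rule: at or above the hold weight counts as spam."""
    return weight >= HOLD_WEIGHT


def outcome(test_fired: bool, spam: bool) -> str:
    """Two-letter code: first letter is the test's opinion (S fired / H not),
    second is the final verdict.  SH is a test false positive, HS a false
    negative, SS and HH are agreement."""
    return ("S" if test_fired else "H") + ("S" if spam else "H")


def tally(messages: Iterable[ScannedMessage], tests: Iterable[str]) -> Dict[str, Counter]:
    """Count HS/SH/HH/SS per test over a batch of scanned messages."""
    tests = list(tests)
    counts: Dict[str, Counter] = {t: Counter() for t in tests}
    for m in messages:
        spam = is_spam(m.final_weight)
        for t in tests:
            counts[t][outcome(t in m.fired, spam)] += 1
    return counts


def fp_rate(c: Counter) -> float:
    """Share of a test's hits that landed on final-ham messages: SH / (SH + SS)."""
    hits = c["SH"] + c["SS"]
    return c["SH"] / hits if hits else 0.0


# Constructed sample batch; test names are hypothetical.
TESTS = ["SNIFFER-GENERAL", "SNIFFER-TRAVEL"]
SAMPLE_MESSAGES = [
    ScannedMessage(["SNIFFER-GENERAL"], 250),                    # held
    ScannedMessage(["SNIFFER-GENERAL"], 150),                    # tagged only
    ScannedMessage(["SNIFFER-TRAVEL"], 120),                     # tagged only
    ScannedMessage(["SNIFFER-GENERAL", "SNIFFER-TRAVEL"], 320),  # deleted
    ScannedMessage([], 40),                                      # passed
    ScannedMessage([], 210),                                     # held by other tests
]


def sample_tally() -> Dict[str, Counter]:
    return tally(SAMPLE_MESSAGES, TESTS)


if __name__ == "__main__":
    for name, c in sample_tally().items():
        print(name, dict(c), "fp_rate=%.2f" % fp_rate(c))
```

Darin's caveat carries straight into the numbers: the final weight is the ground truth here, so ham that the whole stack pushed past the hold weight is counted as SS rather than SH, and the SH column undercounts true false positives on exactly the messages the postmaster reviews by hand.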
RE: [sniffer] false positives which categories?
Scott,

HS = Test says ham, final result was spam. This is an inaccurate ham result. 'False negative'

How are you auto determining that an email that was ham was really spam? Are you keying in this info into your stats based on your viewing of the email or by user complaint? Obviously, if Declude triggers an email to have action on it based on spam settings it was spam and if it didn't take action on it and it went through to your users it was ham. Thanks again for the aid.

Keith

From: [EMAIL PROTECTED] on behalf of Scott Fisher
Sent: Thu 8/4/2005 10:02 AM
To: sniffer@SortMonster.com
Subject: Re: [sniffer] false positives which categories?

I have my sniffer result histories by category posted at:
http://it.farmprogress.com/declude/Testsbymonth.html

Look about 90% down the page.

- Original Message -
From: Bonno Bloksma <mailto:[EMAIL PROTECTED]>
To: sniffer@SortMonster.com
Sent: Thursday, August 04, 2005 1:40 AM
Subject: [sniffer] false positives which categories?

Hi,

I'd like to make a difference in the ways I score the various sniffer categories in Declude. I hold at 20 and have had the several sniffer categories all at 19. As we are a school for tourism I score sniffer travel lower but I would like to score some categories higher, at 20.

If we have a false positive it's mostly in the general, exp-abstract, ip-rules category is my feeling. Someone must have made a comparison of false positives against sniffer and in which categories those fp's are mostly. Right? Which categories have virtually no FPs and which should I keep (well) below my hold level?

Of course all held mail gets reviewed by me, unless it scores enough other points to get deleted (at 27 points).

Regards,

Bonno Bloksma
Re: [sniffer] false positives which categories?
I have my sniffer result histories by category posted at:
http://it.farmprogress.com/declude/Testsbymonth.html

Look about 90% down the page.

- Original Message -
From: Bonno Bloksma
To: sniffer@SortMonster.com
Sent: Thursday, August 04, 2005 1:40 AM
Subject: [sniffer] false positives which categories?

Hi,

I'd like to make a difference in the ways I score the various sniffer categories in Declude. I hold at 20 and have had the several sniffer categories all at 19. As we are a school for tourism I score sniffer travel lower but I would like to score some categories higher, at 20.

If we have a false positive it's mostly in the general, exp-abstract, ip-rules category is my feeling. Someone must have made a comparison of false positives against sniffer and in which categories those fp's are mostly. Right? Which categories have virtually no FPs and which should I keep (well) below my hold level?

Of course all held mail gets reviewed by me, unless it scores enough other points to get deleted (at 27 points).

Regards,

Bonno Bloksma
RE: [sniffer] False Positives.
Pete,

Can you send these kinds of emails to Hamed instead of me please.

thanks

Judy Burnett
Everyones Internet, Ltd.
835 Greens Parkway, Suite 150
Houston, TX 77067
713-579-2802
Fax: 713-942-8621

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Monday, May 09, 2005 6:49 PM
To: Chuck Schick
Subject: Re: [sniffer] False Positives.

On Monday, May 9, 2005, 7:40:00 PM, Chuck wrote:

CS> I am all of a sudden having all of the mail from one of our hosted domains
CS> fail the sniffer-phishing. The domain is srinternational.com - could you
CS> please check on this. All of the emails are different - just from the same
CS> domain.

Responding off list with rule details.

_M
Re: [sniffer] False Positives.
On Monday, May 9, 2005, 7:40:00 PM, Chuck wrote:

CS> I am all of a sudden having all of the mail from one of our hosted domains
CS> fail the sniffer-phishing. The domain is srinternational.com - could you
CS> please check on this. All of the emails are different - just from the same
CS> domain.

Responding off list with rule details.

_M