RE: [sniffer] False Positives

2006-02-23 Thread John Carter
A program like freeware Baregrep (http://www.baremetalsoft.com/baregrep/)
might be helpful to you.

Do you not regularly cycle your logs and submit them?

John C

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Kevin Rogers
Sent: Thursday, February 23, 2006 4:49 AM
To: sniffer@SortMonster.com
Subject: [sniffer] False Positives

So when I asked how I would send in false positives, someone mentioned that
I should look up the appropriate log entry and send that in.  That brings up
another question.  My log file is 270MB and climbing.  I've never opened it
because it's too big.  Do you have a reader for your log files? 

I think it would be nice to have a little list of things to do to send in
false positives:


1. Have your users send you the false positive.  Save it as an .eml file (?)
2. Look up (somehow) the entry in your log file that corresponds to that 
.eml file.  Copy and paste that text into a new email.
3. Send an email from your primary Sortmonster email address, attaching 
the .eml file and any log portion as necessary.

Is this correct?


---
[This E-mail was scanned for viruses.]



This E-Mail came from the Message Sniffer mailing list. For information and
(un)subscription instructions go to
http://www.sortmonster.com/MessageSniffer/Help/Help.html





Re: [sniffer] False Positives

2006-02-23 Thread Pete McNeil
On Thursday, February 23, 2006, 5:48:55 AM, Kevin wrote:

KR So when I asked how I would send in false positives, someone mentioned
KR that I should look up the appropriate log entry and send that in. That
KR brings up another question.  My log file is 270MB and climbing.  I've 
KR never opened it because it's too big.  Do you have a reader for your log
KR files?

I recommend you delete your current log - or at least set it aside
until you've completed work on the FPs in question. There are editors
out there (I like slickedit) that will handle files that large.

That said, your log file should never get that large. You should
rotate it out and send it to us once a day or so.

There are some scripts to handle that for you:

http://www.sortmonster.com/MessageSniffer/Help/AutomatingUpdatesHelp.html

Details about your log file are here:

http://www.sortmonster.com/MessageSniffer/Help/LogsHelp.html

KR I think it would be nice to have a little list of things to do to send
KR in false positives:


KR 1. Have your users send you the false positive.  Save it as an .eml file (?)
KR 2. Look up (somehow) the entry in your log file that corresponds to that
KR .eml file.  Copy and paste that text into a new email.
KR 3. Send an email from your primary Sortmonster email address, attaching
KR the .eml file and any log portion as necessary.

KR Is this correct?

Everything you want to know about false positives (most likely) is on
this page - including step by step instructions:

http://www.sortmonster.com/MessageSniffer/Help/FalsePositivesHelp.html

_M


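The three steps Kevin lists, carried through end to end as an added example in Python. This is not code from the thread, from SortMonster or from Declude, and it makes explicit assumptions: the .eml is constructed; the log lines are constructed and their column layout is invented for the example (the real SNF log layout is on the LogsHelp page Pete links, and if your log records the spool file name rather than the Message-ID, use that as the search string); the sender and recipient addresses are placeholders. Two points it shows that the thread only states: a 270 MB log is searched by streaming it line by line instead of opening it in an editor, and the original message is attached as message/rfc822 rather than forwarded inline, which is the alteration the [FPR:0] auto-reply quoted elsewhere in this thread warns about.

```python
"""Prepare a false-positive report: find the log entries that belong to one
user-reported message, then package the original .eml without altering it.

Added example, not code from the mailing-list thread, SortMonster or Declude.
The sample message, the log layout and the addresses are constructed
placeholders; take the real log format from your own Sniffer log.
"""
import email
from email import policy
from email.message import EmailMessage
from typing import Iterable, List

# Constructed sample of a user-submitted .eml with full headers.
SAMPLE_EML = b"""Received: from mail.example.org (192.0.2.10) by mx.example.net
Message-ID: <20060215.1234@mail.example.org>
From: Alice <alice@example.org>
To: bob@example.net
Subject: Travel itinerary
Content-Type: text/plain

Your itinerary is attached.
"""

# Constructed sample log. The column layout is an assumption made for this
# example, not the real Message Sniffer log format.
SAMPLE_LOG = [
    "20060215140155 D1233.SMD 0 <20060214.9999@mail.example.com>",
    "20060215140158 D1234.SMD 51 <20060215.1234@mail.example.org> rule 123456",
    "20060215140201 D1235.SMD 0 <20060215.5555@mail.example.com>",
]


def message_id_from_eml(raw_eml: bytes) -> str:
    """Return the Message-ID header of a raw RFC 822 message, or '' if absent."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    return (msg.get("Message-ID") or "").strip()


def find_log_lines(lines: Iterable[str], needle: str) -> List[str]:
    """Stream through log lines and keep the ones containing `needle`.

    Accepts an open file object, so a multi-hundred-megabyte log is never
    loaded into memory; only the matching lines are kept.
    """
    if not needle:
        return []
    return [line.rstrip("\n") for line in lines if needle in line]


def build_submission(raw_eml: bytes, log_lines: List[str],
                     sender: str, recipient: str) -> EmailMessage:
    """Build the report: log excerpt in the body, original .eml attached
    as message/rfc822 so its headers and body travel verbatim."""
    original = email.message_from_bytes(raw_eml, policy=policy.default)
    report = EmailMessage()
    report["From"] = sender
    report["To"] = recipient
    report["Subject"] = "False positive: " + (original.get("Subject") or "(no subject)")
    body = "Matching log entries from our system:\n\n" + "\n".join(log_lines) + "\n"
    report.set_content(body)
    # A message/rfc822 part embeds the original unchanged; an inline forward
    # rewrites headers and body, and the rule may then no longer match.
    report.add_attachment(original)
    return report


def recover_original(submission_bytes: bytes) -> EmailMessage:
    """What the receiving side does: unpack the attached original message."""
    outer = email.message_from_bytes(submission_bytes, policy=policy.default)
    for part in outer.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    raise ValueError("no message/rfc822 attachment found")


def prepare_report(raw_eml: bytes, log_lines: Iterable[str],
                   sender: str, recipient: str) -> bytes:
    """Full procedure: Message-ID -> matching log lines -> report bytes."""
    mid = message_id_from_eml(raw_eml)
    matches = find_log_lines(log_lines, mid)
    return build_submission(raw_eml, matches, sender, recipient).as_bytes()


if __name__ == "__main__":
    # Against a real log, pass the open file: find_log_lines(open(path), mid)
    print(prepare_report(SAMPLE_EML, SAMPLE_LOG,
                         "postmaster@example.net",
                         "fp-reports@example.invalid").decode())
```

If the search string turns up nothing, the log was probably rotated between the delivery and the user's report; that is the reason to set the current log aside, as Pete suggests, until the report is assembled.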


RE: [sniffer] False Positives

2006-02-15 Thread Jay Sudowski - Handy Networks LLC
Search your sniffer logs and include the log lines for that particular
message.

-Jay

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kevin Rogers
Sent: Wednesday, February 15, 2006 3:55 PM
To: sniffer@SortMonster.com
Subject: [sniffer] False Positives

My users have been getting a lot of FPs by Sniffer lately.  They send me
the email with the FULL HEADERS displayed and I forward this email on to
SortMonster.  The program they use to analyze incoming submissions checks
MY email headers, determines that SNIFFER was not at fault and sends me 
back an email saying it didn't find any flags.  How the heck am I 
supposed to submit FPs from my users to SNIFFER?!!  I also save my 
user's email and attach it to my submissions to sortmonster, but these 
too are not flagged.

Very frustrating, especially since SNIFFER FPs are particularly dangerous since
I give it so much weight.



Re: [sniffer] False Positives

2006-02-15 Thread Pete McNeil
On Wednesday, February 15, 2006, 3:54:50 PM, Kevin wrote:

KR My users have been getting a lot of FPs by Sniffer lately.  They send me
KR the email with the FULL HEADERS displayed and I forward this email on to
KR SortMonster.  The program they use to analyze incoming submissions check
KR MY email headers, determine that SNIFFER was not at fault and sends me
KR back an email saying it didn't find any flags.

Just to clarify a bit, here is the standard response you're probably
talking about:

[FPR:0]

The message did not match any active black rules as submitted. The rules
may have been modified or removed. If you provide matching log entries
from your system then we can research this further.

Note that sometimes our false processing system may not identify the
rules that matched this message on your system due to changes in the
submitted content that might occur during the forwarding process.

Please also be sure you are running the latest version, that your
rulebase file is up to date, and that you do not have any unresolved
errors in your Sniffer log file. Bug fixes in newer versions may resolve
false positive issues or reduce the risk of false positives through
enhanced features and new technologies. Certain errors in your log file
may indicate a corrupted rulebase.

---

The software we use to scan false positive submissions is a version of
SNF that includes every rule we have in our system. If the message
does not match any of these rules, MOST of the time it means that the
rule has been removed already.

If that is not the case, then the next step is to provide matching log
entries. On some systems this is not necessary because the headers may
already contain SNF x-header data that shows the rules involved.

This process is not intended to make things difficult, but to save
time. The majority of the time, our local scanner will identify the
rule or rules in question and we will respond accordingly.

When that is not the case we simply need more data to move forward
with the investigation.

Usually, when a rule is still in the system and it does not match a
false positive submission, it is because the original message was
altered during the forwarding process or because some condition of being
attached has prevented the scanner on this end from reproducing the
result you had on your system.

Hope this helps,

_M





RE: [sniffer] False Positives

2006-02-15 Thread Robert Grosshandler
The X-SNF header. Sounds like a good idea.  Is there a cheat sheet someplace
for making that happen, if possible, in a Declude / Imail environment?

Thanks ahead of time,

Rob 



RE: [sniffer] False Positives

2006-02-15 Thread Jim Matuska Jr.
Pete,
Is there any way to get an automatic response similar to the one listed below
for the FP address, but for submissions to your spam@ address?  It would be
nice to get some feedback when submitting spam.  

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]

 




Re: [sniffer] False Positives

2006-02-15 Thread Computer House Support
I second the motion.  We have been submitting spam for over a year and I 
don't know if a single one was received.

Thank you Jim, for the suggestion.


Michael Stein
Computer House
www.computerhouse.com




Re: [sniffer] False Positives

2006-01-18 Thread Frederick Samarelli

Same with me. Last night there was a rules update and it fixed the problem.

Check the date of your rules update.


- Original Message - 
From: Ali Resting [EMAIL PROTECTED]

To: sniffer@sortmonster.com
Cc: [EMAIL PROTECTED]
Sent: Wednesday, January 18, 2006 8:57 AM
Subject: [sniffer] False Positives



Hi,

Over the last 2 days I have seen a major increase in false positives.
Literally all hotmail and yahoo addresses are being caught by sniffer,
inclusive of other legit domains.

Please confirm what may be causing this and what I can do to resolve the
issue.

Regards,

Ali



Re: [sniffer] False Positives

2006-01-18 Thread Darin Cox
Agreed.  We counted 100 false positives yesterday, compared to our normal
rate of less than 5.

No false positives since 6pm ET yesterday, though.  Thank goodness.

Darin.




Re: [sniffer] False Positives

2006-01-18 Thread Pete McNeil
On Wednesday, January 18, 2006, 8:57:56 AM, Ali wrote:

AR Hi,

AR Over the last 2 days I have seen a major increase in false positives.
AR Literally all hotmail and yahoo addresses are being caught by sniffer,
AR inclusive of other legit domains.

AR Please confirm what may be causing this and what I can do to resolve the
AR issue.

Please visit:

http://www.mail-archive.com/sniffer@sortmonster.com/msg02346.html

and

http://www.mail-archive.com/sniffer@sortmonster.com/msg02348.html

Thanks,

_M




RE: [sniffer] false positives which catagories?

2005-08-11 Thread Keith Johnson
Scott,

HS = Test says ham, final result was spam. This is an inaccurate ham result.
'False negative'

How are you auto-determining that an email that was ham was really spam?  Are
you keying this info into your stats based on your viewing of the email or
by user complaint?  Obviously, if Declude triggers an email to have action on
it based on spam settings it was spam, and if it didn't take action on it and it
went through to your users it was ham.  Thanks again for the aid.

Keith 



From: [EMAIL PROTECTED] on behalf of Scott Fisher
Sent: Thu 8/4/2005 10:02 AM
To: sniffer@SortMonster.com
Subject: Re: [sniffer] false positives which catagories?


I have my sniffer result histories by category posted at:
http://it.farmprogress.com/declude/Testsbymonth.html
Look about 90% down the page.

- Original Message - 
From: Bonno Bloksma mailto:[EMAIL PROTECTED]  
To: sniffer@SortMonster.com 
Sent: Thursday, August 04, 2005 1:40 AM
Subject: [sniffer] false positives which catagories?

Hi,

I'd like to make a difference in the ways I score the various sniffer 
categories in Declude.
I hold at 20 and have had the several sniffer categories all at 19.
As we are a school for tourism I score sniffer travel lower but I would 
like to score some categories higher, at 20.
If we have a false positive it's mostly in the general, exp-abstract, 
ip-rules category is my feeling.

Someone must have made a comparison of false positives against sniffer 
and in which categories those fp's are mostly. Right?
Which categories have virtually no FPs and which should I keep (well) 
below my hold level?
Of course all held mail gets reviewed by me, unless it scores enough 
other points to get deleted (at 27 points).


Regards,


Bonno Bloksma



Re: [sniffer] false positives which catagories?

2005-08-11 Thread Darin Cox
If the test fails, but the message does not hit the hold or delete weight.

Not a perfect measurement, as it does not capture all ham (ham that hits the
hold or delete weight), and misses some spam (spam that does not hit the
hold or delete weight), but it is the most accurate and least subjective
measurement.

Darin.


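The weighting Bonno describes (Sniffer categories at 19, hold at 20, delete at 27, travel scored lower) and the result-history codes Keith quotes (HS = test says ham, final result spam), computed the way Darin describes: a test's verdict is whether it fired, the final verdict is whether the message reached the hold weight. This is an added example in Python, not Declude's or Message Sniffer's code; the test names, the per-test weights and the messages are constructed, with only the 19/20/27 figures taken from the thread.

```python
"""Score constructed messages against Declude-style weights and tabulate each
test's result history (HH/HS/SH/SS) using "reached the hold weight" as the
final verdict, the proxy measurement described in the thread.

Added example, not code from Declude or Message Sniffer. Test names, weights
and messages are constructed; only hold 20 / delete 27 / categories at 19
come from the thread.
"""
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Mapping, Sequence, Tuple

HOLD_WEIGHT = 20    # "I hold at 20"
DELETE_WEIGHT = 27  # "deleted (at 27 points)"

# Per-test weights in the style of a Declude configuration (constructed).
WEIGHTS: Dict[str, int] = {
    "SNIFFER-GENERAL": 19,
    "SNIFFER-EXP-ABSTRACT": 19,
    "SNIFFER-IP-RULES": 19,
    "SNIFFER-TRAVEL": 10,      # scored lower, as a tourism school would
    "SPAMHEADERS": 5,
    "HELOBOGUS": 8,
}

# Constructed sample: (message id, names of the tests that fired on it).
SAMPLE_MESSAGES: List[Tuple[str, List[str]]] = [
    ("m1", ["SNIFFER-GENERAL", "SPAMHEADERS"]),       # 24 -> hold
    ("m2", ["SNIFFER-TRAVEL"]),                       # 10 -> deliver
    ("m3", ["SNIFFER-TRAVEL", "HELOBOGUS"]),          # 18 -> deliver
    ("m4", ["SNIFFER-IP-RULES", "HELOBOGUS"]),        # 27 -> delete
    ("m5", ["SNIFFER-EXP-ABSTRACT"]),                 # 19 -> deliver, one short
    ("m6", ["SNIFFER-GENERAL", "SNIFFER-IP-RULES"]),  # 38 -> delete
    ("m7", ["SPAMHEADERS", "HELOBOGUS"]),             # 13 -> deliver
    ("m8", []),                                       #  0 -> deliver
]


def total_weight(fired: Iterable[str], weights: Mapping[str, int] = WEIGHTS) -> int:
    """Sum the weights of the tests that fired; unknown tests add nothing."""
    return sum(weights.get(test, 0) for test in fired)


def final_action(weight: int) -> str:
    """Map a total weight onto the action taken on the message."""
    if weight >= DELETE_WEIGHT:
        return "delete"
    if weight >= HOLD_WEIGHT:
        return "hold"
    return "deliver"


def actions(messages: Sequence[Tuple[str, List[str]]],
            weights: Mapping[str, int] = WEIGHTS) -> Dict[str, str]:
    """Final action per message id under the given weights."""
    return {mid: final_action(total_weight(fired, weights)) for mid, fired in messages}


def result_category(test_fired: bool, final_spam: bool) -> str:
    """Two-letter code: the test's verdict then the final result (S = spam,
    H = ham), so 'HS' is a miss by the test and 'SH' a false positive."""
    return ("S" if test_fired else "H") + ("S" if final_spam else "H")


def tabulate(messages: Sequence[Tuple[str, List[str]]],
             weights: Mapping[str, int] = WEIGHTS) -> Dict[str, Counter]:
    """Per-test counts of HH/HS/SH/SS. The final verdict is 'reached the hold
    weight', with no human review, which is the proxy the thread describes."""
    table: Dict[str, Counter] = defaultdict(Counter)
    for _mid, fired in messages:
        final_spam = total_weight(fired, weights) >= HOLD_WEIGHT
        for test in weights:
            table[test][result_category(test in fired, final_spam)] += 1
    return dict(table)


def proxy_fp_rate(table: Mapping[str, Counter], test: str) -> float:
    """Share of a test's hits that landed on messages which stayed below hold."""
    hits = table[test]["SH"] + table[test]["SS"]
    return table[test]["SH"] / hits if hits else 0.0


def reweight(weights: Mapping[str, int], changes: Mapping[str, int]) -> Dict[str, int]:
    """Copy of the weights with some tests rescored, for what-if comparisons."""
    new = dict(weights)
    new.update(changes)
    return new


if __name__ == "__main__":
    base = tabulate(SAMPLE_MESSAGES)
    for test in WEIGHTS:
        print(f"{test:22s} {dict(base[test])}  proxy FP rate {proxy_fp_rate(base, test):.2f}")
    # Raising one category to the hold weight, as proposed in the thread.
    raised = reweight(WEIGHTS, {"SNIFFER-EXP-ABSTRACT": 20})
    print("m5:", actions(SAMPLE_MESSAGES)["m5"], "->", actions(SAMPLE_MESSAGES, raised)["m5"])
```

The what-if at the end shows the circularity behind Darin's caveat that the measurement is not perfect: once a single category is scored at or above the hold weight, every message it fires on is held, so its SH count goes to zero by construction. The proxy then records what the weights did, not whether a reviewer would have called the message ham, so the categories sitting at 19 are the only ones this statistic can say anything about.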


RE: [sniffer] False Positives.

2005-05-10 Thread Judy Burnett
Pete,

Can you send these kinds of emails to Hamed instead of me please.
thanks

Judy Burnett
Everyones Internet, Ltd.
835 Greens Parkway, Suite 150
Houston, TX 77067
713-579-2802
Fax: 713-942-8621

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Monday, May 09, 2005 6:49 PM
To: Chuck Schick
Subject: Re: [sniffer] False Positives.

On Monday, May 9, 2005, 7:40:00 PM, Chuck wrote:

CS I am all of a sudden having all of the mail from one of our hosted domains
CS fail the sniffer-phishing.  The domain is srinternational.com - could you
CS please check on this.  All of the emails are different - just from the same
CS domain. 

Responding off list with rule details.

_M






Re: [sniffer] False Positives.

2005-05-09 Thread Pete McNeil
On Monday, May 9, 2005, 7:40:00 PM, Chuck wrote:

CS I am all of a sudden having all of the mail from one of our hosted domains
CS fail the sniffer-phishing.  The domain is srinternational.com - could you
CS please check on this.  All of the emails are different - just from the same
CS domain. 

Responding off list with rule details.

_M



