RE: Re[2]: [sniffer] Version 2-3.0i8 published.

2004-10-20 Thread Colbeck, Andrew
If I might butt in ... If you fire up Task Manager on a windows machine (or your favourite ps tool elsewhere), and set the View, Update Speed to High, then sort by the name in reverse, you will see multiple sniffer.exe and one with a PID that doesn't change. That's your persistent instance.

RE: Re[2]: [sniffer] Version 2-3.0i8 published.

2004-10-20 Thread Colbeck, Andrew
Whups, I missed out an important NOT in the second-to-last paragraph. Corrected version is below: -Original Message- From: Colbeck, Andrew Sent: Wednesday, October 20, 2004 10:29 AM To: '[EMAIL PROTECTED]' Subject: RE: Re[2]: [sniffer] Version 2-3.0i8 published. If I might butt

RE: [sniffer] Version 2-3.0i8 published.

2004-10-20 Thread Colbeck, Andrew
Exactly, Michiel. And Jorge, it may be stating the obvious, but you may well have to check the tickbox at the bottom of Task Manager to Show processes from all users. I said sniffer.exe merely as an example, the actual executable will be [your licence here].exe or snfrv2r3.exe if you're using

RE: [sniffer] Integrating Sniffer with new Imail Collaboration Suite

2004-10-27 Thread Colbeck, Andrew
Well, to play devil's advocate ... A poor man's way to run IMail and Message Sniffer without Declude could certainly be done without a massive re-write. I'm not going to claim that it would be *reliable* or *flexible* but you could certainly mimic what Declude does and change one registry key to

RE: [sniffer] Rulebase download script

2004-10-30 Thread Colbeck, Andrew
Title: Message Bill, you the man! I was just polishing my own script based on comments made by you and Bonno at the end of the week! My modest efforts are attached as a .txt file. A few comments from my own efforts: The wget compress option to save me and Pete some bandwidth isn't

RE: [sniffer] LogRotate no longer working?

2004-10-31 Thread Colbeck, Andrew
it for a day, you can slow your mail server down by letting sniffer append new log lines to an ever-growing 800+ MB text file! Andrew ;) -Original Message- From: Colbeck, Andrew Sent: Sunday, October 31, 2004 6:27 PM To: '[EMAIL PROTECTED]' Subject: RE: [sniffer] LogRotate no longer working? Oh

RE: Re[2]: [sniffer] LogRotate no longer working?

2004-10-31 Thread Colbeck, Andrew
the executable from the download archive. I think that covers it. Happy to help! Andrew 8) -Original Message- From: Pete McNeil [mailto:[EMAIL PROTECTED] Sent: Sunday, October 31, 2004 8:24 PM To: Colbeck, Andrew Subject: Re[2]: [sniffer] LogRotate no longer working? On Sunday, October 31

RE: [sniffer] Persistent Server setup with SrvAny Resource Kit tool

2004-10-31 Thread Colbeck, Andrew
Somewhere at the beginning of this was, I think, Andy's mention of starting the executable in persistent mode. When I was manually playing with that, I also didn't want a COMMAND window cluttering my desktop. So I used: start /B LicenseID.exe authcode persistent and put that in a batch file

RE: Re[6]: [sniffer] New Version 2-3.2 has been officially released.

2004-11-24 Thread Colbeck, Andrew
Two days for Thanksgiving?! American turkeys must have much more tryptophan than Canadian turkeys if you need an extra day to sleep it off. p.s. More favourite acronyms: RGE (Resume Generating Event) TLA (Three Letter Acronym) Andrew 8) -Original Message- From: Pete McNeil

RE: [sniffer] Not Getting Updates

2004-11-29 Thread Colbeck, Andrew
In the online manual, there is a how-to under Help (Q&A), Automated Updates: http://www.sortmonster.com/MessageSniffer/Help/AutomatingUpdatesHelp.html And includes various user-submitted scripts, one of which is triggered by an Imail rule to trigger a .cmd script. Andrew 8) -Original

RE: Re[2]: [sniffer] Recent SPAM

2004-11-30 Thread Colbeck, Andrew
Pete, could you recap for us how to set up a Declude project to forward non-sniffer-detected spam to a custom spamtrap address at SortMonster? Perhaps two versions, one for normal spamtrap, and one for spam that meets our chosen weight yet didn't trigger sniffer? I can piece together snippets

RE: [sniffer] test sender

2004-12-10 Thread Colbeck, Andrew
Title: Message Well, an indirect way to do this is to use the (undocumented?) Declude directive: rsp set off TESTNAME as the first bit of text in your test message. That won't actually trigger sniffer, but it will for the purpose of making your JunkMail think that the test has been

RE: [sniffer] Change in coding policies

2004-12-21 Thread Colbeck, Andrew
It sounds good to me, Pete. May I humbly suggest that this be a new result code, e.g. 046? Until now, Message Sniffer has been very parsimonious with the new categories, but this looks like one that will be here for a long time. Andrew 8) -Original Message- From: [EMAIL PROTECTED]

RE: Re[2]: [sniffer] Sniffer and SURBL

2005-01-10 Thread Colbeck, Andrew
, 2005 4:58 PM To: Colbeck, Andrew Subject: Re[2]: [sniffer] Sniffer and SURBL On Monday, January 10, 2005, 7:17:29 PM, Andrew wrote: CA Pete, I thought that you had said at one point that SortMonster CA fetches one or more SURBL zones and incorporates those as spam data CA for Message Sniffer

RE: [sniffer] Spam Storm Alert Follow Up

2005-01-24 Thread Colbeck, Andrew
For what it's worth, I'm definitely seeing an increase in volume over the weekend (double the spam, actually), and I believe it is tapering off already. In addition to the volume of separate messages, the number of recipients is generally up. The messages look generally like the kind of jobs

[sniffer] OT - Microsoft Patch Day - Exchange and SMTP updates

2005-02-10 Thread Colbeck, Andrew
Hello, all. Aside from the usual Internet Explorer and Office patches, this patch cycle also includes an update to the October update MS04-035 which affects a DNS query vulnerability in the SMTP handling in Windows 2000/2003 as well as Exchange 2003.

RE: [sniffer] OT - Microsoft Patch Day - Exchange and SMTP updates

2005-02-10 Thread Colbeck, Andrew
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, MRTG Integration, and Log Parsers. Colbeck, Andrew writes: Hello, all. Aside from the usual Internet Explorer and Office

RE: [sniffer] Determine Version

2005-02-19 Thread Colbeck, Andrew
Title: Message Yup, just type the executable's filename in a command window, and the version information is on the last couple of lines in the resulting help. Andrew 8) p.s. My version says build - v2-3.2 Nov 23 2004 01:21:33 -Original Message-From: Keith Johnson

RE: [sniffer] New change rates analysis

2005-02-20 Thread Colbeck, Andrew
http://www.sortmonster.com/MessageSniffer/Performance/ChangeRates.jsp Oooh, pretty! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil Sent: Sunday, February 20, 2005 3:52 PM To: sniffer@sortmonster.com Subject: [sniffer] New change rates

[sniffer] Money, drugs, and sex

2005-03-22 Thread Colbeck, Andrew
http://www.sophos.com/spaminfo/articles/spamwords.html Interesting, but a pity they didn't publish a list of, say, their 1,000 most popular obfuscations. Andrew 8) This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to

[sniffer] mini-obfuscation

2005-03-22 Thread Colbeck, Andrew
time for my cat since I implemented Sniffer. Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil Sent: Tuesday, March 22, 2005 4:37 PM To: Colbeck, Andrew Subject: Re: [sniffer] Money, drugs, and sex On Tuesday, March 22, 2005, 4:47:30

RE: [sniffer] MDLP Tests

2005-04-02 Thread Colbeck, Andrew
Jay, here's more web information on the mxrate tests: http://www.mxrate.com/lookup/dns.htm Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil Sent: Saturday, April 02, 2005 1:43 PM To: Jay Sudowski - Handy Networks LLC Subject: Re:

RE: [sniffer] Latest medication campaign

2005-04-13 Thread Colbeck, Andrew
On the weekend and since, I saw a lot of them get through but Sniffer was dutifully catching them; unfortunately, they also served to highlight Sniffer hyperaccuracy because those messages just weren't reaching my HOLD weight. Check out the Message Sniffer change rates for the last few days:

RE: [sniffer] Rule 353039 - .comcast.net

2005-05-10 Thread Colbeck, Andrew
Thanks for the quick work, Pete. I put in the Rule-panic entry as soon as you sent the email to this list. For what it's worth, I just finished with all my held mail for the last two days, and I had no false positives from messages with a mailfrom that included c o m c a s t. Lots of mail that

RE: [sniffer] Declude Question

2005-05-26 Thread Colbeck, Andrew
PM Spam volumes in general are up quite a bit since the german sober PM incident. In the past few days there have been a few new campaigns PM that have had a very aggressive delivery schedule For what it's worth, I'm seeing this more today, and in particular, from a wide number of IPs, instead of

RE: [sniffer] New Spam/Virus?

2005-06-06 Thread Colbeck, Andrew
Title: Message I'm seeing what Scott sees, but the payload is an encrypted zip. VirusTotal.com says: This is a report processed by VirusTotal on 06/06/2005 at 23:40:17 (CET) after scanning the file "DBB05F6330082B871.SMD" file. Antivirus Version Update Result

RE: [sniffer] New Spam/Virus?

2005-06-06 Thread Colbeck, Andrew
Title: Message http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FMYTOB%2EDV http://securityresponse.symantec.com/avcenter/venc/data/[EMAIL PROTECTED] This is the virus that I was seeing. The one that Jim and others are seeing may be this MyTob, whose description was

RE: [sniffer] Spam blocks loading me up with spam

2005-06-16 Thread Colbeck, Andrew
Title: Message I haven't noticed this spam leaking through, but at your prompting I did a: egrep ".+From: .+To: .+IP: 200\.49\." dec0616.log and saw about 46. A glance through these to:from:ip: lines definitely shows messages that fit your description, along with messages that don't (I'm

RE: [sniffer] Spam blocks loading me up with spam

2005-06-16 Thread Colbeck, Andrew
Title: Message Also, the domains in the body text are not hitting on SURBL tests. Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Thursday, June 16, 2005 3:34 PM To: sniffer@SortMonster.com Subject: RE:

RE: Re[2]: [sniffer] Spam blocks loading me up with spam

2005-06-16 Thread Colbeck, Andrew
Today I saw hits from this campaign on another IP block as well, and plugging that into SenderBase.org gives me: http://www.senderbase.org/search?searchString=200.49.37.130 Note in the top right that they list: 200.49.36.0/22 belonging to Network Access Point S.R.L., and following that link

RE: [sniffer] Spam blocks loading me up with spam

2005-06-17 Thread Colbeck, Andrew
Title: Message Gotta catch 'em all (not Pokemon, spam)... Sniffer caught all of them today: gawk "$0 ~ /.+From: .+To: .+IP: 200\.49\.[3|4|5]/ {print $3}" dec0617.log > temp.txt fgrep -ftemp.txt dec0617.log | fgrep "Total weight" If your volume is quite high, that second line, instead of

[sniffer] Phishers Jump On MasterCard Breach

2005-06-21 Thread Colbeck, Andrew
FYI http://www.securitypipeline.com/news/164901324 This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html

[sniffer] New, but broken worm?

2005-07-22 Thread Colbeck, Andrew
My email server has received about 200 of a certain message since 8:30 AM PDT. The Subject line is merely 1, the forged mailfrom is approximately the first 8 characters of the target address plus a forged domain. There is an attachment called 1.txt and a message text body that begins on a new

RE: [sniffer] New, but broken worm?

2005-07-22 Thread Colbeck, Andrew
I'm on updates this evening. I'll watch for this. It sounds like something that requires an abstract rule --- probably not enough content for the other coders to try it safely... I am surprised I didn't hear about it though... Please send me another note with a few of these as

RE: [sniffer] FireDaemon

2005-07-31 Thread Colbeck, Andrew
FireDaemon is dirt cheap. Yes, you can have one service for free if you find an older version. If you want free and will settle for no interface, then check out the free SrvAny.exe that is downloadable from Microsoft as part of their Windows Server Resource Kit. Andrew 8) From:

RE: Re[2]: [sniffer] Sniffer taking a long time?

2005-08-03 Thread Colbeck, Andrew
So basically, what you are saying is that my volume is really too low to take advantage of the persistent sniffer (and such may actually decrease my performance), and I should stick with the non-service version. Is that right? That is about what I thought (without the details of how

RE: [sniffer] Test

2005-08-04 Thread Colbeck, Andrew
Ping? Pong. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Mathias Sent: Thursday, August 04, 2005 3:59 PM To: sniffer@SortMonster.com Subject: [sniffer] Test Apologies, but need to test. Robert

RE: [sniffer] Sniffer Resources

2005-09-06 Thread Colbeck, Andrew
Richard, are you rotating your sniffer logs daily? I had the same experience a very long time ago, and found that without rotating the logs, appending to a monster text file was soaking up a lot of cpu and disk on my server. Bill Landry worked with a lot of people here to make his download script

RE: [sniffer] Integration with today's new ORF version:

2005-09-15 Thread Colbeck, Andrew
I just thought I'd revive this thread and say that on a tiny organization for whom I also administer the mail, this was welcome news. They have ORF plus Exchange 2000. I added the free eval version of sniffer to their mix with the new ORF External Agent feature. Despite the delay in patterns,

RE: [sniffer] YAhoo mails failing sniffer?

2005-09-22 Thread Colbeck, Andrew
Inversely, I just had a 419 scam come from a legitimate hotmail account, with a Yahoo! Email address as payload, and for the record, that email address (nor anything else) trigger a Sniffer detection. I've just submitted it to the spam@ address. Andrew 8) -Original Message- From:

RE: [sniffer] New virus...

2005-10-06 Thread Colbeck, Andrew
I suppose it depends on just how deep the sniffer signature goes... Previous viruses including Sober.* have come in waves, with variants that skirt all but the most intrusive antivirus blocking schemes. I submitted a sample to the Norman Sandbox, which turned up different information than the

[sniffer] OT: MDaemon HELO greeting

2005-10-26 Thread Colbeck, Andrew
Can anybody give me the short and sweet "how-to" change the HELO in MDaemon without changing the hostname of the mail server? I don't use MDaemon, I'm trying to help someone else. Thanks, Andrew 8)

RE: [sniffer] OT: MDaemon HELO greeting

2005-10-28 Thread Colbeck, Andrew
Thanks, Dave! From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Koontz Sent: Thursday, October 27, 2005 8:39 AM To: sniffer@SortMonster.com Subject: RE: [sniffer] OT: MDaemon HELO greeting Find or add the following Section to your MDaemon.ini file,

RE: [sniffer] POP3 Account Question

2005-12-05 Thread Colbeck, Andrew
(nuts, too fast on the "Send" button). ... plus, future hits on spam that is already detected can accumulate hits on, say, SNIFFEREXPIP that weren't already hitting. Therefore, trying to save bandwidth and processing power over at sortmonster.com by submitting less spam is not helpful.

RE: [sniffer] Rollback of bot rules..

2006-01-17 Thread Colbeck, Andrew
Thank you, Pete. In my spelunking, I've found too many rules to put in as panic entries my .cfg file, and this morning I dropped the weight for my experimental class tests to low values, and heavily edited my combo tests that build on Sniffer hits. I'm attaching a report showing the number of

[sniffer] Rulebots gone wild

2006-01-19 Thread Colbeck, Andrew
By the way, Pete, thank you very much for publicly posting the URL where we could download FPSigIDs.csv so that we could work on recovering our own false positives. I was able to use this information to selectively re-test all of the messages detected by those rules. That was 2,449 messages.

RE: [sniffer] Bad Rule - 828931

2006-02-07 Thread Colbeck, Andrew
Thanks for the update, Pete. I also appreciate that you expanded on how that rule went wild. I can see that the intent was good but the unintended consequences were not so good. Here's how it played out on my server: How many messages hit the FP rules: 2,042 How many messages Declude decided

RE: [sniffer] When to go persistent

2006-02-23 Thread Colbeck, Andrew
Goran, I'd be interested in Pete's technical answer, too. The practical answer is that you should always go with the persistent instance of Message Sniffer. From reading Pete's previous screeds and monitoring the list here in the last year and from having my own troubles, it's pretty clear to me

RE: Re[4]: [sniffer] When to go persistent

2006-02-24 Thread Colbeck, Andrew
Goran, When you issue a reload you can tell that the new rulebase is being used because the *.svr file's date and time will change to the current time. Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic Sent: Friday,

RE: [sniffer] Sniffer, MDLP, and invURIBL?

2006-02-25 Thread Colbeck, Andrew
Joe, Are you using MDLP to autotune your weights in Declude? If so, you can exclude invURIBL and other tests which you don't want to change, whether because you think the weight is perfect, or because their randomness doesn't fit MDLP's idea of a weighting system. Check out this snippet

RE: Re[2]: [sniffer] New Rulebot F001

2006-03-06 Thread Colbeck, Andrew
Pete, One of these was EarthLink [207.217.120.227], and one of these was Google Mail [64.233.166.182]. SpamBag lists the EarthLink address as a source of bogus bounces, and I posit that this would be the source of the mail to the spamtraps that would trigger the F001 bot. I would like to state

Re: [sniffer]Ebay Phishing Emails getting through

2006-05-17 Thread Colbeck, Andrew
Certainly, submitting samples to spam@ (or preferably your local spam submission point polled by our bots) will put these messages in front of us if we have not already created rules for them. I've just manually submitted the ~35 messages that my filters triggered on for phishing that

Re: [sniffer]Possible Paypal Phishing

2006-05-24 Thread Colbeck, Andrew
? John T eServices For You Seek, and ye shall find! -Original Message- From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Wednesday, May 24, 2006 9:38 AM To: Message Sniffer Community Subject: Re: [sniffer]Possible Paypal

Re: [sniffer]AW: [sniffer]AW: [sniffer]Concerned about amount of spam going through

2006-06-06 Thread Colbeck, Andrew
David, Are you using the free version of sniffer? Or did you deliberately change your .exe name in your posting to sniffer.exe to hide your licence number? I certainly expect that the rulebase lag with the free version will result in lower Message Sniffer hit rates. I've seen the free version

Re: [sniffer]A design question - how many DNS based tests?

2006-06-06 Thread Colbeck, Andrew
I use just shy of 60 DNS based tests against the sender, both IP4R and RHSBL. Perhaps 10-12 matter. Due to false positives, I rate most of them relatively low and have built up their weights as a balancing act. That act is greatly assisted by using a weighting system and not reject on first

Re: [sniffer]Numeric spam

2006-06-06 Thread Colbeck, Andrew
So no one has any idea what the purpose of these emails are? The bad guys aren't telling. The good guys have lots of theories, such as: http://isc.sans.org/diary.php?storyid=1384 and also: http://www.f-secure.com/weblog/archives/archive-062006.html#0894 which in turn points to

Re: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]FP suggestions

2006-06-07 Thread Colbeck, Andrew
(sniff) Aw, cut it out, Matt. You're making me all weepy. p.s. Pete, that's pretty darned amazing! From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Wednesday, June 07, 2006 3:58 PM To: Message Sniffer Community Subject: Re: [sniffer]Re[2]:

[sniffer] Numeric spam source has been revealed

2006-06-09 Thread Colbeck, Andrew
It was broken code in the latest Bagel/Beagle: http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.fc.html Andrew 8) # This message is sent to you because you are subscribed to the mailing list

[sniffer] Re: Weight Gate Success? Failure?

2006-06-13 Thread Colbeck, Andrew
Pete, I plan to use it or something similar in non-production once I set up a new test system. A quick test with a batch file worked fine. Although I'm no programmer, I have reviewed the source and saw no obvious logical problems or coding flaws. Rigorous testing on the command line showed that

[sniffer] Re: AW: [sniffer] Re: Update pacing...

2006-06-22 Thread Colbeck, Andrew
FWIW I take the belt and suspenders approach. The rulebase notification by email does trigger a Message Sniffer update script on my system, but I don't rely on it solely. In addition, I also use an "at" schedule every four hours. As in Markus' (and Bill's) sample, I use the -N parameter

[sniffer] Re: Lots of drug spam getting through

2006-08-21 Thread Colbeck, Andrew
Would that be the Laugh in the subject line pharmaceutical spam campaign? That was mentioned by Dave Doherty on the Declude.JunkMail mailing list, and when I checked my logs I found many hundreds with clear variations on the keywords in the text, e.g. there is a joke about lawyers and they are

[sniffer] Re: Paypal failing SNIFFER-GENERAL

2006-08-23 Thread Colbeck, Andrew
Column 7 is the one that contains the rule that was hit. In this case, it was 1100444. Column 8 is the one that contains the group. In this case, it was 60 Ungrouped Black Rules (Sniffer General). Andrew 8) -Original Message- From: Message Sniffer Community [mailto:[EMAIL

[sniffer] Re: Significant increase in false positives

2006-10-17 Thread Colbeck, Andrew
I'm attaching an old message to this list which may come in handy. It's from my perspective, which is using Declude and IMail, with the spam messages in d:\imail\spool\spam and needing to be moved to d:\imail\spool to be re-scanned. Now that I use a newer version of Declude, my

[sniffer] Re: yahoo mail problems

2006-10-17 Thread Colbeck, Andrew
I had a similar problem with Hotmail once upon a time; the details were different, but the remedy was the same. I run a caching DNS server on my outbound DNS host, so I simply added a DNS zone for Yahoo.com on it, and populated only enough MX record information so that I could reliably get

[sniffer] Re: Version 2-3.5 Release -- Faster Engine

2006-10-23 Thread Colbeck, Andrew
That's good news, Pete. And with the WeightGate executable and source thrown in at no extra charge! Andrew 8) -Original Message- From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil Sent: Monday, October 23, 2006 9:26 AM To: Message Sniffer

[sniffer] Re: Increase in spam

2006-10-25 Thread Colbeck, Andrew
For another organization's graph of spam trends as received by them, check out the updated graphs at TQM cubed: http://tqmcube.com/tide.php Their graph shows a sharp uptick at the end of June 2006. Andrew 8) -Original Message- From: Message Sniffer Community [mailto:[EMAIL

[sniffer] Re: Yahoo! Is Retarded

2006-10-26 Thread Colbeck, Andrew
I like your new sig, John. How's this for an addendum? "Experience is that which you acquire, just after you needed it." Andrew 8) From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists) Sent: Thursday, October 26, 2006 8:13 AM To: Message

[sniffer] Zombie message volume

2006-11-07 Thread Colbeck, Andrew
This diary entry over at the Internet Storm Center points to an increased volume of traffic from probable zombies, and they posit that the increase in this traffic would coincide with the spam increase that people are seeing. http://isc.sans.org/diary.php?storyid=1828 Their graph shows a sharp

[sniffer] Re: Configuring Sniffer in declude....

2006-11-30 Thread Colbeck, Andrew
If you don't mind, does WeightGate add any noticeable CPU cycles to run on top of running Sniffer? Thanks for the aid. On a 100,000 emails per day on a 2.8 GHz Xeon, no, it doesn't. Andrew 8) -Original Message- From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On

[sniffer] Re: Sniffer White List

2006-12-12 Thread Colbeck, Andrew
Serge, what return value are you using for this sniffer whitelist? The official and current list of return codes is here: http://kb.armresearch.com/index.php?title=Message_Sniffer.TechnicalDetails.ResultCodes If you're using 0, then don't do that, because zero is also used for no result.

[sniffer] Re: Pictures worth a few words...

2007-01-16 Thread Colbeck, Andrew
Postini posts some statistics here, but their conclusions can lag by months: http://www.postini.com/stats/index.php global spam traffic is a big concept... Postini did however process over 650 million messages in the last 24 hours. Andrew. -Original Message- From: Message Sniffer

[sniffer] Re: Files in Sniffer Directory

2007-03-08 Thread Colbeck, Andrew
Would it be a good idea in a future version to delete files that are older than a certain date automatically? I disagree. Having MessageSniffer delete the old files would hide the problem. With the messages left behind, you have a valuable symptom that something is wrong with your

[sniffer] Re: SPAM Storm?

2007-03-19 Thread Colbeck, Andrew
... Not in my neck of the network. Andrew. -Original Message- From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Computer House Support Sent: Monday, March 19, 2007 3:19 PM To: Message Sniffer Community Subject: [sniffer] Re: SPAM Storm? Is it me, or is

[sniffer] Re: Downloads are not working....

2007-05-17 Thread Colbeck, Andrew
My last upload averaged a lame 6 KB/s. My last download varied widely in the speed obtained: 0K .. .. .. .. .. 17.85 KB/s 50K .. .. .. .. .. 9.58 KB/s 100K .. .. .. ..

[sniffer] Re: Downloads are not working....

2007-05-17 Thread Colbeck, Andrew
Thanks for the update, Pete. Over on the Declude JunkMail support mailing list, it's like déjà vu all over again. Andrew 8) p.s. For the many of us here that don't subscribe to that list... The small number of recently active messages have been re-queued to the list several times.

[sniffer] Spammers turning to PDF attachments?

2007-06-21 Thread Colbeck, Andrew
See this article at the Internet Storm Center: http://isc.sans.org/diary.html?storyid=3012 Pump and dump scams now in PDF Published: 2007-06-20, Last Updated: 2007-06-20 21:33:39 UTC by Maarten Van Horenbeeck (Version: 1) Apparently the groups behind what we know as pump and dump spam have

[sniffer] Re: Bad Rule: 1604021

2007-10-16 Thread Colbeck, Andrew
Thanks for reporting this, Pete! My numbers were more extreme than Pi-Web's. That bad rule triggered on 18,023 messages yesterday. Due to the rest of my spam software, two-thirds were either passed (as presumed ham) or deleted (as very spammy). So the one-third that was held, I re-scanned

[sniffer] Re: Beta

2007-10-17 Thread Colbeck, Andrew
Pete, one of the questions I had right away when I looked at the documentation accompanying the software package was about the communication channel. The documentation clearly pointed out that ports 25 is the default and that 80 is selectable, but didn't go further. I just answered my own

[sniffer] Re: Sniffer codes

2007-11-09 Thread Colbeck, Andrew
The Ugly value returned by the beta Message Sniffer you're using with the Good, Bad and Ugly database has a result code of 40, and this code is missing from your list. (The White value overlaps with result code 0, which internally to Message Sniffer will mask any other spam result code on your

[sniffer] Re: No email updates.

2007-11-21 Thread Colbeck, Andrew
For what it's worth, it is working for my two licences. I received email update notifications at: 90 minutes ago, 3 hours 18 minutes ago, 4 hours 38 minutes ago, 6 hours 13 minutes ago Andrew 8) -Original Message- From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Frederick

[sniffer] Re: Rule Database copy question

2008-01-16 Thread Colbeck, Andrew
It appears that both the reload and the rotate options in the sniffer executable are still accepted by SNFClient.exe but are deprecated, as neither parameter appears in the help or in the contextual help when SNFClient.exe is run without parameters. Andrew.

[sniffer] Re: Rule Database copy question

2008-01-16 Thread Colbeck, Andrew
Thanks for the response, Pete! I was using both parameters in my scheduled pattern download script, which would tell Sniffer that there was a new pattern, and would rotate the logs before uploading them back to you. With the new (beta) version, both extras have become redundant, so I've

[sniffer] Re: Ideal config for scaleable solution?

2008-02-22 Thread Colbeck, Andrew
Paul, since you're working in a Windows world, check out Alligate from alligate.com as a Windows platform based email gateway. I've put Alligate in front of my Declude setup and it drastically reduced the number of emails I had scan for content and sender in Declude, and gained back a lot of disk

[sniffer] Re: XYNTService -- Any Problems?

2008-05-09 Thread Colbeck, Andrew
I've never used it, Pete. My first reaction was... don't go to a third party (XYNTService, SrvAny, FireDaemon) just make the executable a full fledged Windows Service. I do realize that you'd be reluctant to do that given the additional complexity of the code, none of which is portable to the

[sniffer] Re: Test

2008-05-26 Thread Colbeck, Andrew
pong ... From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of John T Sent: Monday, May 26, 2008 9:08 AM To: Message Sniffer Community Subject: [sniffer] Test Ping Testing as I have not received any list messages for a while. John T

[sniffer] Re: Bad rule alert: 1940812

2008-06-17 Thread Colbeck, Andrew
Pete, if we have a significant number of hits, they'll be from all kinds of IP sources. Should we dump the GBUdb? If so, how? The documentation is perfectly clear on how to tweak an IP or dump an IP in the GBUdb, but doesn't mention a wholesale clearing of it. Andrew. -Original

[sniffer] Re: Bad rule alert: 1940812

2008-06-17 Thread Colbeck, Andrew
Thanks, Pete. I had very few actual hits; I have lots of lines that indicate the rule panic in place, but the number of actual hits is quite small. How I found my hits: cd /d C:\MessageSniffer gawk "($6 == \"Final\") && ($7 == 1940812)" *.20080617.log Andrew. -Original Message- From:

[sniffer] Re: Bad rule alert: 1940812

2008-06-17 Thread Colbeck, Andrew
Thanks, Pete. I had four actual false positives on one server, versus 324 unique hits for the bad rule. So yes, I'd say that the autopanic feature worked quite well. Andrew. -Original Message- From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil Sent:

[sniffer] Re: It's official. SNF Version 3.0 is Ready!

2008-06-26 Thread Colbeck, Andrew
Congratulations on shipping, Pete! Andrew 8) p.s. Hey, I love the new mascot. Much cuter than the old SortMonster... -Original Message- From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil Sent: Thursday, June 26, 2008 12:24 PM To: Message Sniffer

[sniffer] Re: Problem with Sniffer-Porn rule this morning

2008-07-18 Thread Colbeck, Andrew
I also have hit this. A single hit, also from AOL. Andrew. From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox Sent: Friday, July 18, 2008 6:37 AM To: Message Sniffer Community Subject: [sniffer] Problem with Sniffer-Porn rule

[sniffer] Re: Problem with Sniffer-Porn rule this morning

2008-07-18 Thread Colbeck, Andrew
. From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Friday, July 18, 2008 8:31 AM To: Message Sniffer Community Subject: [sniffer] Re: Problem with Sniffer-Porn rule this morning I also have hit this. A single hit, also from AOL. Andrew

[sniffer] Re: Message Sniffer question

2009-04-30 Thread Colbeck, Andrew
It works for me. Thanks, Pete! I used the documentation here: http://www.armresearch.com/support/articles/software/snfServer/config/autoUpdates.jsp I wanted a simplified system that more closely reflected what the vendor ships, so I've stopped using my home-grown wget based script which was

[sniffer] overriding the GBUdb

2009-04-30 Thread Colbeck, Andrew
I recently used snfclient.exe to whitelist the IP address (actually a whole /24) of a mailing list manager that my users deem to be trustworthy. snfclient.exe -set 64.62.197.53 good - - You might argue the merits of this IP address, but that's not why I'm writing... I deliberately left alone

[sniffer] Re: overriding the GBUdb

2009-04-30 Thread Colbeck, Andrew
. From: Message Sniffer Community [mailto:snif...@sortmonster.com] On Behalf Of Pete McNeil Sent: Thursday, April 30, 2009 1:14 PM To: Message Sniffer Community Subject: [sniffer] Re: overriding the GBUdb Colbeck, Andrew wrote: I recently used snfclient.exe

[sniffer] Re: Bad rule: 2524136

2009-06-18 Thread Colbeck, Andrew
Thanks for the heads-up, Pete. For what it's worth, I had a hit on only one message on each of my gateways, from different senders. The Sniffer General result code wasn't weighted high enough on my Declude system to hold either message because they came from senders with clean implementations.

[sniffer] Re: SNFMilter released and a few other updates...

2009-07-29 Thread Colbeck, Andrew
Niiice, Pete. Andrew 8) -Original Message- From: Message Sniffer Community [mailto:snif...@sortmonster.com] On Behalf Of Pete McNeil Sent: Wednesday, July 29, 2009 2:51 PM To: Message Sniffer Community Subject: [sniffer] SNFMilter released and a few other updates... Hello

[sniffer] Re: RulePanic on 2654821

2009-09-08 Thread Colbeck, Andrew
The scores over here for the messages that trigger on rule 2654821 today: spam that hit the rule: 4 ... and were porn: 0 ham that was held by my weight system: 5 ham that was allowed by my weight system: 3 subsequent panic log lines: 139 Thanks for the heads up, Darin. I was able to re-queue

[sniffer] Re: Bad rule alert: 2784910

2009-11-26 Thread Colbeck, Andrew
All clear here, Pete. Thanks for both of the notices, Andrew. -Original Message- From: Message Sniffer Community [mailto:snif...@sortmonster.com] On Behalf Of Pete McNeil Sent: Thursday, November 26, 2009 8:45 AM To: Message Sniffer Community Subject: [sniffer] Bad rule alert:

[sniffer] Re: RulePanic on 3059196

2010-04-06 Thread Colbeck, Andrew
For what it is worth, there are zero hits on my two servers for this Rule. I looked back through the last 7 days. Andrew. -Original Message- From: Message Sniffer Community [mailto:snif...@sortmonster.com] On Behalf Of Darin Cox Sent: Tuesday, April 06, 2010 9:48 AM To: Message
