Re: [sniffer] false positives which catagories?

2005-08-11 Thread Darin Cox
If the test fails, but the message does not hit the hold or delete weight. Not a perfect measurement, as it does not capture all ham (ham that hits the hold or delete weight), and misses some spam (spam that does not hit the hold or delete weight), but it is the most accurate and least subjective

Re: [sniffer] Sniffer Resources

2005-09-06 Thread Darin Cox
What do the logs say? What's the average time to process a message? Darin. - Original Message - From: Richard Farris [EMAIL PROTECTED] To: sniffer@SortMonster.com Sent: Tuesday, September 06, 2005 11:07 AM Subject: [sniffer] Sniffer Resources When I turn off sniffer my server acts

Re: [sniffer] Damn viagra spam

2005-09-14 Thread Darin Cox
We just reported one to Sniffer support for analysis as well. Darin. - Original Message - From: Heimir Eidskrem [EMAIL PROTECTED] To: sniffer@sortmonster.com Sent: Wednesday, September 14, 2005 3:34 PM Subject: [sniffer] Damn viagra spam We are getting tons of spam for viagra and

Re: [sniffer] Damn viagra spam

2005-09-14 Thread Darin Cox
Yeah, and whoever is on this list from Poynerlaw.com needs to stop postmaster replies for messages failing their spam tests. I got a nice little automated reply from them when I replied to Heimir's message. Since most spam and virus content is forging these days, postmaster replies just add to

Re: [sniffer] Declude Actions

2005-09-15 Thread Darin Cox
Deleting on any one test is not a good idea. However, we do hold on some single tests, and review for false positives. Our hold weight is 100 and delete is 300. We rarely see a false positive above 200 though. Darin. - Original Message - From: Timothy C. Bohen [EMAIL PROTECTED] To:

Re: [sniffer] New virus...

2005-10-06 Thread Darin Cox
That's only in Virus Pro, right? I don't think BANZIPEXTS is available in Standard or Lite. Darin. - Original Message - From: John T (Lists) [EMAIL PROTECTED] To: sniffer@SortMonster.com Sent: Thursday, October 06, 2005 3:01 AM Subject: RE: [sniffer] New virus... No need to block

Re: [sniffer] [Declude.Virus] Possible new virus

2005-10-06 Thread Darin Cox
Another possible variant overnight at 4:30AM ET. Same routing as the new Sober variant from yesterday, but different attachment: screen_photo.zip Darin. - Original Message - From: Darin Cox To: Declude.Virus@declude.com Sent: Wednesday, October 05, 2005 10:33 PM Subject

Re: [sniffer] Spam keeps getting through...

2005-10-11 Thread Darin Cox
I believe Pete is moving to a POP account approach. You would set up a POP account for spam and another for false positives, and send them the login info to it. Then have your users forward messages to the POP accounts as attachments (that's the hardest part, which is why we still have them sent

Re: Re[4]: [sniffer] POP Approach

2005-10-14 Thread Darin Cox
Hi Pete, Do you send out notices to licensees to let them know to renew ahead of time? I think we're getting close to renewal, and want to make sure we don't lapse. Darin. - Original Message - From: Pete McNeil [EMAIL PROTECTED] To: Rick Hogue sniffer@SortMonster.com Cc: [EMAIL

Re: Re[6]: [sniffer] POP Approach

2005-10-14 Thread Darin Cox
Great. Just wanted to make sure we put in a reminder if we needed to remember it. Thanks, Pete. Darin. - Original Message - From: Pete McNeil [EMAIL PROTECTED] To: Darin Cox sniffer@SortMonster.com Sent: Friday, October 14, 2005 2:13 PM Subject: Re[6]: [sniffer] POP Approach

Re: [sniffer] Message Sniffer is not detecting some really bad email

2005-11-02 Thread Darin Cox
Yep... send them to spam (at), from the email that you have on record with them. Sending as an attachment so they get complete headers is usually best, but they can also work with just the body of the message. Darin. - Original Message - From: Gary Schick To:

[sniffer] Rash of false positives

2005-11-08 Thread Darin Cox
Hi Pete, What's going on over there? We had somewhere between 5 and 10 times the usual number of Sniffer false positives this morning. They are across the board, so it's not just one rule that's catching them, or a particular set of senders or receivers. Hopefully you can get it under

Re: [sniffer] Rash of false positives

2005-11-08 Thread Darin Cox
Stein Computer House www.computerhouse.com - Original Message - From: Darin Cox To: sniffer@SortMonster.com Sent: Tuesday, November 08, 2005 8:45 AM Subject: [sniffer] Rash of false positives Hi Pete, What's going on over there? We had somewhere between 5

Re: [sniffer] Rash of false positives

2005-11-08 Thread Darin Cox
an old rule base from several days again ? If so, try that to see if it temporarily resolves the false positives. -Original Message- From: "Darin Cox" [EMAIL PROTECTED] To: sniffer@SortMonster.com Date: Tue, 8 Nov 2005 08:45:39 -0500 Subject: [sniffer] Rash of false positives

Re: [sniffer] Rash of false positives

2005-11-08 Thread Darin Cox
developed a feeling that Message Sniffer has become too tight. - Original Message - From: Darin Cox To: sniffer@SortMonster.com Sent: Tuesday, November 08, 2005 8:54 AM Subject: Re: [sniffer] Rash of false positives We're seeing a continual stream of false positives. It's

Re: [sniffer] Rash of false positives

2005-11-08 Thread Darin Cox
we can avoid it in the future. Thanks, Darin. - Original Message - From: Darin Cox To: sniffer@SortMonster.com Sent: Tuesday, November 08, 2005 8:45 AM Subject: [sniffer] Rash of false positives Hi Pete, What's going on over there? We had somewhere between 5 and 10 times the usual

Re: Re[2]: [sniffer] Rash of false positives

2005-11-08 Thread Darin Cox
staff, but the quality of the rules is imperative. Anything you can do to keep that quality high is much appreciated. Thanks, Darin. - Original Message - From: Pete McNeil To: Darin Cox Sent: Tuesday, November 08, 2005 2:49 PM Subject: Re[2]: [sniffer] Rash of false positives

Re: Re[4]: [sniffer] Rash of false positives

2005-11-08 Thread Darin Cox
too late when we saw the problem this morning. Thanks, Darin. - Original Message - From: Pete McNeil To: Darin Cox Sent: Tuesday, November 08, 2005 4:03 PM Subject: Re[4]: [sniffer] Rash of false positives On Tuesday, November 8, 2005, 3:25:20 PM, Darin wrote

Re: Re[4]: [sniffer] Rash of false positives

2005-11-09 Thread Darin Cox
of mail If things don't get back to normal I will be back.. Richard Farris Ethixs Online 1.270.247. Office 1.800.548.3877 Tech Support "Crossroads to a Cleaner Internet" - Original Message - From: Pete McNeil To: Darin Cox Sent: Tuesday, Nove

Re: [sniffer] Last chance to renew at the old price!

2005-12-27 Thread Darin Cox
Hi Michael, How about false positive processing? That's our biggest headache, but it would be drastically reduced by faster processing than the 3-5 days we currently see. Darin. - Original Message - From: Michael Murdoch [EMAIL PROTECTED] To: sniffer@SortMonster.com Cc: Pete McNeil

Re: [sniffer] Last chance to renew at the old price!

2005-12-27 Thread Darin Cox
Wow... last minute notice. It's difficult to budget for these things with so little notice. Please consider a couple months' notice the next time. Darin. - Original Message - From: Pete McNeil [EMAIL PROTECTED] To: sniffer@sortmonster.com Sent: Tuesday, December 27, 2005 12:42 PM

Re: Re[2]: [sniffer] Last chance to renew at the old price!

2005-12-27 Thread Darin Cox
McNeil [EMAIL PROTECTED] To: Darin Cox sniffer@SortMonster.com Sent: Tuesday, December 27, 2005 5:08 PM Subject: Re[2]: [sniffer] Last chance to renew at the old price! Part of the purpose for additional staff is to reach a goal of FP processing measured in minutes to hours, never days

Re: [sniffer] False Positives

2006-01-18 Thread Darin Cox
Agreed. We counted 100 false positives yesterday, compared to our normal rate of less than 5. No false positives since 6pm ET yesterday, though. Thank goodness. Darin. - Original Message - From: Frederick Samarelli [EMAIL PROTECTED] To: sniffer@SortMonster.com Cc: [EMAIL PROTECTED]

Re: [sniffer] problems!!!!

2006-02-08 Thread Darin Cox
I have an idea. These problems seem to stem mostly from changes in the methods of handling rulebase updates. We were lucky enough not to be affected with the latest rule issue, but the previous one made for a very long day and some disgruntled customers. Would it be feasible to announce in

Re: Re[2]: [sniffer] problems!!!!

2006-02-08 Thread Darin Cox
that, and unfreeze once it was clear that no glut of false positives would result. Darin. - Original Message - From: Pete McNeil [EMAIL PROTECTED] To: Darin Cox sniffer@SortMonster.com Sent: Wednesday, February 08, 2006 11:13 AM Subject: Re[2]: [sniffer] problems On Wednesday, February 8

Re: Re[4]: [sniffer] problems!!!!

2006-02-08 Thread Darin Cox
. Darin. - Original Message - From: Pete McNeil [EMAIL PROTECTED] To: Darin Cox sniffer@SortMonster.com Sent: Wednesday, February 08, 2006 11:46 AM Subject: Re[4]: [sniffer] problems On Wednesday, February 8, 2006, 11:26:46 AM, Darin wrote: DC There was no error in my comment. I

Re: [sniffer] False Positive - no reaction?

2006-02-21 Thread Darin Cox
On average it takes 2 or three days to hear back on false positives. Darin. - Original Message - From: Andy Schmidt [EMAIL PROTECTED] To: sniffer@SortMonster.com Sent: Tuesday, February 21, 2006 9:40 AM Subject: [sniffer] False Positive - no reaction? Hi, I filed this false positive

Re: Re[2]: [sniffer] False Positive - no reaction?

2006-02-21 Thread Darin Cox
That queue concept would be wonderful! Hopefully it would have some simple info extracted to show recipient, sender, subject, header info, and info on the rule(s) it failed. One of my ongoing challenges is matching responses to reports and following up to see what additional actions are

[sniffer] False positive processing

2006-02-24 Thread Darin Cox
Pete, Thanks for the quicker turnaround in the last few days for false positive processing. We're seeing about half day now. Much appreciated! Darin.

Re: [sniffer] New Rulebot F001

2006-03-06 Thread Darin Cox
We just reviewed this morning's logs and had a few false positives. Not sure if these are due to the new rulebot, but it's more than we've had for the entire day for the past month. Rules -- 873261 866398 856734 284831 865663 Darin. - Original Message - From: Jay Sudowski -

Re: Re[2]: [sniffer] New Rulebot F001

2006-03-06 Thread Darin Cox
Thanks, Pete. Darin. - Original Message - From: Pete McNeil [EMAIL PROTECTED] To: Darin Cox sniffer@SortMonster.com Sent: Monday, March 06, 2006 6:17 PM Subject: Re[2]: [sniffer] New Rulebot F001 On Monday, March 6, 2006, 3:42:50 PM, Darin wrote: DC We just reviewed this morning's

Re: [sniffer] F001 Rule Bot Change

2006-03-09 Thread Darin Cox
Good job, Pete. Through these changes we saw a minimal increase in false positives on one day, and detection seems to have improved as well. Darin. - Original Message - From: Pete McNeil [EMAIL PROTECTED] To: sniffer@sortmonster.com Sent: Thursday, March 09, 2006 3:08 AM Subject:

Re: [sniffer] New RuleBot F002 Online

2006-03-10 Thread Darin Cox
Totally agree. I'd like to see some separation between rules created by newer rulebots and preexisting rules. That way if there becomes an issue with a bot, we can turn off one group quickly and easily. Darin. - Original Message - From: Matt [EMAIL PROTECTED] To:

Re: Re[2]: [sniffer] New RuleBot F002 Online

2006-03-13 Thread Darin Cox
McNeil [EMAIL PROTECTED] To: Darin Cox sniffer@SortMonster.com Sent: Monday, March 13, 2006 10:23 AM Subject: Re[2]: [sniffer] New RuleBot F002 Online On Friday, March 10, 2006, 3:41:00 PM, Darin wrote: DC Totally agree. I'd like to see some separation between rules created by DC newer rulebots

Re: [sniffer] False positive processing

2006-03-21 Thread Darin Cox
- From: Pete McNeil [EMAIL PROTECTED] To: Darin Cox sniffer@SortMonster.com Sent: Tuesday, March 21, 2006 11:21 AM Subject: Re: [sniffer] False positive processing On Tuesday, March 21, 2006, 9:38:46 AM, Darin wrote: DC DC DC Hi Pete, DC DC DC DC Are you getting behind on false positive processing

Re: [sniffer]Numeric spam

2006-06-06 Thread Darin Cox
They do, but you have to both specify that email for your domains only comes from your mail servers AND use a test in your spam filtering that checks SPF and pushes fails over your hold limit. Darin. - Original Message - From: Computer House Support To: Message Sniffer Community

Re: [sniffer]SPF

2006-06-06 Thread Darin Cox
Sspfpassx-10 Our SPF Record looks like this: computerhouse.com. IN TXT "v=spf1 mx mx:mail.computerhouse.com" mail.computerhouse.com. IN TXT "v=spf1 a -all" Your insight is appreciated. Michael Stein Computer House - Original Message - From: Darin Cox To: Messag

Re: [sniffer]FP suggestions

2006-06-07 Thread Darin Cox
The one issue with this I have is 1) Forward full original source to Sniffer with license code. If we could do it without the license code, it would be much easier to automate on our end. I already have a process in place to copy and reroute false positives by rewriting the Q file. I'm

Re: [sniffer]Re[2]: [sniffer]FP suggestions

2006-06-07 Thread Darin Cox
Hi Pete, Can I interpret this as email address and matching source IP are sufficient if the correct email address is used to submit? If not, do you have any suggestions on how you would like to see us inserting the license ID in the D file? Darin. - Original Message - From: Pete

Re: [sniffer]FP suggestions

2006-06-07 Thread Darin Cox
Oh, I assumed the rule had been removed. Are you saying there was a rule in place, but the FP processing somehow failed to find it? If so, I'd say that is a major failing on the part of the FP processing. There's no way that we can find time to go through the Sniffer logs after this bounces

Re: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]FP suggestions

2006-06-07 Thread Darin Cox
Awesome. Great job, Pete. Darin. - Original Message - From: Pete McNeil [EMAIL PROTECTED] To: Message Sniffer Community sniffer@sortmonster.com Sent: Wednesday, June 07, 2006 6:49 PM Subject: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]FP suggestions Hello Matt,

Re: [sniffer]Re[2]: [sniffer]FP suggestions

2006-06-07 Thread Darin Cox
Unfortunately, by the time the message gets to us it is sometimes just different enough that the original pattern cannot be found. There are some folks who consistently have success, and some who occasionally have problems, and a few who always have a problem. Different in what way? Is the mail

Re: [sniffer]FP suggestions

2006-06-07 Thread Darin Cox
Of course I'm sending the full message as an attachment. You can do that with Outlook by attaching an item, then browsing your mail folders for the message to attach. And yes, that's how you do it with Outlook Express as well. I don't use Thunderbird or Netscape mail, but I would assume you

[sniffer] Re: [sniffer][Fwd: Re: [sniffer]FP suggestions]

2006-06-08 Thread Darin Cox
Thunderbird and Netscape just takes the full original source and attaches it as a message/rfc822 attachment. I forwarded this message back to the list by just pressing Forward. Interesting that they include the headers with a simple forward, without specifying forward as attachment. I haven't

[sniffer] Re: New purchase question

2006-06-15 Thread Darin Cox
We zip ours nightly and save for 30 days just to make sure we don't miss anything in reviewing the hold queue. In practice, a week may be enough, but two is probably preferable. Darin. - Original Message - From: Phillip Cohen [EMAIL PROTECTED] To: Message Sniffer Community

[sniffer] Re: Lot of stock spam getting through....

2006-07-07 Thread Darin Cox
Great job, Pete! And thanks for all of your efforts to simultaneously increase the catch rate and decrease the FP rate. Darin. - Original Message - From: Pete McNeil [EMAIL PROTECTED] To: Message Sniffer Community sniffer@sortmonster.com Sent: Friday, July 07, 2006 11:11 AM Subject:

[sniffer] Paypal failing SNIFFER-GENERAL

2006-08-23 Thread Darin Cox
FYI... I just reported one of these, so watch out. Darin.

[sniffer] Re: Paypal failing SNIFFER-GENERAL

2006-08-23 Thread Darin Cox
Hi Pete, I'm not sure which column is which, but here are the log lines for the message (minus the authorization code) 20060823163449 D83a20d3001502962.SMD 0 32 Match 1100444 60 1502 1551 98 20060823163449 D83a20d3001502962.SMD 0 32 Final 1100444 60 0 3798 98 The FP was

[sniffer] Re: Sniffer does not catch as much as it used to.

2006-09-20 Thread Darin Cox
Hi Rick, It's a constant battle, with spammers getting more sophisticated, and filtering tools trying to catch up and anticipate the next move. That said, we do not see the kind of leakage you see, probably due to other tests we run on our systems. I would recommend you supplement with BLs and

[sniffer] Significant increase in false positives

2006-10-16 Thread Darin Cox
Anyone else seeing a sudden increase in FPs? We normally report a few each day, but we're seeing a 10x increase in FPs for the past three days. Darin.

[sniffer] Re: Significant increase in false positives

2006-10-16 Thread Darin Cox
We see this occasionally with Declude 1.82. What version are you running? Darin. - Original Message - From: Herb Guenther To: Message Sniffer Community Sent: Monday, October 16, 2006 5:35 PM Subject: [sniffer] Re: Significant increase in false positives Hi Darin; Not seeing a lot

[sniffer] Re: Declude header not modified correctly

2006-10-16 Thread Darin Cox
Ping them on the Declude list for the lack of response, and CC David Barker for a response. He seems to be the best means of getting results these days. What version are you running? Understandably you'll only get a response if you're running the latest 3.x or 4.x, as older versions are no

[sniffer] Re: Significant increase in false positives

2006-10-16 Thread Darin Cox
Ahh... good. The first thing they'll probably tell you is to update to the latest 4.x version, see if the problem persists, then re-report it. Darin. - Original Message - From: Herb Guenther To: Message Sniffer Community Sent: Monday, October 16, 2006 5:51 PM Subject: [sniffer]

[sniffer] Re: Significant increase in false positives

2006-10-16 Thread Darin Cox
For us, it doesn't calculate the proper weight when this happens, and only acts on the weight seen in the topmost headers. One of these years I'll finally exercise the right to use our 4.x license, I just don't have time for new problems at this point. Darin. - Original Message -

[sniffer] Re: Significant increase in false positives

2006-10-16 Thread Darin Cox
Hi Pete, I haven't looked at the Sniffer logs, as cross referencing from the Declude logs is a bit of a pain, but many of the FPs did have images, so that probably accounts for most of them if it was an Experimental rule. Darin. - Original Message - From: Pete McNeil To: Message

[sniffer] Re: Significant increase in false positives

2006-10-16 Thread Darin Cox
Hi Matt, I know Pete has requested this in the past, but Declude hasn't been willing to make the change necessary for this to make it in the headers. But I totally agree with you, I'd love to see this in the headers so tracking down the rule isn't such a pain. Darin. - Original

[sniffer] Re: Significant increase in false positives

2006-10-16 Thread Darin Cox
Hi Pete, Can you clarify what this .xhdr option is and how we can enable it? I don't remember anything in the documentation that describes it. I think there were references to the config file previously, but there was never anything about it in mine. If you could give an example of how to

[sniffer] Re: Significant increase in false positives

2006-10-17 Thread Darin Cox
Hi Pete, You're exactly right, but we often get spoiled by the high quality of your detection rate. It's easy to expect perfection when it means less work for us g. Thanks for all you do to keep the quality so high. Darin. - Original Message - From: Pete McNeil To: Message

[sniffer] Re: Significant increase in false positives

2006-10-17 Thread Darin Cox
Subject: [sniffer] Re: Significant increase in false positives On Oct 16, 2006, at 5:17 PM, Darin Cox wrote: Anyone else seeing a sudden increase in FPs? We normally report a few each day, but we're seeing a 10x increase in FPs for the past three days. What particular group, if any, are you

[sniffer] Re: Increase in spam

2006-10-18 Thread Darin Cox
We saw a sudden ~50% increase on July 16th, but only fluctuations and moderate growth since then. On weekdays we're now at 80% spam, 95% or better on weekends. Darin. - Original Message - From: Pete McNeil [EMAIL PROTECTED] To: Message Sniffer Community sniffer@sortmonster.com Sent:

[sniffer] Re: Declude header not modified correctly

2006-10-25 Thread Darin Cox
I have an active SA. I've sent support requests twice in the past few months to support@ and have gotten no response. Darin. - Original Message - From: Computer House Support [EMAIL PROTECTED] To: Message Sniffer Community sniffer@sortmonster.com Sent: Wednesday, October 25, 2006 9:11

[sniffer] Re: Declude header not modified correctly

2006-10-25 Thread Darin Cox
David Barker has also been good about responding, but that's not the issue. We should be able to go through standard support channels instead of having to remember to redirect support requests to alternative personnel. Darin. - Original Message - From: Computer House Support To:

[sniffer] Re: Declude List

2006-11-03 Thread Darin Cox
Nope... list is still active. If you're having trouble, I would suggest calling Declude Darin. - Original Message - From: Steve Oren [EMAIL PROTECTED] To: Message Sniffer Community sniffer@sortmonster.com Sent: Friday, November 03, 2006 1:48 PM Subject: [sniffer] Re: Declude List

[sniffer] Re: FTP server / firewall issues - Resolved.

2007-01-05 Thread Darin Cox
Hi Pete, Why the change? FTP is more efficient for transferring files than HTTP. Can we request longer support for FTP to allow adequate time for everyone to schedule, test, and make the change? I remember trying dHTTP initially when this was set up, but it wasn't working reliably, plus FTP is

[sniffer] Re: FTP server / firewall issues - Resolved.

2007-01-05 Thread Darin Cox
, nothing gained, nothing lost (measurably). Matt Darin Cox wrote: Thanks, Pete. Appreciate you taking the time to explain what's happening in more detail. I'm curious as to why FTP is more difficult than HTTP to debug, deploy, secure, and scale, though. I tend to think of them on equal footing

[sniffer] Re: Spam

2007-05-30 Thread Darin Cox
Fortunately with Outlook Express we have the Ctrl-W function to initiate the forwarding process. Then we can just type in the first few characters of the address and hit Alt-S to send. Not as quick as a single button, but much quicker than Outlook without this toolbar. Takes me about 4

[sniffer] Re: July 18

2007-07-18 Thread Darin Cox
There have been a lot reported today. It started for us about 8:30am. We use Declude and added a filter to catch messages with subjects starting with Emailing:, ending with .pdf and having a body containing The message is ready to be sent with the following file or link. This combination may

[sniffer] Re: New campaign not caught

2007-08-07 Thread Darin Cox
Just got one a short while ago. Look at these headers: Received: from p4248-ipbfp02matuyama.ehime.ocn.ne.jp [124.96.113.248] by mail.4cweb.com with ESMTP (SMTPD-8.22) id A0D001A0; Tue, 07 Aug 2007 12:41:52 -0400 Received: from [126.147.120.198] by p4248-ipbfp02matuyama.ehime.ocn.ne.jp with

[sniffer] FPs on 1573590

2007-09-21 Thread Darin Cox
Hi Pete, We're getting a number of FPs on SNIFFER-PORN rule 1573590. The emails are clean, NOT porn-related, and no obvious pattern was in the emails that we could see that Sniffer might be FPing on.. Darin.

[sniffer] Re: Address

2007-09-25 Thread Darin Cox
Probably not, but if you have the finder service exposed outside of your firewall (not recommended), then yes, this will help. It has nothing to do with SPF. Darin. - Original Message - From: [EMAIL PROTECTED] To: Message Sniffer Community sniffer@sortmonster.com Sent: Tuesday,

[sniffer] Re: Backscatter Spam

2008-06-29 Thread Darin Cox
SPF does help, and we've used it for about three years here, but only when the domain being forged has an SPF policy. So, it's most useful when the recipient domain is being forged as the sender as well. We've seen some joe job attacks with bounces around 25k to a single address. We filtered

[sniffer] Problem with Sniffer-Porn rule this morning

2008-07-18 Thread Darin Cox
Pete, There appears to be a problem with rule 1984485 this morning. I'm getting a number of FP hits on it from AOL users. Darin.

[sniffer] Re: Problem with Sniffer-Porn rule this morning

2008-07-18 Thread Darin Cox
Any word on this? Darin. - Original Message - From: Darin Cox To: Message Sniffer Community Sent: Friday, July 18, 2008 9:37 AM Subject: [sniffer] Problem with Sniffer-Porn rule this morning Pete, There appears to be a problem with rule 1984485 this morning. I'm getting a number

[sniffer] Re: Problem with Sniffer-Porn rule this morning

2008-07-18 Thread Darin Cox
Subject: [sniffer] Re: Problem with Sniffer-Porn rule this morning I also have hit this. A single hit, also from AOL. Andrew. From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox

[sniffer] Re: Problem with Sniffer-Porn rule this morning

2008-07-18 Thread Darin Cox
Yes. The rule is inert. However, according to the logs the rule would have been hit 27 more times had we not added the rule panic. Darin. - Original Message - From: Pete McNeil To: Message Sniffer Community Sent: Friday, July 18, 2008 12:16 PM Subject: [sniffer] Re: Problem with

[sniffer] Re: Problem with Sniffer-Porn rule this morning

2008-07-18 Thread Darin Cox
Hmmm... I don't think the rule was already pulled. We update our rulebase upon receipt of the notification of a new rulebase being available, and according to our logs the rule was in until at least 11:24am EDT. Darin. - Original Message - From: Pete McNeil To: Message Sniffer

[sniffer] Re: RulePanic on 2654821

2009-09-08 Thread Darin Cox
...@sortmonster.com] On Behalf Of Darin Cox Sent: Tuesday, September 08, 2009 1:49 PM To: Message Sniffer Community Subject: [sniffer] Re: RulePanic on 2654821 Neglected to mention it is a Sniffer-Porn rule. Darin. - Original Message - From: Darin Cox To: Message Sniffer Community Sent

[sniffer] Re: Testing a black-list,.. want to help?

2010-01-22 Thread Darin Cox
Hi Pete, We would be interested in testing the DNSBL. Darin. - Original Message - From: Pete McNeil madscient...@armresearch.com To: Message Sniffer Community sniffer@sortmonster.com Sent: Friday, January 22, 2010 12:48 PM Subject: [sniffer] Testing a black-list,.. want to help?

[sniffer] RulePanic on 2908567

2010-02-03 Thread Darin Cox
We're noticing a lot of FPs on this rule, and have added a RulePanic entry. Pete, is there a problem with it? Darin.

[sniffer] Re: RulePanic on 2908567

2010-02-03 Thread Darin Cox
in place. Darin. - Original Message - From: Darin Cox To: Message Sniffer Community Sent: Wednesday, February 03, 2010 9:02 AM Subject: [sniffer] RulePanic on 2908567 We're noticing a lot of FPs on this rule, and have added a RulePanic entry. Pete, is there a problem with it? Darin.

[sniffer] Re: RulePanic on 2908567

2010-02-03 Thread Darin Cox
Community sniffer@sortmonster.com Sent: Wednesday, February 03, 2010 9:41 AM Subject: [sniffer] Re: RulePanic on 2908567 Darin Cox wrote: We're noticing a lot of FPs on this rule, and have added a RulePanic entry. Pete, is there a problem with it? The rule was for passport.com -- it has

[sniffer] Re: RulePanic on 3059196

2010-04-06 Thread Darin Cox
Hi Pete, We've put a RulePanic in for 3059196, as we're getting a lot of FPs on it. Can you look at this rule, and/or let me know what it is? Thanks, Darin.

[sniffer] Re: Volume spike Mon 9AM EST

2010-05-10 Thread Darin Cox
I'm seeing it, too. Darin. - Original Message - From: Peer-to-Peer (Support) suppor...@peertopeer.net To: Message Sniffer Community sniffer@sortmonster.com Sent: Monday, May 10, 2010 9:21 AM Subject: [sniffer] Volume spike Mon 9AM EST Just checking to see if anyone else is seeing a

[sniffer] Re: Volume spike Mon 9AM EST

2010-05-10 Thread Darin Cox
Hi Pete, No. Not leakage. Sniffer et al are doing their job well. Just a large spike in incoming spam volume. It settled down for us by about 11am. Darin. - Original Message - From: Pete McNeil madscient...@armresearch.com To: Message Sniffer Community sniffer@sortmonster.com

[sniffer] Re: Rule Panic on 3364665

2010-08-17 Thread Darin Cox
. From: Message Sniffer Community [mailto:snif...@sortmonster.com] On Behalf Of Darin Cox Sent: Tuesday, August 17, 2010 12:11 PM To: Message Sniffer Community Subject: [sniffer] Rule Panic on 3364665 Hi, We've had a lot of FPs on this rule, and wanted

[sniffer] Re: Rule Panic on 3364665

2010-08-17 Thread Darin Cox
Thanks, Pete. Darin. - Original Message - From: Pete McNeil To: Message Sniffer Community Sent: Tuesday, August 17, 2010 3:37 PM Subject: [sniffer] Re: Rule Panic on 3364665 On 8/17/2010 3:10 PM, Darin Cox wrote: Hi, We've had a lot of FPs on this rule, and wanted to alert

[sniffer] RulePanic on 3741490

2011-01-07 Thread Darin Cox
Hi guys, We're seeing a lot of FPs on 3741490 this morning. I've added a RulePanic for it in our systems. Roughly 150 FPs from 6:55am until a few minutes ago... Darin.

[sniffer] Re: RulePanic on 3741490

2011-01-07 Thread Darin Cox
- From: Pete McNeil To: Message Sniffer Community Sent: Friday, January 07, 2011 11:27 AM Subject: [sniffer] Re: RulePanic on 3741490 On 1/7/2011 10:19 AM, Darin Cox wrote: Hi guys, We're seeing a lot of FPs on 3741490 this morning. I've added a RulePanic for it in our systems

[sniffer] Re: RulePanic on 3741490

2011-01-07 Thread Darin Cox
, 2011 1:43 PM Subject: [sniffer] Re: RulePanic on 3741490 On 1/7/2011 12:33 PM, Darin Cox wrote: Hmmm... so 70 minutes after the rule was released we were notified of the rule update for auto-update of rulebase, but at 10:11ET we still hadn't gotten the update for the 8:53am removal. Anything

[sniffer] FPs on Sniffer-Schemes

2012-03-12 Thread Darin Cox
Hi Pete, We're seeing a ton of FPs on a Sniffer-Schemes rule # 4764784. Darin.

[sniffer] Re: FPs on Sniffer-Schemes

2012-03-12 Thread Darin Cox
expect at least 30% were FPs for us. Most were referencing PO #s or orders for various customers. Darin. - Original Message - From: Darin Cox To: Message Sniffer Community Sent: Monday, March 12, 2012 5:17 PM Subject: [sniffer] FPs on Sniffer-Schemes Hi Pete, We're seeing a ton

[sniffer] Re: FPs on Sniffer-Schemes

2012-03-13 Thread Darin Cox
- From: Pete McNeil To: Message Sniffer Community Sent: Monday, March 12, 2012 6:22 PM Subject: [sniffer] Re: FPs on Sniffer-Schemes On 3/12/2012 5:41 PM, Darin Cox wrote: Started getting hits at 4:30pm EST up to 15 minutes ago (5:25pm EST). I think I can see part of the problem (possibly

[sniffer] Re: GBUdb Tool

2012-11-27 Thread Darin Cox
Hi Pete, Would you mind sharing your calculations of confidence and probability? I'm looking at the stats for p=1.0 and curious about the low confidence values. I would have expected high confidence where there were no good samples and a lot of bad... or do I have something backwards?

[sniffer] Re: IP Change on rulebase delivery system

2013-03-27 Thread Darin Cox
Probably unrelated... and due to a significant increase in spam over the past few days. Darin. From: Richard Stupek Sent: Wednesday, March 27, 2013 2:18 PM To: Message Sniffer Community Subject: [sniffer] Re: IP Change on rulebase delivery system Not sure if its related but since yesterday

[sniffer] Re: IP Change on rulebase delivery system

2013-03-28 Thread Darin Cox
Richard, Do you have any directories with a large number of files (4k)? We had a similar problem a few months back with sniffer scans taking much longer to complete and sniffer temporary files being left over. We finally traced the performance issues to a frequently accessed directory with

[sniffer] Re: How fast is *my* MessageSniffer? (was: IP Change on rulebase delivery system)

2013-03-28 Thread Darin Cox
Nice stats, Andrew! And Pete, thanks for spending so much time and effort to make it work so well, despite us beating on you because it doesn’t catch every spam campaign from the very first message! Sniffer has always been our number one tool in this battle. Darin. From: Colbeck, Andrew

[sniffer] Re: Slow processing times, errors

2013-06-27 Thread Darin Cox
When we had sluggish performance similar to yours, resulting in numerous sniffer .tmp files in the spool, the cause was eventually traced to a proliferation of files in the sniffer directory. Clearing them out brought performance back up to normal. Darin. From: e...@protologic.com Sent:

[sniffer] Re: Slow processing times, errors

2013-06-27 Thread Darin Cox
be different on our systems. Matt On 6/27/2013 5:25 PM, Darin Cox wrote: When we had sluggish performance similar to yours, resulting in numerous sniffer .tmp files in the spool, the cause was eventually traced to a proliferation of files in the sniffer directory. Clearing them out

[sniffer] Re: What is your oldest production CPU?

2013-12-27 Thread Darin Cox
Hi Pete, Our oldest production servers still have 1.1 - 1.4 GHz P3's in them. However, for mail our oldest are quad core 3Ghz Xeons. Darin. -Original Message- From: Pete McNeil Sent: Friday, December 27, 2013 9:43 AM To: Message Sniffer Community Subject: [sniffer] What is your