Hi Pete
During your last reports I haven't seen such a storm on my systems but now
this one I can notice it on some of my servers.
BTW: One of these servers has a usual spam/ham rate of 50/50%
In the last 24 hours it was 90/10%
From the 90% spam 79% was blocked with SBL-XBL during SMTP-Envelo
Maybe people at Sniffer are already aware of this new type of spam. (Not the
malformed mailfrom one but this with the short number and nothing else in
subject and body)
Attached are some examples from the last 8 hours. All have failed some other
tests and all have reached a final weight in order to be
> I only see Sniffer catching about 30% of SPAM and that's the
> highest it's ever been.
30% of spam or 30% of all processed messages?
Sniffer is still one of the best tests in my arsenal.
Markus
all SPAM identified SNIFFER is finding about 30%. We see
> an awful lot of junk email not being caught by SNIFFER, it's
> being processed by Declude and failing some technical tests
> but not by SNIFFER.
>
> -Original Message-
> From: Message Sniffer Community
Sorry in the table below the column header SH and HS must be switched.
Markus
> -Original Message-
> From: Message Sniffer Community
> [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
> Sent: Tuesday, June 6, 2006 12:17
> To: Message Sniffer Comm
I use around 80 tests on one system in order to watch them and how their
performance is going up and down. On other (high traffic) servers I use only
the best one.
I can confirm what others have mentioned as reliable blacklists (except
fiveten for European systems: fiveten has a FP-Rate of around 1
sniffer]AW:
> [sniffer]Concerned about amount of spam going through
>
> Are you sure? That would mean you only need sniffer, coz none
> of sniffer's ham is spam in the final result...
>
> -Original Message-
> From: Message Sniffer Community
> [mailto:[EMAIL PROTECTE
Today I've noticed that there is a relation between
the recipient addresses that were used in the past 36 hours in the numeric spam
messages and the following wave of stock-spam messages containing this
png-graphic. After checking around 10 Mailboxes there is a correspondence of
100%. Or they
Yes I can remember those days. At this time it was
fascinating to contribute the own time and brain with the goal to improve the
filters.
Now the only communication from Declude I receive is from
Declude Sales "... be advised that your Declude Service Agreement
will expire on ..."
Has an
> Please excuse me for wanting more detail about the Outlook
> attachment trick, but would you mind attaching this message
> to a response so that I could look at the headers and such?
The full headers are a useful thing if a customer asks me why he has
received a certain message that he doesn'
So now we know too that stock spam is sent out by beagly infected zombies.
Markus
> -Original Message-
> From: Message Sniffer Community
> [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
> Sent: Friday, June 9, 2006 17:36
> To: Message Sniffer Community
> Subject:
Instead of sending a mail
for each update I've disabled the email-notification (REM) and changed the
wget-line as follows
wget -N -nv http://www.sortmonster.net/Sniffer/Updates/%LicenseID%.snf -O %LicenseID%.new.gz --header=Accept-Encoding:gzip
--http-user=sniffer --http-passwd=ki11sp8m -a snfu
ouch I forgot in my previous message: Great script Andrew
- thank you!
Markus
From: Message Sniffer Community
[mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Thursday, June 22, 2006 6:01 PM
To: Message Sniffer Community
Subject: [sniffer] Re: AW: [sniffer] Re:
> The good news is that SNF:Experimental/Abstract has a very
> low false positive rate.
>
> It may be time to alter our philosophy w/ regard to the
> experimental/abstract rules group and recommend that wherever
> practical, messages should probably be held (not deleted)
> based on a hit in th
Ciao Filippo
Can you see any pattern of mailfrom, mailto or IP-Address that causes all
these messages in your spool folder?
Telnetting to your MX shows that you're using Imail 8.05 and I assume in
conjunction with Declude and Sniffer.
It also turns out that both logos.net and logos.it are not open
Hi Bonno
tin.it is one of Italy's largest ISPs and the (not new) problem is that
many blacklists do catch a RELATIVELY high number of spam messages COMPARED
to the number of legit messages simply because the traps measuring this
traffic are located elsewhere than Italy or Europe.
There are cer
Harry,
(please don't post your entire license code to a public
list.)
Regarding the reliability of sniffer we should know that
errors sometimes can happen, even at sniffer-side after they've worked for years
now very reliable. I don't expect that such errors will happen now more
often.
If I understand right you mean that if "experimental" rules
are introduced you want to know about and so temporarily disable rulebase updates
on your server.
As I know Sniffer has a much smarter way for doing this.
They introduce experimental rules in a separate category (sniffer-exp) and look
Heimir,
It's not a Sniffer-related answer but I personally use a combination of a
text filter file (looking for known geocities-links) and the IP-blacklist
SORBS-DUHL (which contains dialup ip-ranges). As all my customers are
connecting with SMTP-Auth or from known IP-ranges I can whitelist them. So
> would you share your filters?
> I assume Declude filters.
Yes.
Attached is the original message from Scott Fisher regarding the
geocities-filter file. (I call it GEOCITIESLINKS)
I've replaced each weight (100 and 75 points) with 0. So this test will add
no weight to the final result.
In add