OK, I'm confused. First I admit I don't spend much time on Sniffer or Declude settings, and I haven't learned the programs very well.

I used the default Sniffer config files. If I changed as indicated below will it catch more SPAM?

Sorry if this is a dumb question, just need some advice.

Thanks,
Joe
----- Original Message -----
From: "Landry William" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, December 02, 2004 10:05 PM
Subject: RE: [sniffer] Test ordering/precedence




Here's what my Sniffer global.cfg entries look like:

SNIFFER-TRAVEL      external 047 "M:\Sniffer\LicenseID.exe AuthCode" 07 0
SNIFFER-INSURANCE   external 048 "M:\Sniffer\LicenseID.exe AuthCode" 12 0
SNIFFER-AV-PUSH     external 049 "M:\Sniffer\LicenseID.exe AuthCode" 10 0
SNIFFER-WAREZ       external 050 "M:\Sniffer\LicenseID.exe AuthCode" 12 0
SNIFFER-SPAMWARE    external 051 "M:\Sniffer\LicenseID.exe AuthCode" 12 0
SNIFFER-SNAKEOIL    external 052 "M:\Sniffer\LicenseID.exe AuthCode" 15 0
SNIFFER-SCAMS       external 053 "M:\Sniffer\LicenseID.exe AuthCode" 17 0
SNIFFER-PORN        external 054 "M:\Sniffer\LicenseID.exe AuthCode" 17 0
SNIFFER-MALWARE     external 055 "M:\Sniffer\LicenseID.exe AuthCode" 15 0
SNIFFER-ADVERTISING external 056 "M:\Sniffer\LicenseID.exe AuthCode" 12 0
SNIFFER-SCHEMES     external 057 "M:\Sniffer\LicenseID.exe AuthCode" 15 0
SNIFFER-CREDIT      external 058 "M:\Sniffer\LicenseID.exe AuthCode" 10 0
SNIFFER-GAMBLING    external 059 "M:\Sniffer\LicenseID.exe AuthCode" 10 0
SNIFFER-GENERAL     external 060 "M:\Sniffer\LicenseID.exe AuthCode" 12 0
SNIFFER-SPAM        external 061 "M:\Sniffer\LicenseID.exe AuthCode" 15 0
SNIFFER-OBFUSCATION external 062 "M:\Sniffer\LicenseID.exe AuthCode" 15 0
SNIFFER-IP-RULES    external 063 "M:\Sniffer\LicenseID.exe AuthCode" 12 0

You will need to use your LicenseID and AuthCode, and want to adjust the
weights to meet your own needs and requirements.

Bill
-----Original Message-----
From: Serge [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 02, 2004 6:41 PM
To: [EMAIL PROTECTED]
Subject: Re:[sniffer] Test ordering/precedence


Where can I find examples of using "exit codes" to assign different weights
depending on groups, when using sniffer with declude/imail? TIA





----- Original Message -----
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: "Jim Matuska" <[EMAIL PROTECTED]>
Sent: Thursday, December 02, 2004 9:59 PM
Subject: Re[2]: [sniffer] Test ordering/precedence



On Thursday, December 2, 2004, 4:15:43 PM, Jim wrote:

JM> Pete,
JM> We have rules setup in declude based upon sniffer return codes 60 and 62 to
JM> mark all messages with those tests as spam, however we do not have any 61 or
JM> 62 return codes setup.  Can you briefly explain what each of these groups
JM> includes and a false positive rate for each.

The false positive rates for all of these rule groups have fallen
dramatically over the past 8 months and at this point they are all
comparable. Different systems see different rates, but all rates are
low.

Group 63 - Experimental Received [IP] - contains rules that match
Receive headers by IP. These are now largely generated by robots which
monitor inbound spamtrap and usertrap data and then test those
sources. This group used to provide the second largest rate of false
positives. The rate now is roughly the same as any other group.

Group 62 - Obfuscation - contains rules built to detect obfuscation
techniques. Internally this group breaks down into a number of
sub-groups which detect unnecessary URL encoding, HEX encoding, and
HTML obfuscation patterns.

Group 61 - Experimental Abstract - contains rules that are designed to
recognize data patterns and structures found in spam. For example
errors in headers combined with message structures,  misspellings,
unusual uses for table and HTML structures or message segments, and
other abstract patterns that result from the use of scripting engines
to generate polymorphic spam.

Note: Group 60 was Gray-Hosting many months ago. That group was
retired and then reused. Now it is being renumbered again.

Group 60 - General (Ungrouped) - contains many of the same kinds of
rules found in other groups, but particularly those which cannot be
accurately categorized there. For example, fake diploma spam. These
rules are largely text segments, domains, URI/URL segments, and
structures (much like those found in group 61).

Hope this helps,
_M



This E-Mail came from the Message Sniffer mailing list. For
information
and (un)subscription instructions go to
http://www.sortmonster.com/MessageSniffer/Help/Help.html
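
As an added example (not part of the original thread, and not Declude or Message Sniffer code), a small Python check over global.cfg lines in the layout Bill posted: it reports which result codes in the range his entries cover (047 to 063) have no test line, the situation Jim describes, and which codes are claimed by more than one line. Reading the third field as the exit code and the fifth as the weight follows the thread; the sample lines are a constructed subset and the name SNIFFER-DUP is hypothetical.

```python
import re
from typing import NamedTuple

# Constructed sample in the layout shown in the thread. LicenseID and
# AuthCode are the thread's own placeholders; SNIFFER-DUP is hypothetical.
SAMPLE_CFG = r'''
SNIFFER-TRAVEL      external 047 "M:\Sniffer\LicenseID.exe AuthCode" 07 0
SNIFFER-GENERAL     external 060 "M:\Sniffer\LicenseID.exe AuthCode" 12 0
SNIFFER-OBFUSCATION external 062 "M:\Sniffer\LicenseID.exe AuthCode" 15 0
SNIFFER-DUP         external 062 "M:\Sniffer\LicenseID.exe AuthCode" 10 0
'''

class ExternalTest(NamedTuple):
    name: str
    exit_code: int   # third field: the Sniffer result code this line matches
    command: str     # quoted command line
    weight: int      # fifth field: weight assigned on a match
    last_field: int  # trailing column (0 in every line of the thread)

LINE_RE = re.compile(
    r'^(\S+)\s+external\s+(\d+)\s+"([^"]*)"\s+(-?\d+)\s+(-?\d+)\s*$',
    re.IGNORECASE,
)

def parse_tests(text):
    """Return one ExternalTest per well-formed 'external' line; skip the rest."""
    tests = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            name, code, cmd, weight, last = m.groups()
            tests.append(ExternalTest(name, int(code), cmd, int(weight), int(last)))
    return tests

def audit(tests, expected_codes):
    """Return (codes with no test line, {code: [names]} for codes used twice)."""
    by_code = {}
    for t in tests:
        by_code.setdefault(t.exit_code, []).append(t.name)
    missing = sorted(set(expected_codes) - set(by_code))
    duplicated = {c: names for c, names in by_code.items() if len(names) > 1}
    return missing, duplicated

if __name__ == "__main__":
    missing, duplicated = audit(parse_tests(SAMPLE_CFG), range(47, 64))
    print("codes with no test line:", missing)
    print("codes matched by several lines:", duplicated)
```
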



