Re: Re[6]: [sniffer] Rash of false positives

[Richard Farris]

All is well now.. Richard Farris Ethixs Online 1.270.247.5555 Office 1.800.548.3877 Tech Support "Crossroads to a Cleaner Internet" ----- Original Message ----- From: Pete McNeil To: John Moore Sent: Wednesday, November 09, 2005 1:45 PM Subject: Re[6]: [sniffer] Rash of false positives This problem with Dr.Watson errors has been covered before on Declude's support list as well as ours. It's actually not SNF itselft that's causing the problem, but rather an undocumented heap in Windows that can run out of space and cause the next item to load to fail with a Dr. Watson error. SNF often is listed due to the way it is called by Declude which is called by IMail. There are some tuning parameters that can often mitigate the problem - I believe they are primarily concerned with the number of threads. Since the "mystery heap" is not documented there is no way to directly address the issue. The problem itself is documented (worth a google on the error code) as a number of programs run into this problem from time to time. Hope this helps, _M PS: If this is a different problem please send me the specific error code so I can research it. That said, since the code for SNF has not changed in some time it is highly unlikely that SNF would suddenly start causing DrWatson errors. The rulebase files are data - not executable code ;-) On Wednesday, November 9, 2005, 12:42:54 PM, John wrote: > We had this same thing happen. It has been happening more frequently recently and we are looking into disabling sniffer as it seems to be the culprit each time. John Moore 305 Spin   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Richard Farris Sent: Wednesday, November 09, 2005 11:38 AM To: sniffer@SortMonster.com Subject: Re: Re[4]: [sniffer] Rash of false positives   This morning my server quit sending mail and my tech said the Dr. Watson error on the server was my Sniffer file...I rebooted and thought it was OK but quit again..I had a lot of mail back logged...so I updated a new rule base but it did not seem to help....I reinstalled Imail and things seem OK but slow since there is such a back log of mail....If things don't get back to normal I will be back.. Richard Farris Ethixs Online 1.270.247.5555 Office 1.800.548.3877 Tech Support "Crossroads to a Cleaner Internet" ----- Original Message -----  From: Pete McNeil  To: Darin Cox  Sent: Tuesday, November 08, 2005 3:03 PM Subject: Re[4]: [sniffer] Rash of false positives   On Tuesday, November 8, 2005, 3:25:20 PM, Darin wrote:   >  Hi Pete,   There was a consistent stream of false positives over the mentioned time period, not just a blast at a particular time.  They suddenly started at 5pm (shortly after a 4:30pm rulesbase update), and were fairly evenly spread from 5pm - 11pm and 6am - 10am today (not many legitimate emails came in between 11pm and 6am)...spanning 4 other rulebase updates at 8:40pm, 12am, 3am, and 6:20am.  There were a number of different rules involved, and over 45 false positives in that time period.   This is highly unusual -- I didn't remove many rules, and normally only one or two would be responsible. If you found that a large number of rules were responsible then something else happend and we need to look at that... I'd need to see your SNF logs from that period since the changes (removals anyway) in the rulebase were very small and unrelated - that just doesn't line up with your description.   One thing does-- in the past if snf2check was not used to check a new download then a corrupted rulebase could cause SNF to produce erratic results... since snf2check has been in place we have not seen this. Is it possible that a bad rulebase file got pressed into service on your system? -- probably a look at the logs would help there too since this kind of failure is accompanied by very specific oddities in the logs.   Hope this helps,   _M   This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html  This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html