RE: [sniffer] problems!!!!

[Markus Gufler]

Harry,

 

(please don't post your entire license code to a public list.)

 

regarding the reliability of sniffer we should know that errors sometimes can happen, even at sniffer-side after they've worked for years now very relaible. I don't expect that such errors will happen now more often.

 

What you can do is trying to configure your declude spamfilter in order to hold only if multiple or at least more then one test failed. For doing this the first step is to set the maximum weight of each test (at least slightly) below your hold weight.

 

I've configured different weights for different sniffer exit codes depending how reliable they seem to me but as a maximum weight for sniffer I've set 95% of the mark-subjectline-weight and around 63% of the hold-weight. So the problematic sniffer-rule from yesterday was not a real problem on our server. There was some single messages who has had a final weight above the the hold weight because we use combinations of the most reliable tests. From several thousand processed messages only around 20 messages has had a false-positive combination caused by sniffer-rule82893 and another spam test.

 

Thanks to Andrew and Goran for their info's and scripts. Saved a lot of time here.

 

Pete: Any info if and if yes when you can adapt MDLP for the declude v3 logfile? I realy miss this data. Once accustomized to the hourly results of MDLP e sometimes feel now like a blind chicken :-)

 

Markus

 

 

 

 

---

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harry Vanderzand
Sent: Wednesday, February 08, 2006 4:02 PM
To: sniffer@SortMonster.com
Subject: [sniffer] problems!!!!

With the recent issues at sniffer it has caused tremendous problems with the entire client base here.

 

Sniffer has been so reliable for so lond and al of a sudden recently I cannot rely on it any more

 

What is going on with sniffer

 

Will these issues get resolved or is it going to be more unstable than what we have come to rely on?

 

I need my spam trap software to work without spend hours everyday  and without getting a large group of my customers questioning the reliability of what I am doing.

 

Hope there will be some indication of improvement.

 

The following is my sniffer code

 

SNIFFER  external nonzero "D:\IMail\Declude\sniffer\ sniffer .exe  xxxxxxxxxxxxx " 10 0

 

Should I be doing something different?

 

This has worked very well for a year now.

Harry Vanderzand
inTown Internet & Computer Services
519-741-1222

 

---

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Tuesday, February 07, 2006 9:42 PM
To: sniffer@SortMonster.com
Subject: RE: Re[4]: [sniffer] Bad Rule - 828931

Goran, this is pretty much what I did to get to re-queuing:

gawk "$0 ~ /Final\t828931/ {print substr($3,2,16)}"  gxamq2kt.log.20060207* >msgids.txt

The file msgids.txt will now contain just the GUID part of the D[guid].SMD from column 3 in the tab delimited Message Sniffer log files.

I then used a batch file I had previously created called qm.cmd (for queue and move).  Note that the folders I specify are for Declude 1.x, which has an overflow folder.  I use the overflow folder so that Declude will re-analyze the message:

Rem this is the qm.cmd file listing
move d:\imail\spool\spam\d%1.smd u:\imail\spool\ >nul
move d:\imail\spool\spam\q%1.smd u:\imail\spool\overflow\ >nul

I then issued from the command line:

for /F %i in (msgids.txt) do @qm.cmd %i

That takes of re-queuing all the held messages.  I am using a move instead of a copy because I want Declude to be able to move a message it deems spam to the spam folder.  If I used a copy, it would fail to do the move because the file is already in the spam folder, and Declude would then pass control back to Imail, which would then deliver the spam inbound.

After my queue went back to normal, I then set to work on my dec0207.log file to determine if the entirety of the message was spam or ham based on whether it was held or not (which is the simple scenario I have).

I hope that helps,

Andrew 8)

p.s. Another re-posting in HTML so as to preserve the line breaks.  Sorry for the duplication, folks.

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Goran Jovanovic
> Sent: Tuesday, February 07, 2006 5:39 PM
> To: sniffer@SortMonster.com
> Subject: RE: Re[4]: [sniffer] Bad Rule - 828931
>
> I just ran the grep command on my log and I got 850 hits.
>
> Now is there a way to take the output of the grep command and
> use it pull out the total weight of corresponding message
> from the declude log file, or maybe the subject?
>
> Goran Jovanovic
> Omega Network Solutions
>
> 
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]
> > On Behalf Of David Sullivan
> > Sent: Tuesday, February 07, 2006 7:47 PM
> > To: Landry, William (MED US)
> > Subject: Re[4]: [sniffer] Bad Rule - 828931
> >
> > Hello William,
> >
> > Tuesday, February 7, 2006, 7:39:05 PM, you wrote:
> >
> > LWMU> grep -c "Final.*828931" c:\imail\declude\sniffer\logfile.log
> >
> > That's what I tried. Just figured out I forgot to
> capitalize the "F".
> > It works.
> >
> > Confirmed - 22,055
> >
> > I'm writing a program now to parse the sniffer log file,
> extract the
> > file ID, lookup the id in sql server, determine quarantine
> location,
> > extract q/d pair from quarantine and send to user.
> >
> > --
> > Best regards,
> >  David                            mailto:[EMAIL PROTECTED]
> >
> >
> >
> > This E-Mail came from the Message Sniffer mailing list. For
> information
> > and (un)subscription instructions go to
> > http://www.sortmonster.com/MessageSniffer/Help/Help.html
>
>
> This E-Mail came from the Message Sniffer mailing list. For
> information and (un)subscription instructions go to
> http://www.sortmonster.com/MessageSniffer/Help/Help.html
>