Darin,
Thunderbird and Netscape just take the full original source and
attaches it as a message/rfc822 attachment. I forwarded this message
back to the list by just pressing "Forward". I'm pretty sure that
Outlook Express works simply by just pressing Forward As Attachment, or
at least it gives me enough of the original, including the full headers,
to determine how to block the spam. I have been telling Outlook users
to copy and paste the headers into a forwarded message.
Please excuse me for wanting more detail about the Outlook attachment
trick, but would you mind attaching this message to a response so that I
could look at the headers and such?
There was a discussion about Outlook's behavior with Scott some time
ago. Apparently Microsoft was pressured by customers to remove headers
when forwarding because they felt that they were a security/privacy
risk. No one told them that Outlook was a security/privacy risk on its
own :) ...but that's another story. I would probably feel differently if
I had the need for groupware though, but digs at Microsoft are
irresistible sometimes.
Matt
--- Begin Message ---
Of course I'm sending the full message as an
attachment. You can do that with Outlook by attaching an item, then
browsing your mail folders for the message to attach. And yes, that's how
you do it with Outlook Express as well. I don't use Thunderbird or
Netscape mail, but I would assume you still need to attach the original message
to avoid the headers being lost.
What I was referring to was a little more involved
than that... namely the possibility of it not matching a rule because the
attachment was encoded differently. For example, I've seen mail go
through that base64 encoded an attached email that was not originally
base64 encoded.
From Pete's responses, it sounded like "no rule
found" really did mean no rule was matched. Especially since he has a
separate code for "rule already removed". FPs we send are always from the same
day, or, at the very least, within 24 hours.
Darin.
----- Original Message -----
Sent: Wednesday, June 07, 2006 11:46 PM
Subject: Re: [sniffer]FP suggestions
Darin,
Outlook will strip many of the headers when
forwarding. Outlook Express needs to forward the messages using "Forward
As Attachment" in order to insert the full original headers.
Thunderbird/Netscape Mail will work just by forwarding. If you paste the
full source in a message, you should send as plain text.
I have many FP's
that come back as having no rules found, but these are more likely to be from
rules that were already removed. So I wouldn't jump to a conclusion that
the rule was not found because of formatting unless you are not sending the full
unadulterated original message source. I would imagine that it would
mostly be IP rules that aren't found when not forwarding the full original
source.
Matt
Darin Cox wrote:
It is unclear - we receive FPs that have traveled through all sorts of
clients, quarantine systems, changed hands various numbers of times,
or not (to all of those)... Right now I don't want to make that
research project a high priority.
Understood.
That's true it wouldn't change, but submitting the message directly
would not be correct - the dialogue is with you, and in any case,
additional trips through the mail server also modify parts of the
header and sometimes parts of the message (tag lines, disclaimers,
etc)...
Hmmm... with attaching the original message, I guess it still makes more
sense to deliver to us first for now. Just looking for an alternative that
gets you the message as close to the original form as possible.
Maybe we'll write a script to copy and forward the D*.SMD file as an
attachment to you for FPs at some point in the future.
#############################################################
This message is sent to you because you are subscribed to
the mailing list <sniffer@sortmonster.com>.
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to <[EMAIL PROTECTED]>
--- End Message ---
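An added example, not part of the thread and not code from any of the posters: Python that recovers the original message from a forward's message/rfc822 attachment whether or not the attachment was base64 re-encoded on the way, and shows that a literal from the original headers is absent from the raw source of the re-encoded forward. The messages, addresses and the helper names `build_forward` and `extract_original` are constructed for illustration.

```python
import base64
import email
from email.message import Message

# Constructed sample: the message as it arrived, before any forwarding.
ORIGINAL = (
    b"Received: from mail.example.org (mail.example.org [192.0.2.25])\n"
    b"\tby mx.example.net; Wed, 07 Jun 2006 10:00:00 -0400\n"
    b"From: sender@example.org\n"
    b"To: user@example.net\n"
    b"Subject: Invoice for June\n"
    b"Message-ID: <constructed-1@example.org>\n"
    b"\n"
    b"Please find the invoice attached.\n"
)

def build_forward(cte: str) -> str:
    """Constructed forward carrying ORIGINAL as a message/rfc822 part."""
    body = ORIGINAL.decode("ascii")
    if cte == "base64":  # what a client or relay that re-encodes would emit
        body = base64.encodebytes(ORIGINAL).decode("ascii")
    return (
        "From: user@example.net\nTo: fp-reports@example.com\n"
        "Subject: FP report\nMIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b1"\n\n'
        "--b1\nContent-Type: text/plain\n\nFalse positive attached.\n"
        "--b1\nContent-Type: message/rfc822\n"
        f"Content-Transfer-Encoding: {cte}\n\n{body}\n--b1--\n"
    )

def extract_original(forward_source: str) -> Message:
    """Return the attached message with its own headers, undoing base64."""
    forward = email.message_from_string(forward_source)
    for part in forward.walk():
        if part.get_content_type() != "message/rfc822":
            continue
        inner = part.get_payload(0)  # the parser's view of the attachment
        cte = part.get("Content-Transfer-Encoding", "7bit").strip().lower()
        if cte == "base64":
            # The parser saw only base64 text, so decode it and parse again.
            return email.message_from_bytes(base64.b64decode(inner.get_payload()))
        return inner  # 7bit/8bit: headers were parsed as-is
    raise ValueError("no message/rfc822 attachment found")

if __name__ == "__main__":
    for cte in ("7bit", "base64"):
        src = build_forward(cte)
        msg = extract_original(src)
        print(cte, "| IP literal in raw forward:", "192.0.2.25" in src,
              "| recovered Message-ID:", msg["Message-ID"])
```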