I'm attaching an old message to this list which may come in handy.  It's from my perspective, which is using Declude and IMail, with the spam messages in d:\imail\spool\spam and needing to be moved to d:\imail\spool to be re-scanned.  Now that I use a newer version of Declude, my paths are d:\imail\spool\spam for the source and d:\imail\spool\proc for the destination.
Replace "828931" with "1174356" in the gawk line.
 
Replace the date embedded in the sniffer log file name wildcard with today's date.  I went through the 15th, 16th and 17th to be safe.
 
If you're archiving your logs, you'll of course have to unpack them first.  And if you don't rotate your logs often, you may not need the wildcard on the log filename at all.
 
I think I had 267 hits in my msgids.txt file.
 
Andrew 8) 
 
 


From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Computer House Support
Sent: Monday, October 16, 2006 8:09 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Significant increase in false positives

Dear Pete,
 
Sniffer blocked 35,000 messages today, and roughly 7200 of them were blocked by the 1174356 rule.
 
Do you think many of these were false positives?  Do you know a way of searching through 35,000 IMail messages to find the FPs?
 
What would you suggest in this situation?
 
 
Thank you,
 
Michael Stein
Computer House
 
 
 
 
----- Original Message -----
Sent: Monday, October 16, 2006 8:46 PM
Subject: [sniffer] Re: Significant increase in false positives

Hello Darin,

Monday, October 16, 2006, 5:17:26 PM, you wrote:

> Anyone else seeing a sudden increase in FPs?  We normally report a few each day, but we're seeing a 10x increase in FPs for the past three days.

Not sure if this is it, but there was an image segment rule that went in over the weekend and resulted in an unusual number of false positives today. The rule was removed. IIRC the rule id was: 1174356

Hope this helps,

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.

#############################################################

This message is sent to you because you are subscribed to

  the mailing list <sniffer@sortmonster.com>.

To unsubscribe, E-mail to: <[EMAIL PROTECTED]>

To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>

To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>

Send administrative queries to  <[EMAIL PROTECTED]>


--- Begin Message ---

Goran, this is pretty much what I did to get to re-queuing:

gawk "$0 ~ /Final\t828931/ {print substr($3,2,16)}"  gxamq2kt.log.20060207* >msgids.txt

The file msgids.txt will now contain just the GUID part of the D[guid].SMD from column 3 in the tab-delimited Message Sniffer log files.

I then used a batch file I had previously created called qm.cmd (for queue and move).  Note that the folders I specify are for Declude 1.x, which has an overflow folder.  I use the overflow folder so that Declude will re-analyze the message:

Rem this is the qm.cmd file listing
move d:\imail\spool\spam\d%1.smd u:\imail\spool\ >nul
move d:\imail\spool\spam\q%1.smd u:\imail\spool\overflow\ >nul

I then issued from the command line:

for /F %i in (msgids.txt) do @qm.cmd %i

That takes care of re-queuing all the held messages.  I am using a move instead of a copy because I want Declude to be able to move a message it deems spam to the spam folder.  If I used a copy, it would fail to do the move because the file is already in the spam folder, and Declude would then pass control back to IMail, which would then deliver the spam inbound.

After my queue went back to normal, I then set to work on my dec0207.log file to determine if the entirety of the message was spam or ham based on whether it was held or not (which is the simple scenario I have).

I hope that helps,

Andrew 8)

p.s. Another re-posting in HTML so as to preserve the line breaks.  Sorry for the duplication, folks.


> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Goran Jovanovic
> Sent: Tuesday, February 07, 2006 5:39 PM
> To: sniffer@SortMonster.com
> Subject: RE: Re[4]: [sniffer] Bad Rule - 828931
>
> I just ran the grep command on my log and I got 850 hits.
>
> Now is there a way to take the output of the grep command and
> use it pull out the total weight of corresponding message
> from the declude log file, or maybe the subject?
>
> Goran Jovanovic
> Omega Network Solutions
>

>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > On Behalf Of David Sullivan
> > Sent: Tuesday, February 07, 2006 7:47 PM
> > To: Landry, William (MED US)
> > Subject: Re[4]: [sniffer] Bad Rule - 828931
> >
> > Hello William,
> >
> > Tuesday, February 7, 2006, 7:39:05 PM, you wrote:
> >
> > LWMU> grep -c "Final.*828931" c:\imail\declude\sniffer\logfile.log
> >
> > That's what I tried. Just figured out I forgot to capitalize the "F".
> > It works.
> >
> > Confirmed - 22,055
> >
> > I'm writing a program now to parse the sniffer log file, extract the
> > file ID, lookup the id in sql server, determine quarantine location,
> > extract q/d pair from quarantine and send to user.
> >
> > --
> > Best regards,
> > David   mailto:[EMAIL PROTECTED]
> >
> >
> >
> > This E-Mail came from the Message Sniffer mailing list. For information
> > and (un)subscription instructions go to
> > http://www.sortmonster.com/MessageSniffer/Help/Help.html


--- End Message ---
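The gawk-plus-qm.cmd procedure in the attached message, and the updated spam -> proc paths from the top of this post, as one added Python script. This is example code, not code from the thread, from Message Sniffer or from Declude. It assumes only the log structure the gawk line relies on (tab-delimited, column 3 is D<guid>.SMD, a "Final" field followed by the rule-id field); the SAMPLE_LOG lines, the paths and the function names are constructed for the example. Two things it does that the one-liner does not: the rule id is compared as a whole field, so /Final\t828931/ cannot also sweep up a rule such as 8289310, and a message is moved only when both its D and Q files are present (D first, then Q), so a half-moved pair is never left behind. The separate d_dest and q_dest parameters cover both the Declude 1.x layout (D to spool, Q to spool\overflow) and the newer single proc folder.

```python
"""Re-queue IMail/Declude messages that Message Sniffer held on one rule id.

Added example, not code from the list thread. Only the log structure the
gawk line relies on is assumed; SAMPLE_LOG is constructed, not real output.
"""
import os
import shutil
import tempfile
from typing import Dict, List, Tuple

# Constructed sample log; the second column is filler, the rest mirrors what
# the gawk line needs: column 3 = D<guid>.SMD, "Final" then the rule id.
SAMPLE_LOG = "\n".join([
    "20060207120001\tx\tD0123456789ABCDEF.SMD\tFinal\t828931",
    "20060207120002\tx\tDFEDCBA9876543210.SMD\tFinal\t10",       # other rule
    "20060207120003\tx\tD00000000000000AA.SMD\tFinal\t8289310",  # prefix trap for /828931/
    "20060207120004\tx\tD1111111111111111.SMD\tFinal\t828931",
    "20060207120005\tx\tD0123456789ABCDEF.SMD\tFinal\t828931",   # duplicate line, same message
    "20060207120006\tx\tD2222222222222222.SMD\tFinal\t828931",   # will have no Q file on disk
])


def msgids_for_rule(log_text: str, rule_id: str) -> List[str]:
    """Unique GUIDs (first-seen order) whose Final rule is exactly rule_id.

    Whole-field comparison instead of a substring regex, and the GUID is
    whatever sits between the leading D and .SMD rather than a fixed 16 chars.
    """
    seen: Dict[str, None] = {}
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) < 3 or "Final" not in fields:
            continue
        i = fields.index("Final")
        if i + 1 >= len(fields) or fields[i + 1] != rule_id:
            continue
        name = fields[2]
        if name[:1].upper() != "D" or not name.upper().endswith(".SMD"):
            continue
        seen.setdefault(name[1:-4], None)
    return list(seen)


def requeue(guids: List[str], spam_dir: str, d_dest: str, q_dest: str,
            dry_run: bool = False) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Move each D/Q pair out of spam_dir (D first, then Q).

    A pair is moved only when both halves exist, so no message ends up with
    its queue file in one folder and its body in another. Returns the moves
    made (or planned, if dry_run) and the GUIDs skipped as incomplete.
    """
    moves: List[Tuple[str, str]] = []
    skipped: List[str] = []
    for guid in guids:
        d_src = os.path.join(spam_dir, f"D{guid}.SMD")
        q_src = os.path.join(spam_dir, f"Q{guid}.SMD")
        if not (os.path.isfile(d_src) and os.path.isfile(q_src)):
            skipped.append(guid)
            continue
        for src, dst in ((d_src, os.path.join(d_dest, f"D{guid}.SMD")),
                         (q_src, os.path.join(q_dest, f"Q{guid}.SMD"))):
            if not dry_run:
                shutil.move(src, dst)  # shutil.move handles a cross-drive move (d: -> u:)
            moves.append((src, dst))
    return moves, skipped


def demo(rule_id: str = "828931") -> Dict[str, object]:
    """Run the whole procedure against a throwaway spool tree and summarise it."""
    root = tempfile.mkdtemp()
    spam = os.path.join(root, "spool", "spam")
    proc = os.path.join(root, "spool", "proc")
    os.makedirs(spam)
    os.makedirs(proc)
    # Stage held messages: two complete D/Q pairs, plus two bodies with no Q file.
    for guid in ("0123456789ABCDEF", "1111111111111111"):
        for prefix in "DQ":
            with open(os.path.join(spam, f"{prefix}{guid}.SMD"), "w") as fh:
                fh.write(f"{prefix} file for {guid}\n")
    for guid in ("00000000000000AA", "2222222222222222"):
        with open(os.path.join(spam, f"D{guid}.SMD"), "w") as fh:
            fh.write("body with no queue file\n")
    guids = msgids_for_rule(SAMPLE_LOG, rule_id)
    moves, skipped = requeue(guids, spam, proc, proc)
    result = {"guids": guids, "moved": len(moves), "skipped": skipped,
              "spam": sorted(os.listdir(spam)), "proc": sorted(os.listdir(proc))}
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(demo())
```

To use it against a real spool, replace SAMPLE_LOG with the concatenated contents of the day's sniffer log files and call requeue() with dry_run=True first; the returned move list is the equivalent of msgids.txt, and the skipped list tells you which held messages are already missing a half before anything is touched.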