Re: [Declude.JunkMail] sniffer question

[Pete McNeil]

On 12/13/2010 1:09 PM, Harry Vanderzand wrote: For reliable service on Message Sniffer questions, please send your questions to supp...@armresearch.com; or join the sniffer@ list and ask our community of Message Sniffer users.  (I try to keep an eye on this list, but not always ;-) http://www.armresearch.com/support/index.jsp Just checking my sniffer logs.  The following is an excerpt that I have a question o0n: <s u='20101211142509' m='q559a0000524ab283.smd' s='0' r='0'>                 <p s='12' t='15' l='2054' d='69'/>                 <g o='0' i='216.16.233.12' t='u' c='0.968559' p='-0.73764' r='Normal'/>   I=’216.16.233.12” is my mail server.  This mail came from 94.190.11.38 originally and also has an AOL ip in the headers   What is the I= supposed to represent? i = the IP that gbudb believes is the source of the message. See: http://www.armresearch.com/support/articles/software/snfServer/logFiles/activityLogs.jsp If SNF identified your mail server as the source then you should check your configuration. Given the _VERY_ high confidence figure I suspect your mail server's IP is regularly identified as the message source and so your mail server's IP should be in your ignore list. SNF uses the Received headers present in the message it scans to determine the source IP for the message. I'm not sure how your mail servers's IP would get in there -- but in any case, you should review the structure of the Received headers in the messages on your system and make the appropriate adjustments to your SNF configuration -- especially your ignore list. You may also want to add some additional training entries such as <drilldown> etc. More on that here: http://www.armresearch.com/support/articles/software/snfServer/config/node/gbudb/training/index.jsp Best, _M -- Pete McNeil, President MicroNeil Research Corporation www.microneil.com 703.779.4909 x7010 --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.