RE: Re[2]: [sniffer] New Rulebot F001
I also have got a lot of false positives with code 063 which are HOLD now. I know it's not very nice to set email on HOLD when failing sniffer but I've got a major problem with spam and until a few days ago this was going well, at least a few false positives in a week.

03/07/2006 20:12:44.628 qdb2402d03b56.smd Msg failed SNIFFER (Message failed SNIFFER: 63.). Action=HOLD.
l6l0ow6m20060307191244 Ddb2402d03b56.smd 31 31 Match 672578 63 142 176 65
l6l0ow6m20060307191244 Ddb2402d03b56.smd 31 31 Final 672578 63 0 281965

Could this please stop, sniffer was pretty reliable for us, but not at the moment.

Regards,
Marcel Sangers
Traction IT

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: dinsdag 7 maart 2006 0:18
To: Darin Cox
Subject: Re[2]: [sniffer] New Rulebot F001

On Monday, March 6, 2006, 3:42:50 PM, Darin wrote:

DC> We just reviewed this morning's logs and had a few false positives.
DC> Not sure if these are due to the new rulebot, but it's more than
DC> we've had for the entire day for the past month.

DC> Rules
DC> --
DC> 873261
DC> 866398
DC> 856734
DC> 284831
DC> 865663

Three of these are from F001 and have been removed.

865663 - http://www.dnsstuff.com/tools/ip4r.ch?ip=64.233.166.182
         http://www.dnsstuff.com/tools/ptr.ch?ip=64.233.166.182

856734 - http://www.dnsstuff.com/tools/ip4r.ch?ip=64.249.82.200
         http://www.dnsstuff.com/tools/ptr.ch?ip=64.249.82.200

873261 - http://www.dnsstuff.com/tools/ip4r.ch?ip=207.217.120.227
         http://www.dnsstuff.com/tools/ptr.ch?ip=207.217.120.227

I haven't yet processed the fps, only looked up the rules.

There are currently 32820 rules authored by the F001 bot.

Hope this helps,

_M

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html

Re: Re[2]: [sniffer] New Rulebot F001
Thanks, Pete.

Darin.

- Original Message -
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: "Darin Cox"
Sent: Monday, March 06, 2006 6:17 PM
Subject: Re[2]: [sniffer] New Rulebot F001

On Monday, March 6, 2006, 3:42:50 PM, Darin wrote:

DC> We just reviewed this morning's logs and had a few false positives. Not
DC> sure if these are due to the new rulebot, but it's more than we've had for
DC> the entire day for the past month.

DC> Rules
DC> --
DC> 873261
DC> 866398
DC> 856734
DC> 284831
DC> 865663

Three of these are from F001 and have been removed.

865663 - http://www.dnsstuff.com/tools/ip4r.ch?ip=64.233.166.182
         http://www.dnsstuff.com/tools/ptr.ch?ip=64.233.166.182

856734 - http://www.dnsstuff.com/tools/ip4r.ch?ip=64.249.82.200
         http://www.dnsstuff.com/tools/ptr.ch?ip=64.249.82.200

873261 - http://www.dnsstuff.com/tools/ip4r.ch?ip=207.217.120.227
         http://www.dnsstuff.com/tools/ptr.ch?ip=207.217.120.227

I haven't yet processed the fps, only looked up the rules.

There are currently 32820 rules authored by the F001 bot.

Hope this helps,

_M

RE: Re[2]: [sniffer] New Rulebot F001
Pete,

One of these was EarthLink [207.217.120.227], and one of these was Google Mail [64.233.166.182].

SpamBag lists the EarthLink address as a source of bogus bounces, and I posit that this would be the source of the mail to the spamtraps that would trigger the F001 bot.

I would like to state that I don't need Message Sniffer to identify servers that send bogus postmaster notifications. This would be entirely due to false positives such as the three examples above.

Given that spammers clearly recycle their email database as a fake-mailfrom database, any spamtrap address will get bogus bounces and therefore, the spamtraps will flag legitimate senders' IP addresses in Rule 63.

I don't expect nor want you to discuss the details of the spamtraps as the point of one class of your spamtraps is that their methods are secret. However, Matt has described a subset of the filters various Decluders have used to filter out postmaster bounces and other reflected noise, and I can certainly chip in on that conversation offline.

Andrew.

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
> Sent: Monday, March 06, 2006 3:18 PM
> To: Darin Cox
> Subject: Re[2]: [sniffer] New Rulebot F001
>
> On Monday, March 6, 2006, 3:42:50 PM, Darin wrote:
>
> DC> We just reviewed this morning's logs and had a few false positives.
> DC> Not sure if these are due to the new rulebot, but it's more than
> DC> we've had for the entire day for the past month.
>
> DC> Rules
> DC> --
> DC> 873261
> DC> 866398
> DC> 856734
> DC> 284831
> DC> 865663
>
> Three of these are from F001 and have been removed.
>
> 865663 - http://www.dnsstuff.com/tools/ip4r.ch?ip=64.233.166.182
>          http://www.dnsstuff.com/tools/ptr.ch?ip=64.233.166.182
>
> 856734 - http://www.dnsstuff.com/tools/ip4r.ch?ip=64.249.82.200
>          http://www.dnsstuff.com/tools/ptr.ch?ip=64.249.82.200
>
> 873261 - http://www.dnsstuff.com/tools/ip4r.ch?ip=207.217.120.227
>          http://www.dnsstuff.com/tools/ptr.ch?ip=207.217.120.227
>
> I haven't yet processed the fps, only looked up the rules.
>
> There are currently 32820 rules authored by the F001 bot.
>
> Hope this helps,
>
> _M

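The failure mode described in Andrew's message above (bounces reaching a spamtrap carry the IP of a legitimate relay) can be screened for before any IP rule is derived from a trap hit. The following is an added example, not part of the thread and not Message Sniffer's or the F001 bot's code; the heuristics, function names, addresses and sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Local parts commonly used by mail systems for bounces (assumed list).
BOUNCE_LOCALPARTS = {"mailer-daemon", "postmaster"}

def is_bounce(raw: str) -> bool:
    """Heuristic test: is this raw message a bounce / delivery report?"""
    msg = message_from_string(raw)
    # 1. Null reverse-path: bounces are sent with MAIL FROM:<> (RFC 5321).
    if msg.get("Return-Path", "").strip() == "<>":
        return True
    # 2. RFC 3464 delivery status notification.
    report_type = str(msg.get_param("report-type") or "")
    if (msg.get_content_type() == "multipart/report"
            and report_type.lower() == "delivery-status"):
        return True
    # 3. Sender is a mail-system mailbox.
    address = parseaddr(msg.get("From", ""))[1]
    return address.split("@")[0].lower() in BOUNCE_LOCALPARTS

def rule_candidates(trap_hits):
    """Given (source_ip, raw_message) pairs from a spamtrap, return the IPs
    that remain eligible for an automated rule; bounce sources are skipped."""
    return sorted({ip for ip, raw in trap_hits if not is_bounce(raw)})

# Constructed sample trap hits (documentation IP ranges, made-up hosts).
SPAM = ("Return-Path: <offers@bulk.example>\n"
        "From: Offers <offers@bulk.example>\nSubject: Deal\n\nBuy now\n")
BOUNCE = ("Return-Path: <>\n"
          "From: Mail Delivery Subsystem <MAILER-DAEMON@isp.example>\n"
          "Subject: Undeliverable mail\n\nUser unknown.\n")
TRAP_HITS = [("203.0.113.9", SPAM), ("198.51.100.25", BOUNCE)]

if __name__ == "__main__":
    print(rule_candidates(TRAP_HITS))
```
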
Re[2]: [sniffer] New Rulebot F001
On Monday, March 6, 2006, 3:42:50 PM, Darin wrote:

DC> We just reviewed this morning's logs and had a few false positives. Not
DC> sure if these are due to the new rulebot, but it's more than we've had for
DC> the entire day for the past month.

DC> Rules
DC> --
DC> 873261
DC> 866398
DC> 856734
DC> 284831
DC> 865663

Three of these are from F001 and have been removed.

865663 - http://www.dnsstuff.com/tools/ip4r.ch?ip=64.233.166.182
         http://www.dnsstuff.com/tools/ptr.ch?ip=64.233.166.182

856734 - http://www.dnsstuff.com/tools/ip4r.ch?ip=64.249.82.200
         http://www.dnsstuff.com/tools/ptr.ch?ip=64.249.82.200

873261 - http://www.dnsstuff.com/tools/ip4r.ch?ip=207.217.120.227
         http://www.dnsstuff.com/tools/ptr.ch?ip=207.217.120.227

I haven't yet processed the fps, only looked up the rules.

There are currently 32820 rules authored by the F001 bot.

Hope this helps,

_M

Re[2]: [sniffer] New Rulebot F001
On Monday, March 6, 2006, 3:13:53 PM, Jay wrote:

JSHNL> There's been at least one FP ;)

JSHNL> --
JSHNL> Rule - 861038
JSHNL> Name F001 for Message 2888327: [216.239.56.131]
JSHNL> Created 2006-03-02
JSHNL> Source 216.239.56.131
JSHNL> Hidden false
JSHNL> Blocked false
JSHNL> Origin Automated-SpamTrap
JSHNL> Type ReceivedIP
JSHNL> Created By [EMAIL PROTECTED]
JSHNL> Owner [EMAIL PROTECTED]
JSHNL> Strength 2.08287379496965
JSHNL> False Reports 0

Yes, sorry about the confusion. The original announcement happened about 3 days before that FP. The note was a resend this afternoon so that Karen (Tink) could update the web site with recent news.

In fact, both of those notes were resends... The originals didn't make it because I transposed the s and n near the t in sortmonster.

Sorry again for the confusion.

_M