[MBF] Re: whitelist for sniffer

2015-09-25 Thread Carl Wagar
will try.

 

 

J. Carl Wagar

EntreNet Communications Inc
  www.entrenet.com
 www.thehostingservice.com 

24 Swain Ave, Ottawa, ON, K1G 4T1, Canada

Email:   jcwa...@entrenet.com, skype: jcwagar

Tel: +1 613-737-7327, Fax: +1 613-737-5801

Cel: +1 613-818-8898

 

From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com]
On Behalf Of Linda Pagillo
Sent: Friday, September 25, 2015 2:49 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: whitelist for sniffer

 

Yes. You should always send them an email with any FP. Thanks.

 

Linda Pagillo
Mail's Best Friend
Email:  
linda.pagi...@mailsbestfriend.com
Web:   www.mailsbestfriend.com
Office: 703.988.3606

 



 

From: community@mailsbestfriend.com 
[mailto:community@mailsbestfriend.com] On Behalf Of Carl Wagar
Sent: Friday, September 25, 2015 1:47 PM
To: community@mailsbestfriend.com  
Subject: [MBF] Re: whitelist for sniffer

 

this worked. if I did this SNFclient.exe -drop  do I also have to send them
an email as per your first message?

 

 

J. Carl Wagar

EntreNet Communications Inc
www.entrenet.com    www.thehostingservice.com
  

24 Swain Ave, Ottawa, ON, K1G 4T1, Canada

Email: jcwa...@entrenet.com  , skype: jcwagar

Tel: +1 613-737-7327, Fax: +1 613-737-5801

Cel: +1 613-818-8898

 

From: community@mailsbestfriend.com 
[mailto:community@mailsbestfriend.com] On Behalf Of Linda Pagillo
Sent: Friday, September 25, 2015 10:37 AM
To: community@mailsbestfriend.com  
Subject: [MBF] Re: whitelist for sniffer

 

Carl, I wanted to add to this. Since your IP is on your local Sniffer
truncate list, you will need to drop it from your list in order to clear
your IP off of the list. Here is an article which explains how to do that:
http://know.mailsbestfriend.com/how_to_drop_an_ip_from_the_gbudbtruncate_list--1143817730.shtml

 

 

Linda Pagillo
Mail's Best Friend
Email:  
linda.pagi...@mailsbestfriend.com
Web:   www.mailsbestfriend.com
Office: 703.988.3606

 



 

From: community@mailsbestfriend.com 
[mailto:community@mailsbestfriend.com] On Behalf Of Linda Pagillo
Sent: Friday, September 25, 2015 8:18 AM
To: community@mailsbestfriend.com  
Subject: [MBF] Re: whitelist for sniffer

 

Hi Carl. You should report all false-positives to Arm Research so they can
assess the issue. Also, if this is an urgent or critical situation, you can
add a panic rule to Sniffer to stop the problem immediately. The following
articles will explain how to perform both procedures:

http://know.mailsbestfriend.com/how_to_handle_urgent_message_sniffer_falsepositives-1858720502.shtml

http://know.mailsbestfriend.com/message_sniffer_falsepositive_handling_process--387103309.shtml

 

Linda Pagillo
Mail's Best Friend
Email:  
linda.pagi...@mailsbestfriend.com
Web:   www.mailsbestfriend.com
Office: 703.988.3606

 



 

From: community@mailsbestfriend.com 
[mailto:community@mailsbestfriend.com] On Behalf Of Carl Wagar
Sent: Friday, September 25, 2015 5:52 AM
To: community@mailsbestfriend.com  
Subject: [MBF] whitelist for sniffer

 

Is there a way to add to a whitelist specifically for SNIFFER?

A person with a mailbox named geo...@remaxottawa.com decided that a good
password would be georgeremax and was hacked. The hacker broadcast 3000 spams
on Sep.23.

I don't know how sniffer works but it seems now to dislike all 300 and is
doing SNIFFER and SNIFFER-TRUNCATE for users at remaxottawa even though other
blacklists don't seem to care.

I would like to delist it from sniffer.

 

Carl

 

 

 

 

J. Carl Wagar

EntreNet Communications Inc
www.entrenet.com    www.thehostingservice.com
  

24 Swain Ave, Ottawa, ON, K1G 4T1, Canada

Email: jcwa...@entrenet.com  , skype: jcwagar

Tel: +1 613-737-7327, Fax: +1 613-737-5801

Cel: +1 613-818-8898

 



[MBF] Re: whitelist for sniffer

2015-09-25 Thread Linda Pagillo
Yes. You should always send them an email with any FP. Thanks.

 

Linda Pagillo
Mail's Best Friend
Email:  
linda.pagi...@mailsbestfriend.com
Web:   www.mailsbestfriend.com
Office: 703.988.3606

 


 

From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com]
On Behalf Of Carl Wagar
Sent: Friday, September 25, 2015 1:47 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: whitelist for sniffer

 

this worked. if I did this SNFclient.exe -drop  do I also have to send them
an email as per your first message?

 

 

J. Carl Wagar

EntreNet Communications Inc
www.entrenet.com  www.thehostingservice.com 

24 Swain Ave, Ottawa, ON, K1G 4T1, Canada

Email: jcwa...@entrenet.com, skype: jcwagar

Tel: +1 613-737-7327, Fax: +1 613-737-5801

Cel: +1 613-818-8898

 

From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com]
On Behalf Of Linda Pagillo
Sent: Friday, September 25, 2015 10:37 AM
To: community@mailsbestfriend.com
Subject: [MBF] Re: whitelist for sniffer

 

Carl, I wanted to add to this. Since your IP is on your local Sniffer
truncate list, you will need to drop it from your list in order to clear
your IP off of the list. Here is an article which explains how to do that:
http://know.mailsbestfriend.com/how_to_drop_an_ip_from_the_gbudbtruncate_list--1143817730.shtml

 

 

Linda Pagillo
Mail's Best Friend
Email:  
linda.pagi...@mailsbestfriend.com
Web:   www.mailsbestfriend.com
Office: 703.988.3606

 


 

From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com]
On Behalf Of Linda Pagillo
Sent: Friday, September 25, 2015 8:18 AM
To: community@mailsbestfriend.com
Subject: [MBF] Re: whitelist for sniffer

 

Hi Carl. You should report all false-positives to Arm Research so they can
assess the issue. Also, if this is an urgent or critical situation, you can
add a panic rule to Sniffer to stop the problem immediately. The following
articles will explain how to perform both procedures:

http://know.mailsbestfriend.com/how_to_handle_urgent_message_sniffer_falsepositives-1858720502.shtml

http://know.mailsbestfriend.com/message_sniffer_falsepositive_handling_process--387103309.shtml

 

Linda Pagillo
Mail's Best Friend
Email:  
linda.pagi...@mailsbestfriend.com
Web:   www.mailsbestfriend.com
Office: 703.988.3606

 


 

From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com]
On Behalf Of Carl Wagar
Sent: Friday, September 25, 2015 5:52 AM
To: community@mailsbestfriend.com
Subject: [MBF] whitelist for sniffer

 

Is there a way to add to a whitelist specifically for SNIFFER?

A person with a mailbox named geo...@remaxottawa.com decided that a good
password would be georgeremax and was hacked. The hacker broadcast 3000 spams
on Sep.23.

I don't know how sniffer works but it seems now to dislike all 300 and is
doing SNIFFER and SNIFFER-TRUNCATE for users at remaxottawa even though other
blacklists don't seem to care.

I would like to delist it from sniffer.

 

Carl

 

 

 

 

J. Carl Wagar

EntreNet Communications Inc
www.entrenet.com  www.thehostingservice.com 

24 Swain Ave, Ottawa, ON, K1G 4T1, Canada

Email: jcwa...@entrenet.com, skype: jcwagar

Tel: +1 613-737-7327, Fax: +1 613-737-5801

Cel: +1 613-818-8898

 



[MBF] Re: whitelist for sniffer

2015-09-25 Thread Carl Wagar
this worked. if I did this SNFclient.exe -drop  do I also have to send them
an email as per your first message?

 

 

J. Carl Wagar

EntreNet Communications Inc
  www.entrenet.com
 www.thehostingservice.com 

24 Swain Ave, Ottawa, ON, K1G 4T1, Canada

Email:   jcwa...@entrenet.com, skype: jcwagar

Tel: +1 613-737-7327, Fax: +1 613-737-5801

Cel: +1 613-818-8898

 

From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com]
On Behalf Of Linda Pagillo
Sent: Friday, September 25, 2015 10:37 AM
To: community@mailsbestfriend.com
Subject: [MBF] Re: whitelist for sniffer

 

Carl, I wanted to add to this. Since your IP is on your local Sniffer
truncate list, you will need to drop it from your list in order to clear
your IP off of the list. Here is an article which explains how to do that:
http://know.mailsbestfriend.com/how_to_drop_an_ip_from_the_gbudbtruncate_list--1143817730.shtml

 

 

Linda Pagillo
Mail's Best Friend
Email:  
linda.pagi...@mailsbestfriend.com
Web:   www.mailsbestfriend.com
Office: 703.988.3606

 



 

From: community@mailsbestfriend.com 
[mailto:community@mailsbestfriend.com] On Behalf Of Linda Pagillo
Sent: Friday, September 25, 2015 8:18 AM
To: community@mailsbestfriend.com  
Subject: [MBF] Re: whitelist for sniffer

 

Hi Carl. You should report all false-positives to Arm Research so they can
assess the issue. Also, if this is an urgent or critical situation, you can
add a panic rule to Sniffer to stop the problem immediately. The following
articles will explain how to perform both procedures:

http://know.mailsbestfriend.com/how_to_handle_urgent_message_sniffer_falsepositives-1858720502.shtml

http://know.mailsbestfriend.com/message_sniffer_falsepositive_handling_process--387103309.shtml

 

Linda Pagillo
Mail's Best Friend
Email:  
linda.pagi...@mailsbestfriend.com
Web:   www.mailsbestfriend.com
Office: 703.988.3606

 



 

From: community@mailsbestfriend.com 
[mailto:community@mailsbestfriend.com] On Behalf Of Carl Wagar
Sent: Friday, September 25, 2015 5:52 AM
To: community@mailsbestfriend.com  
Subject: [MBF] whitelist for sniffer

 

Is there a way to add to a whitelist specifically for SNIFFER?

A person with a mailbox named geo...@remaxottawa.com decided that a good
password would be georgeremax and was hacked. The hacker broadcast 3000 spams
on Sep.23.

I don't know how sniffer works but it seems now to dislike all 300 and is
doing SNIFFER and SNIFFER-TRUNCATE for users at remaxottawa even though other
blacklists don't seem to care.

I would like to delist it from sniffer.

 

Carl

 

 

 

 

J. Carl Wagar

EntreNet Communications Inc
www.entrenet.com    www.thehostingservice.com
  

24 Swain Ave, Ottawa, ON, K1G 4T1, Canada

Email: jcwa...@entrenet.com  , skype: jcwagar

Tel: +1 613-737-7327, Fax: +1 613-737-5801

Cel: +1 613-818-8898

 



[MBF] Re: whitelist for sniffer

2015-09-25 Thread Carl Wagar
many thanks. will check it out

 

J. Carl Wagar

EntreNet Communications Inc
  www.entrenet.com
 www.thehostingservice.com 

24 Swain Ave, Ottawa, ON, K1G 4T1, Canada

Email:   jcwa...@entrenet.com, skype: jcwagar

Tel: +1 613-737-7327, Fax: +1 613-737-5801

Cel: +1 613-818-8898

 

From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com]
On Behalf Of Linda Pagillo
Sent: Friday, September 25, 2015 9:18 AM
To: community@mailsbestfriend.com
Subject: [MBF] Re: whitelist for sniffer

 

Hi Carl. You should report all false-positives to Arm Research so they can
assess the issue. Also, if this is an urgent or critical situation, you can
add a panic rule to Sniffer to stop the problem immediately. The following
articles will explain how to perform both procedures:

http://know.mailsbestfriend.com/how_to_handle_urgent_message_sniffer_falsepositives-1858720502.shtml

http://know.mailsbestfriend.com/message_sniffer_falsepositive_handling_process--387103309.shtml

 

Linda Pagillo
Mail's Best Friend
Email:  
linda.pagi...@mailsbestfriend.com
Web:   www.mailsbestfriend.com
Office: 703.988.3606

 



 

From: community@mailsbestfriend.com 
[mailto:community@mailsbestfriend.com] On Behalf Of Carl Wagar
Sent: Friday, September 25, 2015 5:52 AM
To: community@mailsbestfriend.com  
Subject: [MBF] whitelist for sniffer

 

Is there a way to add to a whitelist specifically for SNIFFER?

A person with a mailbox named geo...@remaxottawa.com decided that a good
password would be georgeremax and was hacked. The hacker broadcast 3000 spams
on Sep.23.

I don't know how sniffer works but it seems now to dislike all 300 and is
doing SNIFFER and SNIFFER-TRUNCATE for users at remaxottawa even though other
blacklists don't seem to care.

I would like to delist it from sniffer.

 

Carl

 

 

 

 

J. Carl Wagar

EntreNet Communications Inc
www.entrenet.com    www.thehostingservice.com
  

24 Swain Ave, Ottawa, ON, K1G 4T1, Canada

Email: jcwa...@entrenet.com  , skype: jcwagar

Tel: +1 613-737-7327, Fax: +1 613-737-5801

Cel: +1 613-818-8898

 



[MBF] Re: PRE-TESTED question

2015-09-25 Thread Tina Cline
Thanks - I will create a local.txt and test it out.

REVDNS    15  PCRE  (?i:\.in\.net$)
MAILFROM  15  PCRE  (?i:\.in\.net$)
HELO      15  PCRE  (?i:\.in\.net$)
BODY      10  PCRE  (?i:https?:\/\/([-A-Z0-9.])+\.in\.net[\/n\s])

Tina Cline 
270net Technologies 
IT Support Specialist
Phone: 301.663.6000 x200



-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On 
Behalf Of David Barker
Sent: Friday, September 25, 2015 10:39 AM
To: community@mailsbestfriend.com
Subject: [MBF] Re: PRE-TESTED question

Correction (?i:\.in.net$) should read (?i:\.in\.net$)

David Barker
Mail’s Best Friend
Email : david.bar...@mailsbestfriend.com
Web  : www.mailsbestfriend.com
Office: 866.919.2075



-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On 
Behalf Of David Barker
Sent: Friday, September 25, 2015 10:29 AM
To: community@mailsbestfriend.com
Subject: [MBF] Re: PRE-TESTED question

I assume you are seeing a lot of .in.net as spam. My suggestion would be to put 
it in a filter that is on your server as the PRE-TESTED affects everyone. If 
you have a LOCAL.txt filter use that if not create one. The entry/s would be:

REVDNS    15  PCRE  (?i:\.in.net$)
MAILFROM  15  PCRE  (?i:\.in.net$)
HELO      15  PCRE  (?i:\.in.net$)
BODY      10  PCRE  (?i:https?:\/\/([-A-Z0-9.])+\.in\.net[\/n\s])

David Barker
Mail’s Best Friend
Email : david.bar...@mailsbestfriend.com
Web  : www.mailsbestfriend.com
Office: 866.919.2075



-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On 
Behalf Of Tina Cline
Sent: Friday, September 25, 2015 9:56 AM
To: community@mailsbestfriend.com
Subject: [MBF] Re: PRE-TESTED question

In the PRE-TESTED file, are we able to include TLDs such as ".in.net"?  I don't 
want to put weight on .net domains, but I do on domains ending with ".in.net".

Tina Cline
270net Technologies
IT Support Specialist
Phone: 301.663.6000 x200


-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On 
Behalf Of David Barker
Sent: Wednesday, November 12, 2014 8:42 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: PRE-TESTED question

The sub-domain is a key identifier for pre-tested spam.  If this is a 
false positive I would suggest to whitelist the email.   I am surprised 
it only triggered this test. What date is your PRE-TESTED file?

David

On 11/12/2014 6:57 PM, Scott Jibben wrote:
> Hello,
>
> I've noticed that some mail is getting routed to junk mail using the 
> newer PRE-TESTED filter.
>
> MAILFROM 20 PCRE (?i:@([a-z0-9-_]{5,25}\.[a-z0-9]+(?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)
>
> From: "WhenToWork.com" 
>
> X-Declude-Fail: SPFPASS [-1], PRE-TESTED [20], WEIGHT5 [5], WEIGHT7 
> [7], WEIGHT10 [10], WEIGHT14 [14], WEIGHT15 [15]
>
> This is legitimate email.
>
> I'm not a RegEx expert.  Is it failing because the mail is coming in 
> from a sub-domain in the email address?  Is it failing because of the 
> uppercase letters in the from email address?  Some other reason?
>
> Thanks,
> Scott Jibben
>
>
>
> #
> This message is sent to you because you are subscribed to  the mailing 
> list .
> To unsubscribe, E-mail to: 
> To switch to the DIGEST mode, E-mail to 
> 
> To switch to the INDEX mode, E-mail to 
> 
> Send administrative queries to 
>

--
David Barker
Mail’s Best Friend
Email : david.bar...@mailsbestfriend.com
Web  :  www.mailsbestfriend.com
Office:  866.919.2075
Mobile  :  978.518.6461
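
The two regex questions in this thread (the `\.in.net$` correction, and why the PRE-TESTED MAILFROM rule fires on a sub-domain sender) can be checked offline with the sketch below. It is an added example, not part of the original posts or Declude's own code: the four-column line layout is taken from the lines as posted, Python's `re` stands in for PCRE, and every host name and address in the sample messages is constructed.

```python
import re

# Filter lines as posted in the thread, whitespace normalised to
# TEST  WEIGHT  PCRE  PATTERN (layout assumed from the posted lines).
DRAFT = r"""
REVDNS    15  PCRE  (?i:\.in.net$)
MAILFROM  15  PCRE  (?i:\.in.net$)
HELO      15  PCRE  (?i:\.in.net$)
BODY      10  PCRE  (?i:https?:\/\/([-A-Z0-9.])+\.in\.net[\/n\s])
"""

CORRECTED = r"""
REVDNS    15  PCRE  (?i:\.in\.net$)
MAILFROM  15  PCRE  (?i:\.in\.net$)
HELO      15  PCRE  (?i:\.in\.net$)
BODY      10  PCRE  (?i:https?:\/\/([-A-Z0-9.])+\.in\.net[\/n\s])
"""

# The PRE-TESTED rule quoted in the 2014 message.
PRE_TESTED = (r"MAILFROM 20 PCRE (?i:@([a-z0-9-_]{5,25}\.[a-z0-9]+"
              r"(?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)")


def parse_filter(text):
    """Return a list of (field, weight, compiled_regex), one per non-blank line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        field, weight, operator, pattern = line.split(None, 3)
        if operator != "PCRE":
            raise ValueError("unsupported operator: " + operator)
        rules.append((field, int(weight), re.compile(pattern)))
    return rules


def score(rules, message):
    """Sum the weights of every rule whose regex matches its message field."""
    return sum(weight for field, weight, rx in rules
               if rx.search(message.get(field, "")))


# Constructed sample messages (not taken from the thread).
IN_NET_SENDER = {
    "REVDNS": "mail.promo.in.net",
    "MAILFROM": "offers@promo.in.net",
    "HELO": "mail.promo.in.net",
    "BODY": "Click http://shop.promo.in.net/deal now",
}
LOOKALIKE_HELO = {
    "REVDNS": "mx1.example.org",
    "MAILFROM": "billing@example.org",
    "HELO": "gateway.in-net",   # "-" satisfies the unescaped "." in the draft
    "BODY": "Invoice attached.",
}


def compare():
    """Score both samples under the draft and the corrected filter."""
    draft, fixed = parse_filter(DRAFT), parse_filter(CORRECTED)
    return {
        "in_net": (score(draft, IN_NET_SENDER), score(fixed, IN_NET_SENDER)),
        "lookalike": (score(draft, LOOKALIKE_HELO), score(fixed, LOOKALIKE_HELO)),
    }


def pre_tested_hits():
    """Which constructed sender addresses trip the PRE-TESTED MAILFROM rule."""
    rules = parse_filter(PRE_TESTED)
    senders = [
        "Notify@Alerts.Example.COM",   # sub-domain, mixed case
        "notify@alerts.example.com",   # sub-domain, lower case
        "notify@example.com",          # no sub-domain
    ]
    return {s: score(rules, {"MAILFROM": s}) for s in senders}


if __name__ == "__main__":
    print(compare())
    print(pre_tested_hits())
```

Both sub-domain senders score 20 regardless of letter case because of the `(?i:` group, while the two-label domain scores 0, which matches the reply that the sub-domain is what the rule keys on.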



[MBF] Re: PRE-TESTED question

2015-09-25 Thread David Barker
Correction (?i:\.in.net$) should read (?i:\.in\.net$)

David Barker
Mail’s Best Friend
Email : david.bar...@mailsbestfriend.com
Web  : www.mailsbestfriend.com
Office: 866.919.2075



-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On 
Behalf Of David Barker
Sent: Friday, September 25, 2015 10:29 AM
To: community@mailsbestfriend.com
Subject: [MBF] Re: PRE-TESTED question

I assume you are seeing a lot of .in.net as spam. My suggestion would be to put 
it in a filter that is on your server as the PRE-TESTED affects everyone. If 
you have a LOCAL.txt filter use that if not create one. The entry/s would be:

REVDNS    15  PCRE  (?i:\.in.net$)
MAILFROM  15  PCRE  (?i:\.in.net$)
HELO      15  PCRE  (?i:\.in.net$)
BODY      10  PCRE  (?i:https?:\/\/([-A-Z0-9.])+\.in\.net[\/n\s])

David Barker
Mail’s Best Friend
Email : david.bar...@mailsbestfriend.com
Web  : www.mailsbestfriend.com
Office: 866.919.2075



-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On 
Behalf Of Tina Cline
Sent: Friday, September 25, 2015 9:56 AM
To: community@mailsbestfriend.com
Subject: [MBF] Re: PRE-TESTED question

In the PRE-TESTED file, are we able to include TLDs such as ".in.net"?  I don't 
want to put weight on .net domains, but I do on domains ending with ".in.net".

Tina Cline
270net Technologies
IT Support Specialist
Phone: 301.663.6000 x200


-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On 
Behalf Of David Barker
Sent: Wednesday, November 12, 2014 8:42 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: PRE-TESTED question

The sub-domain is a key identifier for pre-tested spam.  If this is a 
false positive I would suggest to whitelist the email.   I am surprised 
it only triggered this test. What date is your PRE-TESTED file?

David

On 11/12/2014 6:57 PM, Scott Jibben wrote:
> Hello,
>
> I've noticed that some mail is getting routed to junk mail using the 
> newer PRE-TESTED filter.
>
> MAILFROM 20 PCRE (?i:@([a-z0-9-_]{5,25}\.[a-z0-9]+(?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)
>
> From: "WhenToWork.com" 
>
> X-Declude-Fail: SPFPASS [-1], PRE-TESTED [20], WEIGHT5 [5], WEIGHT7 
> [7], WEIGHT10 [10], WEIGHT14 [14], WEIGHT15 [15]
>
> This is legitimate email.
>
> I'm not a RegEx expert.  Is it failing because the mail is coming in 
> from a sub-domain in the email address?  Is it failing because of the 
> uppercase letters in the from email address?  Some other reason?
>
> Thanks,
> Scott Jibben
>
>
>

--
David Barker
Mail’s Best Friend
Email : david.bar...@mailsbestfriend.com
Web  :  www.mailsbestfriend.com
Office:  866.919.2075
Mobile  :  978.518.6461





[MBF] Re: whitelist for sniffer

2015-09-25 Thread Linda Pagillo
Carl, I wanted to add to this. Since your IP is on your local Sniffer
truncate list, you will need to drop it from your list in order to clear
your IP off of the list. Here is an article which explains how to do that:
http://know.mailsbestfriend.com/how_to_drop_an_ip_from_the_gbudbtruncate_list--1143817730.shtml

 

 

Linda Pagillo
Mail's Best Friend
Email:  
linda.pagi...@mailsbestfriend.com
Web:   www.mailsbestfriend.com
Office: 703.988.3606

 


 

From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com]
On Behalf Of Linda Pagillo
Sent: Friday, September 25, 2015 8:18 AM
To: community@mailsbestfriend.com
Subject: [MBF] Re: whitelist for sniffer

 

Hi Carl. You should report all false-positives to Arm Research so they can
assess the issue. Also, if this is an urgent or critical situation, you can
add a panic rule to Sniffer to stop the problem immediately. The following
articles will explain how to perform both procedures:

http://know.mailsbestfriend.com/how_to_handle_urgent_message_sniffer_falsepositives-1858720502.shtml

http://know.mailsbestfriend.com/message_sniffer_falsepositive_handling_process--387103309.shtml

 

Linda Pagillo
Mail's Best Friend
Email:  
linda.pagi...@mailsbestfriend.com
Web:   www.mailsbestfriend.com
Office: 703.988.3606

 


 

From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com]
On Behalf Of Carl Wagar
Sent: Friday, September 25, 2015 5:52 AM
To: community@mailsbestfriend.com
Subject: [MBF] whitelist for sniffer

 

Is there a way to add to a whitelist specifically for SNIFFER?

A person with a mailbox named geo...@remaxottawa.com decided that a good
password would be georgeremax and was hacked. The hacker broadcast 3000 spams
on Sep.23.

I don't know how sniffer works but it seems now to dislike all 300 and is
doing SNIFFER and SNIFFER-TRUNCATE for users at remaxottawa even though other
blacklists don't seem to care.

I would like to delist it from sniffer.

 

Carl

 

 

 

 

J. Carl Wagar

EntreNet Communications Inc
www.entrenet.com  www.thehostingservice.com 

24 Swain Ave, Ottawa, ON, K1G 4T1, Canada

Email: jcwa...@entrenet.com, skype: jcwagar

Tel: +1 613-737-7327, Fax: +1 613-737-5801

Cel: +1 613-818-8898

 



[MBF] Re: PRE-TESTED question

2015-09-25 Thread David Barker
I assume you are seeing a lot of .in.net as spam. My suggestion would be to put 
it in a filter that is on your server as the PRE-TESTED affects everyone. If 
you have a LOCAL.txt filter use that if not create one. The entry/s would be:

REVDNS    15  PCRE  (?i:\.in.net$)
MAILFROM  15  PCRE  (?i:\.in.net$)
HELO      15  PCRE  (?i:\.in.net$)
BODY      10  PCRE  (?i:https?:\/\/([-A-Z0-9.])+\.in\.net[\/n\s])

David Barker
Mail’s Best Friend
Email : david.bar...@mailsbestfriend.com
Web  : www.mailsbestfriend.com
Office: 866.919.2075



-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On 
Behalf Of Tina Cline
Sent: Friday, September 25, 2015 9:56 AM
To: community@mailsbestfriend.com
Subject: [MBF] Re: PRE-TESTED question

In the PRE-TESTED file, are we able to include TLDs such as ".in.net"?  I don't 
want to put weight on .net domains, but I do on domains ending with ".in.net".

Tina Cline
270net Technologies
IT Support Specialist
Phone: 301.663.6000 x200


-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On 
Behalf Of David Barker
Sent: Wednesday, November 12, 2014 8:42 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: PRE-TESTED question

The sub-domain is a key identifier for pre-tested spam.  If this is a 
false positive I would suggest to whitelist the email.   I am surprised 
it only triggered this test. What date is your PRE-TESTED file?

David

On 11/12/2014 6:57 PM, Scott Jibben wrote:
> Hello,
>
> I've noticed that some mail is getting routed to junk mail using the 
> newer PRE-TESTED filter.
>
> MAILFROM 20 PCRE (?i:@([a-z0-9-_]{5,25}\.[a-z0-9]+(?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)
>
> From: "WhenToWork.com" 
>
> X-Declude-Fail: SPFPASS [-1], PRE-TESTED [20], WEIGHT5 [5], WEIGHT7 
> [7], WEIGHT10 [10], WEIGHT14 [14], WEIGHT15 [15]
>
> This is legitimate email.
>
> I'm not a RegEx expert.  Is it failing because the mail is coming in 
> from a sub-domain in the email address?  Is it failing because of the 
> uppercase letters in the from email address?  Some other reason?
>
> Thanks,
> Scott Jibben
>
>
>

--
David Barker
Mail’s Best Friend
Email : david.bar...@mailsbestfriend.com
Web  :  www.mailsbestfriend.com
Office:  866.919.2075
Mobile  :  978.518.6461





[MBF] Re: PRE-TESTED question

2015-09-25 Thread Tina Cline
In the PRE-TESTED file, are we able to include TLDs such as ".in.net"?  I don't 
want to put weight on .net domains, but I do on domains ending with ".in.net".

Tina Cline 
270net Technologies 
IT Support Specialist
Phone: 301.663.6000 x200


-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On 
Behalf Of David Barker
Sent: Wednesday, November 12, 2014 8:42 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: PRE-TESTED question

The sub-domain is a key identifier for pre-tested spam.  If this is a 
false positive I would suggest to whitelist the email.   I am surprised 
it only triggered this test. What date is your PRE-TESTED file?

David

On 11/12/2014 6:57 PM, Scott Jibben wrote:
> Hello,
>
> I've noticed that some mail is getting routed to junk mail using the 
> newer PRE-TESTED filter.
>
> MAILFROM 20 PCRE (?i:@([a-z0-9-_]{5,25}\.[a-z0-9]+(?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)
>
> From: "WhenToWork.com" 
>
> X-Declude-Fail: SPFPASS [-1], PRE-TESTED [20], WEIGHT5 [5], WEIGHT7 
> [7], WEIGHT10 [10], WEIGHT14 [14], WEIGHT15 [15]
>
> This is legitimate email.
>
> I'm not a RegEx expert.  Is it failing because the mail is coming in 
> from a sub-domain in the email address?  Is it failing because of the 
> uppercase letters in the from email address?  Some other reason?
>
> Thanks,
> Scott Jibben
>
>
>

--
David Barker
Mail’s Best Friend
Email : david.bar...@mailsbestfriend.com
Web  :  www.mailsbestfriend.com
Office:  866.919.2075
Mobile  :  978.518.6461





[MBF] Re: whitelist for sniffer

2015-09-25 Thread Linda Pagillo
Hi Carl. You should report all false-positives to Arm Research so they can
assess the issue. Also, if this is an urgent or critical situation, you can
add a panic rule to Sniffer to stop the problem immediately. The following
articles will explain how to perform both procedures:

http://know.mailsbestfriend.com/how_to_handle_urgent_message_sniffer_falsepositives-1858720502.shtml

http://know.mailsbestfriend.com/message_sniffer_falsepositive_handling_process--387103309.shtml

 

Linda Pagillo
Mail's Best Friend
Email:  
linda.pagi...@mailsbestfriend.com
Web:   www.mailsbestfriend.com
Office: 703.988.3606

 


 

From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com]
On Behalf Of Carl Wagar
Sent: Friday, September 25, 2015 5:52 AM
To: community@mailsbestfriend.com
Subject: [MBF] whitelist for sniffer

 

Is there a way to add to a whitelist specifically for SNIFFER?

A person with a mailbox named geo...@remaxottawa.com decided that a good
password would be georgeremax and was hacked. The hacker broadcast 3000 spams
on Sep.23.

I don't know how sniffer works but it seems now to dislike all 300 and is
doing SNIFFER and SNIFFER-TRUNCATE for users at remaxottawa even though other
blacklists don't seem to care.

I would like to delist it from sniffer.

 

Carl

 

 

 

 

J. Carl Wagar

EntreNet Communications Inc
www.entrenet.com  www.thehostingservice.com 

24 Swain Ave, Ottawa, ON, K1G 4T1, Canada

Email: jcwa...@entrenet.com, skype: jcwagar

Tel: +1 613-737-7327, Fax: +1 613-737-5801

Cel: +1 613-818-8898

 



[MBF] whitelist for sniffer

2015-09-25 Thread Carl Wagar
Is there a way to add to a whitelist specifically for SNIFFER?

A person with a mailbox named geo...@remaxottawa.com decided that a good
password would be georgeremax and was hacked. The hacker broadcast 3000 spams
on Sep.23.

I don't know how sniffer works but it seems now to dislike all 300 and is
doing SNIFFER and SNIFFER-TRUNCATE for users at remaxottawa even though other
blacklists don't seem to care.

I would like to delist it from sniffer.

 

Carl

 

 

 

 

J. Carl Wagar

EntreNet Communications Inc
www.entrenet.com    www.thehostingservice.com
  

24 Swain Ave, Ottawa, ON, K1G 4T1, Canada

Email: jcwa...@entrenet.com  , skype: jcwagar

Tel: +1 613-737-7327, Fax: +1 613-737-5801

Cel: +1 613-818-8898