RE: [Declude.JunkMail] Sniffer IP Reputation for "white" listing

2010-04-30 Thread Andy Schmidt
Hi Pete, 

Other question. 

The SNFIP tests return Caution or Black or Caution.
And the SNF client exit codes also have Truncate/Black.

But your documentation of the reputation system has a graph that shows that
there is yet another category: "WHITE".

I don't see this represented as an SNFIP or SNF rule? Any reason why "WHITE"
was left out?

The SNFIPREP test does offer the ability to define at what decimal value
(between -1 and +1, in .1 increments) a weight can be subtracted. But the
question is - is that SENSIBLE use of your reputation database? For example,
could -0.8 be a sensible threshold to give an email "credit" for coming from
a reputable IP source?

Or is it better to let the "good" reputation be considered AFTER the content
scan and then use the "combined" exit code?

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Pete
McNeil
Sent: Friday, April 30, 2010 7:07 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Sniffer IP vs. Sniffer IP Reputation vs.
Sniffer Truncate

On 4/30/2010 5:16 PM, Andy Schmidt wrote:
> Hi Pete,
>
> I'm looking over Declude's recommended Sniffer configuration and trying to
> understand how much overlap there is between these options:
>
> IPREPUTATION      SNFIPREP  x  0   10  -5
>
> SNFIPCAUTION      SNFIP     x  4   5   0
> SNFIPBLACK        SNFIP     x  5   10  0
> SNFIPTRUNCATE     SNFIP     x  6   10  0
>
> SNFTRUNCATE       SNF       x  20  10  0
> SNIFFER-IP-RULES  SNF       x  63  10  0
>
> Looking at the Sniffer documentation IP test result codes
> http://www.armresearch.com/support/articles/software/snfClient/resultCodes.jsp
> it seems that the SNFIP tests for "4", "5" and "6" (SNFIPCAUTION,
> SNFIPBLACK, SNFIPTRUNCATE) might coincide with 40, 63 and 20.
>

I am not intimately familiar with Declude's configuration and SNF 
integration --- not like I used to be anyway (so many platforms now).

I _think_ these tests work like this:

The SNFIPREP test gives you a variable weight based on the IP reputation 
in GBUdb. This allows you to get some weighting positively or negatively 
based on the reputation even when that reputation is not in one of the 
defined GBUdb envelopes. It's a subtle nudge in the right direction.

The SNFIP test gives you a hard result code based only on the IP 
reputation when that reputation is within one of the envelopes defined 
for GBUdb. So if the IP reputation is in the Caution, Black, or Truncate 
range then that test will fire.

Presumably all of the IP tests happen before SNF scans the message -- 
because they can -- I don't know that they do, but I know that IP 
reputations can be queried before and separately from a scan. (Scans 
MUST happen in order for GBUdb to build up reputation data however).

Finally the SNF test responds to the normal blended result codes that 
SNFClient would return.
So result code 20 is Truncate- meaning that the IP reputation was so bad 
that SNF stopped the scan and returned the result code.

Result code 63 is Black which could mean that an SNF IP rule fired (rare 
these days) or that no pattern matched but the IP was in the Black range 
in GBUdb so GBUdb took over and forced the result code from 0 (no 
pattern found) to 63 (Black).

Other result codes are also possible:

http://www.armresearch.com/support/articles/software/snfClient/resultCodes.jsp#msgScan

David -- if I got any of this wrong please correct me.
> However, Declude ALSO tests for your Rule Group Result Codes "20" and "63"
> which are documented here:
> http://www.armresearch.com/support/articles/software/snfServer/core.jsp
>
> 1. It seems to me, as if their SNFTRUNCATE is the same as their
> SNFIPTRUNCATE, and their SNIFFER-IP-RULES is the same as their SNFIPBLACK --
> effectively artificially inflating (doubling) the weights for these tests?
>

Yes -- if you have them configured that way. Some of the results are 
predictable.

If SNFIP is Black or Caution then you are virtually guaranteed to get a 
Black or Caution result from SNF -- Unless SNF matches a pattern in 
which case you will get a pattern result code from the SNF test.

If SNFIP is Truncate then SNF should also return Truncate.

The weights you assign to these should be set accordingly.

> 2. How do those Caution/Black/Truncate exit codes relate to SNFIPREP.
> There, any reputation > 0 (up to 1) is given an extra weight of 10. But
> doesn't SNFIPREP report from the same reputation data as the SNFIP (and
> possibly even group result codes 20 and 63)? In other words, are those IP
> addresses that generate a reputation factor of > 0 ALSO reported as
> Caution/Black or Truncate - if so, we'd now TRIPLE count that score.
>

That's not quite true...

I presume the SNFIPREP test uses a sliding numeric val

RE: [Declude.JunkMail] Sniffer IP vs. Sniffer IP Reputation vs. Sniffer Truncate

2010-04-30 Thread Andy Schmidt
Thanks Pete - that confirms what I feared.

Declude's own sample should NOT be used "as is" because it duplicates the IP
results (at minimum)

>> The SNFIPREP test gives you a variable weight based on the IP reputation 
in GBUdb. This allows you to get some weighting positively or negatively 
based on the reputation even when that reputation is not in one of the 
defined GBUdb envelopes. <<

Yes - according to Dave's explanation earlier today, Declude will get a
decimal number between -1 and +1. Their Sample/Default configuration treats
"0" as normal, treats anything negative as "GOOD" (and subtracts 5 points)
and anything positive as "BAD" (and adds 10 points).

So - even though Sniffer returns information on a very graduated scale,
Declude then returns 3 discrete numbers. In fact, 0 is only returned for 10%
of the range - 90% of the range returns either "-5" or "10".

>> I presume that even when SNFIP does return Caution, Black, or Truncate
that SNFIPREP continues to work and in that case will provide some shading
to those values... so, if you will, more or less Black, etc.<<

Based on Dave's explanation, "Caution", "Black" and "Truncate" would
certainly always return a value > 0. Consequently, "10" would ALWAYS be
added to the weight for those 3 reputations.

Their default example basically TRIPLES the "10" weight that is assigned in
many cases (once for SNFIP, once for SNFIPREP, and once for SNF).

Let's see if Dave chips in - but it certainly seems to me that Declude's
Sniffer sample/default config should NOT be used (because it doesn't do what
an "innocent" user might expect).  It's not at all clear that after all
their Sniffer rules, 30 would be added to the weight in several cases.




Re: [Declude.JunkMail] Sniffer IP vs. Sniffer IP Reputation vs. Sniffer Truncate

2010-04-30 Thread Pete McNeil

On 4/30/2010 5:16 PM, Andy Schmidt wrote:

> Hi Pete,
>
> I'm looking over Declude's recommended Sniffer configuration and trying to
> understand how much overlap there is between these options:
>
> IPREPUTATION      SNFIPREP  x  0   10  -5
>
> SNFIPCAUTION      SNFIP     x  4   5   0
> SNFIPBLACK        SNFIP     x  5   10  0
> SNFIPTRUNCATE     SNFIP     x  6   10  0
>
> SNFTRUNCATE       SNF       x  20  10  0
> SNIFFER-IP-RULES  SNF       x  63  10  0
>
> Looking at the Sniffer documentation IP test result codes
> http://www.armresearch.com/support/articles/software/snfClient/resultCodes.jsp
> it seems that the SNFIP tests for "4", "5" and "6" (SNFIPCAUTION,
> SNFIPBLACK, SNFIPTRUNCATE) might coincide with 40, 63 and 20.
   


I am not intimately familiar with Declude's configuration and SNF 
integration --- not like I used to be anyway (so many platforms now).


I _think_ these tests work like this:

The SNFIPREP test gives you a variable weight based on the IP reputation 
in GBUdb. This allows you to get some weighting positively or negatively 
based on the reputation even when that reputation is not in one of the 
defined GBUdb envelopes. It's a subtle nudge in the right direction.


The SNFIP test gives you a hard result code based only on the IP 
reputation when that reputation is within one of the envelopes defined 
for GBUdb. So if the IP reputation is in the Caution, Black, or Truncate 
range then that test will fire.


Presumably all of the IP tests happen before SNF scans the message -- 
because they can -- I don't know that they do, but I know that IP 
reputations can be queried before and separately from a scan. (Scans 
MUST happen in order for GBUdb to build up reputation data however).


Finally the SNF test responds to the normal blended result codes that 
SNFClient would return.
So result code 20 is Truncate- meaning that the IP reputation was so bad 
that SNF stopped the scan and returned the result code.


Result code 63 is Black which could mean that an SNF IP rule fired (rare 
these days) or that no pattern matched but the IP was in the Black range 
in GBUdb so GBUdb took over and forced the result code from 0 (no 
pattern found) to 63 (Black).


Other result codes are also possible:

http://www.armresearch.com/support/articles/software/snfClient/resultCodes.jsp#msgScan

David -- if I got any of this wrong please correct me.

> However, Declude ALSO tests for your Rule Group Result Codes "20" and "63"
> which are documented here:
> http://www.armresearch.com/support/articles/software/snfServer/core.jsp
>
> 1. It seems to me, as if their SNFTRUNCATE is the same as their
> SNFIPTRUNCATE, and their SNIFFER-IP-RULES is the same as their SNFIPBLACK --
> effectively artificially inflating (doubling) the weights for these tests?
   


Yes -- if you have them configured that way. Some of the results are 
predictable.


If SNFIP is Black or Caution then you are virtually guaranteed to get a 
Black or Caution result from SNF -- Unless SNF matches a pattern in 
which case you will get a pattern result code from the SNF test.


If SNFIP is Truncate then SNF should also return Truncate.

The weights you assign to these should be set accordingly.


> 2. How do those Caution/Black/Truncate exit codes relate to SNFIPREP.
> There, any reputation > 0 (up to 1) is given an extra weight of 10. But
> doesn't SNFIPREP report from the same reputation data as the SNFIP (and
> possibly even group result codes 20 and 63)? In other words, are those IP
> addresses that generate a reputation factor of > 0 ALSO reported as
> Caution/Black or Truncate - if so, we'd now TRIPLE count that score.
   


That's not quite true...

I presume the SNFIPREP test uses a sliding numeric value that combines 
the probability factor and the confidence factor for the IP. This is not 
the same thing as Caution, Black, and Truncate.


The SNFIPREP result is a sliding value that will work even when the 
reputation is not in the (White) Caution, Black, and Truncate ranges. 
When an IP's reputation is in one of those ranges then the appropriate 
result from SNFIP will either be returned or not (On or Off).


Now-- I presume that even when SNFIP does return Caution, Black, or 
Truncate that SNFIPREP continues to work and in that case will provide 
some shading to those values... so, if you will, more or less Black, etc.


I don't think that I would necessarily use all of these together -- 
though it is possible to do so. It seems to me that it might become very 
complicated since there is some overlap.


That said -- I do think that some of these tests can be combined 
successfully without too much confusion... it's just a matter of knowing 
how they interact. Hopefully my description is helpful (and my 
assumptions are correct).


Best,

_M

--
President
MicroNeil Research Corporation

RE: [Declude.JunkMail] Sniffer Integration -> Multiple Exit Codes

2010-04-30 Thread Andy Schmidt
Hi Dave,

 

>> Also even though there are multiple entries the test only runs once and
the resulted exit code is the triggered. <<

I know that all 18 "SNF" rule lines only require one invocation of Sniffer -
which are then evaluated 18 different ways. Fair enough.

I also know that the 3 "SNFIP" rule lines are only one invocation - which is
evaluated 3 different ways.

And then there is the "SNFIPREP" rule.

 

So I need to clarify this in my head. Will all 22 "SNF." rules (even though
they are using 3 different commands) evaluate ONE invocation of Sniffer
(just different return fields) or is EACH of these 3 command groups (SNF,
SNFIP, SNFIPREP) a separate entity that requires additional overhead?

Since there is some possible overhead between:

SNFIPREP (which evaluates the GBUdb) and SNFIP (which also evaluates the
GBUdb) and SNF-IP-RULES and SNFTRUNCATE (which also evaluate the GBUdb) -
and I'm wondering if eliminating the SNFIP and SNFIPREP and just sticking
with the SNF rules (which already has exit codes 20 and 63) will reduce the
Sniffer overhead by 2/3?

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Friday, April 30, 2010 11:14 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration -> Global Exit Code
"nonzero"?

 

The test works as an internal test and not as an external test. The main
difference being the location of the exit code. See external is the 1st
variable whereas the internal it is the 2nd variable and the NONZERO does
not work for that.

 

SNIFFER         external  nonzero  "C:\Smartermail\Declude\Sniffer\xxx.exe xxxabc123"  12  0

SNIFFER-TRAVEL  SNF       x        47  12  0

 

Also even though there are multiple entries the test only runs once and the
resulted exit code is the triggered.

David

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Friday, April 30, 2010 10:31 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration -> Global Exit Code
"nonzero"?

 

Hi Dave,

 

Thanks for taking the time to explain it. I see that the sample on your web
site has already been corrected to read "IPREPUTATION SNFIPREP" and I
was simply working off an earlier copy.

 

For the "SNF" test type, is there a way to have a "global" match (e.g.,
NONZERO), instead of having to specify each of the 18 (current) return codes
one at a time? The external Sniffer simply allows me to code:

SNIFFER  external  nonzero  "D:\IMAIL\Declude\SNF\SNFClient.exe"  10  0

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Friday, April 30, 2010 10:05 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration

 

SNFIPBLACK  SNFIP   the 2nd variable value is 5 = Block and works as
an exit code.

 

IPREPUTATION works differently.

 

Note: IPREPUTATION SNFIP  please update this to IPREPUTATION SNFIPREP
x   0   10  -5 this should be the default.

SNFIPREP  represents a scale of   -1 - 0 - 1  when the 2nd variable
(BASEPOINT) is set to 0 this will convert the IP reputation to this scale as
the examples below:

 

If final score is 0 no score is added to the email

dec0430.log  1842   04/30/2010 00:01:20.700 49319588 SNFIPRep the Value of Result = 0.00

If final score is + the 3rd variable score is used in this case 10

dec0430.log  7351   04/30/2010 00:07:14.043 49319625 SNFIPRep the Value of Result = 0.267262

If final score is - the 4th variable score is used in this case -5

dec0430.log  11926  04/30/2010 00:08:50.340 49319647 SNFIPRep the Value of Result = -0.267262

 

The BASEPOINT is the point value at which an email will be considered "Good"
if the result is to the left or "Bad" if to the right.

 

(SNIFFER RETURN) x 10 - (BASEPOINT) = Result

 

Example:

 

0.267262  x 10 - 0 = 2 This is positive then the test is triggered for 10
points.

0.267262  x 10 - 1 = 1 This is positive then the test is triggered for 10
points.

0.267262  x 10 - 2 = 0 Not Triggered.

0.267262  x 10 - 3 = -1 This is negative then the test is not-triggered for
-5 points.

0.267262  x 10 - 4 = -2 This is negative then the test is not-triggered for
-5 points.

 

-0.267262  x 10 - 0 = -2 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 1 = -1 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 2 = 0 Not Triggered.

-0.267262  x 10 - 3 = -1 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 4 = -2 This is negative then the test is not-triggered for
-5 points.

 

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
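
[Added example, not part of the thread and not Declude or SNF code.] The sketch below models the sample test lines discussed in these messages to show how the SNFIPREP, SNFIP and SNF weights stack for a single sending IP. The firing rules, the truncation toward zero before subtracting the BASEPOINT (which matches the positive-reputation rows above), and the scenario values are assumptions.

```python
# Added example: a model of the Declude test lines quoted in this thread.
# Not Declude or SNF code; firing rules are assumptions taken from the messages.
from dataclasses import dataclass

# Sample lines as posted: name, type, (unused), value, weight A, weight B.
# SNFIP / SNF: value is the exit code to match, A = weight on a match, B = otherwise.
# SNFIPREP:    value is the BASEPOINT, A = weight for a positive result, B = negative.
SAMPLE_CONFIG = """
IPREPUTATION      SNFIPREP  x  0   10  -5
SNFIPCAUTION      SNFIP     x  4   5   0
SNFIPBLACK        SNFIP     x  5   10  0
SNFIPTRUNCATE     SNFIP     x  6   10  0
SNFTRUNCATE       SNF       x  20  10  0
SNIFFER-IP-RULES  SNF       x  63  10  0
"""


@dataclass(frozen=True)
class RuleLine:
    name: str
    kind: str
    value: int
    weight_a: int
    weight_b: int


def parse_config(text):
    """Parse whitespace-separated six-field test lines; skip anything else."""
    rules = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) != 6:
            continue
        name, kind, _, value, a, b = parts
        rules.append(RuleLine(name, kind.upper(), int(value), int(a), int(b)))
    return rules


def snfiprep_result(reputation, basepoint):
    """(SNIFFER RETURN) x 10 - (BASEPOINT), truncating toward zero first (assumed)."""
    return int(reputation * 10) - basepoint


def score(config, snfip_code, snf_code, reputation):
    """Return ({test name: weight}, total) for one message."""
    fired = {}
    for rule in config:
        if rule.kind == "SNFIPREP":
            result = snfiprep_result(reputation, rule.value)
            weight = rule.weight_a if result > 0 else rule.weight_b if result < 0 else 0
        elif rule.kind == "SNFIP":
            weight = rule.weight_a if snfip_code == rule.value else rule.weight_b
        elif rule.kind == "SNF":
            weight = rule.weight_a if snf_code == rule.value else rule.weight_b
        else:
            continue
        if weight:
            fired[rule.name] = weight
    return fired, sum(fired.values())


CONFIG = parse_config(SAMPLE_CONFIG)

# Constructed scenarios: (label, SNFIP code, SNF code, GBUdb reputation value).
SCENARIOS = [
    ("truncate IP", 6, 20, 0.9),
    ("black IP, no pattern match", 5, 63, 0.6),
    ("caution IP", 4, 40, 0.3),
    ("neutral IP", 0, 0, 0.05),
    ("good IP", 0, 0, -0.5),
]


def report(config):
    """Total weight and fired tests for every constructed scenario."""
    rows = []
    for label, ip_code, snf_code, rep in SCENARIOS:
        fired, total = score(config, ip_code, snf_code, rep)
        rows.append((label, total, sorted(fired)))
    return rows


if __name__ == "__main__":
    print("sample config as posted:")
    for label, total, fired in report(CONFIG):
        print(f"  {label:28} total={total:>3}  {', '.join(fired) or '-'}")
    # Keeping only the SNF lines counts the IP reputation once instead of three times.
    snf_only = [r for r in CONFIG if r.kind == "SNF"]
    print("SNF lines only:")
    for label, total, fired in report(snf_only):
        print(f"  {label:28} total={total:>3}  {', '.join(fired) or '-'}")
```
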
 

RE: [Declude.JunkMail] Sniffer IP vs. Sniffer IP Reputation vs. Sniffer Truncate

2010-04-30 Thread Andy Schmidt
Hi Pete,

I'm looking over Declude's recommended Sniffer configuration and trying to
understand how much overlap there is between these options:

IPREPUTATION      SNFIPREP  x  0   10  -5

SNFIPCAUTION      SNFIP     x  4   5   0
SNFIPBLACK        SNFIP     x  5   10  0
SNFIPTRUNCATE     SNFIP     x  6   10  0

SNFTRUNCATE       SNF       x  20  10  0
SNIFFER-IP-RULES  SNF       x  63  10  0

Looking at the Sniffer documentation IP test result codes
http://www.armresearch.com/support/articles/software/snfClient/resultCodes.jsp
it seems that the SNFIP tests for "4", "5" and "6" (SNFIPCAUTION,
SNFIPBLACK, SNFIPTRUNCATE) might coincide with 40, 63 and 20.

However, Declude ALSO tests for your Rule Group Result Codes "20" and "63"
which are documented here:
http://www.armresearch.com/support/articles/software/snfServer/core.jsp

1. It seems to me, as if their SNFTRUNCATE is the same as their
SNFIPTRUNCATE, and their SNIFFER-IP-RULES is the same as their SNFIPBLACK --
effectively artificially inflating (doubling) the weights for these tests?

2. How do those Caution/Black/Truncate exit codes relate to SNFIPREP.
There, any reputation > 0 (up to 1) is given an extra weight of 10. But
doesn't SNFIPREP report from the same reputation data as the SNFIP (and
possibly even group result codes 20 and 63)? In other words, are those IP
addresses that generate a reputation factor of > 0 ALSO reported as
Caution/Black or Truncate - if so, we'd now TRIPLE count that score.

Best Regards,
Andy




---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.



Re: [Declude.JunkMail] We have opened up truncate.gbudb.net

2010-04-30 Thread Pete McNeil

On 4/30/2010 2:10 PM, Colbeck, Andrew wrote:



Pete>  Odd that nobody complained about it before.

I hadn't implemented it yet... And I'm a complainer.


Andrew ;)
   


You go right on complaining!
How else are we going to make things perfect?!

Thanks for the M2B (Minimum Two Brains) !

_M






Re: [Declude.JunkMail] We have opened up truncate.gbudb.net

2010-04-30 Thread John Doyle
While we're at it what is the difference between the two results below

 

SNIFIP4R=WARN[5]

 

SNIFIP4R=IGNORE[5]

 

Thanks 

John

 





RE: [Declude.JunkMail] We have opened up truncate.gbudb.net

2010-04-30 Thread Colbeck, Andrew
Matt> There aren't that many RFC hawks around here these days :)

... The wikipedia entry points to an early work, this draft:

http://tools.ietf.org/html/draft-irtf-asrg-dnsbl-08


Pete> Odd that nobody complained about it before.

I hadn't implemented it yet... And I'm a complainer.


Andrew ;)
 

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Matt
Sent: Friday, April 30, 2010 11:02 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] We have opened up truncate.gbudb.net


There aren't that many RFC hawks around here these days :)

Matt



On 4/30/2010 1:48 PM, Pete McNeil wrote:
> So it is by convention that the result code would be 127.0.0.2 -- not 
> a rule.
> I have no problem with this... I will make the change... better to do 
> it now than later.
> Odd that nobody complained about it before.
>
> I will post another note when the change is made.






RE: [Declude.JunkMail] We have opened up truncate.gbudb.net

2010-04-30 Thread Colbeck, Andrew
I'm replying here so as not to clutter the announcement thread.
 
The rationale for not using 127.0.0.1 is that the DNSBL is reflexive,
and 127.0.0.1 is conventionally resolved as "localhost" and querying for
"localhost" in a DNSBL is wrong, wrong, wrong.
 
Expanding on that, the 127.0.0/8 network for the results is used because
it is non-routable.
 
Also, the test point should exist (and it does!)
 
dig @8.8.8.8 2.0.0.127.truncate.gbudb.net.
 
Which provides a neat example of my first point. The test point couldn't
be 127.0.0.1 because it would be wrong to query a DNSBL for your own
localhost address.
 
 
Andrew 8)



From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Pete
McNeil
Sent: Friday, April 30, 2010 10:48 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] We have opened up truncate.gbudb.net


On 4/30/2010 1:17 PM, Andy Schmidt wrote: 

It is - and I agree with you!



From: supp...@declude.com [mailto:supp...@declude.com] On Behalf
Of Matt
Sent: Friday, April 30, 2010 12:53 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] We have opened up
truncate.gbudb.net



Is the result code really 127.0.0.1?  That is totally
non-standard.  It should be 127.0.0.2 or higher.



Per RFC5782 I see:


The A record contents conventionally have the value 127.0.0.2, but MAY
have other values as described below in...

So it is by convention that the result code would be 127.0.0.2 -- not a
rule.
I have no problem with this... I will make the change... better to do it
now than later.
Odd that nobody complained about it before.

I will post another note when the change is made.

_M






Re: [Declude.JunkMail] We have opened up truncate.gbudb.net

2010-04-30 Thread Matt

There aren't that many RFC hawks around here these days :)

Matt



On 4/30/2010 1:48 PM, Pete McNeil wrote:
So it is by convention that the result code would be 127.0.0.2 -- not 
a rule.
I have no problem with this... I will make the change... better to do 
it now than later.

Odd that nobody complained about it before.

I will post another note when the change is made.







[Declude.JunkMail] Changing result code for truncate.gbudb.net to 127.0.0.2 effective immediately.

2010-04-30 Thread Pete McNeil

Hello Declude Folks,

RFC 5782 states:

"IPv4-based DNSxLs MUST NOT contain an entry for 127.0.0.1."

and also states:

"The A record contents conventionally have the  value 127.0.0.2"

So we will be changing the result code for truncate.gbudb.net to 
127.0.0.2 effective immediately.


Thanks!

_M

--
President
MicroNeil Research Corporation
www.microneil.com
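
[Added example, not part of the announcement and not MicroNeil or Declude code.] The sketch below builds the reversed-octet ip4r query name, checks the two RFC 5782 test points mentioned in this thread, and shows why a test line that expects 127.0.0.1 stops matching once the list answers 127.0.0.2. The resolver data and the sender address 192.0.2.10 are constructed; pass system_resolver instead to query live DNS.

```python
# Added example: ip4r (DNSBL) lookups against a zone such as truncate.gbudb.net.
# Zone contents below are constructed sample data, not real list data.
import ipaddress
import socket

LOOPBACK_NET = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the zone, e.g. 2.0.0.127.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".") + "."


def system_resolver(name):
    """A records for name via the local resolver; [] when the name does not exist."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def dnsbl_answers(ip, zone, resolve):
    """Result codes for ip; only answers inside 127.0.0.0/8 count as listings."""
    answers = resolve(dnsbl_query_name(ip, zone))
    return [a for a in answers if ipaddress.IPv4Address(a) in LOOPBACK_NET]


def rule_hits(ip, zone, expected, resolve):
    """True when a test line configured for result code `expected` would fire."""
    return expected in dnsbl_answers(ip, zone, resolve)


def check_test_points(zone, resolve):
    """RFC 5782 test points: 127.0.0.1 must not be listed, 127.0.0.2 should be."""
    problems = []
    if dnsbl_answers("127.0.0.1", zone, resolve):
        problems.append("127.0.0.1 is listed")
    if not dnsbl_answers("127.0.0.2", zone, resolve):
        problems.append("127.0.0.2 test point is missing")
    return problems


def fake_resolver(records):
    """Offline resolver over a dict of {query name: [A records]}."""
    return lambda name: records.get(name, [])


ZONE = "truncate.gbudb.net"
SENDER = "192.0.2.10"  # constructed address from the documentation range

# Constructed zone data: the list answering 127.0.0.1 (before the change) ...
BEFORE_CHANGE = fake_resolver({
    dnsbl_query_name(SENDER, ZONE): ["127.0.0.1"],
})
# ... and answering 127.0.0.2, with the test point present (after the change).
AFTER_CHANGE = fake_resolver({
    dnsbl_query_name(SENDER, ZONE): ["127.0.0.2"],
    dnsbl_query_name("127.0.0.2", ZONE): ["127.0.0.2"],
})

if __name__ == "__main__":
    print("query name:", dnsbl_query_name("127.0.0.2", ZONE))
    print("test point problems after change:", check_test_points(ZONE, AFTER_CHANGE))
    for expected in ("127.0.0.1", "127.0.0.2"):
        print(f"line expecting {expected}:",
              "before =", rule_hits(SENDER, ZONE, expected, BEFORE_CHANGE),
              "after =", rule_hits(SENDER, ZONE, expected, AFTER_CHANGE))
```
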






Re: [Declude.JunkMail] We have opened up truncate.gbudb.net

2010-04-30 Thread Pete McNeil




On 4/30/2010 1:17 PM, Andy Schmidt wrote:

> It is – and I agree with you!
>
> From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Matt
> Sent: Friday, April 30, 2010 12:53 PM
> To: declude.junkmail@declude.com
> Subject: Re: [Declude.JunkMail] We have opened up truncate.gbudb.net
>
> Is the result code really 127.0.0.1?  That is totally
> non-standard.  It should be 127.0.0.2 or higher.
  
  


Per RFC5782 I see:

The A record contents conventionally have the value 127.0.0.2, but MAY have other values as described below in...


So it is by convention that the result code would be 127.0.0.2 -- not a
rule.
I have no problem with this... I will make the change... better to do
it now than later.
Odd that nobody complained about it before.

I will post another note when the change is made.

_M









Re: [Declude.JunkMail] We have opened up truncate.gbudb.net

2010-04-30 Thread Pete McNeil




I wasn't aware 127.0.0.1 would cause trouble (does it?)
It's easy enough to change, but everyone will need to know about the
change and will need to change their setup.
Please point me to "the standard" so I can understand where the problem
is.

Thanks!

_M


On 4/30/2010 1:17 PM, Andy Schmidt wrote:

> It is – and I agree with you!
>
> From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Matt
> Sent: Friday, April 30, 2010 12:53 PM
> To: declude.junkmail@declude.com
> Subject: Re: [Declude.JunkMail] We have opened up truncate.gbudb.net
>
> Is the result code really 127.0.0.1?  That is totally
> non-standard.  It should be 127.0.0.2 or higher.
  
  








Re: [Declude.JunkMail] We have opened up truncate.gbudb.net

2010-04-30 Thread Matt

Pete,

Now would be the best time to change this one as there are clearly only 
a handful using it.  I'm not sure that I am aware of any other 
blacklist, and certainly no blacklist that I use, which employs the 
127.0.0.1 result code.  I'm not 100% sure of the reason for stepping up 
to 127.0.0.2, but I'm sure it has something to do with localhost, and 
maybe there would be compatibility issues somewhere.


Matt




On 4/30/2010 1:17 PM, Andy Schmidt wrote:


It is -- and I agree with you!

*From:* supp...@declude.com [mailto:supp...@declude.com] *On Behalf Of 
*Matt

*Sent:* Friday, April 30, 2010 12:53 PM
*To:* declude.junkmail@declude.com
*Subject:* Re: [Declude.JunkMail] We have opened up truncate.gbudb.net

Is the result code really 127.0.0.1?  That is totally non-standard.  
It should be 127.0.0.2 or higher.


Matt


On 4/30/2010 11:31 AM, Nick Hayer wrote:

you can test the bl directly with nslookup, to see what Declude is 
doing turn on debug log level.


*MadRiverAccess.com**|**Skywaves.com Tech Support*
US/Canada 877-873-6482 or International +1-802-229-6574
Emergency Support 24/7: supp...@skywaves.net 


General and Non-Emergency support ticket:
https://www.skywaves.com/content/secure/support_ticket.htm



*From*: "Michael Cummins"  


*Sent*: Friday, April 30, 2010 11:20 AM
*To*: declude.junkmail@declude.com 
*Subject*: RE: [Declude.JunkMail] We have opened up truncate.gbudb.net

That's odd.  This is what I already configured it for on my first guess:

TRUNCATE-GBUDB  IP4Rtruncate.gbudb.net
127.0.0.120


But I haven't gotten any hits yet.

Is there any way to test this from a command prompt, like you can with 
the invaluement RBLs and nslookup?


- Michael Cummins

*From:* supp...@declude.com  
[mailto:supp...@declude.com] *On Behalf Of *Nick Hayer

*Sent:* Friday, April 30, 2010 11:00 AM
*To:* declude.junkmail@declude.com 
*Subject:* RE: [Declude.JunkMail] We have opened up truncate.gbudb.net

here ya go

IP4R.GBUBD   ip4r   truncate.gbudb.net   127.0.0.1   9   0

Above scores a 9 on a hit..

-Nick

*MadRiverAccess.com**|**Skywaves.com Tech Support*
US/Canada 877-873-6482 or International +1-802-229-6574
Emergency Support 24/7: supp...@skywaves.net 


General and Non-Emergency support ticket:
https://www.skywaves.com/content/secure/support_ticket.htm



*From*: "Michael Cummins"  


*Sent*: Friday, April 30, 2010 9:36 AM
*To*: declude.junkmail@declude.com 
*Subject*: RE: [Declude.JunkMail] We have opened up truncate.gbudb.net


I don't think I set it up properly as an ip4r test in Declude.

What would the line look like, if written properly?

Thanks for your time and effort.

-- Michael Cummins



-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Pete McNeil
Sent: Thursday, April 29, 2010 5:06 PM
To: declude.junkmail@declude.com 
Subject: [Declude.JunkMail] We have opened up truncate.gbudb.net

Hi Declude folks,

We have been testing a blacklist based on real-time GBUdb data
(generated from Message Sniffer).

We have decided to experiment with opening up the blacklist for a wider
audience and so as of now you can use truncate.gbudb.net as an ip4r test.

You should get a result of 127.0.0.1 if the IP is well into the truncate
range -- That is: truncate.gbudb.net is designed to be
ultra-conservative so that it should be safe to reject connections based
on the test in most cases. This also means that it won't block
everything -- only the worst of the worst. That said, the folks who have
been testing it have reported that it did drop a significant amount of
traffic from their systems on average.

Please keep us all posted about how it's working for you.

Thanks,

_M



---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.





RE: [Declude.JunkMail] We have opened up truncate.gbudb.net

2010-04-30 Thread Andy Schmidt
It is - and I agree with you!

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Matt
Sent: Friday, April 30, 2010 12:53 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] We have opened up truncate.gbudb.net

 

Is the result code really 127.0.0.1?  That is totally non-standard.  It
should be 127.0.0.2 or higher.

Matt


On 4/30/2010 11:31 AM, Nick Hayer wrote: 

you can test the bl directly with nslookup, to see what Declude is doing
turn on debug log level.

MadRiverAccess.com|Skywaves.com Tech Support 
US/Canada 877-873-6482 or International +1-802-229-6574 
Emergency Support 24/7: supp...@skywaves.net 
General and Non-Emergency support ticket: 
https://www.skywaves.com/content/secure/support_ticket.htm

 


From: "Michael Cummins"  

Sent: Friday, April 30, 2010 11:20 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] We have opened up truncate.gbudb.net

That's odd.  This is what I already configured it for on my first guess:

 

TRUNCATE-GBUDB  IP4Rtruncate.gbudb.net
127.0.0.120

 

But I haven't gotten any hits yet.

 

Is there any way to test this from a command prompt, like you can with the
invaluement RBLs and nslookup?

 

- Michael Cummins

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Nick
Hayer
Sent: Friday, April 30, 2010 11:00 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] We have opened up truncate.gbudb.net

 

here ya go

IP4R.GBUBD   ip4r   truncate.gbudb.net   127.0.0.1   9   0

Above scores a 9 on a hit..

-Nick

MadRiverAccess.com|Skywaves.com Tech Support 
US/Canada 877-873-6482 or International +1-802-229-6574 
Emergency Support 24/7: supp...@skywaves.net 
General and Non-Emergency support ticket: 
https://www.skywaves.com/content/secure/support_ticket.htm

 


From: "Michael Cummins"  

Sent: Friday, April 30, 2010 9:36 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] We have opened up truncate.gbudb.net


I don't think I set it up properly as an ip4r test in Declude.

What would the line look like, if written properly?

Thanks for your time and effort.

-- Michael Cummins



-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Pete
McNeil
Sent: Thursday, April 29, 2010 5:06 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] We have opened up truncate.gbudb.net

Hi Declude folks,

We have been testing a blacklist based on real-time GBUdb data 
(generated from Message Sniffer).

We have decided to experiment with opening up the blacklist for a wider 
audience and so as of now you can use truncate.gbudb.net as an ip4r test.

You should get a result of 127.0.0.1 if the IP is well into the truncate 
range -- That is: truncate.gbudb.net is designed to be 
ultra-conservative so that it should be safe to reject connections based 
on the test in most cases. This also means that it won't block 
everything -- only the worst of the worst. That said, the folks who have 
been testing it have reported that it did drop a significant amount of 
traffic from their systems on average.

Please keep us all posted about how it's working for you.

Thanks,

_M




Re: [Declude.JunkMail] We have opened up truncate.gbudb.net

2010-04-30 Thread Matt
Is the result code really 127.0.0.1?  That is totally non-standard.  It 
should be 127.0.0.2 or higher.


Matt


On 4/30/2010 11:31 AM, Nick Hayer wrote:
you can test the bl directly with nslookup, to see what Declude is 
doing turn on debug log level.



*MadRiverAccess.com**|**Skywaves.com Tech Support*
US/Canada 877-873-6482 or International +1-802-229-6574
Emergency Support 24/7: supp...@skywaves.net
General and Non-Emergency support ticket:
https://www.skywaves.com/content/secure/support_ticket.htm




*From*: "Michael Cummins" 
*Sent*: Friday, April 30, 2010 11:20 AM
*To*: declude.junkmail@declude.com
*Subject*: RE: [Declude.JunkMail] We have opened up truncate.gbudb.net

That's odd.  This is what I already configured it for on my first guess:

TRUNCATE-GBUDB  IP4Rtruncate.gbudb.net
127.0.0.120


But I haven't gotten any hits yet.

Is there any way to test this from a command prompt, like you can with 
the invaluement RBLs and nslookup?


- Michael Cummins

*From:* supp...@declude.com [mailto:supp...@declude.com] *On Behalf Of* Nick Hayer
*Sent:* Friday, April 30, 2010 11:00 AM
*To:* declude.junkmail@declude.com
*Subject:* RE: [Declude.JunkMail] We have opened up truncate.gbudb.net

here ya go

IP4R.GBUBD   ip4r   truncate.gbudb.net   127.0.0.1   9   0

Above scores a 9 on a hit..

-Nick

*MadRiverAccess.com**|**Skywaves.com Tech Support*
US/Canada 877-873-6482 or International +1-802-229-6574
Emergency Support 24/7: supp...@skywaves.net
General and Non-Emergency support ticket:
https://www.skywaves.com/content/secure/support_ticket.htm



*From*: "Michael Cummins" 
*Sent*: Friday, April 30, 2010 9:36 AM
*To*: declude.junkmail@declude.com
*Subject*: RE: [Declude.JunkMail] We have opened up truncate.gbudb.net


I don't think I set it up properly as an ip4r test in Declude.

What would the line look like, if written properly?

Thanks for your time and effort.

-- Michael Cummins



-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Pete
McNeil
Sent: Thursday, April 29, 2010 5:06 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] We have opened up truncate.gbudb.net

Hi Declude folks,

We have been testing a blacklist based on real-time GBUdb data
(generated from Message Sniffer).

We have decided to experiment with opening up the blacklist for a wider
audience and so as of now you can use truncate.gbudb.net as an ip4r test.

You should get a result of 127.0.0.1 if the IP is well into the truncate
range -- That is: truncate.gbudb.net is designed to be
ultra-conservative so that it should be safe to reject connections based
on the test in most cases. This also means that it won't block
everything -- only the worst of the worst. That said, the folks who have
been testing it have reported that it did drop a significant amount of
traffic from their systems on average.

Please keep us all posted about how it's working for you.

Thanks,

_M




RE: [Declude.JunkMail] Sniffer Integration -> Global Exit Code "nonzero"?

2010-04-30 Thread Andy Schmidt
Speed (and stability) and additional test options.

 

The external test runs as a command line, each email is a new instance that
needs an environment to be instantiated and later broken down. On top of
that, it burns up some of that not-well documented heap memory for command
line programs - which CAN cause stability problems in some problems if one
runs several command line tools in Declude (although there are some registry
settings in Windows to allocate "some" extra heap).

 

The internal test offers additional tests (such as the reputation test) and
other IP based tests that the external test does not - and it runs as "part"
of Declude (not by starting another  command line session for each email).

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Jim
Comerford
Sent: Friday, April 30, 2010 12:02 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration -> Global Exit Code
"nonzero"?

 

So what's the difference between the SNIFFER test as Internal vs External?
Is one faster than the other?  Assuming you did not want to check the
individual tests (ie SNIFFER-TRAVEL) is there an advantage to using one over
the other?

 

Internal:

SNIFFER   external   nonzero   "C:\Smartermail\Declude\Sniffer\xxx.exe xxxabc123"   12   0

SNIFFER-TRAVEL   SNF   x   47   12   0

 

External 

SNIFFER   external   nonzero   "D:\IMAIL\Declude\SNF\SNFClient.exe"   12   0

 

-Jim

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Friday, April 30, 2010 11:14 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration -> Global Exit Code
"nonzero"?

 

The test works as an internal test and not as an external test. The main
difference being the location of the exit code. See external is the 1st
variable whereas the internal it is the 2nd variable and the NONZERO does
not work for that.

 

SNIFFER   external   nonzero   "C:\Smartermail\Declude\Sniffer\xxx.exe xxxabc123"   12   0

SNIFFER-TRAVEL   SNF   x   47   12   0

 

Also even though there are multiple entries the test only runs once and the
resulted exit code is the triggered.

David

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Friday, April 30, 2010 10:31 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration -> Global Exit Code
"nonzero"?

 

Hi Dave,

 

Thanks for taking the time to explain it. I see that the sample on your web
site has already been corrected to read "IPREPUTATION SNFIPREP" and I
was simply working off an earlier copy.

 

For the "SNF" test type, is there a way to have a "global" match (e.g.,
NONZERO), instead of having to specify each of the 18 (current) return codes
one at a time? The external Sniffer simply allows me to code:

 

SNIFFER   external   nonzero   "D:\IMAIL\Declude\SNF\SNFClient.exe"   10   0

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Friday, April 30, 2010 10:05 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration

 

SNFIPBLACK  SNFIP   the 2nd variable value is 5 = Block and works as
an exit code.

 

IPREPUTATION works differently.

 

Note: IPREPUTATION SNFIP  please update this to
IPREPUTATION SNFIPREP   x   0   10  -5
this should be the default.

 

SNFIPREP  represents a scale of   -1- 0 - 1  when the 2nd variable
(BASEPOINT) is set to 0 this will convert the IP reputation to this scale as
the examples below:

 

If final score is 0 no score is added to the email

dec0430.log 1842   04/30/2010 00:01:20.700 49319588 SNFIPRep the Value of Result = 0.00

 

If final score is + the 3rd variable score is used in this case 10

dec0430.log 7351   04/30/2010 00:07:14.043 49319625 SNFIPRep the Value of Result = 0.267262

 

If final score is - the 4th variable score is used in this case -5

dec0430.log 11926   04/30/2010 00:08:50.340 49319647 SNFIPRep the Value of Result = -0.267262

 

The BASEPOINT is the point value at which an email will be considered "Good"
if the result is to the left or "Bad" if to the right.

 

(SNIFFER RETURN) x 10 - (BASEPOINT) = Result

 

Example:

 

0.267262  x 10 - 0 = 2 This is positive then the test is triggered for 10
points.

0.267262  x 10 - 1 = 1 This is positive then the test is triggered for 10
points.

0.267262  x 10 - 2 = 0 Not Triggered.

0.267262  x 10 - 3 = -1 This is negative then the test is not-triggered for
-5 points.

0.267262  x 10 - 4 = -2 This is negative then the test is not-triggered for
-5 points.

 

-0.267262  x 10 - 0 = -2 This is negativ

RE: [Declude.JunkMail] Sniffer Integration -> Global Exit Code "nonzero"?

2010-04-30 Thread Jim Comerford
So what's the difference between the SNIFFER test as Internal vs External?
Is one faster than the other?  Assuming you did not want to check the
individual tests (ie SNIFFER-TRAVEL) is there an advantage to using one over
the other?

 

Internal:

SNIFFER   external   nonzero   "C:\Smartermail\Declude\Sniffer\xxx.exe xxxabc123"   12   0

SNIFFER-TRAVEL   SNF   x   47   12   0

 

External 

SNIFFER   external   nonzero   "D:\IMAIL\Declude\SNF\SNFClient.exe"   12   0

 

-Jim

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Friday, April 30, 2010 11:14 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration -> Global Exit Code
"nonzero"?

 

The test works as an internal test and not as an external test. The main
difference being the location of the exit code. See external is the 1st
variable whereas the internal it is the 2nd variable and the NONZERO does
not work for that.

 

SNIFFER   external   nonzero   "C:\Smartermail\Declude\Sniffer\xxx.exe xxxabc123"   12   0

SNIFFER-TRAVEL   SNF   x   47   12   0

 

Also even though there are multiple entries the test only runs once and the
resulted exit code is the triggered.

David

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Friday, April 30, 2010 10:31 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration -> Global Exit Code
"nonzero"?

 

Hi Dave,

 

Thanks for taking the time to explain it. I see that the sample on your web
site has already been corrected to read "IPREPUTATION SNFIPREP" and I
was simply working off an earlier copy.

 

For the "SNF" test type, is there a way to have a "global" match (e.g.,
NONZERO), instead of having to specify each of the 18 (current) return codes
one at a time? The external Sniffer simply allows me to code:

 

SNIFFER   external   nonzero   "D:\IMAIL\Declude\SNF\SNFClient.exe"   10   0

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Friday, April 30, 2010 10:05 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration

 

SNFIPBLACK  SNFIP   the 2nd variable value is 5 = Block and works as
an exit code.

 

IPREPUTATION works differently.

 

Note: IPREPUTATION SNFIP  please update this to
IPREPUTATION SNFIPREP   x   0   10  -5
this should be the default.

 

SNFIPREP  represents a scale of   -1- 0 - 1  when the 2nd variable
(BASEPOINT) is set to 0 this will convert the IP reputation to this scale as
the examples below:

 

If final score is 0 no score is added to the email

dec0430.log 1842   04/30/2010 00:01:20.700 49319588 SNFIPRep the Value of Result = 0.00

 

If final score is + the 3rd variable score is used in this case 10

dec0430.log 7351   04/30/2010 00:07:14.043 49319625 SNFIPRep the Value of Result = 0.267262

 

If final score is - the 4th variable score is used in this case -5

dec0430.log 11926   04/30/2010 00:08:50.340 49319647 SNFIPRep the Value of Result = -0.267262

 

The BASEPOINT is the point value at which an email will be considered "Good"
if the result is to the left or "Bad" if to the right.

 

(SNIFFER RETURN) x 10 - (BASEPOINT) = Result

 

Example:

 

0.267262  x 10 - 0 = 2 This is positive then the test is triggered for 10
points.

0.267262  x 10 - 1 = 1 This is positive then the test is triggered for 10
points.

0.267262  x 10 - 2 = 0 Not Triggered.

0.267262  x 10 - 3 = -1 This is negative then the test is not-triggered for
-5 points.

0.267262  x 10 - 4 = -2 This is negative then the test is not-triggered for
-5 points.

 

-0.267262  x 10 - 0 = -2 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 1 = -1 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 2 = 0 Not Triggered.

-0.267262  x 10 - 3 = -1 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 4 = -2 This is negative then the test is not-triggered for
-5 points.

 

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
  dbar...@declude.com

 

, April 30, 2010 1:26 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration

 

Hi,

 

1.   I'm confused about the Sniffer integration sample:

 

SNFIPBLACK  SNFIP   x   5   10  0

IPREPUTATION   SNFIP   x   5   10  -5


It seems to me as if BOTH lines test the SAME Sniffer return code of "5" -
but one line assigns adds

RE: [Declude.JunkMail] We have opened up truncate.gbudb.net

2010-04-30 Thread Robert Grosshandler
Hi

 

If we're running Sniffer, and we set this up as a Declude test (we're not
able to reject connections based on the info), isn't it being double counted
(once from SNF, once on its own?)

 

Thanks,

 

Rob

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Michael
Cummins
Sent: Friday, April 30, 2010 10:14 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] We have opened up truncate.gbudb.net

 

That's odd.  This is what I already configured it for on my first guess:

 

TRUNCATE-GBUDB  IP4Rtruncate.gbudb.net
127.0.0.120

 

But I haven't gotten any hits yet.

 

Is there any way to test this from a command prompt, like you can with the
invaluement RBLs and nslookup?

 

- Michael Cummins

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Nick
Hayer
Sent: Friday, April 30, 2010 11:00 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] We have opened up truncate.gbudb.net

 

here ya go

IP4R.GBUBD   ip4r   truncate.gbudb.net   127.0.0.1   9   0

Above scores a 9 on a hit..

-Nick

MadRiverAccess.com|Skywaves.com Tech Support 
US/Canada 877-873-6482 or International +1-802-229-6574 
Emergency Support 24/7: supp...@skywaves.net 
General and Non-Emergency support ticket: 
https://www.skywaves.com/content/secure/support_ticket.htm

 


From: "Michael Cummins" 
Sent: Friday, April 30, 2010 9:36 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] We have opened up truncate.gbudb.net


I don't think I set it up properly as an ip4r test in Declude.

What would the line look like, if written properly?

Thanks for your time and effort.

-- Michael Cummins



-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Pete
McNeil
Sent: Thursday, April 29, 2010 5:06 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] We have opened up truncate.gbudb.net

Hi Declude folks,

We have been testing a blacklist based on real-time GBUdb data 
(generated from Message Sniffer).

We have decided to experiment with opening up the blacklist for a wider 
audience and so as of now you can use truncate.gbudb.net as an ip4r test.

You should get a result of 127.0.0.1 if the IP is well into the truncate 
range -- That is: truncate.gbudb.net is designed to be 
ultra-conservative so that it should be safe to reject connections based 
on the test in most cases. This also means that it won't block 
everything -- only the worst of the worst. That said, the folks who have 
been testing it have reported that it did drop a significant amount of 
traffic from their systems on average.

Please keep us all posted about how it's working for you.

Thanks,

_M




RE: [Declude.JunkMail] Sniffer Integration -> Global Exit Code "nonzero"?

2010-04-30 Thread David Barker
I have already added it to the dev list as an idea.

David

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Friday, April 30, 2010 11:52 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration -> Global Exit Code
"nonzero"?

 

Thanks for clearing up that it doesn't work for the 2nd variable (I'm aware
that it is an internal and not an external test, and that it is the SECOND
variable, and that it only executes once, etc.)

 

As a suggestion, you might consider enabling the "nonzero" option for the
second variable as well. The reasons for preferring one "nonzero" exit code
of (currently 18) individual exit codes are

 

a)  The config file will be more compact,

b)  Fewer lines mean fewer chances of errors/omissions

c)   No need to keep worrying about missing the announcement for a new
"exit code" whenever Peter decides to extend the list 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Friday, April 30, 2010 11:14 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration -> Global Exit Code
"nonzero"?

 

The test works as an internal test and not as an external test. The main
difference being the location of the exit code. See external is the 1st
variable whereas the internal it is the 2nd variable and the NONZERO does
not work for that.

 

SNIFFER   external   nonzero   "C:\Smartermail\Declude\Sniffer\xxx.exe xxxabc123"   12   0

SNIFFER-TRAVEL   SNF   x   47   12   0

 

Also even though there are multiple entries the test only runs once and the
resulted exit code is the triggered.

David



RE: [Declude.JunkMail] Sniffer Integration -> Global Exit Code "nonzero"?

2010-04-30 Thread Andy Schmidt
Thanks for clearing up that it doesn't work for the 2nd variable (I'm aware
that it is an internal and not an external test, and that it is the SECOND
variable, and that it only executes once, etc.)

 

As a suggestion, you might consider enabling the "nonzero" option for the
second variable as well. The reasons for preferring one "nonzero" exit code
of (currently 18) individual exit codes are

 

a)  The config file will be more compact,

b)  Fewer lines mean fewer chances of errors/omissions

c)   No need to keep worrying about missing the announcement for a new
"exit code" whenever Peter decides to extend the list 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Friday, April 30, 2010 11:14 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration -> Global Exit Code
"nonzero"?

 

The test works as an internal test and not as an external test. The main
difference being the location of the exit code. See external is the 1st
variable whereas the internal it is the 2nd variable and the NONZERO does
not work for that.

 

SNIFFER   external   nonzero   "C:\Smartermail\Declude\Sniffer\xxx.exe xxxabc123"   12   0

SNIFFER-TRAVEL   SNF   x   47   12   0

 

Also even though there are multiple entries the test only runs once and the
resulted exit code is the triggered.

David




RE: [Declude.JunkMail] We have opened up truncate.gbudb.net

2010-04-30 Thread Nick Hayer
You can test the bl directly with nslookup; to see what Declude is doing, turn
on debug log level.

MadRiverAccess.com|Skywaves.com Tech Support 
US/Canada 877-873-6482 or International +1-802-229-6574 
Emergency Support 24/7: supp...@skywaves.net 
General and Non-Emergency support ticket: 
https://www.skywaves.com/content/secure/support_ticket.htm







From: "Michael Cummins" 
Sent: Friday, April 30, 2010 11:20 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] We have opened up truncate.gbudb.net



That's odd.  This is what I already configured it for on my
first guess:
 
TRUNCATE-GBUDB  IP4R   
truncate.gbudb.net127.0.0.120
 
But I haven't gotten any hits yet.
 
Is there any way to test this from a command prompt, like you
can with the invaluement RBLs and nslookup?
 
- Michael Cummins
 
 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Nick Hayer
Sent: Friday, April 30, 2010 11:00 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] We have opened up truncate.gbudb.net

 
here ya go

IP4R.GBUBD   ip4r   truncate.gbudb.net   127.0.0.1   9   0

Above scores a 9 on a hit..

-Nick




MadRiverAccess.com|Skywaves.com Tech Support
US/Canada 877-873-6482 or International +1-802-229-6574
Emergency Support 24/7: supp...@skywaves.net
General and Non-Emergency support ticket:
https://www.skywaves.com/content/secure/support_ticket.htm


 





From: "Michael Cummins"
Sent: Friday, April 30, 2010 9:36 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] We have opened up truncate.gbudb.net

I don't think I set it up properly as an ip4r test in Declude.

What would the line look like, if written properly?

Thanks for your time and effort.

-- Michael Cummins

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Pete
McNeil
Sent: Thursday, April 29, 2010 5:06 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] We have opened up truncate.gbudb.net

Hi Declude folks,

We have been testing a blacklist based on real-time GBUdb data 
(generated from Message Sniffer).

We have decided to experiment with opening up the blacklist for a wider 
audience and so as of now you can use truncate.gbudb.net as an ip4r test.

You should get a result of 127.0.0.1 if the IP is well into the truncate 
range -- That is: truncate.gbudb.net is designed to be 
ultra-conservative so that it should be safe to reject connections based 
on the test in most cases. This also means that it won't block 
everything -- only the worst of the worst. That said, the folks who have 
been testing it have reported that it did drop a significant amount of 
traffic from their systems on average.

Please keep us all posted about how it's working for you.

Thanks,

_M



RE: [Declude.JunkMail] Sniffer Integration -> Global Exit Code "nonzero"?

2010-04-30 Thread David Barker
The test works as an internal test and not as an external test. The main
difference is the location of the exit code. For external it is the 1st
variable, whereas for internal it is the 2nd variable, and NONZERO does
not work for that.

 

SNIFFER   external   nonzero   "C:\Smartermail\Declude\Sniffer\xxx.exe xxxabc123"   12   0

SNIFFER-TRAVEL   SNF   x   47   12   0

 

Also, even though there are multiple entries, the test only runs once and the
resulting exit code is the one triggered.



David

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Friday, April 30, 2010 10:31 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration -> Global Exit Code
"nonzero"?

 

Hi Dave,

 

Thanks for taking the time to explain it. I see that the sample on your web
site has already been corrected to read "IPREPUTATION SNFIPREP" and I
was simply working off an earlier copy.

 

For the "SNF" test type, is there a way to have a "global" match (e.g.,
NONZERO), instead of having to specify each of the 18 (current) return codes
one at a time? The external Sniffer simply allows me to code:

SNIFFER   external   nonzero   "D:\IMAIL\Declude\SNF\SNFClient.exe"   10   0

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Friday, April 30, 2010 10:05 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration

 

SNFIPBLACK  SNFIP   the 2nd variable value is 5 = Block and works as
an exit code.

 

IPREPUTATION works differently.

 

Note: IPREPUTATION  SNFIP  please update this to
IPREPUTATION  SNFIPREP  x   0   10  -5 this should be the default.

SNFIPREP  represents a scale of   -1 - 0 - 1  when the 2nd variable
(BASEPOINT) is set to 0 this will convert the IP reputation to this scale as
the examples below:

 

If final score is 0 no score is added to the email

dec0430.log1842   04/30/2010 00:01:20.700 49319588 SNFIPRep the
Value of Result = 0.00

 

If final score is + the 3rd variable score is used in this case 10

dec0430.log7351   04/30/2010 00:07:14.043 49319625 SNFIPRep the
Value of Result = 0.267262

 

If final score is - the 4th variable score is used in this case -5

dec0430.log11926   04/30/2010 00:08:50.340 49319647 SNFIPRep the
Value of Result = -0.267262

 

The BASEPOINT is the point value at which an email will be considered "Good"
if the result is to the left or "Bad" if to the right.

 

(SNIFFER RETURN) x 10 - (BASEPOINT) = Result

 

Example:

 

0.267262  x 10 - 0 = 2 This is positive then the test is triggered for 10
points.

0.267262  x 10 - 1 = 1 This is positive then the test is triggered for 10
points.

0.267262  x 10 - 2 = 0 Not Triggered.

0.267262  x 10 - 3 = -1 This is negative then the test is not-triggered for
-5 points.

0.267262  x 10 - 4 = -2 This is negative then the test is not-triggered for
-5 points.

 

-0.267262  x 10 - 0 = -2 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 1 = -1 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 2 = 0 Not Triggered.

-0.267262  x 10 - 3 = -1 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 4 = -2 This is negative then the test is not-triggered for
-5 points.

 

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
  dbar...@declude.com

 

, April 30, 2010 1:26 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration

 

Hi,

 

1.   I'm confused about the Sniffer integration sample:

 

SNFIPBLACK  SNFIP   x   5   10  0

IPREPUTATION  SNFIP   x   5   10  -5


It seems to me as if BOTH lines test the SAME Sniffer return code of "5" -
but one line adds a weight of 10 when found, the other also adds a
weight of 10, but subtracts 5 when NOT found?

 

So will this add "20" when found? Why use TWO lines to accomplish that?

 

2.   In the past I could simply configure:

 

SNIFFER   external   nonzero   "D:\IMAIL\Declude\SNF\SNFClient.exe"   10   0

 

if I didn't want to duplicate 18 lines - and risk that at some point a
return code will be added that I will miss unless I add another line to the
config file.

 

So, does the "SNF" test have some way to configure ONE line for "nonzero" to
create a baseline weight, and then just add "SNF" tests for specific return
code if I want those specific ones treated with a higher weight?

 

Best Regards,

Andy



RE: [Declude.JunkMail] We have opened up truncate.gbudb.net

2010-04-30 Thread Michael Cummins
That's odd.  This is what I already configured it for on my first guess:

 

TRUNCATE-GBUDB  IP4Rtruncate.gbudb.net
127.0.0.120

 

But I haven't gotten any hits yet.

 

Is there any way to test this from a command prompt, like you can with the
invaluement RBLs and nslookup?

 

- Michael Cummins

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Nick
Hayer
Sent: Friday, April 30, 2010 11:00 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] We have opened up truncate.gbudb.net

 

here ya go

IP4R.GBUBD   ip4r   truncate.gbudb.net   127.0.0.1   9   0

Above scores a 9 on a hit..

-Nick

MadRiverAccess.com|Skywaves.com Tech Support 
US/Canada 877-873-6482 or International +1-802-229-6574 
Emergency Support 24/7: supp...@skywaves.net 
General and Non-Emergency support ticket: 
https://www.skywaves.com/content/secure/support_ticket.htm

 


From: "Michael Cummins" 
Sent: Friday, April 30, 2010 9:36 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] We have opened up truncate.gbudb.net


I don't think I set it up properly as an ip4r test in Declude.

What would the line look like, if written properly?

Thanks for your time and effort.

-- Michael Cummins



-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Pete
McNeil
Sent: Thursday, April 29, 2010 5:06 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] We have opened up truncate.gbudb.net

Hi Declude folks,

We have been testing a blacklist based on real-time GBUdb data 
(generated from Message Sniffer).

We have decided to experiment with opening up the blacklist for a wider 
audience and so as of now you can use truncate.gbudb.net as an ip4r test.

You should get a result of 127.0.0.1 if the IP is well into the truncate 
range -- That is: truncate.gbudb.net is designed to be 
ultra-conservative so that it should be safe to reject connections based 
on the test in most cases. This also means that it won't block 
everything -- only the worst of the worst. That said, the folks who have 
been testing it have reported that it did drop a significant amount of 
traffic from their systems on average.

Please keep us all posted about how it's working for you.

Thanks,

_M






---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
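
The message above asks how to check the list by hand. As an added example (not part of the original thread, and not Declude or Message Sniffer code), this Python script builds the reversed-octet name an ip4r test queries, lists the matching nslookup commands, and scores a DNS answer against the test line Nick posted. The address 192.0.2.25, the fake resolver, the function names and the reading of the line's last field as the no-hit weight are assumptions.

```python
import ipaddress
import socket

ZONE = "truncate.gbudb.net"   # zone announced in the thread
LISTED = "127.0.0.1"          # answer the thread says a listed IP returns
# Test line as posted in the thread: name, type, zone, expected answer, weights.
NICK_LINE = "IP4R.GBUBD   ip4r   truncate.gbudb.net   127.0.0.1   9   0"


def ip4r_query_name(ip, zone=ZONE):
    """Reverse the IPv4 octets and append the zone: a.b.c.d -> d.c.b.a.zone."""
    addr = ipaddress.IPv4Address(ip)  # ValueError for IPv6 or malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def nslookup_commands(ip, zone=ZONE):
    """Commands to type at a prompt: A record for the verdict, TXT for the text."""
    name = ip4r_query_name(ip, zone)
    return ["nslookup " + name, "nslookup -type=TXT " + name]


def classify(answers, expected=LISTED):
    """Interpret the A records returned for an ip4r query name."""
    if not answers:
        return "not-listed"          # NXDOMAIN or no data
    if expected in answers:
        return "listed"
    loopback = ipaddress.IPv4Network("127.0.0.0/8")
    if all(ipaddress.IPv4Address(a) in loopback for a in answers):
        return "other-code"          # listed, but the test line would not match
    return "bogus-answer"            # e.g. a resolver that rewrites NXDOMAIN


def score_ip4r_line(line, answers):
    """Weight a test line contributes for these answers.

    Assumption: field 5 is the weight on a hit (as stated in the thread) and
    field 6 is the weight when there is no hit.
    """
    _name, kind, _zone, expected, hit_weight, miss_weight = line.split()
    if kind.lower() != "ip4r":
        raise ValueError("not an ip4r test line: " + line)
    return int(hit_weight) if expected in answers else int(miss_weight)


def system_resolver(name):
    """Live A-record lookup. Any resolution failure is reported as no answer,
    so a timeout looks the same as 'not listed'; check connectivity separately."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def check(ip, resolver=system_resolver, line=NICK_LINE):
    """Query one IP the way the test line would and report verdict and weight."""
    fields = line.split()
    name = ip4r_query_name(ip, fields[2])
    answers = resolver(name)
    return {"query": name, "answers": answers,
            "verdict": classify(answers, fields[3]),
            "weight": score_ip4r_line(line, answers)}


if __name__ == "__main__":
    # Constructed data: 192.0.2.25 is a documentation address, and this fake
    # resolver stands in for DNS so the demo runs offline.
    fake_zone = {"25.2.0.192.truncate.gbudb.net": ["127.0.0.1"]}
    print(check("192.0.2.25", resolver=lambda n: fake_zone.get(n, [])))
    print("\n".join(nslookup_commands("192.0.2.25")))
```

Calling `check()` without a `resolver` argument performs a live lookup through the system resolver; a "bogus-answer" verdict points at the resolver rather than the list.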

RE: [Declude.JunkMail] We have opened up truncate.gbudb.net

2010-04-30 Thread Nick Hayer
here ya go

IP4R.GBUBD   ip4r   truncate.gbudb.net   127.0.0.1   9   0

Above scores a 9 on a hit..

-Nick

MadRiverAccess.com|Skywaves.com Tech Support 
US/Canada 877-873-6482 or International +1-802-229-6574 
Emergency Support 24/7: supp...@skywaves.net 
General and Non-Emergency support ticket: 
https://www.skywaves.com/content/secure/support_ticket.htm







From: "Michael Cummins" 
Sent: Friday, April 30, 2010 9:36 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] We have opened up truncate.gbudb.net

I don't think I set it up properly as an ip4r test in Declude.

What would the line look like, if written properly?

Thanks for your time and effort.

-- Michael Cummins

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Pete
McNeil
Sent: Thursday, April 29, 2010 5:06 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] We have opened up truncate.gbudb.net

Hi Declude folks,

We have been testing a blacklist based on real-time GBUdb data 
(generated from Message Sniffer).

We have decided to experiment with opening up the blacklist for a wider 
audience and so as of now you can use truncate.gbudb.net as an ip4r test.

You should get a result of 127.0.0.1 if the IP is well into the truncate 
range -- That is: truncate.gbudb.net is designed to be 
ultra-conservative so that it should be safe to reject connections based 
on the test in most cases. This also means that it won't block 
everything -- only the worst of the worst. That said, the folks who have 
been testing it have reported that it did drop a significant amount of 
traffic from their systems on average.

Please keep us all posted about how it's working for you.

Thanks,

_M





---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] Sniffer Integration -> Global Exit Code "nonzero"?

2010-04-30 Thread Andy Schmidt
Hi Dave,

 

Thanks for taking the time to explain it. I see that the sample on your web
site has already been corrected to read "IPREPUTATION SNFIPREP" and I
was simply working off an earlier copy.

 

For the "SNF" test type, is there a way to have a "global" match (e.g.,
NONZERO), instead of having to specify each of the 18 (current) return codes
one at a time? The external Sniffer simply allows me to code:

SNIFFER   external   nonzero   "D:\IMAIL\Declude\SNF\SNFClient.exe"   10   0

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Friday, April 30, 2010 10:05 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration

 

SNFIPBLACK  SNFIP   the 2nd variable value is 5 = Block and works as
an exit code.

 

IPREPUTATION works differently.

 

Note: IPREPUTATION  SNFIP  please update this to
IPREPUTATION  SNFIPREP  x   0   10  -5 this should be the default.

SNFIPREP  represents a scale of   -1 - 0 - 1  when the 2nd variable
(BASEPOINT) is set to 0 this will convert the IP reputation to this scale as
the examples below:

 

If final score is 0 no score is added to the email

dec0430.log1842   04/30/2010 00:01:20.700 49319588 SNFIPRep the
Value of Result = 0.00

 

If final score is + the 3rd variable score is used in this case 10

dec0430.log7351   04/30/2010 00:07:14.043 49319625 SNFIPRep the
Value of Result = 0.267262

 

If final score is - the 4th variable score is used in this case -5

dec0430.log11926   04/30/2010 00:08:50.340 49319647 SNFIPRep the
Value of Result = -0.267262

 

The BASEPOINT is the point value at which an email will be considered "Good"
if the result is to the left or "Bad" if to the right.

 

(SNIFFER RETURN) x 10 - (BASEPOINT) = Result

 

Example:

 

0.267262  x 10 - 0 = 2 This is positive then the test is triggered for 10
points.

0.267262  x 10 - 1 = 1 This is positive then the test is triggered for 10
points.

0.267262  x 10 - 2 = 0 Not Triggered.

0.267262  x 10 - 3 = -1 This is negative then the test is not-triggered for
-5 points.

0.267262  x 10 - 4 = -2 This is negative then the test is not-triggered for
-5 points.

 

-0.267262  x 10 - 0 = -2 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 1 = -1 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 2 = 0 Not Triggered.

-0.267262  x 10 - 3 = -1 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 4 = -2 This is negative then the test is not-triggered for
-5 points.

 

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
  dbar...@declude.com

 

, April 30, 2010 1:26 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration

 

Hi,

 

1.   I'm confused about the Sniffer integration sample:

 

SNFIPBLACK  SNFIP   x   5   10  0

IPREPUTATION  SNFIP   x   5   10  -5


It seems to me as if BOTH lines test the SAME Sniffer return code of "5" -
but one line adds a weight of 10 when found, the other also adds a
weight of 10, but subtracts 5 when NOT found?

 

So will this add "20" when found? Why use TWO lines to accomplish that?

 

2.   In the past I could simply configure:

 

SNIFFER   external   nonzero   "D:\IMAIL\Declude\SNF\SNFClient.exe"   10   0

 

if I didn't want to duplicate 18 lines - and risk that at some point a
return code will be added that I will miss unless I add another line to the
config file.

 

So, does the "SNF" test have some way to configure ONE line for "nonzero" to
create a baseline weight, and then just add "SNF" tests for specific return
code if I want those specific ones treated with a higher weight?

 

Best Regards,

Andy



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] Sniffer Integration

2010-04-30 Thread David Barker
SNFIPBLACK  SNFIP   the 2nd variable value is 5 = Block and works as
an exit code.

 

IPREPUTATION works differently.

 

Note: IPREPUTATION  SNFIP  please update this to
IPREPUTATION  SNFIPREP  x   0   10  -5 this should be the default.

SNFIPREP  represents a scale of   -1 - 0 - 1  when the 2nd variable
(BASEPOINT) is set to 0 this will convert the IP reputation to this scale as
the examples below:

 

If final score is 0 no score is added to the email

dec0430.log1842   04/30/2010 00:01:20.700 49319588 SNFIPRep the
Value of Result = 0.00

 

If final score is + the 3rd variable score is used in this case 10

dec0430.log7351   04/30/2010 00:07:14.043 49319625 SNFIPRep the
Value of Result = 0.267262

 

If final score is - the 4th variable score is used in this case -5

dec0430.log11926   04/30/2010 00:08:50.340 49319647 SNFIPRep the
Value of Result = -0.267262

 

The BASEPOINT is the point value at which an email will be considered "Good"
if the result is to the left or "Bad" if to the right.

 

(SNIFFER RETURN) x 10 - (BASEPOINT) = Result

 

Example:

 

0.267262  x 10 - 0 = 2 This is positive then the test is triggered for 10
points.

0.267262  x 10 - 1 = 1 This is positive then the test is triggered for 10
points.

0.267262  x 10 - 2 = 0 Not Triggered.

0.267262  x 10 - 3 = -1 This is negative then the test is not-triggered for
-5 points.

0.267262  x 10 - 4 = -2 This is negative then the test is not-triggered for
-5 points.

 

-0.267262  x 10 - 0 = -2 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 1 = -1 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 2 = 0 Not Triggered.

-0.267262  x 10 - 3 = -1 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 4 = -2 This is negative then the test is not-triggered for
-5 points.

 

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
  dbar...@declude.com

 

, April 30, 2010 1:26 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration

 

Hi,

 

1.   I'm confused about the Sniffer integration sample:

 

SNFIPBLACK  SNFIP   x   5   10  0

IPREPUTATION  SNFIP   x   5   10  -5


It seems to me as if BOTH lines test the SAME Sniffer return code of "5" -
but one line adds a weight of 10 when found, the other also adds a
weight of 10, but subtracts 5 when NOT found?

 

So will this add "20" when found? Why use TWO lines to accomplish that?

 

2.   In the past I could simply configure:

 

SNIFFER   external   nonzero   "D:\IMAIL\Declude\SNF\SNFClient.exe"   10   0

 

if I didn't want to duplicate 18 lines - and risk that at some point a
return code will be added that I will miss unless I add another line to the
config file.

 

So, does the "SNF" test have some way to configure ONE line for "nonzero" to
create a baseline weight, and then just add "SNF" tests for specific return
code if I want those specific ones treated with a higher weight?

 

Best Regards,

Andy

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Monday, January 04, 2010 9:54 AM
To: declude.vi...@declude.com; declude.junkmail@declude.com;
declude.relea...@declude.com
Subject: [Declude.JunkMail] Release 4.10.42

 

Declude 4.10.42

JM  ADD Add IMail support for SQL Database. Declude can check the
SQL DB for Autowhitelist

JM  ADD IPNOSCAN for IMail

JM  ADD Add a new directive POSTINIFIX uses either ON or OFF in the
declude.cfg file. Postini is a large managed email service which amends the
header structure. The Postini fix helps Declude correctly identify
Postini headers. To configure use POSTINIFIX  ON

JM  ADD Add the Recipient, mailfrom and subject information to the
blklst.txt file. The format blklst.txt file is

 
Date|time|spool#|IP|TotalWeight|LastAction|RecpList|mailfrom|subject|testsfailed

JM  ADD IPBYPASS can be configured with CIDR

JM  ADD New Header directive XWHITELIST ON in the global.cfg
will give the reason for why the email was WHITELISTED in the header of the
email.

JM  ADD Integrated Message Sniffer with Declude. Will use Declude
rulebase. (If you are a current Message Sniffer user this does not apply to
you unless you want to switch and use the Declude rulebase) To
configure the SNF files need to be edited by the user, where the [PATH] needs
to be the actual path on your server.

getRulebase.cmd

SET SNIFFER_PATH=[PATH]\declude\scanners\SNF\

Snf_engine.xml file









Global.cfg

SNFIPCAUTION  SNFIP   x   4

RE: [Declude.JunkMail] We have opened up truncate.gbudb.net

2010-04-30 Thread Michael Cummins
I don't think I set it up properly as an ip4r test in Declude.

What would the line look like, if written properly?

Thanks for your time and effort.

-- Michael Cummins



-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Pete
McNeil
Sent: Thursday, April 29, 2010 5:06 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] We have opened up truncate.gbudb.net

Hi Declude folks,

We have been testing a blacklist based on real-time GBUdb data 
(generated from Message Sniffer).

We have decided to experiment with opening up the blacklist for a wider 
audience and so as of now you can use truncate.gbudb.net as an ip4r test.

You should get a result of 127.0.0.1 if the IP is well into the truncate 
range -- That is: truncate.gbudb.net is designed to be 
ultra-conservative so that it should be safe to reject connections based 
on the test in most cases. This also means that it won't block 
everything -- only the worst of the worst. That said, the folks who have 
been testing it have reported that it did drop a significant amount of 
traffic from their systems on average.

Please keep us all posted about how it's working for you.

Thanks,

_M







---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.



RE: [Declude.JunkMail] We have opened up truncate.gbudb.net

2010-04-30 Thread Andy Schmidt
It's looking very promising!

 

1.   So far, it detects about 10% as SPAM in emails that SORBS, SPAMCOP,
SpamHaus Zen and BRBL have let through.

 

2.   In that, it does 20 times better than the total of these AHBL
tests:

 

DNS A RR 127.0.0.2: Open Relay

DNS A RR 127.0.0.3: Open Proxy

DNS A RR 127.0.0.4: Spam Source

DNS A RR 127.0.0.5: Provisional Spam Source Listing block (will be removed
if spam stops)

DNS A RR 127.0.0.6: Formmail Spam

DNS A RR 127.0.0.9: End User (non mail system)

DNS A RR 127.0.0.14: Compromised System: DDoS

DNS A RR 127.0.0.15: Compromised System: Relay

DNS A RR 127.0.0.16: Compromised System: Autorooter/Scanner

DNS A RR 127.0.0.17: Compromised System: Worm or mass mailing virus

DNS A RR 127.0.0.18: Compromised System: Other virus

DNS A RR 127.0.0.127: Other

 

and 12 times better than the total of these NJABL tests:

 

NJABL: DNS A RR 127.0.0.2. Open relays and known spam sources.

NJABLDUL: DNS A RR 127.0.0.3. Dial-up/dynamic IP ranges.

NJABLSOURCES: DNS A RR 127.0.0.4. Lists spam sources. Will include
commercial spammers, direct-to-MX, and proxies. IP ranges will be added only
if they can be identified with the spammer. 

NJABLMULTI: DNS A RR 127.0.0.5. Lists multi-stage open relays. Will notify
the appropriate NIC one week in advance of listing, to allow them to correct
the problem.

NJABLFORMMAIL: DNS A RR 127.0.0.8. Lists servers with insecure formmail
scripts.

NJABLPROXIES: DNS A RR 127.0.0.9. Lists open proxy servers.

 

3.   I don't have a big enough sample, but an EARLY trend is indicating
that it possibly significantly cuts the amounts of email that Sniffer still
has to scan.

 

4.   >> all of the TXT records say "GBUdb Cloud Truncate c > 0.2, p >
0.9" <<

 

Thanks - so there ARE TXT records. This way I can configure to pick those up
(even if they are generic right now)

 

5.   >> When we bring the gbudb.com site online we will explain how the
IPs are listed. We may develop a link mechanism to look up specific data on
each IP after a time.<<

 

Thanks, especially the first part (a static page explaining the listing
method/policy - and that de-listing is automatic once spam stops) will be
important so that we can include that link in 5.7.1 rejection string. Don't
want to have to start answering individual inquiries.

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Pete
McNeil
Sent: Friday, April 30, 2010 4:49 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] We have opened up truncate.gbudb.net

 

On 4/29/2010 10:06 PM, Andy Schmidt wrote: 

Thanks - I activated it in my gateway and will report back after a day or
so.

Question:

Does it have TXT records that hold additional info that can be returned in
the 5.7.1 message to the sender?


Right now all of the TXT records say "GBUdb Cloud Truncate c > 0.2, p > 0.9"
As we continue to develop this that may change to provide other (better?)
information.




Is there a lookup URL that can be included in the 5.7.1 message that people
can use to learn about your service, learn about the listing/de-listing
policy (and determine the status of their IP address in case of a false
positive)?


When we bring the gbudb.com site online we will explain how the IPs are
listed. We may develop a link mechanism to look up specific data on each IP
after a time.

As for listing and de-listing -- that is automatic and is generally
described in the Message Sniffer documentation about GBUdb. If the general
population of Message Sniffer nodes are reporting that a message source
produces virtually nothing but spam then it will be listed. If those reports
go away or their character changes then the listing will change also - and
fairly quickly: days if traffic for the IP disappears; hours or perhaps
minutes if the character of the traffic from the source changes.

Best,

_M





---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] We have opened up truncate.gbudb.net

2010-04-30 Thread Pete McNeil




On 4/29/2010 10:06 PM, Andy Schmidt wrote:

> Thanks – I activated it in my gateway and will report back after a day or so.
>
> Question:
>
> a) Does it have TXT records that hold additional info that can be returned
> in the 5.7.1 message to the sender?

Right now all of the TXT records say "GBUdb Cloud Truncate c > 0.2,
p > 0.9"
As we continue to develop this that may change to provide other
(better?) information.

> b) Is there a lookup URL that can be included in the 5.7.1 message
> that people can use to learn about your service, learn about the
> listing/de-listing policy (and determine the status of their IP address
> in case of a false positive)?


When we bring the gbudb.com site online we will explain how the IPs are
listed. We may develop a link mechanism to look up specific data on
each IP after a time.

As for listing and de-listing -- that is automatic and is generally
described in the Message Sniffer documentation about GBUdb. If the
general population of Message Sniffer nodes are reporting that a
message source produces virtually nothing but spam then it will be
listed. If those reports go away or their character changes then the
listing will change also - and fairly quickly: days if traffic for the
IP disappears; hours or perhaps minutes if the character of the traffic
from the source changes.

Best,

_M




---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.