Re: [sniffer] It's worth it

2004-11-29 Thread Pete McNeil
On Tuesday, November 30, 2004, 1:14:00 AM, Andrew wrote:

CA> So,  I've been using the "free trial edition" of Sniffer for
CA> the better part of 2  years (wow, time flies!) and just purchased
CA> two licences.
CA>  
CA> On a  message volume of 18,000 messages (14,000 spam) I used
CA> to see the "free trial  edition" trigger on 2,000 with very low
CA> false positives.  Now, it's more  like 13,000 with no change in
CA> the false positives.
CA>  
CA> Thanks, SortMonster!

:-)




This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html


[sniffer] It's worth it

2004-11-29 Thread Colbeck, Andrew

So, I've been using the "free trial edition" of Sniffer for the better part of 2
years (wow, time flies!) and just purchased two licences.

On a message volume of 18,000 messages (14,000 spam) I used to see the "free trial
edition" trigger on 2,000 with very low false positives.  Now, it's more
like 13,000 with no change in the false positives.

Thanks, SortMonster!


Re: [sniffer]

2004-11-29 Thread Pete McNeil
On Monday, November 29, 2004, 3:43:03 PM, Steinar wrote:

SR> Hi!

SR> I want to try a new rule strength with Sniffer.

SR> Can I change this myself or is this done by SortMonster?

I've responded to this off list.
However, for the benefit of everyone...

We will be offering expanded rulebases as part of a "pro" license at
some point in the future at a higher price. However, in the short term
we are offering the expanded rulebase on a case by case basis.

If you would like to experiment with a more sensitive setting on your
rulebase file, then please send a note to us at support@ and we will
make the adjustment for you. Along the way please consider the
following and remember the above ;-)

The normal rule strength threshold is 1.0. This setting removes rules
from the rulebase file once they become ineffective. The effectiveness
of the rules is measured on a logarithmic scale as "Rule Strength".
This number is derived from the relative number of messages that were
tagged by a given rule over the previous 45 days. You can reference
the current rule strength numbers on this page:



The combined number of messages captured by rules below a strength of
1.0 is currently 0.21% of the total number of messages tagged by
sniffer as reported by systems that send us their log files. This is
the point of diminishing returns.

Below a rule strength number of 1.0, the number of rules included
increases and the size of the rulebase file increases dramatically for
each additional message that can be captured.

Rulebases that have their rule strength threshold set at 0.1 (the most
sensitive setting) may be as much as 5 times the size of a standard
rulebase. This is a significant increase in the bandwidth required to
transmit and process the rulebase file.

The newest Persistent Instance technology (and the coming plugin DLL
for MDaemon) largely mitigate the additional system resources needed
at the client end since the underlying pattern matching engine in
Message Sniffer is extremely efficient. However, the costs of
bandwidth and resources to compile these rulebases increase
significantly (thus the coming price increase for "pro" licenses).

It's a good idea to keep a perspective on how the rule strength number
is related to capturing messages. This relationship is constantly
changing as the system learns and grows, however currently the
following is true based on approximately 130 reported log files
covering a "window" of about 45 days:

A rule with a strength of  5.0 will trap  5,762,592 messages.
A rule with a strength of ~4.5 will trap ~1,190,887 messages.
A rule with a strength of ~4.0 will trap ~  251,257 messages.
A rule with a strength of ~3.5 will trap ~   53,991 messages.
A rule with a strength of ~3.0 will trap ~   11,374 messages.
A rule with a strength of ~2.5 will trap ~    2,398 messages.
A rule with a strength of ~2.0 will trap ~      505 messages.
A rule with a strength of ~1.5 will trap ~       97 messages.
A rule with a strength of ~1.0 will trap ~       19 messages.
A rule with a strength of ~0.5 will trap ~        4 messages.

At 0.1 (the most sensitive) we reach numbers down to 1 hit in 130
systems over the past 45 days.

Most of the rules in this lower range (below 1.0) are in transition
either into or out of active status. That is, the spammers have either
abandoned the patterns... or they may have started them up again. If
you think about it, when it only takes 19 hits to bring a rule up into
the "normal" range it's not likely that a rule will stay there for
long.

However, spammers now frequently command many thousands of hijacked
systems for delivering their content - so when they do have a way
through the filtering system they can make quite an impact before
the hole is closed. For this reason we are continuing to work on ways
to speed up the response time and effectiveness of our system.

There are a number of complex effects associated with how the Message
Sniffer system is tuned. Due to recent changes in the techniques used
by spammers I am going to re-calibrate the default rulebase settings
over the next few weeks.

In the mean time, if anyone wants to use a more sensitive rule
strength setting then we will probably not go below 0.5 except in a
few rare cases where systems see a lot of traffic.

Systems which have very high traffic levels and the most sensitive
rule strength settings will act as a kind of "advanced guard" for the
rest of us by quickly increasing the rule strength on rules that are
"becoming active". This will ensure that the other systems quickly see
these rules become activated, without having all systems carry the
burden of the entire active rulebase.

This tuning is complex... and everyone is busy, so I've tried not to
get too technical in this note, but I do hope that I've shed some
light on the subject. It has become quite popular lately ;-)

Thanks to everyone for all of your help.

Best,
_M
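
The strength table in the message above is close to a straight line on a log scale. The following is an added example, not SortMonster's code or formula: it fits log10(messages) against strength by least squares using only the figures quoted in the message. The log-linear model and every function name here are assumptions made for illustration.

```python
import math

# (strength, messages trapped) exactly as quoted in the message above:
# roughly 130 reporting systems over a window of about 45 days.
TABLE = [
    (5.0, 5_762_592), (4.5, 1_190_887), (4.0, 251_257), (3.5, 53_991),
    (3.0, 11_374), (2.5, 2_398), (2.0, 505), (1.5, 97), (1.0, 19), (0.5, 4),
]

def fit_log_linear(points):
    """Least-squares fit of log10(messages) = a + b * strength.

    Assumption: the message says only that the scale is logarithmic, so the
    slope (and with it the effective base) is estimated from the table.
    """
    xs = [s for s, _ in points]
    ys = [math.log10(n) for _, n in points]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    b = (sum((x - mx) * (y - my) for x, y in zip(xs, ys))
         / sum((x - mx) ** 2 for x in xs))
    return my - b * mx, b

A, B = fit_log_linear(TABLE)

def estimated_hits(strength):
    """Hits a rule needs over the window to sit at the given strength."""
    return 10 ** (A + B * strength)

def estimated_strength(hits):
    """Inverse of estimated_hits: where a rule with this many hits would sit."""
    return (math.log10(hits) - A) / B

def growth_per_unit():
    """Factor by which the hit count multiplies for each +1.0 of strength."""
    return 10 ** B

def worst_relative_error():
    """Largest deviation of the fitted curve from the quoted table."""
    return max(abs(estimated_hits(s) - n) / n for s, n in TABLE)

if __name__ == "__main__":
    print(f"hits multiply by ~{growth_per_unit():.1f} per +1.0 of strength")
    print(f"worst fit error against the table: {worst_relative_error():.1%}")
    for threshold in (1.0, 0.5, 0.1):
        print(f"threshold {threshold}: ~{estimated_hits(threshold):.1f} hits keep a rule in the rulebase")
    for hits in (1_000, 100_000):
        print(f"a rule with {hits:,} hits sits near strength {estimated_strength(hits):.2f}")
```

On these figures the fit gives a factor of roughly 23 per unit of strength and about one hit at a threshold of 0.1, which agrees with the "1 hit in 130 systems" remark in the message.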



[sniffer]

2004-11-29 Thread Steinar Rasch
Hi!

I want to try a new rule strength with Sniffer.

Can I change this myself or is this done by SortMonster?


Regards,
Steinar


This e-mail has been scanned and found free of viruses
by Epost.no with Declude and FRISK F-Prot Software.




Re: [sniffer] New user of Sniffer with Imail/Declude

2004-11-29 Thread Scott Fisher



If you've got some CPU to spare, you can lower your rule strengths. This
will put more rules in your personal sniffer rulebase (less effective
rules) and possibly allow you to catch more spam.
 
http://www.sortmonster.com/MessageSniffer/Help/TechnicalDetailsHelp.html#RuleStrengthTuning

  - Original Message -
  From: Jeff Pereira
  To: [EMAIL PROTECTED]
  Sent: Monday, November 29, 2004 11:35 AM
  Subject: [sniffer] New user of Sniffer with Imail/Declude

  Hi -

  After testing the demo version and getting good results I have just
  gone ahead and purchased the full version.

  Does anyone have any tips that would help a new user that may not be
  apparent from reading the documentation??

  TIA
  jeff


[sniffer] New user of Sniffer with Imail/Declude

2004-11-29 Thread Jeff Pereira



Hi -

After testing the demo version and getting good results I have just
gone ahead and purchased the full version.

Does anyone have any tips that would help a new user that may not be
apparent from reading the documentation??

TIA
jeff


Re: [sniffer] Not Getting Updates

2004-11-29 Thread Josh Piche
Thanks, I missed that.

Josh

Colbeck, Andrew wrote:

In the online manual, there is a how-to under Help (Q&A), Automated
Updates:

http://www.sortmonster.com/MessageSniffer/Help/AutomatingUpdatesHelp.html

And includes various user-submitted scripts, one of which is triggered by
an Imail rule to trigger a .cmd script.

Andrew 8)

-Original Message-
From: Josh Piche [mailto:[EMAIL PROTECTED]
Sent: Monday, November 29, 2004 5:40 AM
To: [EMAIL PROTECTED]
Subject: Re: [sniffer] Not Getting Updates

How do you get the email to trigger an update?

Josh Piche
Systems Administrator
CAUT

Scott Fosseen wrote:

Pete,

I forward all my messages from '[EMAIL PROTECTED]' to trigger my
update.  If my renewal notice is sent from the same address I will not
receive it.  Can you send me an update notification email or let me know
what else to create the rule on.

I could turn off the rule for a little while but then I will miss an
update.

Thanks.
-- Original Message --
From: Pete McNeil <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date:  Sun, 28 Nov 2004 18:08:46 -0500

On Sunday, November 28, 2004, 6:01:39 PM, Richard wrote:

RF> I just noticed that I am no longer getting updated emails for the sniffer to
RF> trigger the automatic update.. The last one was on Nov 11...Customers had
RF> told me they were getting more spam but I just thought we were getting
RF> hammered with more..

Hi Richard,

According to our records your license expired on 2004-11-01.
You should have received a renewal notice by email about a month
before that.

Last License Compile:   11/11/2004 22:37:00 (GMT)

I will launch a compile of your rulebase.

Please complete a renewal as soon as possible. I am on duty through
the evening. I will be sure to re-enable your account as soon as the
renewal comes through.

Hope this helps,
_M

---
[This E-mail scanned for viruses by Declude Virus on the server aea8.k12.ia.us]


RE: [sniffer] Not Getting Updates

2004-11-29 Thread Colbeck, Andrew
In the online manual, there is a how-to under Help (Q&A), Automated
Updates:

http://www.sortmonster.com/MessageSniffer/Help/AutomatingUpdatesHelp.html

And includes various user-submitted scripts, one of which is triggered by
an Imail rule to trigger a .cmd script.

Andrew 8)

-Original Message-
From: Josh Piche [mailto:[EMAIL PROTECTED] 
Sent: Monday, November 29, 2004 5:40 AM
To: [EMAIL PROTECTED]
Subject: Re: [sniffer] Not Getting Updates


How do you get the email to trigger an update?

Josh Piche
Systems Administrator
CAUT


Scott Fosseen wrote:

>Pete,
>
>I forward all my messages from '[EMAIL PROTECTED]' to trigger my
>update.  If my renewal notice is sent from the same address I will not
>receive it.  Can you send me an update notification email or let me know
>what else to create the rule on.
>
>I could turn off the rule for a little while but then I will miss an
>update.
>
>Thanks.
>-- Original Message --
>From: Pete McNeil <[EMAIL PROTECTED]>
>Reply-To: [EMAIL PROTECTED]
>Date:  Sun, 28 Nov 2004 18:08:46 -0500
>
>>On Sunday, November 28, 2004, 6:01:39 PM, Richard wrote:
>>
>>RF> I just noticed that I am no longer getting updated emails for the sniffer to
>>RF> trigger the automatic update.. The last one was on Nov 11...Customers had
>>RF> told me they were getting more spam but I just thought we were getting
>>RF> hammered with more..
>>
>>Hi Richard,
>>
>>According to our records your license expired on 2004-11-01.
>>You should have received a renewal notice by email about a month
>>before that.
>>
>>Last License Compile:   11/11/2004 22:37:00 (GMT)
>>
>>I will launch a compile of your rulebase.
>>
>>Please complete a renewal as soon as possible. I am on duty through
>>the evening. I will be sure to re-enable your account as soon as the
>>renewal comes through.
>>
>>Hope this helps,
>>_M



Re: Re[2]: [sniffer] Not Getting Updates

2004-11-29 Thread SniffMe
If memory serves (I haven't seen an update message in awhile), the Sniffer 
update messages all share a common subject segment of "licenseid.snf update" 
(without the ""'s).  We set a rule that forwards those matches to our 
autoupdate script.  That way, we get all the normal correspondence from 
support@, our rulebase gets updated on notifications, and we don't have to 
manage another mailbox to do the same job.

Hope it helps,
John Weiner
- Original Message - 
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: "Scott Fosseen" <[EMAIL PROTECTED]>
Sent: Sunday, November 28, 2004 8:42 PM
Subject: Re[2]: [sniffer] Not Getting Updates


On Sunday, November 28, 2004, 7:55:31 PM, Scott wrote:

SF> Pete,

SF> I forward all my messages from '[EMAIL PROTECTED]' to
SF> trigger my update.  If my renewal notice is sent from the same
SF> address I will not receive it.  Can you send me an update
SF> notification email or let me know what else to create the rule on.

You can have update notifications sent TO any address you like. They
will come from support@ however and it is likely your renewal notice
would also come from that address.

SF> I could turn off the rule for a little while but then I will miss an
SF> update.

I recommend strongly that you turn off this rule and then give us an
alternative address where we can send your automated update
notifications. This way you won't miss any updates and you also won't
miss any of our responses. We frequently respond to messages from our
support@ address.

I'm standing by to make the change for you.

I recommend that you send this information off list so that it won't
be exposed.

Thanks,
_M
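
Two suggestions made in this thread, matching on the update subject segment instead of the sender and forwarding while leaving a copy, can be combined into one routing decision. The sketch below is an added example, not a script from the list or from SortMonster; the license id `abc12345`, the example.com addresses, the action names and the rate-limit gate are constructed placeholders and assumptions.

```python
from email import message_from_string, policy
from email.utils import parseaddr

LICENSE_ID = "abc12345"          # constructed placeholder, not a real license id
SUPPORT = "support@example.com"  # placeholder standing in for the vendor's support@ address

def _headers(raw):
    msg = message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg["From"] or ""))[1].lower()
    # policy.default unfolds the header and decodes RFC 2047 encoded words
    subject = " ".join(str(msg["Subject"] or "").split()).lower()
    return sender, subject

def route_by_sender(raw):
    """The rule described in the thread: everything from support@ is diverted
    to the update script, so renewal notices and replies never reach a person."""
    sender, _ = _headers(raw)
    return ["trigger_update"] if sender == SUPPORT else ["deliver"]

def route_by_subject(raw, license_id=LICENSE_ID):
    """Match the '<licenseid>.snf update' subject segment and always keep a copy."""
    _, subject = _headers(raw)
    actions = ["deliver"]
    if f"{license_id}.snf update".lower() in subject:
        actions.append("trigger_update")
    return actions

class UpdateGate:
    """Assumption of this sketch: headers are sender-controlled, so the trigger
    passes nothing from the message to the update script and is rate limited."""
    def __init__(self, min_interval=600):
        self.min_interval = min_interval  # seconds between accepted triggers
        self.last = None

    def allow(self, now):
        if self.last is not None and now - self.last < self.min_interval:
            return False
        self.last = now
        return True

# Constructed sample messages (not real notifications)
UPDATE = f"From: Support <{SUPPORT}>\nTo: updates@example.com\nSubject: {LICENSE_ID}.snf update\n\nbody\n"
ENCODED = f"From: {SUPPORT}\nSubject: =?utf-8?q?{LICENSE_ID}.snf_update?=\n\nbody\n"
RENEWAL = f"From: {SUPPORT}\nSubject: License renewal notice\n\nbody\n"
OTHER_ID = f"From: {SUPPORT}\nSubject: zzz99999.snf update\n\nbody\n"

if __name__ == "__main__":
    samples = [("update", UPDATE), ("encoded", ENCODED),
               ("renewal", RENEWAL), ("other id", OTHER_ID)]
    for name, raw in samples:
        print(f"{name:9} by sender: {route_by_sender(raw)}  by subject: {route_by_subject(raw)}")
```

The sender-based rule diverts the renewal notice and fires a needless update; the subject-based rule delivers every message and triggers only on this license's update subject.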




Re: Re[2]: [sniffer] Not Getting Updates

2004-11-29 Thread Scott Fosseen
_
Scott Fosseen - Systems Engineer -Prairie Lakes AEA
http://fosseen.us/scott
_
Not everything that can be counted counts, and not everything that
counts can be counted.  - Albert Einstein
_
- Original Message - 
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: "Scott Fosseen" <[EMAIL PROTECTED]>
Sent: Sunday, November 28, 2004 7:42 PM
Subject: Re[2]: [sniffer] Not Getting Updates


On Sunday, November 28, 2004, 7:55:31 PM, Scott wrote:

SF> Pete,

SF> I forward all my messages from '[EMAIL PROTECTED]' to
SF> trigger my update.  If my renewal notice is sent from the same
SF> address I will not receive it.  Can you send me an update
SF> notification email or let me know what else to create the rule on.

You can have update notifications sent TO any address you like. They
will come from support@ however and it is likely your renewal notice
would also come from that address.

SF> I could turn off the rule for a little while but then I will miss an
SF> update.

I recommend strongly that you turn off this rule and then give us an
alternative address where we can send your automated update
notifications. This way you won't miss any updates and you also won't
miss any of our responses. We frequently respond to messages from our
support@ address.

I'm standing by to make the change for you.

I recommend that you send this information off list so that it won't
be exposed.

Thanks,
_M




Re: [sniffer] Not Getting Updates

2004-11-29 Thread Josh Piche
How do you get the email to trigger an update?

Josh Piche
Systems Administrator
CAUT

Scott Fosseen wrote:

Pete,

I forward all my messages from '[EMAIL PROTECTED]' to trigger my update.  If my renewal notice is sent from the same address I will not receive it.  Can you send me an update notification email or let me know what else to create the rule on.

I could turn off the rule for a little while but then I will miss an update.

Thanks.
-- Original Message --
From: Pete McNeil <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date:  Sun, 28 Nov 2004 18:08:46 -0500

On Sunday, November 28, 2004, 6:01:39 PM, Richard wrote:

RF> I just noticed that I am no longer getting updated emails for the sniffer to
RF> trigger the automatic update.. The last one was on Nov 11...Customers had
RF> told me they were getting more spam but I just thought we were getting
RF> hammered with more..

Hi Richard,

According to our records your license expired on 2004-11-01.
You should have received a renewal notice by email about a month
before that.

Last License Compile:   11/11/2004 22:37:00 (GMT)

I will launch a compile of your rulebase.

Please complete a renewal as soon as possible. I am on duty through
the evening. I will be sure to re-enable your account as soon as the
renewal comes through.

Hope this helps,
_M



RE: [sniffer] Not Getting Updates

2004-11-29 Thread John Tolmachoff (Lists)
What you should be doing is forwarding but leaving a copy.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of Scott Fosseen
> Sent: Sunday, November 28, 2004 4:56 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [sniffer] Not Getting Updates
>
> Pete,
>
> I forward all my messages from '[EMAIL PROTECTED]' to trigger my update.  If
> my renewal notice is sent from the same address I will not receive it.  Can you send
> me an update notification email or let me know what else to create the rule on.
>
> I could turn off the rule for a little while but then I will miss an update.
>
> Thanks.
> -- Original Message --
> From: Pete McNeil <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> Date:  Sun, 28 Nov 2004 18:08:46 -0500
>
> >On Sunday, November 28, 2004, 6:01:39 PM, Richard wrote:
> >
> >RF> I just noticed that I am no longer getting updated emails for the sniffer to
> >RF> trigger the automatic update.. The last one was on Nov 11...Customers had
> >RF> told me they were getting more spam but I just thought we were getting
> >RF> hammered with more..
> >
> >Hi Richard,
> >
> >According to our records your license expired on 2004-11-01.
> >You should have received a renewal notice by email about a month
> >before that.
> >
> >Last License Compile:   11/11/2004 22:37:00 (GMT)
> >
> >I will launch a compile of your rulebase.
> >
> >Please complete a renewal as soon as possible. I am on duty through
> >the evening. I will be sure to re-enable your account as soon as the
> >renewal comes through.
> >
> >Hope this helps,
> >_M

