[sniffer] Re: [Alligate]Alligate and Sniffer again (NL)

2016-01-18 Thread Bonno Bloksma
Hi,

Ok, downloaded Alligate trial, installed in on a 2012 R2 server.
Made a local dns "server" (resolver) on the machine but I am not sure if I need 
it now that we can use the Google dns server by default.

How do I hook up Sniffer? I used to have Declude (and IMail) and had Sniffer 
connected that way, I now need to connect sniffer into Alligate.
I cannot find anything in the Alligate Docs I downloaded.

p.s. It seems there is still some support for Alligate, I noticed a recent 
update in the "Alligate V3 updates" zip file. But everything else seems to 
point to 2014 as the last time something was actively done.
Even the documentation lists nothing after 2014 and still talks about special 
settings for the (local) dns server on a Windows 2013 server.

With kind regards,
Bonno Bloksma
system manager

tio
university of applied sciences
julianalaan 9 / 7553 ab  hengelo / the netherlands
t +31 (0)74-255 06 10
b.blok...@tio.nl<mailto:b.blok...@tio.nl> / www.tio.nl<http://www.tio.nl/en/>

Follow us on Twitter<https://twitter.com/hogeschooltio> / 
Facebook<http://www.facebook.com/pages/TIO-Hogeschool-Hospitality-en-Toerisme/103881882987989#%21/pages/Hogeschool-Tio/417375345610>
 / LinkedIn<http://www.linkedin.com/company/hogeschool-tio/> / 
YouTube<http://www.youtube.com/user/hogeschooltio>

From: discussion-ow...@alligate.com [mailto:discussion-ow...@alligate.com] 
On behalf of Bonno Bloksma
Sent: Sunday 17 January 2016 22:54
To: discuss...@alligate.com; sniffer@sortmonster.com
Subject: [Alligate]Alligate and Sniffer again (NL)

Hi,

I need to set up a spam filter server again, so once again I will probably go 
with Alligate plus Sniffer.
Is that still a viable combination? I have not been following the news these 
past 3-4 years when we had another solution in place.

On the Alligate site I still see Windows 2008 Server as the highest recommended 
version, but we are up to Windows 2012 R2 now; it is my recommended OS for a 
new Windows server. Alligate still lists Windows 2000 and XP as possible 
platforms; I would not want to run anything on those today. Is Alligate still 
being supported as a base platform for Sniffer?

If not, what would be a good platform for a Sniffer spam filter server?
Although I have some experience with (Debian) Linux servers, I would rather not 
use that, as I am the only one here with enough experience to know what I am 
doing, and not even that with Linux mail servers. So I would rather run Sniffer 
on a Windows platform.


With kind regards,
Bonno Bloksma
system manager

tio
university of applied sciences
julianalaan 9 / 7553 ab  hengelo / the netherlands
t +31 (0)74-255 06 10
b.blok...@tio.nl<mailto:b.blok...@tio.nl> / www.tio.nl<http://www.tio.nl/en/>




[sniffer] Alligate and Sniffer again

2016-01-18 Thread Bonno Bloksma
Hi,

I need to set up a spam filter server again, so once again I will probably go 
with Alligate plus Sniffer.
Is that still a viable combination? I have not been following the news these 
past 3-4 years when we had another solution in place.

On the Alligate site I still see Windows 2008 Server as the highest recommended 
version, but we are up to Windows 2012 R2 now; it is my recommended OS for a 
new Windows server. Alligate still lists Windows 2000 and XP as possible 
platforms; I would not want to run anything on those today. Is Alligate still 
being supported as a base platform for Sniffer?

If not, what would be a good platform for a Sniffer spam filter server?
Although I have some experience with (Debian) Linux servers, I would rather not 
use that, as I am the only one here with enough experience to know what I am 
doing, and not even that with Linux mail servers. So I would rather run Sniffer 
on a Windows platform.


With kind regards,
Bonno Bloksma
system manager

tio
university of applied sciences
julianalaan 9 / 7553 ab  hengelo / the netherlands
t +31 (0)74-255 06 10
b.blok...@tio.nl<mailto:b.blok...@tio.nl> / www.tio.nl<http://www.tio.nl/en/>




[sniffer] Re: What is your oldest production CPU?

2013-12-27 Thread Bonno Bloksma
Hi Pete,

> Hello Sniffer Folks,
> 
> We would like to know what your oldest production CPU is.

Oldest production (mail) server is an HP ProLiant DL380 G6 with a Xeon E5530 
quad CPU.

With kind regards,
Bonno Bloksma
Senior system engineer

tio university of applied sciences
julianalaan 9 / 7553 ab  hengelo / the netherlands


#
This message is sent to you because you are subscribed to
  the mailing list .
This list is for discussing Message Sniffer,
Anti-spam, Anti-Malware, and related email topics.
For More information see http://www.armresearch.com
To unsubscribe, E-mail to: 
To switch to the DIGEST mode, E-mail to 
To switch to the INDEX mode, E-mail to 
Send administrative queries to  



[sniffer] Re: IPv6

2011-03-11 Thread Bonno Bloksma
Hi,

I remember reading somewhere that research was being done on IPv6 block lists
using the fact that the same /64 net would probably be the same machine or
very near it. Pretty much what we now block when we list an IPv4 NATted
gateway to a private network which houses an infected PC.

Unfortunately I cannot find the reference to that article anymore, I thought
I had it bookmarked. :-(

Yours sincerely,
Bonno Bloksma
senior system administrator

tio 
university of applied sciences for hospitality and tourism
julianalaan 9 / 7553 ab hengelo 
netherlands
t +31-74-255 06 10 / f +31-74-255 06 11 
b.blok...@tio.nl  / www.tio.nl 


-Original Message-
From: Message Sniffer Community [mailto:sniffer@sortmonster.com] On behalf of
Peer-to-Peer (Support)
Sent: Friday 11 March 2011 14:25
To: Message Sniffer Community
Subject: [sniffer] IPv6


Hi everyone,

I've been thinking about the potential risk IPv6 will have on filtering
spam.  I suspect RBLs (real-time blacklists) may become obsolete once IPv6
arrives?

From what I've learned, IPv6 has 340 undecillion (1 followed by 36 zeros) IP
addresses.  And devices can refresh every 24 hours.  IPv4 only has 4.3
billion IP addresses.


Pete: Grab a cup of coffee.  The botNet's are coming...



--Paul




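A prefix-keyed sender reputation table, added here to illustrate the /64 idea in Bonno's reply and the address-rotation worry in Paul's message; this is an added example, not Message Sniffer or GBUdb code, and every address in it is a constructed documentation-prefix sample.

```python
"""Prefix-keyed sender reputation: treat an IPv6 /64 as one "host".

Added example, not Message Sniffer or GBUdb code. A /64 is the smallest
allocation a single machine (or LAN) normally gets, so reputation is kept
per /64 rather than per address: a sender that rotates through its 2^64
addresses cannot dodge the block, much as listing an IPv4 NAT gateway
covers every PC behind it. All addresses below are constructed samples.
"""
import ipaddress
from collections import Counter


class PrefixReputation:
    def __init__(self, spam_threshold: int = 3, v6_prefix: int = 64,
                 v4_prefix: int = 32):
        self.spam_threshold = spam_threshold
        self.v6_prefix = v6_prefix
        self.v4_prefix = v4_prefix
        self.spam_hits = Counter()   # reputation key -> number of spam reports

    def key(self, addr: str) -> str:
        """Map an address to the aggregate it is judged by (a /64 for IPv6)."""
        ip = ipaddress.ip_address(addr)
        plen = self.v6_prefix if ip.version == 6 else self.v4_prefix
        return str(ipaddress.ip_network(f"{ip}/{plen}", strict=False))

    def report_spam(self, addr: str) -> str:
        """Record one spam report against the sender's aggregate; return the key."""
        k = self.key(addr)
        self.spam_hits[k] += 1
        return k

    def is_blocked(self, addr: str) -> bool:
        """Blocked when the aggregate (not just this address) reached the threshold."""
        return self.spam_hits[self.key(addr)] >= self.spam_threshold


def demo() -> dict:
    """Constructed scenario: one spammer rotating addresses inside 2001:db8:1:2::/64."""
    rep = PrefixReputation(spam_threshold=3)
    for a in ("2001:db8:1:2::10", "2001:db8:1:2::20", "2001:db8:1:2:dead:beef::1"):
        rep.report_spam(a)
    return {
        # never seen before, but in the same /64 as the three reported hosts
        "rotating_sender_blocked": rep.is_blocked("2001:db8:1:2::9999"),
        # neighbouring /64: no reports against it
        "neighbour_64_blocked": rep.is_blocked("2001:db8:1:3::1"),
        # IPv4 keys stay per-host (/32); nothing reported here either
        "nat_gateway_blocked": rep.is_blocked("192.0.2.7"),
    }


if __name__ == "__main__":
    print(demo())
```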



[sniffer] Re: Bad Rule Event

2010-12-16 Thread Bonno Bloksma
Hi Pete,

> Hello Sniffer Folks,
> 
> We have had a bad rule event.
> The bad rules were created near 0830E, and removed by 1030E.
[...]

Regarding this event: a while ago we talked about Sniffer installations 
exchanging rule-panic info via the GBUdb sync info, as that is happening every 
(few) minute(s) instead of every few hours.
Any idea when a new version of Sniffer with that feature will be launched?

Yours sincerely,
Bonno Bloksma
senior system administrator

tio 

university of applied sciences for hospitality and tourism 
julianalaan 9 / 7553 ab hengelo 
netherlands 
t +31-74-255 06 10 / f +31-74-255 06 11 

b.blok...@tio.nl  / www.tio.nl 




[sniffer] Re: how to handle on rule panick?

2009-11-23 Thread Bonno Bloksma
Hi Pete,

Maybe you need to do something about the default sortmonster pages as well.

When I go to http://www.sortmonster.com/MessageSniffer/ the Wiki link points to 
Sniffer v2 documentation.
You probably need to make two links there, one to the new documentation, and 
explicitly state that the Wiki is the v2 documentation. That was my second 
attempt, when at first a Google search for "sniffer" and "rule panic" brought 
me to the v2 wiki docs.


With kind regards,
Bonno Bloksma
senior system administrator

tio 

hogeschool hospitality en toerisme 
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20

b.blok...@tio.nl  / www.tio.nl 


- Original Message - 
  From: Pete McNeil 
  To: Message Sniffer Community 
  Sent: Monday, November 23, 2009 4:30 PM
  Subject: [sniffer] Re: how to handle on rule panick?


  Bonno Bloksma wrote:

  
  >  
  > It seems the Wiki is out of date, it probably describes an older 
  > Sniffer version. It should either describe the "current" version or 
  > report the differences for each version.

  Very sorry for your frustration. You are correct the page is out of 
  date. I have posted a note at the top of the page indicating this and 
  providing a link to the correct current page.

  Best,

  _M





[sniffer] how to handle on rule panick?

2009-11-23 Thread Bonno Bloksma
Hi,

It seems the documentation on how to handle a rule panic in the Wiki is not 
complete, to put it mildly. :-(
In my opinion it gives just enough information to frustrate the user into 
finding PROBABLY the right place to enter the information but then leaves 
him/her hanging.

I had several mails caught these past few days (I am not a full time 
postmaster) and reported the FP mails to sniffer. But I want to disable a rule 
until I hear back from them. So I went to the wiki and...

Sniffer site, rule panic
http://kb.armresearch.com/index.php?title=Message_Sniffer.FAQ.FalsePositives#RulePanic
[]
2. Create a rule-panic entry in your .cfg file - this will temporarily 
deactivate the rule. 

But how???
In my Sniffer directory there is no .CFG file. Clicking on the .cfg file link 
also is misleading it seems. I have no .cfg file. I do have an 
identity.xml file with my license in it.

Should I edit my snf_engine.xml file?
Probably.

What should I edit/enter?
At this point there is no documentation I was able to find which would help me 
solve this problem.

Grepping some more (grep panic *.xml) I finally found I indeed had to enter a 
line in the snf_server.xml file, and oh yeah, don't add a line to the sample 
lines as they are in a comment box. ;-)
All in all I did find it, I think, but mostly without using the 
documentation.

It seems the Wiki is out of date, it probably describes an older Sniffer 
version. It should either describe the "current" version or report the 
differences for each version.

With kind regards,
Bonno Bloksma
senior system administrator

tio 

hogeschool hospitality en toerisme 
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20

b.blok...@tio.nl  / www.tio.nl 




[sniffer] panic rule information

2009-09-08 Thread Bonno Bloksma
Hi Pete/community,

If I understand things correctly then the detection of a panic rule is local 
to the system. So a few systems may have enough traffic to see that a rule is 
acting wrong and assume a panic for that rule. According to the Wiki that 
information is sent automatically to the folks at armresearch, but...
As far as I know there is yet no mechanism to get that information 
automatically to the Sniffer community. 

Might it be a good idea to propagate rule panic info via the GBUdb mechanism? 
As far as I understand, that information gets updated and transmitted a lot 
faster than rulebase updates.


With kind regards,
Bonno Bloksma
senior system administrator

tio 

hogeschool hospitality en toerisme 
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20

b.blok...@tio.nl  / www.tio.nl 




[sniffer] how did I run as service?

2009-06-25 Thread Bonno Bloksma
Hi,

Using IMail 9.23 and Declude 4.x on a Windows 2003 server with Sniffer.

A little while after version 3 was released I upgraded and followed the 
instructions on the site to get the Sniffer service running as a service. 
After that I upgraded to the version that used curl instead of wget to get the 
rulebase.
Now I want to upgrade to the latest version but...

Does the installer detect how I'm running Sniffer as a service?
I cannot find the instructions I once followed to get it up and running. So I 
have no idea which tool I used to get the service running. :-(

With kind regards,
Bonno Bloksma
senior system administrator

tio 

hogeschool hospitality en toerisme 
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20

b.blok...@tio.nl  / www.tio.nl 




[sniffer] Re: New IMPROVED getRulebase.cmd script

2009-03-12 Thread Bonno Bloksma
Hi Pete,

In your first mail about this problem you wrote:
There has long been a bug in the getRulebase script using wget which 
causes the rulebase file that is downloaded to have the local system's 
timestamp. Under normal circumstances this does not cause a problem 
because most system clocks are synchronized and the local timestamp is 
generally newer than the timestamp of the rulebase file on our servers.

What I was getting at:
If the rulebase with the old wget software were to get a local timestamp on my 
server when downloaded, mine would always be "far" into the future from your 
original, as my server is at GMT+1 or +2 during DST.
So if your server is at GMT-5 my rulebase would get a timestamp of the original 
+6 hours. So it would then NOT download another rulebase for the next 6 hours, 
as every new rulebase would still be in its past.

Or should wget have compensated for timezones as curl should? Because my 
rulebase files on my server seem to have a local timestamp.
However, this is where we probably get beyond my tech level.
Does Windows always use UTC internally and then calculate the local time when 
displaying the timestamp for a file?
Is that what I'm missing? Because I think I've read that somewhere about 
problems with timestamps on FAT and NTFS.

With kind regards,
Bonno Bloksma
senior system administrator

tio 

hogeschool hospitality en toerisme 
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20

b.blok...@tio.nl  / www.tio.nl 


- Original Message - 
  From: Pete McNeil 
  To: Message Sniffer Community 
  Sent: Thursday, March 12, 2009 3:33 PM
  Subject: [sniffer] Re: New IMPROVED getRulebase.cmd script


  Bonno Bloksma wrote: 
Hi Pete,

I get what you said. But:
 I'm nowhere near your timezone, I'm at GMT+1 or +2. So should there not 
have been a problem long before where my system would see older files at your 
system several times a day when in fact there would be a newer one?
Does that mean my system has been getting only two or three updates a day 
where it should have gotten over a dozen?

  If two systems agree on the time, and then only one of them advances their 
clock by an hour the two clocks will still be different. Anyway - we've learned 
more since then (below)



I've switched to curl so everything should work ok by now. According to my 
logs I'm getting a new rulebase about every hour.

  Once per hour is just about right. 
  Pacing is currently set to 55 minutes.

  ---

  More that has been learned (technical stuff) and a story (skip if you like, 
but some might find this interesting):

  Yesterday while working on this problem and testing on one of our inbound 
spamtrap processors I noticed that things still weren't quite right. This 
discovery led me to break a paradigm in my thinking and begin to see another 
problem (perhaps the key problem). 

  Paradigm: I had been very focused on the one hour time difference, DST, and 
the obvious coincidence with the "DST storm" -- Our countermeasures at the 
server and deployment of the new getRulebase script had essentially mitigated 
the problem... so I was expecting everything to work fine.

  Having loaded the new getRulebase script on the system I was monitoring it 
didn't make sense that there was still a problem. Even worse, the telemetry was 
showing timestamps that were close, but off by a few minutes -- as if the 
server had picked up the time shifted file instead of the original posting... 
but that didn't make sense. I wondered if something else was going on and so I 
loaded up the UTC as a reference:

  http://www.worldtimeserver.com/current_time_in_UTC.aspx

  To my wonder and amazement the telemetry I was looking at showed the UTC 
reference for the rulebase on the server in the future by one hour! "That can't 
be right", I said to myself, and then I checked the timestamp again on the 
delivery server. I rechecked the math and sure enough the timestamp on the 
delivery server was correct! I hate a mystery.

  I went to the main SYNC server to see if something had happened to it -- Why 
would it report the file's timestamp in the future when the timestamp on the 
file system is correct? We hadn't made any changes to the software. The only 
thing that had happened was DST.

  I made my priority getting the reported timestamp correct, and I made the 
assumption that there might be some obscure DST bug in this version of RedHat 
or one of the libraries that I would solve later. I began looking for a way to 
tweak the SYNC server code to adjust the time stamp before reporting it when 
these conditions were detected... A way to work around the bug. I would fix the 
bug later.

  Of course, to do this tweak I would need to find a way to detect the 
condition so I started to look for ways to do that reliably. I know it's a 
funny notion -- looking for a 

[sniffer] Re: New IMPROVED getRulebase.cmd script

2009-03-12 Thread Bonno Bloksma
Hi Pete,

I get what you said. But:
 I'm nowhere near your timezone, I'm at GMT+1 or +2. So should there not have 
been a problem long before where my system would see older files at your system 
several times a day when in fact there would be a newer one?
Does that mean my system has been getting only two or three updates a day where 
it should have gotten over a dozen?

I've switched to curl so everything should work ok by now. According to my logs 
I'm getting a new rulebase about every hour.



With kind regards,
Bonno Bloksma
senior system administrator

tio 

hogeschool hospitality en toerisme 
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20

b.blok...@tio.nl  / www.tio.nl 


- Original Message - 
  From: Pete McNeil 
  To: Message Sniffer Community 
  Sent: Wednesday, March 11, 2009 1:57 PM
  Subject: [sniffer] Re: New IMPROVED getRulebase.cmd script


  Bonno Bloksma wrote: 
Why does this problem start just now with a DST shift somewhere? I'm 
nowhere near your timezone (GMT+1 or +2) so should there not have been a 
problem long before where my system would see older files at your system 
several times a day when in fact there would be a newer one? Does that mean my 
system has been getting only two or three updates a day where it should have 
gotten over a dozen?
Unfortunately I disabled logging a while ago when everything seemed to run 
smoothly. :-(

Someone to your west would have seen a new rulebase every time they checked 
no matter what DST.
Or is it just that you finally noticed it due to the DST shift?

  The reason DST is an issue is because the previous wget based script stamps 
the downloaded rulebase with the local clock instead of the timestamp that came 
with the file from the delivery server. As a result the timestamps might not 
agree.

  The recent change in the start of DST in the US is not reflected everywhere 
AND some locations use different DST start dates. The result of this is that 
when using the old script the local timestamp created using the local clock is 
likely to be behind the delivery server's timestamp by an hour.

  The new update-script mechanism in SNFServer compares the local file's 
timestamp to the timestamp reported by the delivery server once every minute.

  When the local timestamp is used and the local time is behind the clock on 
the delivery server then the freshly downloaded rulebase file _appears_ to be 
an hour old and this does not change no matter how many times the file is 
downloaded.

  Before DST the local clock and the delivery server's clock would generally 
agree and so there was no problem.

  Hope this helps,

  _M
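A small model of the timestamp comparison Pete explains above, which also covers the "+6 hours" case Bonno reasons about in his 2009-03-12 reply. This is an added illustration, not the getRulebase script or SNFServer code; it assumes a server that posts a new rulebase every 55 minutes (the pacing Pete mentions) and a client that checks once a minute, and every clock value in it is constructed.

```python
"""Simulate SNFServer's once-a-minute rulebase freshness check.

Added example (not the list's getRulebase.cmd): the old wget script stamped
the downloaded file with the local clock, the curl script keeps the delivery
server's timestamp. The simulation shows why that matters once the two
clocks disagree (a DST shift, or simply a different timezone offset).
"""
from datetime import datetime, timedelta, timezone

PACING = timedelta(minutes=55)       # server posts a new rulebase this often
CHECK_EVERY = timedelta(minutes=1)   # SNFServer compares timestamps this often


def needs_download(local_mtime: datetime, server_mtime: datetime) -> bool:
    """The check described in the thread: fetch when the server's file is newer."""
    return server_mtime > local_mtime


def simulate(clock_skew: timedelta, preserve_server_time: bool,
             duration: timedelta = timedelta(hours=2)) -> tuple:
    """Run the check loop for `duration`.

    clock_skew:           local clock minus server clock (+6h in Bonno's
                          example, -1h for a machine that did not move to DST)
    preserve_server_time: True for the curl script, False for the old wget one
    Returns (number_of_downloads, local_copy_is_latest_at_end).
    """
    t0 = datetime(2009, 3, 10, 12, 0, tzinfo=timezone.utc)   # constructed start
    server_mtime = t0                        # timestamp of the rulebase on the server
    server_version = 0                       # which rulebase content the server has
    local_mtime = t0 - timedelta(hours=1)    # we start with an older copy
    local_version = -1
    downloads = 0

    now = t0
    while now < t0 + duration:
        elapsed = now - t0
        if elapsed and elapsed % PACING == timedelta(0):
            server_mtime, server_version = now, server_version + 1   # new rulebase posted
        if needs_download(local_mtime, server_mtime):
            downloads += 1
            local_version = server_version
            # The only difference between the two scripts is this line:
            local_mtime = server_mtime if preserve_server_time else now + clock_skew
        now += CHECK_EVERY
    return downloads, local_version == server_version


def scenario(skew_hours: float, preserve_server_time: bool) -> tuple:
    """Convenience wrapper: clock skew given in hours."""
    return simulate(timedelta(hours=skew_hours), preserve_server_time)


if __name__ == "__main__":
    print("curl, local clock 6h ahead :", scenario(6, True))    # 3 downloads, up to date
    print("wget, local clock 1h behind:", scenario(-1, False))  # re-fetches every minute
    print("wget, local clock 6h ahead :", scenario(6, False))   # 1 download, then stale
```

With the local clock behind, the wget-stamped file always looks older than the server's copy, so it is fetched again every minute (the "DST storm"); with the clock ahead, it looks newer than every rulebase posted in the next six hours, so nothing is fetched at all.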



[sniffer] Re: New IMPROVED getRulebase.cmd script

2009-03-10 Thread Bonno Bloksma
Hi,

First one comment about the script.
Just before the CLEANUP label the lck file is deleted. Right after that it is 
deleted again in the CLEANUP section.
The first can safely be removed.

Second,
Why does this problem start just now with a DST shift somewhere? I'm nowhere 
near your timezone (GMT+1 or +2) so should there not have been a problem long 
before where my system would see older files at your system several times a day 
when in fact there would be a newer one? Does that mean my system has been 
getting only two or three updates a day where it should have gotten over a 
dozen?
Unfortunately I disabled logging a while ago when everything seemed to run 
smoothly. :-(

Someone to your west would have seen a new rulebase every time they checked no 
matter what DST.
Or is it just that you finally noticed it due to the DST shift?

With kind regards,
Bonno Bloksma
senior system administrator

tio 

hogeschool hospitality en toerisme 
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20

b.blok...@tio.nl  / www.tio.nl 


- Original Message - 
  From: Pete McNeil 
  To: Message Sniffer Community 
  Sent: Tuesday, March 10, 2009 2:40 PM
  Subject: [sniffer] New IMPROVED getRulebase.cmd script


  Hello Sniffer Folks,

  At the following link you will find a zip file containing the open 
  source CURL utility and an updated version of the new getRulebase.cmd 
  script. The old getRulebase.zip file has been replaced with the new one 
  in the same location (you may want to clear your browser cache if you 
  downloaded the previous version):

  http://www.armresearch.com/message-sniffer/download/CURL-getRulebase.zip

  The new getRulebase.cmd script produces a getRulebase.txt file each time 
  it is run so that you can see what happened.

  No errors are reported to the screen. If there are errors they will show 
  up in the getRulebase.txt file.

  There is a comment at the bottom of the script where you can add a line 
  to email the getRulebase.txt file to yourself if you want to have the 
  script inform you each time it runs.

  _M





[sniffer] files in the Sniffer dir

2009-01-04 Thread Bonno Bloksma
Hi,

I was wondering about something and could not find info about it on the Sniffer 
documentation page.

I have several files in my Sniffer directory with a date of today: logfiles, 
rulebases, etc.
The next most recent files are my GBUdbIgnoreList.txt, getrulebase.cmd, etc., 
which I have made changes to.

But there are at least three strange files with no filename part: .handshake, 
.state, and .tmp, of which the .handshake has a date of today but the other two 
are of July 2008 (around my installation date for Sniffer 3).
What are those three files for, and should those dates indeed be that old?



With kind regards,
Bonno Bloksma
head of system administration
tio 
hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
b.blok...@tio.nl  / www.tio.nl




[sniffer] upgraded to 3.0

2008-07-18 Thread Bonno Bloksma
Hi,

Well I did it, upgraded to 3.0 as well. The automatic rule panic feature and 
all the other stuff seemed a good idea. :-)
Setting it up turned out to be straightforward, just follow the instructions. 
Ran into just 2 things and one question.

1)
Forgot to set correct path to identity file, was set to a nonexisting path. 
Started server.
---
C:\IMail\declude\Sniffer3>c:\IMail\declude\Sniffer3\SNFServer3.0.exe 
c:\IMail\declude\Sniffer3\snf_engine.xml
SNF Server Version 3.0 Build: Jun 26 2008 13:25:19
SNFMulti Engine Version 3.0 Build: Jun 26 2008 13:25:06
Launching with c:\IMail\declude\Sniffer3\snf_engine.xml
Unhandled Exception: snf_LoadNewRulebase() Zero length SecurityKey Thrown!
---
Should have said something like "error in path to identity file"

2)
On page
http://www.armresearch.com/support/articles/software/snfServer/core.jsp
resultcode 63 is still listed as "Received IPs from spamtraps & research." 
instead of "Black.."

Question:
Is there still a log file for me to ZIP every night or is all logging now at 
ARM research?

p.s. Aren't we at version 3.01? This one I just downloaded still reports 3.0 as 
its version. Or was that just the *nix version?



With kind regards,
Bonno Bloksma
head of system administration
tio 

hogeschool hospitality en toerisme

begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED]  / www.tio.nl




[sniffer] medical spam

2007-06-04 Thread Bonno Bloksma
Hi,

Are these medicine spams getting more aggressive? The past few weeks I've had 
more than my share of those image spams getting tagged by virtually no spam 
filter at all, or maybe just a few tag it but do not hold it.
Any one of those the Sniffer does not catch I forward to [EMAIL PROTECTED], but 
as they are all mixed with some random noise I assume they're pretty much all 
unique.

Any chance Sniffer can get them in a more generic way, or does Sniffer indeed 
have to wait until the next variation comes along in order to code rules for it?


With kind regards,
Bonno Bloksma
head of system administration



tio hogeschool hotelmanagement en toerisme 
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED]  / www.tio.nl 

[sniffer] Re: Spam

2007-05-29 Thread Bonno Bloksma
Hi,

> I recommend "SpamSource", if you are an Outlook user. It's a little
> toolbar applet that you can configure any recipient of the forwarded spam
> and it will include all the original mail headers - just the way Sniffer,
[]
It is a wonderful tool! Thanks Andy

Nobody pays us for our work of reporting not caught messages.
The Sniffer staff should offer this tool for free to our community ;-)

Hmmm, if they do I would love to have it for Outlook Express as well.
It seems a great tool, especially now that we see a lot of missed spam. It would 
be great if I had a tool to deploy on all staff PCs where we use Outlook 
Express mostly (ca. 90%).
One other thing that would be nice is if the IMail web interface had a way to 
forward spam with all information intact.




With kind regards,
Bonno Bloksma
head of system administration



tio hogeschool hotelmanagement en toerisme 
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED]  / www.tio.nl 

[sniffer] Fw: lot's of legit mailservsr in spamdatabases

2007-04-19 Thread Bonno Bloksma
Hi,
 
I just posted this in the Declude.Junkmail list:

--
How do you guys deal with it? LOTS of legit mailservers are listed in what used 
to be reliable spam-sender databases.

X-RBL-Warning: SPAMBAG: 109.176.216.212.blacklist.spambag.org.
X-RBL-Warning: SPAMCANNIBAL: "blocked, See: 
http://www.spamcannibal.org/cannibal.cgi?page=lookup&lookup=212.216.176.109";
X-RBL-Warning: UCEPROTECT-1: "Sorry 212.216.176.109 is Level 1 listed at 
UCEPROTECT-NETWORK. See 
http://www.uceprotect.net/rblcheck.php?ipr=212.216.176.109";
X-RBL-Warning: UCEPROTECT-2: "Sorry 212.216.176.109 is Level 2 listed at 
UCEPROTECT-NETWORK. See 
http://www.uceprotect.net/rblcheck.php?ipr=212.216.176.109";
 
But 212.216.176.109 is a normal mailserver, vsmtp21.tin.it, and is trying to 
deliver mail from a "customer" to us. Have spammers won this race, can we no 
longer trust these databases? Is there an IP list with "all" legitimate 
mailservers for most ISPs that I can use to reduce points?
 
For the Hotmail mailservers it was easy to reduce the points; it's a lot harder 
to do for all the other "real" mailservers.
--
 
Pete,
Is this something the new Sniffer can help us with, identifying legit 
mailservers? Will hits have a separate exit code we can use to identify legit 
mailservers and reduce points accumulated in Declude via other tests and have 
the mail go through?



With kind regards,
Bonno Bloksma
head of system administration



tio hogeschool hotelmanagement en toerisme 
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED]  / www.tio.nl 
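One way to do the "reduce points for a known-legitimate relay" step Bonno asks about, using the X-RBL-Warning headers quoted in the post above. This is an added example, not Declude or Sniffer code; the per-test weights, the trusted-relay network and the credit value are constructed placeholders.

```python
"""Parse Declude-style X-RBL-Warning headers and apply a trusted-relay credit.

Added example, not Declude or Sniffer code. It unfolds the headers quoted in
the post, pulls the listed IP out of each warning (including the
reversed-octet form used in a DNSBL lookup name such as
109.176.216.212.blacklist.spambag.org), sums per-test weights, and subtracts
a credit when the sending relay is in a locally kept list of legitimate
mail servers. Weights, trusted networks and the credit are constructed.
"""
import ipaddress
import re

# Constructed sample: the headers from the post, folded RFC 822 style.
SAMPLE_HEADERS = """\
X-RBL-Warning: SPAMBAG: 109.176.216.212.blacklist.spambag.org.
X-RBL-Warning: SPAMCANNIBAL: "blocked, See:
 http://www.spamcannibal.org/cannibal.cgi?page=lookup&lookup=212.216.176.109"
X-RBL-Warning: UCEPROTECT-1: "Sorry 212.216.176.109 is Level 1 listed at
 UCEPROTECT-NETWORK. See http://www.uceprotect.net/rblcheck.php?ipr=212.216.176.109"
X-RBL-Warning: UCEPROTECT-2: "Sorry 212.216.176.109 is Level 2 listed at
 UCEPROTECT-NETWORK. See http://www.uceprotect.net/rblcheck.php?ipr=212.216.176.109"
"""

# A dotted quad; if a DNS zone follows it, it is a reversed DNSBL lookup name.
DOTTED = re.compile(r"(?<![\w.])(\d{1,3}(?:\.\d{1,3}){3})(\.[A-Za-z][\w.-]*)?")

# Constructed placeholders: weights per RBL test, and a network we treat as a
# legitimate ISP outbound relay (Bonno's vsmtp21.tin.it case).
WEIGHTS = {"SPAMBAG": 3, "SPAMCANNIBAL": 3, "UCEPROTECT-1": 2, "UCEPROTECT-2": 4}
TRUSTED_RELAYS = [ipaddress.ip_network("212.216.176.0/24")]


def unfold(raw: str) -> list:
    """Join folded continuation lines (leading whitespace) onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def parse_rbl_warnings(raw: str) -> list:
    """Return [(test_name, listed_ip_or_None), ...] from X-RBL-Warning headers."""
    found = []
    for line in unfold(raw):
        if not line.lower().startswith("x-rbl-warning:"):
            continue
        name, _, text = line.split(":", 1)[1].strip().partition(":")
        ip = None
        m = DOTTED.search(text)
        if m:
            quad, zone = m.group(1), m.group(2)
            # "109.176.216.212.blacklist.spambag.org" lists 212.216.176.109
            ip = ".".join(reversed(quad.split("."))) if zone else quad
        found.append((name.strip(), ip))
    return found


def score(raw: str, weights: dict, trusted_relays: list, credit: int,
          default_weight: int = 1) -> dict:
    """Weight the RBL hits, then credit the message if the relay is known-good."""
    hits = parse_rbl_warnings(raw)
    ips = {ip for _, ip in hits if ip}
    points = sum(weights.get(name, default_weight) for name, _ in hits)
    trusted = any(ipaddress.ip_address(ip) in net
                  for ip in ips for net in trusted_relays)
    return {
        "listed_ip": ips.pop() if len(ips) == 1 else None,  # None if warnings disagree
        "tests_hit": [name for name, _ in hits],
        "points": points,
        "trusted_relay": trusted,
        "points_after_credit": max(points - credit, 0) if trusted else points,
    }


if __name__ == "__main__":
    print(score(SAMPLE_HEADERS, WEIGHTS, TRUSTED_RELAYS, credit=10))
    print(score(SAMPLE_HEADERS, WEIGHTS, [], credit=10))
```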

[sniffer] Re: Integration with Mailenable -> Domain Keys

2007-03-19 Thread Bonno Bloksma
Hi,

ErrorLevel is a variable as of Windows 2000 so:

call "C:\Program Files\FSI\F-Prot\fpcmd.exe" -silent -auto -ai -archive -saferemove -disinf -del -append -report=C:\SmarterMail\logs\virusscan.log %1
REM Copy the scanner's exit code right away, before another command overwrites it
Set ERR=%ErrorLevel%
IF %ERR% EQU 0 GOTO CLEAN
@REM echo Virus scanned by F-Prot (%ERR%) viruses found>> %1
REM Non-zero: quarantine the message file (%1) instead of delivering it
MOVE /Y %1 C:\SmarterMail\Viruses
GOTO END
:CLEAN
@REM echo Virus scanned by F-Prot (%ERR%) viruses found >> %1
:END

Would work as well, just not on NT4 or lower.


With kind regards,
Bonno Bloksma
head of system administration



tio hogeschool hotelmanagement en toerisme 
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED]  / www.tio.nl 
  - Original Message - 
  From: Jay Sudowski - Handy Networks LLC 
  To: Message Sniffer Community 
  Sent: Sunday, March 18, 2007 1:36 AM
  Subject: [sniffer] Re: Integration with Mailenable -> Domain Keys


  I really don't see why it wouldn't be possible to do.  Here is the script 
that's used for f-prot:

  -
  SET ERR=0
  call "C:\Program Files\FSI\F-Prot\fpcmd.exe" -silent -auto -ai -archive -saferemove -disinf -del -append -report=C:\SmarterMail\logs\virusscan.log %1
  IF NOT ERRORLEVEL 1 GOTO CLEAN
  IF ERRORLEVEL 1 SET ERR=1
  IF ERRORLEVEL 2 SET ERR=2
  IF ERRORLEVEL 3 SET ERR=3
  IF ERRORLEVEL 4 SET ERR=4
  IF ERRORLEVEL 5 SET ERR=5
  IF ERRORLEVEL 6 SET ERR=6
  @REM echo Virus scanned by F-Prot (%ERR%) viruses found>> %1
  MOVE /Y %1 C:\SmarterMail\Viruses
  GOTO END
  :CLEAN
  @REM echo Virus scanned by F-Prot (%ERR%) viruses found >> %1
  :END
  -

  I think you should be able to modify it so that it calls Sniffer, rather than 
FProt.  %1 is the path to the mail file.  Based upon the error code/return 
code, you could then delete/hold spam detected by Sniffer accordingly. 

  As for SM not having a GUI, it really hasn't been an issue for us...

  -Jay

  -Original Message-
  From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Chris 
Bunting
  Sent: Saturday, March 17, 2007 4:03 PM
  To: Message Sniffer Community
  Subject: [sniffer] Re: Integration with Mailenable -> Domain Keys

  The other issue with SmarterMail is it doesn't have any gui.  Which I guess 
isn't a bad thing.  But I sometimes like a gui for certain things.  Also 
Declude seemed very expensive to use with sniffer

  Sent via my BlackBerry
  -> Ask me about it!  

  -Original Message-
  From: "E. H. \(Eric\) Fletcher" <[EMAIL PROTECTED]>
  Date: Sat, 17 Mar 2007 14:42:43 
  To:"Message Sniffer Community" 
  Subject: [sniffer] Re: Integration with Mailenable -> Domain Keys

  Phil / Jay:

  I am also looking at SmarterMail as an addition to or replacement for 
  several IMail servers and looking at calling MessageSniffer from it without 
  Declude because of the Declude bundling of things we don't want or see value 
  in.  While doing a little more reading on the SmarterTools site I saw a link 
  that addresses your discussion on domain keys:

  http://smartermail.exhalus.net/domainkeys/


  Eric

  - Original Message - 
  From: "Jay Sudowski - Handy Networks LLC" <[EMAIL PROTECTED]>
  To: "Message Sniffer Community" 
  Sent: Saturday, March 17, 2007 1:43 PM
  Subject: [sniffer] Re: Integration with Mailenable


  Hi Phil -

  Good question.  We integrate Sniffer into SmarterMail via Declude.
  However, SmarterMail does have the capability to run a program against a
  message before it is delivered.  We have some customers that use a batch
  file to call f-prot and get virus scanning integrated into their mail
  server on the cheap.  I believe it would likely be possible to make use
  of the same functionality to call Sniffer directly, and thus avoid
  having to purchase Declude.  I have just never had a need to attempt
  this.

  As for domain keys, I don't believe so.  However, you can set up
  SPF for your domains simply by adding the appropriate DNS records to
  said domains' zone files.

  -Jay

  -Original Message-
  From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On
  Behalf Of Phillip Cohen
  Sent: Friday, March 16, 2007 12:01 PM
  To: Message Sniffer Community
  Subject: [sniffer] Re: Integration with Mailenable


  Jay,

  Thanks for the heads up on Mailenable. I took a look at SmarterMail
  and it looks pretty good. How does it interface with Message Sniffer
  or does it require and external gateway such as EWall? How has
  support been with it and how have they been as far as updates. Also
  does it have "domain keys" capability and SPF support for sending
  mail to yahoo.com etc...

  Thanks,

  Phil


  At 07:26 PM 3/15/2007, you wrote:
  >Stay Away From MailEnable.
  >
  >There are so many exploits out there for MailEnable, and there are more
  >exploits found monthly, if not weekly.  A

[sniffer] update rulebase script

2007-02-08 Thread Bonno Bloksma
Hi,

Although I run a mailserver that handles only about 6K messages a day I found 
that occasionally something went wrong with my sniffer update although my script 
reported success.
Turns out there was no error checking in the little part where the old file gets 
deleted and the new file is put in (del, ren, ren).
The script uses standard Windows commands available on Windows 2000 and later.
DTLog is a little app I wrote years ago that will enter a line into a logfile 
and prepend it with date and time info. Replace those lines with whatever suits 
you.

--
[.]
:Replace
rem If we didn't fail then we can go ahead and make the switch.
if exist %IDNAME%.old del %IDNAME%.old
rename %IDNAME%.snf %IDNAME%.old
rename %IDNAME%.tst %IDNAME%.snf

rem Handle any additional successful system updates here (before Done).
%DTLog% %Logfile% Rulefile OK, updated
echo Rulefile OK, updated > %EmailBody%
SET EmailSubj=

:Done
if NOT %1X==X echo %1 >> %EmailBody%
%IMailDir%\imail1 -f %SnifDir%\%EmailBody% -s "Sniffer update on %COMPUTERNAME% %EmailSubj%" -t %EmailRpt% -u postmaster -h tio.nl

[.]
--

So I changed this to:
--
[.]
:Replace
rem If we didn't fail then we can go ahead and make the switch.
rem First delete any existing old file
if exist %IDNAME%.old del %IDNAME%.old
Set Err=%ErrorLevel%
IF %Err% GEQ 1 Goto ErrDelOld
rem Old file is gone, swap out current rulefile
rename %IDNAME%.snf %IDNAME%.old
Set Err=%ErrorLevel%
IF %Err% GEQ 1 Goto ErrSnf2Old
Rem Now we don't have any rulefile, get the new one in
rename %IDNAME%.tst %IDNAME%.snf
Set Err=%ErrorLevel%
IF %Err% GEQ 1 Goto ErrTst2Snf
Goto ReplaceOk

:ErrDelOld
%DTLog% %Logfile% Error %Err% deleting %IDNAME%.old !!!
Echo Error deleting %IDNAME%.old !!! > %EmailBody%
goto Done

:ErrSnf2Old
%DTLog% %Logfile% Error %Err% renaming %IDNAME%.snf to %IDNAME%.old !!!
Echo Error renaming %IDNAME%.snf to %IDNAME%.old !!! > %EmailBody%
Echo Old rulefile still in place >> %EmailBody%
Goto Done

:ErrTst2Snf
%DTLog% %Logfile% Error %Err% renaming %IDNAME%.tst to %IDNAME%.snf !!!
Echo Error renaming %IDNAME%.tst to %IDNAME%.snf !!! > %EmailBody%
Echo NO RULEFILE !!! >> %EmailBody%
SET EmailSubj=PANIC!!!
rem Might even send SMS Alert here
Goto Done

:ReplaceOk
rem Handle any additional successful system updates here (before Done).
%DTLog% %Logfile% Rulefile OK, updated
echo Rulefile OK, updated > %EmailBody%
SET EmailSubj=

:Done
if NOT %1X==X echo %1 >> %EmailBody%
%IMailDir%\imail1 -f %SnifDir%\%EmailBody% -s "Sniffer update on %COMPUTERNAME% %EmailSubj%" -t %EmailRpt% -u postmaster -h tio.nl

[.]
--

Please feel free to use this as a guideline to update your own scripts.
Pete, you might want to think about updating the sample script on the website.

p.s. For whatever reason the line "if exist %IDNAME%.old del %IDNAME%.old" in 
this mail script will report errorlevel 1 at my server when the *.old file does 
not exist even though another script with exactly the same line on the same 
server DOES work correctly. If I ever find out why. :-(


With kind regards,
Bonno Bloksma
head of system administration



tio hogeschool hotelmanagement en toerisme 
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED]  / www.tio.nl 
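The verify, compare and swap sequence of the script above (and of the ruleupdate script in the 2004-10-28 message further down this thread), redone as an added Python example that was not posted on the list: every step reports a status instead of silently succeeding, and the "NO RULEFILE" case additionally rolls the previous rulebase back, which the batch script does not do. The snf2check.exe exit-code contract (0 = good), the xyz1234 ID name and the rulebase contents are taken from or constructed after the messages here.

```python
import filecmp
import os
import subprocess
import tempfile
from typing import Callable, Dict, Optional


def snf2check(tst_path: str, authcode: str) -> bool:
    """Run snf2check.exe the way the list scripts do: exit code 0 means the
    rulebase verified. Assumes snf2check.exe is on the PATH / in the cwd."""
    return subprocess.run(["snf2check.exe", tst_path, authcode]).returncode == 0


def replace_rulefile(snifdir: str, idname: str, check: Callable[[str], bool]) -> str:
    """Verify, compare and swap <idname>.tst into <idname>.snf, checking every step.

    Returns a status keyword rather than writing the log or e-mail body, so the
    caller can hand it to DTLog, mail it, or page someone on PANIC.
    """
    tst = os.path.join(snifdir, idname + ".tst")
    snf = os.path.join(snifdir, idname + ".snf")
    old = os.path.join(snifdir, idname + ".old")

    if not os.path.exists(tst):           # download/gunzip produced no file
        return "NO_DOWNLOAD"
    if not check(tst):                    # snf2check failed: live file untouched
        return "CHECK_FAILED"
    if os.path.exists(snf) and filecmp.cmp(tst, snf, shallow=False):
        os.remove(tst)                    # "Files compare OK": nothing to swap
        return "UNCHANGED"

    # Step 1: clear the previous backup ("if exist ... del %IDNAME%.old").
    try:
        if os.path.exists(old):
            os.remove(old)
    except OSError:
        return "ERR_DEL_OLD"

    # Step 2: move the live rulefile aside ("rename .snf .old").
    # A first install has no .snf yet; that is not an error.
    try:
        if os.path.exists(snf):
            os.rename(snf, old)
    except OSError:
        return "ERR_SNF_TO_OLD"           # old rulefile still in place

    # Step 3: bring the verified file live ("rename .tst .snf"). Between step 2
    # and here there is no rulefile at all, the case the batch script flags as
    # PANIC; if this rename fails, put the backup back so scanning continues.
    try:
        os.rename(tst, snf)
    except OSError:
        if os.path.exists(old):
            try:
                os.rename(old, snf)
                return "ERR_TST_TO_SNF_ROLLED_BACK"
            except OSError:
                pass
        return "PANIC_NO_RULEFILE"
    return "UPDATED"


def run_scenario(snf: Optional[bytes], tst: Optional[bytes],
                 verified: bool = True) -> Dict[str, object]:
    """Exercise replace_rulefile in a throw-away directory with constructed
    rulebase contents (None = file absent) and a stub verifier; returns the
    status plus what is left on disk, for the demo below and for tests."""
    with tempfile.TemporaryDirectory() as d:
        for name, body in (("xyz1234.snf", snf), ("xyz1234.tst", tst)):
            if body is not None:
                with open(os.path.join(d, name), "wb") as f:
                    f.write(body)
        status = replace_rulefile(d, "xyz1234", lambda _path: verified)

        def contents(ext: str) -> Optional[bytes]:
            path = os.path.join(d, "xyz1234" + ext)
            if not os.path.exists(path):
                return None
            with open(path, "rb") as f:
                return f.read()

        return {"status": status, "snf": contents(".snf"),
                "old": contents(".old"), "tst": contents(".tst")}


if __name__ == "__main__":
    # Normal update: new rules go live, previous rules are kept as .old.
    print(run_scenario(b"old rules", b"new rules"))        # status UPDATED
    # Bad download: the verifier rejects it and the live file is untouched.
    print(run_scenario(b"old rules", b"garbage", verified=False))
```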

[sniffer] Re: My rulebase download and log upload script

2006-07-10 Thread Bonno Bloksma

Hi John,


Weekend, what is that?


That's the days where those pesky users are usually not messing with the 
network so YOU can mess with it. ;-)



Greetings,


Bonno Bloksma



-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Friday, July 07, 2006 6:24 PM
To: Message Sniffer Community
Subject: [sniffer] My rulebase download and log upload script

The last thing before I leave for the weekend...

[..]

Andrew 8)






#
This message is sent to you because you are subscribed to
 the mailing list .
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to  <[EMAIL PROTECTED]>



Re: [sniffer]Spam Storm - It's a big one.

2006-05-26 Thread Bonno Bloksma

Hi Pete,


Watch out for today's spam storm -- it's a lot bigger than we've seen
in a long while. 48 hour image attached.


This has low priority but. I've tried to find a live version of that 
graph you've sent but I cannot find it at 
http://kb.armresearch.com/index.php?title=Message_Sniffer.LiveReports which 
would seem to be the logical place.


Is it nowhere live to be found or am I looking at the wrong place?


Greetings,


Bonno Bloksma

---
[E-mail scanned at tio.nl for viruses by Declude Virus]






Re: [sniffer] [Fwd: Diann Helms]

2006-02-15 Thread Bonno Bloksma
Hi Pete,

[]
> If you wish, it is possible to create a local black rule for any
> geocities link. On many ISP systems this would cause false positives,
> but on more private systems it may be a reasonable solution.
>

I think I could use such a black rule without getting too many FPs, but in
which categories would that rule then go? I score the several Sniffer
results differently in my Declude setup. A hit on just Sniffer 60, 61 or 63
would put it several points below my hold weight. An extra hit would be
needed to get it held.

> If you want such a black rule added to your rulebase please send a
> request off-list to [EMAIL PROTECTED]

As the above information might be of interest to others I'll ask here first.

Greetings,

Bonno Bloksma





This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html


Re: Re[4]: [sniffer] Bad Rule - 828931

2006-02-08 Thread Bonno Bloksma

Hi,

I sort of tried something like that as well but my cut command went 
wild. I ended up with a list of spoolfilenames (rulespool.log), without the 
D/Q, but each line ending with a 0D0D0A (CRCRLF) sequence. :-( The ruleD.log 
file was ok.


grep "rulenum" snf.log > rule.log
grep "Final" rule.log > rulef.log
cut -f 3 rulef.log > ruleD.log
cut -b2- ruleD.log > rulespool.log


After some manual editing I ran a small batch file to move all files into the 
spam hold directory and do a manual review. I had only a few dozen hits that 
were held.


@echo off
Set SpamDir=C:\IMail\Spool\Spam
Set SpamHold=C:\IMail\Spool\Spam\Hold
For /F %%a in (rulespool.log) do (
 echo Testing %SpamDir%\D%%a
 if exist %SpamDir%\D%%a (
   echo %%a
   move %SpamDir%\D%%a %SpamHold%\
   move %SpamDir%\Q%%a %SpamHold%\
 )
)
:end
--------

Greetings,


Bonno Bloksma

- Original Message - 
From: "Goran Jovanovic" <[EMAIL PROTECTED]>

To: 
Sent: Wednesday, February 08, 2006 3:10 AM
Subject: RE: Re[4]: [sniffer] Bad Rule - 828931


OK to answer my own question. Run the following commands

grep -U "Final.828931" snf.log >1.txt
cut -b26-41 1.txt >2.txt
grep -U -f2.txt d:\spool\dec0207.log >3.txt
egrep -U "\smd Tests failed|\smd Subject" 3.txt >4.txt

notepad 4.txt

Now I have to read my 4.txt and figure out what I am going to do about
it.

Goran Jovanovic
Omega Network Solutions




-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Goran Jovanovic
Sent: Tuesday, February 07, 2006 8:39 PM
To: sniffer@SortMonster.com
Subject: RE: Re[4]: [sniffer] Bad Rule - 828931

I just ran the grep command on my log and I got 850 hits.

Now is there a way to take the output of the grep command and use it to
pull out the total weight of the corresponding message from the declude log
file, or maybe the subject?

Goran Jovanovic
Omega Network Solutions



> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of David Sullivan
> Sent: Tuesday, February 07, 2006 7:47 PM
> To: Landry, William (MED US)
> Subject: Re[4]: [sniffer] Bad Rule - 828931
>
> Hello William,
>
> Tuesday, February 7, 2006, 7:39:05 PM, you wrote:
>
> LWMU> grep -c "Final.*828931" c:\imail\declude\sniffer\logfile.log
>
> That's what I tried. Just figured out I forgot to capitalize the "F".
> It works.
>
> Confirmed - 22,055
>
> I'm writing a program now to parse the sniffer log file, extract the
> file ID, lookup the id in sql server, determine quarantine
> location, extract q/d pair from quarantine and send to user.
>
> --
> Best regards,
>  Davidmailto:[EMAIL PROTECTED]
>
>
>
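The grep/cut pipelines in this thread, redone as an added Python example that was not posted on the list: it parses snf.log lines in the layout the log excerpts on this list show, picks the messages for which a given rule (828931 here) was the Final decision, strips the D/Q prefix, and plans the D/Q moves into the hold directory the way Bonno's batch loop does. The sample log lines are constructed, with CR CR LF endings to show the stray-CR problem; no field meaning beyond "entry type" and "rule number" is assumed.

```python
import os
import shutil
import tempfile
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed sample in the layout the snf*.log excerpts on the list show:
# <timestamp> <spool file> <n> <n> <type> <rule> <group> <start> <end> <n>
# Endings are CR CR LF on purpose: that is what derailed the cut pipeline.
SAMPLE_LOG = (
    " 20060207201501 D4ee10334027cb259.SMD 125 16 Match 828931 60 841 880 34\r\r\n"
    " 20060207201501 D4ee10334027cb259.SMD 125 0 Final 828931 60 0 2441 34\r\r\n"
    " 20060207201530 D9f8e16bb0206d48a.SMD 125 16 Match 828931 60 12 40 34\r\r\n"
    " 20060207201530 D9f8e16bb0206d48a.SMD 125 0 Final 273425 61 0 2441 34\r\r\n"
    " 20060207201559 D61a81450b30.GSC 125 0 Clean 0 0 0 2126 31\r\r\n"
)


def parse_snf_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into the fields we need; None for blank/short lines.
    split() with no separator also swallows the stray CR that cut left in."""
    parts = line.split()
    if len(parts) < 6:
        return None
    return {"time": parts[0], "file": parts[1], "type": parts[4], "rule": parts[5]}


def spool_ids_for_rule(lines: Iterable[str], rule: int) -> Set[str]:
    """IDs of messages on which <rule> was the Final (deciding) rule, as the
    grep "Final.828931" selects them. Match lines for the same rule on a
    message that was finally decided by another rule are ignored on purpose:
    releasing those would release mail that another, good rule caught."""
    ids: Set[str] = set()
    for line in lines:
        rec = parse_snf_line(line)
        if rec and rec["type"] == "Final" and rec["rule"] == str(rule):
            name = rec["file"]
            # IMail keeps a D<id> (data) and a Q<id> (queue) file per message;
            # drop the prefix so both can be addressed, as "cut -b2-" intended.
            ids.add(name[1:] if name[:1] in ("D", "Q") else name)
    return ids


def hold_moves(spool_dir: str, hold_dir: str,
               ids: Iterable[str]) -> List[Tuple[str, str]]:
    """Plan what the batch loop does: move the D and Q file of every id into
    the hold directory, but only for messages whose D file is still spooled."""
    moves: List[Tuple[str, str]] = []
    for msg_id in sorted(ids):
        if not os.path.exists(os.path.join(spool_dir, "D" + msg_id)):
            continue                      # already delivered or deleted
        for prefix in ("D", "Q"):
            src = os.path.join(spool_dir, prefix + msg_id)
            if os.path.exists(src):
                moves.append((src, os.path.join(hold_dir, prefix + msg_id)))
    return moves


def quarantine(spool_dir: str, hold_dir: str,
               ids: Iterable[str]) -> List[Tuple[str, str]]:
    """Carry out the planned moves and return them for the review log."""
    moves = hold_moves(spool_dir, hold_dir, ids)
    os.makedirs(hold_dir, exist_ok=True)
    for src, dst in moves:
        shutil.move(src, dst)
    return moves


def demo_quarantine() -> Tuple[List[str], List[str]]:
    """Offline demo on a constructed spool: one held message with its D/Q pair
    and one orphaned Q file; returns (files left in spool, files in hold)."""
    with tempfile.TemporaryDirectory() as root:
        spool = os.path.join(root, "Spam")
        hold = os.path.join(spool, "Hold")
        os.makedirs(spool)
        for name in ("D4ee10334027cb259.SMD", "Q4ee10334027cb259.SMD", "Qorphan.SMD"):
            open(os.path.join(spool, name), "w").close()
        ids = spool_ids_for_rule(SAMPLE_LOG.splitlines(), 828931) | {"orphan.SMD"}
        quarantine(spool, hold, ids)
        return sorted(os.listdir(spool)), sorted(os.listdir(hold))


if __name__ == "__main__":
    print(sorted(spool_ids_for_rule(SAMPLE_LOG.splitlines(), 828931)))
    print(demo_quarantine())
```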


Re: Re[2]: [sniffer] auto update tmp files

2005-09-22 Thread Bonno Bloksma

Hi,


I had trouble for a while with the "del %1"  functionality, but I
had a problem with the script running in the wrong directory. I

[]

Yeah, my script does explicitly enter the sniffer directory, and the
line to delete the file is explicit as well:

Del s:\imail\spool\%1

...but that never worked.  Maybe if I cd into the spool first it might


It would not work because..

I have the %1 parameter in the email sent to me as part of the reporting. 
Using IMail 8.21 Here is what's in the email:

Rulefile OK, updated
C:\IMail\spool\tmp6C40.tmp

As you can see the %1 is a complete path. So just Del %1 should do the 
trick.


Greetings,


Bonno Bloksma



[sniffer] auto update tmp files

2005-09-19 Thread Bonno Bloksma



Hi,
 

Ok, I had auto update pretty much in the air. Seems all I needed was a program alias that fired the script. ;-)
There's just one thing, I end up with a lot of "tmpID.tmp" files in my spool directory. Any way of deleting those automagically?

I could simply delete all tmp.tmp files in my midnight run. Would that be a problem? The only program alias I have is the sniffer update.

With kind regards,
Bonno Bloksma
head of system administration

tio hogeschool toerisme en hospitality
julianalaan 9 / 7553 ab hengelo
t 074 255 06 10 / f 074 255 06 16
[EMAIL PROTECTED] / www.tio.nl


[sniffer] false positives which catagories?

2005-08-03 Thread Bonno Bloksma



Hi,

I'd like to make a difference in the ways I score the various sniffer categories in Declude.
I hold at 20 and have had the several sniffer categories all at 19.
As we are a school for tourism I score sniffer travel lower but I would like to score some categories higher, at 20.
If we have a false positive it's mostly in the general, exp-abstract, ip-rules category is my feeling.

Someone must have made a comparison of false positives against sniffer and in which categories those fp's are mostly. Right?
Which categories have virtually no FPs and which should I keep (well) below my hold level?
Of course all held mail gets reviewed by me, unless it scores enough other points to get deleted (at 27 points).
Greetings,

Bonno Bloksma


Re: [sniffer] Declude and Sniffer

2005-07-20 Thread Bonno Bloksma
Hi,

> I currently tag subject lines at 10 and delete at 20.  Sniffer results are
> scored at 9.  No two tests currently result in more than 18 and therefore it
> takes three failed tests to delete.

I tag at 12, hold on 20 and delete on 27.
Sniffer is at 19, just 1 under hold.
If anything agrees with sniffer it is held, if several sources agree with
sniffer it is deleted.

We are a prepschool/university and process about 4K to 5K msg a day. I have
one to two false positives in the held mail each year.

With kind regards,

Bonno Bloksma



Re: [sniffer] Changes - another reminder.

2005-02-16 Thread Bonno Bloksma
Hi,
[...]
 This is a _special_ reminder that we are in the process of migrating
 our servers and applications to a new facility.
[]
 See you on the other side ;-)
Looks like sniffer is now "on the other side". ;-)
2005/02/15 12:28:02 : Running AutoSNF 
2005/02/15 12:28:34 : Rulefile gedownload 
2005/02/15 12:28:34 : Rulefile OK, updated 
[]
2005/02/16 04:28:01 : Running AutoSNF 
2005/02/16 04:28:09 : Rulefile gedownload 
2005/02/16 04:28:10 : Rulefile OK, updated 

and
2005/02/15 00:10:04 : Starting ftp upload 
2005/02/15 00:23:16 : Finished ftp upload 
[]
2005/02/16 00:10:04 : Starting ftp upload 
2005/02/16 00:10:16 : Finished ftp upload 

Thanks Pete.
Greetings,
Bonno Bloksma
 Back up my hard drive? How do I put it in reverse?


[sniffer] midnight ftp upload

2005-01-24 Thread Bonno Bloksma



Hi,

When I started using sniffer, April 2004, uploading the log took about 20 seconds. Then on June 19th 2004 it suddenly took over 13 minutes. After that it has consistently taken around 13 minutes to upload the small logfile. I've never found a reason, the suggestion over here was it might be because of the load around midnight Central European time.

About a week ago, Jan 18th, I did some experimenting with the time. At first I rotated the logs a minute later to get them rotated closer to midnight, the upload started and finished one minute later. Then a few days later, Jan 21st, I delayed the ftp upload by 10 minutes to get a better timeslot. To my surprise it STILL took 13 minutes to upload the small logfile.

Anybody ANY idea where I, or Pete, can start to look for a clue about what is going on?

Greetings,

Bonno Bloksma
Back up my hard drive? How do I put it in reverse?
 
Log snippets:
2004/04/16 23:59:02 : Running logrotate
2004/04/16 23:59:21 : Ready rotating logs
2004/04/17 23:59:00 : Running logrotate
2004/04/17 23:59:21 : Ready rotating logs
2004/04/18 23:59:00 : Running logrotate
2004/04/18 23:59:23 : Ready rotating logs
2004/04/19 23:59:01 : Running logrotate
2004/04/19 23:59:20 : Ready rotating logs
2004/04/20 23:59:00 : Running logrotate
2004/04/20 23:59:20 : Ready rotating logs
2004/04/21 23:59:01 : Running logrotate
2004/04/21 23:59:20 : Ready rotating logs
[]
2004/06/16 23:59:02 : Running logrotate
2004/06/16 23:59:21 : Ready rotating logs
2004/06/17 23:59:00 : Running logrotate
2004/06/17 23:59:20 : Ready rotating logs
2004/06/18 23:59:01 : Running logrotate
2004/06/19 00:12:27 : Ready rotating logs
2004/06/19 23:59:01 : Running logrotate
2004/06/20 00:12:27 : Ready rotating logs
2004/06/20 23:59:00 : Running logrotate
2004/06/21 00:12:26 : Ready rotating logs
2004/06/21 23:59:01 : Running logrotate
2004/06/22 00:12:26 : Ready rotating logs
2004/06/22 23:59:01 : Running logrotate
2004/06/23 00:12:26 : Ready rotating logs
[]
2004/06/28 23:59:01 : Running logrotate
2004/06/28 23:59:01 : Starting ftp upload
2004/06/29 00:12:27 : Finished ftp upload
2004/06/29 00:12:27 : Ready rotating logs
2004/06/29 23:59:00 : Running logrotate
2004/06/29 23:59:00 : Starting ftp upload
2004/06/30 00:12:26 : Finished ftp upload
2004/06/30 00:12:26 : Ready rotating logs
[.]
2005/01/16 23:59:00 : Running logrotate
2005/01/16 23:59:00 : Starting ftp upload
2005/01/17 00:12:14 : Finished ftp upload
2005/01/17 00:12:14 : Ready rotating logs
2005/01/17 23:59:01 : Running logrotate
2005/01/18 00:00:01 : Starting ftp upload
2005/01/18 00:13:12 : Finished ftp upload
2005/01/18 00:13:12 : Ready rotating logs
2005/01/18 23:59:00 : Running logrotate
2005/01/19 00:00:01 : Starting ftp upload
2005/01/19 00:13:11 : Finished ftp upload
2005/01/19 00:13:11 : Ready rotating logs
2005/01/19 23:59:01 : Running logrotate
2005/01/20 00:00:01 : Starting ftp upload
2005/01/20 00:13:12 : Finished ftp upload
2005/01/20 00:13:12 : Ready rotating logs
2005/01/20 23:59:00 : Running logrotate
2005/01/21 00:00:01 : Renaming logfile
2005/01/21 00:10:04 : Starting ftp upload
2005/01/21 00:23:15 : Finished ftp upload
2005/01/21 00:23:15 : Ready rotating logs
2005/01/21 23:59:03 : Running logrotate
2005/01/22 00:00:04 : Renaming logfile
2005/01/22 00:10:07 : Starting ftp upload
2005/01/22 00:23:18 : Finished ftp upload
2005/01/22 00:23:18 : Ready rotating logs
2005/01/22 23:59:00 : Running logrotate
2005/01/23 00:00:01 : Renaming logfile
2005/01/23 00:10:04 : Starting ftp upload
2005/01/23 00:23:15 : Finished ftp upload
2005/01/23 00:23:15 : Ready rotating logs
2005/01/23 23:59:01 : Running logrotate
2005/01/24 00:00:01 : Renaming logfile
2005/01/24 00:10:05 : Starting ftp upload
2005/01/24 00:23:15 : Finished ftp upload
2005/01/24 00:23:15 : Ready rotating logs


Re: [sniffer] log rotation

2005-01-19 Thread Bonno Bloksma
Hi,

> BB> Am I doing something wrong, I want my logfile for a certain day to contain
> BB> the log for that day, from midnight till midnight.
>
> It's possible that the confusion is about the time used by SNF. SNF
> logs all use GMT time. As a result, the hour in your logs at midnight
> your time will be that of GMT at that time -- so unless you are on the
> date line, your time will be different.

Should have realised that, I think you have mentioned this before.

> So, you're probably not doing anything wrong per se, it's just that
> the time zone in the log files is different.
>
> Hope this helps,

Yup. Now all I have to do is remember it. ;-)

Greetings,

Bonno Bloksma




[sniffer] log rotation

2005-01-19 Thread Bonno Bloksma
Hi,

I recently changed a bit in my rotate script in order to rotate it closer to
midnight. I start the script at 23:59 to get the current date in some
variables. As of the 17th I have added a "sleep 1m" to get the "rotation"
for the logfile at midnight.

Somehow the sniffer log still covers the same time period, I think. Looking at
the log for the 16th, it starts at 15-jan-2005, 23:00:09 and stops at
16-jan-2006, 22:58:18.
The log for the 18th, it starts at 17-jan-2005, 23:01:56 and stops at
18-jan-2005, 22:57:37. Still an hour short for the day. I'm not running any
persistent instances, we only process about 4K messages a day.

Am I doing something wrong, I want my logfile for a certain day to contain
the log for that day, from midnight till midnight.

My log for the job, renaming the .log file to snf.log occurs just
before the ftp upload, which at night from the 17th to the 18th happens
indeed one minute later.
LOGROT.LOG
2005/01/15 23:59:00 : Running logrotate
2005/01/15 23:59:00 : Starting ftp upload
2005/01/16 00:12:11 : Finished ftp upload
2005/01/16 00:12:11 : Ready rotating logs
2005/01/16 23:59:00 : Running logrotate
2005/01/16 23:59:00 : Starting ftp upload
2005/01/17 00:12:14 : Finished ftp upload
2005/01/17 00:12:14 : Ready rotating logs
2005/01/17 23:59:01 : Running logrotate
2005/01/18 00:00:01 : Starting ftp upload
2005/01/18 00:13:12 : Finished ftp upload
2005/01/18 00:13:12 : Ready rotating logs
2005/01/18 23:59:00 : Running logrotate
2005/01/19 00:00:01 : Starting ftp upload
2005/01/19 00:13:11 : Finished ftp upload
2005/01/19 00:13:11 : Ready rotating logs

snf0115.log
 20050114230001 D4ee10334027cb259.SMD 125 16 Match 236533 60 841 880 34
 20050114230001 D4ee10334027cb259.SMD 125 16 Match 271368 61 1508 1526 34
[...]
 20050115225621 D9f8e16bb0206d48a.SMD 125 0 Final 273425 61 0 2441 34
 20050115225659 D61a81450b30.GSC 125 0 Clean 0 0 0 2126 31

snf0116.log
 20050115230009 Da076099d015660ce.SMD 125 0 Clean 0 0 0 3886 38
 20050115230143 Da0d509ac0156d108.SMD 125 16 Match 215399 63 1 54 39
[]
 20050116225610 D3401d7f0c2c.GSC 140 0 Clean 0 0 0 4823 30
 20050116225818 D34211fc0c70.GSC 188 0 Clean 0 0 0 1265 31

snf0117.log
 20050116230728 Df3af11310234769b.SMD 125 47 Match 272652 57 1849 1877 37
 20050116230728 Df3af11310234769b.SMD 125 47 Match 272654 57 2023 2088 37
[]
 20050117225648 D42a90f2801a6f844.SMD 203 0 Clean 0 0 0 2704 38
 20050117225756 D06817510b08.GSC 125 0 Clean 0 0 0 1348 31

snf0118.log
 20050117230156 D43e008580160b509.SMD 250 46 White 73573 0 1 497 41
 20050117230156 D43e008580160b509.SMD 250 46 Final 73573 0 0 12715 41
[...]
 20050118225648 D58d6a4d0a98.GSC 141 0 Clean 0 0 0 2536 34
 20050118225737 D58e27340b80.GSC 218 16 Clean 0 0 0 9468 33



Greetings,

Bonno Bloksma



[sniffer] test sender

2004-12-10 Thread Bonno Bloksma



Hi,
 
Is there a test sender where I can have the program send us a test mail that should fail a specific sniffer test?

I know I can test sniffer itself against a single good and bad file, but I want to test the chain. The Declude site has something like that where it is sending the EICAR teststring in the various ways a virus might reach the mailserver. That way the full setup of the mailserver with the scanner can be tested.

I would like something where I can send myself a msg which should fail with an exitcode for TRAVEL or for PORN etc. That way I can test for sure whether my "improvements" haven't broken something instead of waiting till my users complain (certain) spam has increased. It's the small typos that can get to ya in a big way. ;-)
Greetings,

Bonno Bloksma
Back up my hard drive? How do I put it in reverse?


Re: Re[2]: [sniffer] Test ordering/precedence

2004-12-03 Thread Bonno Bloksma
Hi Pete,
The false positive rates for all of these rule groups have fallen
dramatically over the past 8 months and at this point they are all
comparable. Different systems see different rates, but all rates are
low.
Yup, I used to rate the sixties series differently in declude but I have 
stopped doing so. Most spam that came through had been tagged by one of 
those sixties sniffer returncodes. Saved myself some work by just scoring 
all sniffer returns with the same high score, it's JUST below my hold 
weight. Any additional points by Declude will trip it into my hold weight.

Greetings,
Bonno Bloksma
 Back up my hard drive? How do I put it in reverse?


Re: Re[4]: [sniffer] New Version 2-3.2 has been officially released.

2004-11-24 Thread Bonno Bloksma
Hi,

> > Well, still no problems so far so I'll write it up to .  > solar spots, pick whatever you want>.
> > It seems it was a one time thing.
>
> You must be referring to the RAW law.

RAW? Random Answer Whatchamacallit?

> John Tolmachoff
> Engineer/Consultant/Owner
> eServices For You

With kind regards,

Bonno Bloksma



Re: Re[4]: [sniffer] New Version 2-3.2 has been officially released.

2004-11-24 Thread Bonno Bloksma
Hi,

[]
> I understand. I have no reasonable explanation for your experience.
> There have been no other reported problems and I have been unable to
> recreate your conditions.
>
> BB> I just once more "installed" the 2.3.2 exe, we'll see what happens. As it is
> BB> close to 9 PM over here it should not disrupt any business going on and let
> BB> me do some testing.
>
> Thanks for your efforts.

Well, still no problems so far so I'll write it up to . .
It seems it was a one time thing.

[]
> One change you should make is to adjust your Declude configuration so
> that your message file name is emitted into your message headers. This
> way when a false positive does occur we can match the message up to
> the log entries and identify the rule or rules that fired.

Did that, so for the next time something like this happens.. ;)

With kind regards,

Bonno Bloksma



Re: Re[2]: [sniffer] New Version 2-3.2 has been officially released.

2004-11-23 Thread Bonno Bloksma
Hi,

> BB> Just to let you know. We had a problem after updating to 2.3.2 this morning
> BB> where suddenly a lot of our internal mail got caught as spam by sniffer. I've
> BB> already sent a report to the support address. For whatever reason I could
> BB> not send to the false@ address.
>
> BB> All I did was replace the 2.3.1 exe with the 2.3.2 exe (of course with the
> BB> correct id name).
>
> I am unable to duplicate your results.
> I have re-verified my testing.
> I have version 2-3.2 running on our test server without any problems
> and it is capturing 9+ / 10 messages which is typical.
>
> Please verify that you have the correct executable in place by running
> the program from the command line with no parameters. The correct
> build information is:
>
> build - v2-3.2 Nov 23 2004 01:21:33
>
> Then please also verify that you have the correct rulebase in place.

The version is the same as you say. The rulebase was downloaded last night
and later that morning once more but not updated because there were no
changes. I verify every downloaded rulebase. Like I wrote, all I did was
early this morning replace the 2.3.1 exe with the 2.3.2 exe. After that the
problems started. When I replace the 2.3.2 exe with the 2.3.1 exe all
problems disappeared. As I had to attend a seminar this afternoon I did not
have any time for further testing.

I just once more "installed" the 2.3.2 exe, we'll see what happens. As it is
close to 9 PM over here it should not disrupt any business going on and let
me do some testing.

Did you receive the mail I sent along with the "caught" e-mail and the
logfiles? Anything that pointed to a special rule? Should I change the
logging when this happens so as to provide more information about what might
be happening?

> Hope this helps,
> _M

We'll see.

Greetings,

Bonno Bloksma
 Back up my hard drive? How do I put it in reverse?



Re: [sniffer] New Version 2-3.2 has been officially released.

2004-11-23 Thread Bonno Bloksma
Hi,

Just to let you know. We had a problem after updating to 2.3.2 this morning
where suddenly a lot of our internal mail got caught as spam by sniffer. I've
already sent a report to the support address. For whatever reason I could
not send to the false@ address.

All I did was replace the 2.3.1 exe with the 2.3.2 exe (of course with the
correct id name).

Greetings,

Bonno Bloksma


- Original Message - 
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, November 23, 2004 8:58 AM
Subject: [sniffer] New Version 2-3.2 has been officially released.


> Hello Sniffer Folks,
>
>   We have now officially released version 2-3.2 of Message Sniffer.
>   You can download the distribution files from our Try-It page.
[.]



[sniffer] ruleupdate script (was: 2-3.0i9 looks good to me... How about you?)

2004-10-28 Thread Bonno Bloksma
Hi,

Don't know if Pete ever incorporated my update into the tool package at the
Sniffer site but... I mailed them some changes to the default script they
had where I had a few "constant" definitions at the beginning of the script.
Instead of everybody needing to do a "find and replace" you just fill in
the right code.

I also do a comp to test if the new file is different. I log that info to
see if my update frequency, every 4 hours, is still good.

So I start of with a few lines like:
SET IDNAME=xyz1234
SET AUTHCODE=abc5678

And then later on use:
[]
rem The check utility gets the ID from the name but it ignores the
rem extension so we'll rename it for the test.
rename sniffer.new %IDNAME%.tst

rem Now we need to test the file and check our error level. If the
rem check fails we'll skip to the end
snf2check.exe %IDNAME%.tst %AUTHCODE%
if errorlevel 1 goto Done

echo New File Tested GOOD!
rem Next let's see if the rulefile changed at all
comp /D %IDNAME%.tst %IDNAME%.snf < No.txt > comp.txt
find "Files compare OK" comp.txt > nul
if errorlevel 1 goto Replace
rem Some logging here
goto Done

:Replace
rem If we didn't fail then we can go ahead and make the switch.
if exist %IDNAME%.old del %IDNAME%.old
rename %IDNAME%.snf %IDNAME%.old
rename %IDNAME%.tst %IDNAME%.snf
[]



Groetjes,

Bonno Bloksma


- Original Message - 
From: "Landry William" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, October 28, 2004 8:48 AM
Subject: RE: Re[2]: [sniffer] 2-3.0i9 looks good to me... How about you?


>
> Here is what I've been using for several months now, compiled from the
> original Sniffer autosnf.cmd file and suggestions found on this list:
> =
> rem First, get the updated rules file from the web site.
>
> wget -N http://www.sortmonster.net/Sniffer/Updates/rulebase.snf -O
> rulebase.new.gz --header=Accept-Encoding:gzip --http-user=sniffer
> --http-passwd=ki11sp8m -o snfupd.txt
>
> rem Uncompress the rulebase file.
>
> gzip -d -f rulebase.new.gz
>
> rem If that worked, then there will be a rulebase.new file.
>
> if exist rulebase.new goto Replace
>
> rem If the above test fails, then we skip to the end of the file
> rem and take no further action. Everything stays as it is.
>
> goto Done
>
> rem If the test didn't fail we'll replace our file.
>
> :Replace
>
> rem The check utility gets the ID from the name but it ignores the
> rem extension so we'll rename it for the test.
>
> rename rulebase.new rulebase.tst
>
> rem Now we need to test the file and check our error level. If the
> rem check fails we'll skip to the end
>
> snf2check.exe rulebase.tst license-id
> if errorlevel 1 goto Done
>
> echo New File Tested GOOD!
>
> rem If we didn't fail then we can go ahead and make the switch.
>
> if exist rulebase.old del rulebase.old
> rename rulebase.snf rulebase.old
> rename rulebase.tst rulebase.snf
>
> rem Handle any additional successful system updates here (before Done).
>
> :Done
>
> rem If things went well we're all ok.
> rem If something went wrong then we'll do a bit of cleanup.
>
> if exist rulebase.tst del rulebase.tst
> =
>


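The rename-check-compare-swap sequence of the two batch scripts above, as an added POSIX sh example that is not code from either post. The checker is passed by name in SNF_CHECK (snf2check in production, with the command line, filename then auth code, taken from the scripts above), so the function can be exercised with a stand-in checker; the assumed layout is that <dir>/<idname>.snf is the live rulebase.

```shell
#!/bin/sh
# Added example, not code from either list post: the batch scripts' sequence
# (rename for the checker, validate, compare, swap, keep .old) in POSIX sh.
# The checker is named by SNF_CHECK; in production that is snf2check, whose
# command line (<idname>.<ext> <authcode>) is taken from the posts above.
# Assumed layout: <dir>/<idname>.snf is the live rulebase.

# Validate a downloaded candidate, then either discard it, drop it as unchanged
# or swap it in. Prints one word (rejected|unchanged|replaced); returns 1 only
# when the checker rejects the file, so the caller can log a failed update.
# usage: install_rulebase <dir> <idname> <authcode> <candidate-file>
install_rulebase() {
    dir=$1 idname=$2 authcode=$3 candidate=$4
    live="$dir/$idname.snf"
    tst="$dir/$idname.tst"
    old="$dir/$idname.old"
    check=${SNF_CHECK:-snf2check}

    # The checker reads the license id from the file name (extension ignored),
    # so the candidate is renamed to <idname>.tst before the test.
    mv -f "$candidate" "$tst" || return 1

    # 1. Never install a file the checker rejects, and remove the candidate so
    #    a bad download is not picked up by the next run.
    if ! "$check" "$tst" "$authcode" >/dev/null 2>&1; then
        rm -f "$tst"
        echo rejected
        return 1
    fi

    # 2. Identical to the live file: nothing to do (this is what the
    #    comp/find pair detects; log it to tune the update interval).
    if [ -f "$live" ] && cmp -s "$tst" "$live"; then
        rm -f "$tst"
        echo unchanged
        return 0
    fi

    # 3. Keep the previous rulebase as .old, then make the switch.
    if [ -f "$live" ]; then
        mv -f "$live" "$old"
    fi
    mv -f "$tst" "$live"
    echo replaced
}
```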

Re: [sniffer] Automatic update snafu

2004-08-18 Thread Bonno Bloksma
Hi,

> c:\winnt\wget.exe http://www.sortmonster.net/Sniffer/Updates/mysnfcode.snf
> -N -O mysnfcode.new.gz --header=Accept-Encoding:gzip --http-user=sniffer
> --http-passwd=password -o snfupd.txt
>
> I'm doing something wrong. Every time the script fires it pulls the file,
> even if it isn't newer. I thought the -N parameter was supposed to limit
> that. What am I missing?

As I don't know anything about the internals of wget only one thing comes to
mind. When you process the mysnfcode.new.gz file does it get deleted? If so,
wget has nothing to compare.

Groetjes,

Bonno Bloksma



Re: [sniffer] A few notes...

2004-07-27 Thread Bonno Bloksma
Hi,

[.]
>   The spam@ address is ONLY for submitting spam that you wish to have
>   filtered.

About that: I have been sending the occasional spam mails as an
attachment, that way you have the full message including any headers. Is
that indeed the preferred way?

Met vriendelijke groet,

Bonno Bloksma



[sniffer] uploading logs slower

2004-06-28 Thread Bonno Bloksma

Hi,

For the past few weeks, as long as I have been uploading my logs automatically,
it has taken 18-21 seconds for the entire logrotate process each and every
night.
As of 19-jun midnight (GMT-2) it has suddenly, and consistently, taken 12
minutes and 26 to 28 seconds to complete. I'm still looking for a clue but is
there a problem uploading around that time?

Groetjes,

Bonno Bloksma


[sniffer] downloading the compressed rulebase

2004-06-25 Thread Bonno Bloksma
Hi,

>   Another feature you should implement if possible is the use of gzip
>   in your rulebase download scripts. This can reduce the bandwidth
>   required for your download significantly (typically 70% or more!).
>
>   Here is a link to the mail archive that describes how this can be
>   implemented with wget:
>
>   http://www.mail-archive.com/[EMAIL PROTECTED]/msg00427.html
>
>   If you are not familiar with gzip you can find it here:
>
>   http://www.gzip.org/

And for those who are on Windows machines and want to use more of those Unix
tools (like I do), here is where I downloaded the stuff I used to set it up.
http://unxutils.sourceforge.net/ Using the message Pete quoted above and
these tools setting this up was *easy*.

Note that using gzip it will automagically convert a zipped file name.ext.gz
into name.ext using "gzip -d name.ext.gz" and delete the compressed *.gz
file. So all you really need to download the compressed version of the rule
file is the slightly modified wget line and *one* extra gzip line. From the
UnxTools.zip file all you really *need* is the gzip.exe file. The 10 min I
invested, ok 15 as I wanted to really test whether it was really that simple,
were well spent.

Groetjes,

Bonno Bloksma
 Back up my hard drive? How do I put it in reverse?




[sniffer] logrotate

2004-04-14 Thread Bonno Bloksma


Hi,

In the default logrotate.cmd script is a move instead of a ren command. Is
there any special reason for that? As ren is an internal command and move an
external command I would have expected ren to be used.

p.s. Did my comment about an updated AutoSNF.cmd file make it to you Pete? I
sent it to the list Friday April 9th but it never made it back over here?

Groetjes,

Bonno Bloksma