Re: [sniffer]Numeric spam

2006-06-06 Thread Goran Jovanovic
I started seeing these messages Monday (yesterday) morning EDT. The from
and to are the same (ie you sent it to yourself). I am tagging it but
there is not enough stuff to push it into DELETE territory.

Goran Jovanovic
Omega Network Solutions

 

> -Original Message-
> From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
> Of Heimir Eidskrem
> Sent: Tuesday, June 06, 2006 9:03 AM
> To: Message Sniffer Community
> Subject: Re: [sniffer]Numeric spam
> 
> We are seeing tons too.
> 
> H.
> 
> 
> Markus Gufler wrote:
> > Maybe people at Sniffer are already aware of this new type of spam.
> > (Not the malformed mailfrom one but this with the short number and
> > nothing else in subject and body)
> > Attached are some examples from the last 8 hours. All have failed
> > some other tests and all have reached a final weight in order to be
> > marked in the subject line. However none of these messages was
> > identified as spam by sniffer.
> >
> > There is also another type of spam (stock spam now with attached png
> > image) this morning passing our filters. Here too some tests have had
> > positive results (see mail headers of attached samples) but sniffer
> > has also completely missed.
> >
> > Markus
> >
> >
> >
> >

> >
> > Subject:
> > [SPAM: 145] 586876
> > From:
> > "Markus" <[EMAIL PROTECTED]>
> > Date:
> > Tue, 6 Jun 2006 00:51:20 +0200
> > To:
> > "Markus" <[EMAIL PROTECTED]>
> >
> > To:
> > "Markus" <[EMAIL PROTECTED]>
> >
> >
> > 5556
> >
> >

> >
> > Subject:
> > [SPAM: 108] 455
> > From:
> > "Markus" <[EMAIL PROTECTED]>
> > Date:
> > Tue, 6 Jun 2006 01:54:07 +0200
> > To:
> > "Markus" <[EMAIL PROTECTED]>
> >
> > To:
> > "Markus" <[EMAIL PROTECTED]>
> >
> >
> > 5556
> >
> >

> >
> > Subject:
> > [SPAM: 106] Re:
> > From:
> > "Aisha Riddle" <[EMAIL PROTECTED]>
> > Date:
> > Tue, 6 Jun 2006 10:26:23 +0200
> > To:
> > <[EMAIL PROTECTED]>
> >
> > To:
> > <[EMAIL PROTECTED]>
> >
> >
> > 6J
> >
> >

> >
> > Subject:
> > [SPAM: 90] 557
> > From:
> > "Domain" <[EMAIL PROTECTED]>
> > Date:
> > Tue, 6 Jun 2006 06:55:29 +0200
> > To:
> > "Domain" <[EMAIL PROTECTED]>
> >
> > To:
> > "Domain" <[EMAIL PROTECTED]>
> >
> >
> > 969
> >
> >

> >
> > Subject:
> > [SPAM: 116] Re:
> > From:
> > "Josefa Roberson" <[EMAIL PROTECTED]>
> > Date:
> > Tue, 6 Jun 2006 09:30:21 +0200
> > To:
> > <[EMAIL PROTECTED]>
> >
> > To:
> > <[EMAIL PROTECTED]>
> >
> >
> > M
> >

> >
> > #
> > This message is sent to you because you are subscribed to
> >   the mailing list .
> > To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
> > To switch to the DIGEST mode, E-mail to
<[EMAIL PROTECTED]>
> > To switch to the INDEX mode, E-mail to
<[EMAIL PROTECTED]>
> > Send administrative queries to  <[EMAIL PROTECTED]>
> >
> >
> 
> 



Re: [sniffer]Sniffer updates down?

2006-06-02 Thread Goran Jovanovic
Hi John,

I got my Sniffer update at 5:03 pm no problem from Toronto

Goran Jovanovic
Omega Network Solutions

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On
Behalf Of John T (Lists)
Sent: Friday, June 02, 2006 5:23 PM
To: Message Sniffer Community
Subject: [sniffer]Sniffer updates down?

I am getting errors since late last night that host can not be found.

John T
eServices For You

"Seek, and ye shall find!"







[sniffer]Ebay Phishing Emails getting through

2006-05-20 Thread Goran Jovanovic
Hi,

I normally see maybe 6 to 10 phishing e-mails per day for the volume of
mail that I handle (~15,000 msg/day). Yesterday was an explosion in my
terms.

HTML.PHISHING.BANK.GEN088.SANESECURITY.0603080..52
HTML.PHISHING.BANK.GEN615.SANESECURITY.06051202.F6
HTML.PHISHING.BANK.GEN220.SANESECURITY.0603240...4
HTML.PHISHING.CARD.SANESECURITY.0602210..4
HTML.PHISHING.BANK.GEN015.SANESECURITY.0602180...1 
HTML.PHISHING.BANK.GEN055.SANESECURITY.0603050...1 

I catch these and treat them as a virus using CLAM AV and the SANE
Security database.

Goran Jovanovic
Omega Network Solutions
Tel: 416 322-0333

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On
Behalf Of Pete McNeil
Sent: Thursday, May 18, 2006 10:33 AM
To: Message Sniffer Community
Subject: [sniffer]Re[2]: [sniffer]Ebay Phishing Emails getting through

Hello Andrew,

Wednesday, May 17, 2006, 5:35:36 PM, you wrote:

>> Certainly, submitting samples to spam@ (or preferably your 
>> local spam submission point polled by our bots) will put 
>> these messages in front of us if we have not already created 
>> rules for them.

> I've just manually submitted the ~35 messages that my filters
> triggered on for phishing that didn't trigger Message Sniffer today
> but ended up in my HOLD folder anyway due to their total spamminess.

> Most of them are against eBay and came from Germany.

If your overall false positive rate is low enough then it would be
great if you could automate that process to create a synthetic
spamtrap. Somehow, take the most spammy of the messages that get past
SNF and send them to a special account on your system from which our
robots could pull the messages. Since we code rules 24x7x365 we
would be able to respond to these quickly and (from your perspective)
automatically.

_M


-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





RE: [sniffer] Test

2006-05-16 Thread Goran Jovanovic
Got it but was not marked with [sniffer] in the subject line

Goran Jovanovic
Omega Network Solutions

> -Original Message-
> From: sniffer@sortmonster.com [mailto:[EMAIL PROTECTED] On Behalf
> Of Pete McNeil
> Sent: Tuesday, May 16, 2006 1:12 AM
> To: sniffer@sortmonster.com
> Subject: Test
> 
> Hello sniffer,
> 
>   Just testing.
> 
> --
> Pete McNeil
> Chief Scientist,
> Arm Research Labs, LLC.
> 
> 



This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html


RE: Re[4]: [sniffer] When to go persistent

2006-02-24 Thread Goran Jovanovic
Hi,

I just got my service up and running using Matt's post 

http://www.mail-archive.com/sniffer@sortmonster.com/msg00169.html

It was simple especially since I already had the resource kit installed.

Now I know that this is supposed to work to get the persistent instance
to load the new rulebase after a download.

REM Load new rulebase file.
%LicenseID%.exe reload


But is there any way to query the service and ask it to tell you when
was the last time the rulebase was loaded? Or what version of the
rulebase it is using? When running in peer mode this question does not
arise since the instances read the file off disk so there is no problem.
With the persistent instance this is not the case and I would like to
know that it really is using the newest rulebase.

Goran Jovanovic
Omega Network Solutions

 

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Pete McNeil
> Sent: Thursday, February 23, 2006 3:11 PM
> To: Rick Robeson
> Subject: Re[4]: [sniffer] When to go persistent
> 
> On Thursday, February 23, 2006, 1:22:53 PM, Rick wrote:
> 
> RR> I thought you had to run this as a service?
> 
> RR> Rick Robeson
> RR> getlocalnews.com
> RR> [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
> 
> Strictly speaking you do not have to run it as a service, but it is
> more convenient to do so. If you run it from the command line then you
> would need to remain logged in.
> 
> Running the persistent instance from the command line is convenient
> for testing, but it is much better to run it as a service in a
> production environment - that way it starts and stops with the other
> services as expected, doesn't require any account to be logged in,
> etc...
> 
> _M
> 
> 
> 


RE: [sniffer] What is this file

2006-02-23 Thread Goran Jovanovic
Thank you that is great.

Goran Jovanovic
Omega Network Solutions

 

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Pete McNeil
> Sent: Thursday, February 23, 2006 3:08 PM
> To: Goran Jovanovic
> Subject: Re: [sniffer] What is this file
> 
> On Thursday, February 23, 2006, 1:07:07 PM, Goran wrote:
> 
> GJ> Pete,
> 
> GJ> I have seen a couple of times that the file
> 
> GJ> C:\External\Sniffer\-20060221071316x386D4931-2352.SVR
> 
> GJ> Is open and cannot be backed up.
> 
> GJ> What is this file? I assume that I do not need to be worried since
> GJ> the file disappears.
> 
> When in peer-server mode, if an instance comes to life and finds it is
> the only instance around it will set itself up as a server just in
> case another instance comes along and needs help.
> 
> When an instance of SNF is acting as a server it will announce that by
> creating a .SVR file in the working directory.
> 
> In peer-server mode, a server-peer will handle a few jobs, then its
> own, and then it will go away so it can return its result. While it
> is active it will leave its .SVR file out to advertise to the
> peer-clients that it is available to process messages.
> 
> In persistent mode, the server-peer never has a message of its own to
> process and so it never goes away (almost). As a result, all
> peer-clients always hand off their messages to the persistent
> peer-server. Since the persistent peer-server never goes away the .SVR
> file will also not go away.
> 
> These files are all generally transient. (.QUE, .FIN, .ABT, .XXX,
> etc...) This causes some trouble with backup software.
> 
> It's usually best to skip backing up the sniffer working directory
> except for the .exe, .snf, and any script files you have. It is
> usually best to keep a current / recent copy of those files in a
> separate directory that can be backed up and to otherwise treat the
> SNF working directory as you would a temp directory. (skip it)
> 
> Hope this helps,
> 
> _M
> 
> 
> 


[sniffer] What is this file

2006-02-23 Thread Goran Jovanovic
Pete,

I have seen a couple of times that the file

C:\External\Sniffer\-20060221071316x386D4931-2352.SVR

Is open and cannot be backed up.

What is this file? I assume that I do not need to be worried since the
file disappears.

Thanx

Goran Jovanovic
Omega Network Solutions




RE: Re[2]: [sniffer] When to go persistent

2006-02-23 Thread Goran Jovanovic
Pete,

> To run in persistent mode, simply launch an instance of SNF from the
> command line with the word "persistent" in place of the file to scan.
> 
> .exe  persistent
> 

I am calling Sniffer from Declude. Could I just alter my statement in my
config file to include persistent? That way the first time it is called
that instance will go persistent and all the rest will end up talking to
it?

Regardless of how the persistent instance is started should I have the
persistent keyword on the line that is called from Declude?

Goran Jovanovic





RE: [sniffer] When to go persistent

2006-02-23 Thread Goran Jovanovic
Andrew,

So when you went to persistent it lowered the stress on your already
stressed hardware?

And I see that Pete has responded as I write this with: "Use it"

Well I will set it up and see how my system reacts.

Goran Jovanovic
Omega Network Solutions

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Colbeck, Andrew
> Sent: Thursday, February 23, 2006 11:39 AM
> To: sniffer@SortMonster.com
> Subject: RE: [sniffer] When to go persistent
> 
> Goran, I'd be interested in Pete's technical answer, too.
> 
> The practical answer is that you should always go with the persistent
> instance of Message Sniffer.  From reading Pete's previous screeds and
> monitoring the list here in the last year and from having my own
> troubles, it's pretty clear to me that only marginal cases suffer with
> the persistent mode (and I was one of them).
> 
> Pete's answer on volumes won't answer what are the marginal cases, it
> just doesn't fit your question.  For me, it was simple lack of
> hardware, but I was *right* on the edge.
> 
> Andrew 8)
> 
> 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
> > Sent: Thursday, February 23, 2006 8:30 AM
> > To: sniffer@SortMonster.com
> > Subject: [sniffer] When to go persistent
> >
> > Hi,
> >
> > Is there any good rule of thumb, in terms of messages
> > processed per minute/hour/day when you should move to a
> > persistent instance of Sniffer?
> >
> > Thank you
> >
> > Goran Jovanovic
> > Omega Network Solutions
> >
> >
> >
> 
> 


[sniffer] When to go persistent

2006-02-23 Thread Goran Jovanovic
Hi,

Is there any good rule of thumb, in terms of messages processed per
minute/hour/day when you should move to a persistent instance of
Sniffer?

Thank you

Goran Jovanovic
Omega Network Solutions




RE: Re[4]: [sniffer] Bad Rule - 828931

2006-02-07 Thread Goran Jovanovic
OK to answer my own question. Run the following commands

grep -U "Final.828931" snf.log >1.txt
cut -b26-41 1.txt >2.txt
grep -U -f2.txt d:\spool\dec0207.log >3.txt
egrep -U "\smd Tests failed|\smd Subject" 3.txt >4.txt

notepad 4.txt

Now I have to read my 4.txt and figure out what I am going to do about
it.

Goran Jovanovic
Omega Network Solutions

 

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Goran Jovanovic
> Sent: Tuesday, February 07, 2006 8:39 PM
> To: sniffer@SortMonster.com
> Subject: RE: Re[4]: [sniffer] Bad Rule - 828931
> 
> I just ran the grep command on my log and I got 850 hits.
> 
> Now is there a way to take the output of the grep command and use it
> to pull out the total weight of corresponding message from the declude
> log file, or maybe the subject?
> 
> Goran Jovanovic
> Omega Network Solutions
> 
> 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> > On Behalf Of David Sullivan
> > Sent: Tuesday, February 07, 2006 7:47 PM
> > To: Landry, William (MED US)
> > Subject: Re[4]: [sniffer] Bad Rule - 828931
> >
> > Hello William,
> >
> > Tuesday, February 7, 2006, 7:39:05 PM, you wrote:
> >
> > LWMU> grep -c "Final.*828931" c:\imail\declude\sniffer\logfile.log
> >
> > That's what I tried. Just figured out I forgot to capitalize the
> > "F". It works.
> >
> > Confirmed - 22,055
> >
> > I'm writing a program now to parse the sniffer log file, extract the
> > file ID, lookup the id in sql server, determine quarantine
> > location, extract q/d pair from quarantine and send to user.
> >
> > --
> > Best regards,
> >  David  mailto:[EMAIL PROTECTED]
> >
> >
> >
> 
> 


This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html
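
The grep/cut correlation from the message above, written as a keyed join; this is an added example, not part of the original post and not Sniffer or Declude code. Both log layouts and every sample line are constructed assumptions (tab-separated Sniffer records sized so the message ID sits where cut -b26-41 looks, a Declude test named SNIFFER); only rule 828931 comes from the thread. It also shows that an unanchored "Final.828931" pattern selects a longer rule ID with the same prefix.

```python
import re

# Constructed Sniffer log. Assumed layout: tab-separated, message file in
# field 3, record type in field 6, rule ID in field 7.
SNF_LOG = """\
licid000\t20060207190501\tD7d3a01d2008a5e17.SMD\t16\t47\tMatch\t828931\t52\t10\t40\t72
licid000\t20060207190501\tD7d3a01d2008a5e17.SMD\t16\t47\tFinal\t828931\t52\t0\t900\t72
licid000\t20060207190609\tD11110000aaaabbbb.SMD\t15\t31\tFinal\t828931\t52\t0\t512\t60
licid000\t20060207190659\tD22220000ccccdddd.SMD\t15\t40\tFinal\t8289317\t48\t0\t700\t66
licid000\t20060207190759\tD33330000eeeeffff.SMD\t15\t30\tClean\t0\t0\t0\t300\t58
"""

# Constructed Declude log. Assumed layout: date, time, spool ID, then either
# "Tests failed [weight=N]: <test names>" or "Subject: <text>".
DECLUDE_LOG = """\
02/07/2006 19:05:02 Q7d3a01d2008a5e17 Tests failed [weight=12]: SNIFFER SPAMCOP BADHEADERS
02/07/2006 19:05:02 Q7d3a01d2008a5e17 Subject: Cheap meds online
02/07/2006 19:06:10 Q11110000aaaabbbb Tests failed [weight=5]: SNIFFER
02/07/2006 19:06:10 Q11110000aaaabbbb Subject: Re: invoice for March
02/07/2006 19:07:00 Q22220000ccccdddd Tests failed [weight=9]: SNIFFER SPAMCOP
02/07/2006 19:07:00 Q22220000ccccdddd Subject: stock alert
02/07/2006 19:08:00 Q33330000eeeeffff Subject: lunch on Friday?
"""

DECLUDE_RE = re.compile(
    r"^\S+ \S+ \w(?P<id>[0-9a-f]{16})\S* "
    r"(?:Tests failed \[weight=(?P<weight>-?\d+)\]: (?P<tests>.*)"
    r"|Subject: (?P<subject>.*))$",
    re.IGNORECASE,
)


def message_id(spool_name):
    """'D7d3a01d2008a5e17.SMD' -> '7d3a01d2008a5e17' (drop prefix letter, extension)."""
    return spool_name.split(".", 1)[0][1:].lower()


def final_hits(snf_log, rule_id):
    """IDs whose Final record names exactly rule_id (field compare, not substring)."""
    ids = set()
    for line in snf_log.splitlines():
        fields = line.split("\t")
        if len(fields) >= 7 and fields[5] == "Final" and fields[6] == str(rule_id):
            ids.add(message_id(fields[2]))
    return ids


def grep_style_hits(snf_log, rule_id):
    """What an unanchored 'Final.<rule>' pattern selects; kept only for comparison."""
    pattern = re.compile(r"Final.%d" % rule_id)
    return {
        message_id(line.split("\t")[2])
        for line in snf_log.splitlines()
        if pattern.search(line)
    }


def correlate(snf_log, declude_log, rule_id):
    """Map message ID -> Declude weight, failed tests and subject for rule hits."""
    wanted = final_hits(snf_log, rule_id)
    records = {}
    for line in declude_log.splitlines():
        m = DECLUDE_RE.match(line)
        if not m or m.group("id").lower() not in wanted:
            continue
        rec = records.setdefault(
            m.group("id").lower(), {"weight": None, "tests": [], "subject": None}
        )
        if m.group("weight") is not None:
            rec["weight"] = int(m.group("weight"))
            rec["tests"] = m.group("tests").split()
        else:
            rec["subject"] = m.group("subject")
    return records


def review_first(records, sniffer_test="SNIFFER"):
    """IDs where Sniffer was the only failed test, lowest total weight first."""
    solo = [(r["weight"], mid) for mid, r in records.items() if r["tests"] == [sniffer_test]]
    return [mid for _, mid in sorted(solo)]


if __name__ == "__main__":
    recs = correlate(SNF_LOG, DECLUDE_LOG, 828931)
    for mid, rec in sorted(recs.items()):
        print(mid, rec["weight"], ",".join(rec["tests"]), rec["subject"])
    print("review first:", review_first(recs))
```

Messages returned by review_first are the ones where the suspect rule alone decided the outcome, so they are the first place to look for false positives.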


RE: Re[4]: [sniffer] Bad Rule - 828931

2006-02-07 Thread Goran Jovanovic
I just ran the grep command on my log and I got 850 hits. 

Now is there a way to take the output of the grep command and use it
to pull out the total weight of corresponding message from the declude
log file, or maybe the subject?

Goran Jovanovic
Omega Network Solutions

 

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of David Sullivan
> Sent: Tuesday, February 07, 2006 7:47 PM
> To: Landry, William (MED US)
> Subject: Re[4]: [sniffer] Bad Rule - 828931
> 
> Hello William,
> 
> Tuesday, February 7, 2006, 7:39:05 PM, you wrote:
> 
> LWMU> grep -c "Final.*828931" c:\imail\declude\sniffer\logfile.log
> 
> That's what I tried. Just figured out I forgot to capitalize the "F".
> It works.
> 
> Confirmed - 22,055
> 
> I'm writing a program now to parse the sniffer log file, extract the
> file ID, lookup the id in sql server, determine quarantine
> location, extract q/d pair from quarantine and send to user.
> 
> --
> Best regards,
>  David  mailto:[EMAIL PROTECTED]
> 
> 
> 


RE: Re[2]: [sniffer] Stock SPAM now HTML

2006-02-02 Thread Goran Jovanovic
This is going to get harder and harder to identify and fight. Is it
worthwhile to put something like this in a new category which we are
very confident about and so if it fails on the new combined image/text
thing we can delete it outright?

Not sure if this is a good idea or not but I had to add extra static
filters to pop the older text only stock spam above my delete weight.
This combined image/text is going to make it tougher I think.

Thoughts?

Goran Jovanovic
Omega Network Solutions

 

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Pete McNeil
> Sent: Thursday, February 02, 2006 11:40 AM
> To: Goran Jovanovic
> Subject: Re[2]: [sniffer] Stock SPAM now HTML
> 
> There are some new mutations of the latest campaigns out today. These
> ones look like they were hand tweaked (not evolved by machine). They
> are a lot tougher, but I think we've got some abstracts coming out
> that will get them.
> 
> This new trend - using embedded images, adding static to images to
> avoid hashing systems, stuffing text, and avoiding links and email
> addresses is going to increase.
> 
> _M
> 
> On Thursday, February 2, 2006, 11:12:59 AM, Goran wrote:
> 
> GJ> Will it ever stop :(
> 
> GJ> Probably not. Actually maybe I shouldn't be wishing that SPAM
> GJ> stops because then I would lose a revenue stream... hmm conundrum
> 
> GJ> Goran Jovanovic
> GJ> Omega Network Solutions
> 
> GJ>
> 
> >> -Original Message-
> >> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> >> On Behalf Of Pete McNeil
> >> Sent: Thursday, February 02, 2006 7:20 AM
> >> To: Goran Jovanovic
> >> Subject: Re: [sniffer] Stock SPAM now HTML
> >>
> >> On Wednesday, February 1, 2006, 11:30:49 PM, Goran wrote:
> >>
> >> GJ>
> >> GJ>
> >> GJ>
> >> GJ> Well the plain text stock spam has just taken a turn to more
> >> GJ> interesting and SNF is not capturing it yet as of 10:55 EST. I
> >> GJ> have submitted a couple to spam@
> >> GJ>
> >> GJ> Now they are including part of a picture to make up the text.
> >> GJ> Here is what the source looks like
> >>
> >> Isn't it amazing.
> >>
> >> I've coded some abstracts for this. More to come.
> >>
> >> _M
> >>
> >>
> >>
> 
> 


RE: [sniffer] Stock SPAM now HTML

2006-02-02 Thread Goran Jovanovic
Will it ever stop :(

Probably not. Actually maybe I shouldn't be wishing that SPAM stops
because then I would lose a revenue stream... hmm conundrum

Goran Jovanovic
Omega Network Solutions

 

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Pete McNeil
> Sent: Thursday, February 02, 2006 7:20 AM
> To: Goran Jovanovic
> Subject: Re: [sniffer] Stock SPAM now HTML
> 
> On Wednesday, February 1, 2006, 11:30:49 PM, Goran wrote:
> 
> GJ>
> GJ>
> GJ>
> GJ> Well the plain text stock spam has just taken a turn to more
> GJ> interesting and SNF is not capturing it yet as of 10:55 EST. I
> GJ> have submitted a couple to spam@
> GJ>
> GJ> Now they are including part of a picture to make up the text.
> GJ> Here is what the source looks like
> 
> Isn't it amazing.
> 
> I've coded some abstracts for this. More to come.
> 
> _M
> 
> 
> 


[sniffer] Stock SPAM now HTML

2006-02-01 Thread Goran Jovanovic








Well the plain text stock spam has just taken a turn to more
interesting and SNF is not capturing it yet as of 10:55 EST. I have
submitted a couple to spam@

Now they are including part of a picture to make up the text. Here is
what the source looks like


CHINA WORL

Sy

Price $

Shares out: 

Market Capit

Significant Revenue Growth i

Averag

Rating: Stro

7 days trading 

30 day trading target: $3.

 

 

 

Goran Jovanovic

Omega Network Solutions








RE: [sniffer] The SPAM bots?

2006-01-30 Thread Goran Jovanovic
Thanks Pete, I think I am seeing a slowdown of this type of SPAM getting
through now.

Goran Jovanovic
Omega Network Solutions

 

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Pete McNeil
> Sent: Monday, January 30, 2006 7:20 PM
> To: Goran Jovanovic
> Subject: Re: [sniffer] The SPAM bots?
> 
> On Monday, January 30, 2006, 10:16:06 AM, Goran wrote:
> 
> GJ> Hi,
> 
> GJ> Are the bots working again? I am seeing a number of the STOCK
> GJ> pitches coming through (the ones that use the picture attachment eg.
> GJ>  GJ> src="cid:a8c0936faa69131141800cf3347d17a4">)
> 
> GJ> Sniffer did not catch the message and I have forwarded it to SPAM@
> 
> There was a lot of that today.
> 
> No, the bots are off until further notice.
> 
> I think we have the image spam under control for the moment.
> 
> Thanks,
> 
> _M
> 
> 
> 


[sniffer] The SPAM bots?

2006-01-30 Thread Goran Jovanovic
Hi,

Are the bots working again? I am seeing a number of the STOCK pitches
coming through (the ones that use the picture attachment eg.
)

Sniffer did not catch the message and I have forwarded it to SPAM@

Thanx

Goran Jovanovic
Omega Network Solutions




[sniffer] Hit Rate Discrepancy

2005-04-24 Thread Goran Jovanovic
Hi,

I think I am having a problem with my Declude log file numbers/stats and
I want to try and figure it out. Last week my Sniffer hit rate went from


SNIFFER  6,699 ... 64.78%

To yesterday

SNIFFER  1,299 ... 10.24%

This is wrong as Sniffer should and does trigger much more often (more
like the first one)

So I looked in the Sniffer log from yesterday and tried to do some quick
stats.

There are:

Final   8573  67.6%
Clean   4104  32.4%
Total  12677 
 
And the total compares to the total number of messages processed

Total Messages Processed: 12,685

So am I interpreting the Sniffer log correctly? Do I need to worry about
the "Match" entries?

Thanx

 
 Goran Jovanovic
 The LAN Shoppe



RE: Re[2]: [sniffer] RAID Levels for Spool Folder

2005-03-18 Thread Goran Jovanovic
Matt and Charles,

Thank you for your insight and comments. Now I just have to go and get
the money to get something that I want :) 

 
 
 
 Goran Jovanovic
 The LAN Shoppe




RE: [sniffer] RAID Levels for Spool Folder

2005-03-16 Thread Goran Jovanovic








Matt,

I think that you sort of answered the question that I did not really
ask. I was really trying to get information on the different
performance levels of S/W vs H/W RAID for an “ideal” scanning only box.
So let me try this out and people can comment

All SCSI 15K drives with HW RAID controller

2 x 36 GB drives R1 on first channel (36 GB usable)
    C – Windows 10 GB
    D – IMAIL/Smartermail/Declude files/Declude filters & per domain
        configs/banned files (5 days only) 20 GB
    P – Page volume 3 GB

3 x 36 GB drives R5 on second channel (72 GB usable)
    L – Logs for JM, Virus, IMAIL/SmarterMail, Sniffer, invURIBL, et al
        10 GB
    S – Storage for all daily logs 60 GB

1 x 36 GB Hot Spare drive

From what we have discussed here drive L will get hit a lot. If you
create a process that Matt is describing to move the active logs from L
to S you should not worry about running out of space on the L drive.

Now looking back I am not sure if I have crafted this well since the
SPOOL files for IMAIL will end up on D. Is there a way to move them for
Smartermail as there does not seem to be a way to move them in IMail?
The good part of this config is that the spool files which have a lot
of read/write are on a different volume/channel from the other log
files. I am not sure what amount of space you should allocate to a
server that would process 100,000+ messages a day?

Anyone have comments on this config.

Thanx

Goran Jovanovic
The LAN Shoppe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Wednesday, March 16, 2005 3:49 PM
To: sniffer@SortMonster.com
Subject: Re: [sniffer] RAID Levels for Spool Folder



 

IMO, Software RAID is not the way to go on a busy
machine.  You will save a measurable amount of overhead by going with
hardware based RAID of any sort since the controller should handle the
processes associated with the RAID.  Note that this isn't the case with
inexpensive RAID controllers such as the cheaper IDE and SATA controllers which
still place a fair burden on the OS/processor.  True RAID cards also offer
additional cache which can speed up the performance on reads, and also on
writes if you are battery backed up (otherwise don't use write caching because
you could lose or corrupt data during a power outage).

There's also several common misconceptions about what is proper to do for a
mail server.  RAID 5 is the best choice under almost all conditions. 
The trick here is that while RAID 10 offers both redundancy in mirroring and
speed in striping, most servers have a limited amount of space for disks. 
So a server with 6 disks will operate with the speed of 3 disks spanned in a
RAID 10 configuration, but 6 disks in RAID 5 will operate as 5 disks spanned
plus a little bit of overhead, though not nearly enough so that it falls short
of the performance of just 3 disks in a simple span.  Therefore RAID 5
should be the default choice for speed in such an environment.

Another misconception is that data is always striped in RAID 0 or RAID
5.  This depends on the file size and the stripe size.  Most stripes
are 64 KB (configurable in most setups).  If you have some form of
striping for your spool drive, most messages fall far under 64 KB and will only
get written to one disk (CRC will also get written in RAID 5).  Therefore
for a spool folder, RAID 5 with 3 drives (the minimum), will perform rather
closely to RAID 5 with 10 drives since most files will only land on one disk
(with the other corresponding stripes containing no data).  The MFT
however for a drive with a lot of files will grow to be quite large and
benefits from having multiple disks, and opening very large files such as logs
will also benefit from having many disks.  There is also an advantage to
seek times when having multiple disks, especially if you keep your partitions
sized small for performance.

I've run a dual processor 3.06 GHz server with both 6 Seagate 15,000 RPM drives
in RAID 5 and the same with 3 Seagate 10,000 RPM drives in RAID 5 running on a
less capable controller, and there was no impact on performance while the
server was handling over 125,000 unique messages a day.  The only
noticeable difference was the time it would take to open a 500 MB log file, or
the time it would take to enumerate the file names from the MFT on a partition
that contained tens of thousands of files in the root.  It seems quite
apparent that with modern processors, even in dual processor configurations,
that you will run out of CPU cycles long before you run out of disk I/O in a
well managed RAID 5, 3 drive configuration on an IMail/Declude/Sniffer server.

Take note that the log files for Declude, Sniffer and IMail all become
massively fragmented, and if you don't have a process to remove these from
active partitions on your server or defragment them, then performance will be
severely impacted.  I run

RE: Re[2]: [sniffer] Moving Sniffer to Declude/SmarterMail

2005-03-16 Thread Goran Jovanovic
OK that is for hardware level RAID. I had thought that you would offset
the extra processing time by being able to write less to each drive.

Now does anyone know how much overhead Windows 2000/2003 software RAID 1
on dynamic disks produces over hardware level RAID 1?

I am assuming it would be substantial. 
 
 
 Goran Jovanovic
 The LAN Shoppe


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
> Sent: Wednesday, March 16, 2005 11:43 AM
> To: Goran Jovanovic
> Subject: Re[2]: [sniffer] Moving Sniffer to Declude/SmarterMail
> 
> On Wednesday, March 16, 2005, 11:25:46 AM, Goran wrote:
> 
> 
> 
> GJ> I guess this is going against what I think should be happening. In a
> GJ> RAID 5 array the write to the drives is broken into many smaller writes
> GJ> along with the data protection/CRC info and then those writes are
> GJ> written to different drives. It seems to me that it should be faster to
> GJ> do a bunch of small writes rather than 1 big write.
> 
> GJ> What am I missing?
> 
> Writing data to a single hard drive takes x amount of work.
> 
> Writing data to more than one drive takes x+y amount of work where y
> is breaking up the data into chunks.
> 
> Writing data to a raid 5 takes x+y+z amount of work where y is
> described above and z is calculating a CRC stripe which must now also
> be saved to a hard drive.
> 
> So, writing to raid5 is relatively very expensive compared to writing
> to a plain old hard drive, or a less complex raid (such as mirroring).
> 
> IMO, the best strategy for email servers is to use an ordinary, single
> fast HD for all spool operations, and place mailboxes on a raid 1 or
> raid 10.
> 
> Hope this helps,
> 
> _M
> 
> 
> 
> 
> 
> This E-Mail came from the Message Sniffer mailing list. For information
> and (un)subscription instructions go to
> http://www.sortmonster.com/MessageSniffer/Help/Help.html



RE: [sniffer] Moving Sniffer to Declude/SmarterMail

2005-03-16 Thread Goran Jovanovic
John,

> 
> It is a well known and published fact (on the Imail list) that RAID5 should
> never ever be used for the spool directory or any other directory that has a
> high write activity. This is basic physics. RAID5 should really only be used
> for high read activity only, such as databases where most of the writing is
> done to transaction (log) files and at spaced intervals those transactions
> are committed to the database.
> 
> RAID1 or even RAID0+1 is best for the spool and logs.

I guess this is going against what I think should be happening. In a
RAID 5 array the write to the drives is broken into many smaller writes
along with the data protection/CRC info and then those writes are
written to different drives. It seems to me that it should be faster to
do a bunch of small writes rather than 1 big write.

What am I missing? 
 
 
 Goran Jovanovic
 The LAN Shoppe



RE: [sniffer] Lists Ping?

2005-02-10 Thread Goran Jovanovic
I posted two messages yesterday to the Junkmail list and they have not
shown up yet

I was about to send Scott a message. 
 
 
 Goran Jovanovic
 The LAN Shoppe

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
> Sent: Thursday, February 10, 2005 12:56 PM
> To: sniffer@SortMonster.com
> Subject: RE: [sniffer] Lists Ping?
> 
> Hey, John.
> 
> Who are you talking to?  Gee the lists are quiet.
> 
> 
> Andrew 8)
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
> Sent: Thursday, February 10, 2005 9:46 AM
> To: sniffer@SortMonster.com
> Subject: RE: [sniffer] Lists Ping?
> 
> 
> Your ping was not received.
> 
> You must have done something wrong.
> 
> No one is here.
> 
> No one is home.
> 
> :\
> 
> John Tolmachoff
> Engineer/Consultant/Owner
> eServices For You
> 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marc Catuogno
> > Sent: Thursday, February 10, 2005 9:35 AM
> > To: sniffer@SortMonster.com
> > Subject: [sniffer] Lists Ping?
> >
> > Is it just me or are all the lists (Imail, Declude V and JM and this one
> > offline??)
> >
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
> > Sent: Tuesday, February 08, 2005 5:18 PM
> > To: Bill Green dfn Systems
> > Subject: Re: [sniffer] ERROR message in snifferp Command Prompt window
> >
> > On Tuesday, February 8, 2005, 3:20:25 PM, Bill wrote:
> >
> > BGdS> I have started seeing this line repeated in the persistent sniffer
> > BGdS> command window.
> >
> > BGdS> ERROR_LOGFILE: Bad Lock During Logging
> > BGdS> c:\imail\declude\sniffer\"mycode".log
> >
> > BGdS> It looks like the error has been happening once a day for about a
> > BGdS> week. Other than the message all seems to be working well. Where
> > BGdS> should I look for the cause?
> >
> > The first clue I can see is that it happens once per day... Chances
> > are there is a scheduled process interfering with the log file, the
> > storage system in general (perhaps some backups or other IO intensive
> > operation).
> >
> > Locking is a very lightweight mechanism in SNF because most operations
> > are synchronized and sequential. If you are only seeing one of these
> > per day then there is no cause to worry - but do keep an eye on it so
> > that it doesn't get worse without you knowing it.
> >
> > A bad lock is probably a stale lock file --- The protocol would be to
> > simply ignore the lock after waiting the appropriate amount of time.
> >
> > In theory, no lock should be required to write to the log file because
> > it is opened in "append" mode. Unfortunately on Win32 based systems
> > this doesn't mean what it should. That is, write operations are not
> > 'atomic' --- so if more than one process tries to append to the log
> > file at once the result is unpredictable corruption.
> >
> > The locking mechanism we're using here (creating a lock semaphore
> > file) is only intended to synchronize access to the file since Win32
> > doesn't. The fact that one process will wait - even if the lock fails
> > - usually accomplishes this task. If the process were to fail and two
> > processes wrote (append) to the log file at once then it is possible,
> > but not certain, that log corruption would occur -- which is not
> > strictly vital for the odd record here and there.
> >
> > Hope this helps,
> >
> > _M
> >
> >
> >

This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html


[sniffer] Sniffer Weighting

2005-02-07 Thread Goran Jovanovic

Hi,

In the licensed version of sniffer you get back what error code/reason
sniffer failed the message. Do folks generally weight the different
reasons with different weights or do you just do a blanket weight?

The sniffer docs suggest that the weighting should be 7 if you are
tagging at 10 (in Declude's weighting system).

Looking for other people's experience.

Thanx
 
 
 
 Goran Jovanovic
 The LAN Shoppe



RE: [sniffer] DMLP

2005-01-28 Thread Goran Jovanovic
OK I will ask. What is MDLP?

 
 
 
 Goran Jovanovic
 The LAN Shoppe

 

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
> Sent: Friday, January 28, 2005 6:22 PM
> To: Scott Fisher
> Subject: Re: [sniffer] DMLP
> 
> On Friday, January 28, 2005, 4:42:24 PM, Scott wrote:
> 
> SF> What ever happened to the DMLP  project?
> 
> That's MDLP, and it's still going. We're holding on at the moment with
> a version that is stable and apparently "sane" with regard to how the
> AI tunes test weights.
> 
> Some time soon I hope we can release it - but I don't have a timeline
> just yet, and I'd like to have more data about the performance of the
> AI before turning it loose on the world ;-)
> 
> _M
> 
> 
> 
> 