[sniffer] Re: MDaemon 9.5 Gateways

2006-11-26 Thread Jim Matuska
My suggestion to AltN would be to release an Unlimited gateway only version of 
MDaemon for those of you just using it as a gateway.  They could even raise the 
price a bit, but make it cheaper than the full Unlimited User version of 
MDaemon, let's say $1,500 per copy.  Still a good deal for what you get but not 
a major hit like the $4,490 now for features you don't even need.

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]
  ----- Original Message -----
  From: Jorge Asch 
  To: Message Sniffer Community 
  Sent: Sunday, November 26, 2006 10:31 AM
  Subject: [sniffer] Re: MDaemon 9.5 Gateways


  Since this is way off topic (this is not a MD discussion list), I will just 
say 2 things (my last reply to this matter).

  1. You didn't need the $495 6-user Pro license. A 6-user Standard license 
was enough to host unlimited gateways (around $120) even with MessageSniffer 
support. As for the AV, hey you could always run Norton or McAfee on the 
server for RT scanning.
  2. You surely don't need unlimited gateways, do you? (unless you have 
unlimited clients).

  Put yourself in the shoes of AltN (or any developer for that matter). I agree 
with you that the change was somewhat sudden, but it was an obvious shortcoming 
that should have been made since the beginning. Like I said (and from 
experience). As a reseller, I noticed lots of people purchased 6-user licenses 
to host their own gateways... for a total investment of less than $150 in 
licenses.


  On Nov 24, 2006, at 10:36 PM, Peer-to-Peer ((Support)) wrote:


Jorge,  You may be a little misinformed.  Alt-n used to charge $495 for a 
6-user Pro license w/ AV and unlimited gateways.
Now they are charging $4,490 for a Pro license w/ AV and unlimited gateways.
  --
  Jorge Asch Revilla
  CONEXION DCR
  www.conexion.co.cr
  800-CONEXION

[sniffer] New MDaemon 9.51 any issues with Sniffer?

2006-10-31 Thread Jim Matuska Jr.
Pete,

Are there any issues with using the current sniffer MDaemon plug-in
with the new 9.51 version of MDaemon?  I usually don’t have to do
anything with Sniffer when upgrading, but considering the email I got from MDaemon
pushing enhanced spam filtering capacity I wanted to make sure nothing changed with
the way sniffer integrates?  Has anyone else upgraded to 9.51 with sniffer
yet?

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]

[sniffer] Re: Increase spam

2006-10-18 Thread Jim Matuska Jr.
I myself am seeing an increase in spam
making it through although at the same time I am seeing an increase in caught
spam as well, so I think sniffer seems to be catching spam ok but there appears
to be just more spam in general it has to deal with and thus a few more
slipping through.  Most of the new caught spam seems to be mainly from the
experimental class so I definitely would recommend looking at raising the
weight of that test if you can.  Personally I see very few false positives
on any of the sniffer tests, I have the really accurate ones to delete
automatically with just one sniffer return code and the experimental and
similar tests set to hold for 7 days in users spam folder after which they are
automatically deleted.  We have about a 92%+ spam vs 8%+- legitimate email
rate, really scary when you think about most of your email being junk.  

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]

From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Filippo Palmili
Sent: Wednesday, October 18, 2006 8:45 AM
To: Message Sniffer Community
Subject: [sniffer] Increase spam

What's going on with the Sniffer settings?
In last days I'm receiving so many spam mails, it looks like the Sniffer is not
working.
Please advise
Thanks
Filippo

[sniffer] Re: yahoo mail problems

2006-10-17 Thread Jim Matuska Jr.
Would you happen to be running Microsoft
DNS server?  I ran into something similar a while back where certain dns queries
were corrupted for domains that used certain extended dns queries.  It turned
out in our case that our firewalls were removing the ends of the extended dns
packets because they were over limit.  Have you made any firewall changes
recently?

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]

From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Computer House Support
Sent: Tuesday, October 17, 2006 9:44 AM
To: Message Sniffer Community
Subject: [sniffer] Re: yahoo mail problems

Weird.  I found that only certain domains on our server
are having the problem.  One domain can successfully send mail to [EMAIL PROTECTED] but when I try
mail to this address from my domain, it fails.

The other error we are seeing is:  rl-recv: connection reset

Michael Stein
Computer House

----- Original Message -----
From: Tech Support
To: Message Sniffer Community
Sent: Tuesday, October 17, 2006 12:18 PM
Subject: [sniffer] Re: yahoo mail problems

This issue is occurring for us with the following platforms

Windows with Imail, smartermail & Mail enable

Linux – about ½ our cpanel servers

Exchange servers – at least 1/3 of them

From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Computer House Support
Sent: Tuesday, October 17, 2006 12:27 PM
To: Message Sniffer Community
Subject: [sniffer] Re: yahoo mail problems

Are those of us having this problem all running an Imail
server?

Michael Stein
Computer House

----- Original Message -----
From: Matrosity Hosting
To: Message Sniffer Community
Sent: Tuesday, October 17, 2006 12:08 PM
Subject: [sniffer] Re: yahoo mail problems

same here

Bill Foresman
Matrosity Hosting
www.matrosity.com
850.656.2644

From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Tech Support
Sent: Tuesday, October 17, 2006 11:52 AM
To: Message Sniffer Community
Subject: [sniffer] Re: yahoo mail problems

Thanks, but we're not blacklisted and there
are no entries other than message has been deferred :(

From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Computer House Support
Sent: Tuesday, October 17, 2006 11:54 AM
To: Message Sniffer Community
Subject: [sniffer] Re: yahoo mail problems

I would recommend checking your mail server logs for a more
detailed description of the bounce error.  You may find that it is a DNS
or spam blacklist issue.  www.dnsstuff.com
is a good resource.

Michael Stein
Computer House

----- Original Message -----
From: Tech Support
To: Message Sniffer Community
Sent: Tuesday, October 17, 2006 10:50 AM
Subject: [sniffer] yahoo mail problems

I’m sorry to post this here but we are desperately
looking for opinions quickly as this has become a real issue to us and I
could not think of any better place to find truly technical mail server folks :)

We seem to be having multiple mail servers on multiple networks having
issues sending to yahoo servers for going on 36 hours now

these are a variety of server types on a variety of networks

telnet on port 25 is usually getting this

451 Message temporarily deferred - 4.16.50

keep in mind that some of our servers are having no issues sending mail

any one else having this issue

[sniffer] Re: yahoo mail problems

2006-10-17 Thread Jim Matuska Jr.
http://www.dnsreport.com/ is another good site to test your dns/email setup as well.

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]

From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Computer House Support
Sent: Tuesday, October 17, 2006 8:54 AM
To: Message Sniffer Community
Subject: [sniffer] Re: yahoo mail problems

I would recommend checking your mail server logs for a more
detailed description of the bounce error.  You may find that it is a DNS
or spam blacklist issue.  www.dnsstuff.com
is a good resource.

Michael Stein
Computer House

----- Original Message -----
From: Tech Support
To: Message Sniffer Community
Sent: Tuesday, October 17, 2006 10:50 AM
Subject: [sniffer] yahoo mail problems

I’m sorry to post this here but we are desperately
looking for opinions quickly as this has become a real issue to us and I
could not think of any better place to find truly technical mail server folks :)

We seem to be having multiple mail servers on multiple networks having
issues sending to yahoo servers for going on 36 hours now

these are a variety of server types on a variety of networks

telnet on port 25 is usually getting this

451 Message temporarily deferred - 4.16.50

keep in mind that some of our servers are having no issues sending mail

any one else having this issue

[sniffer] Re: How Many get through

2006-08-25 Thread Jim Matuska Jr.
We have our rules set up really strict and
it usually works quite well for us running MDaemon.  We probably have half of
the sniffer return codes automatically delete messages that match a single rule
and the other half go to users' personal spam folder accessible via the
webmail interface (or imap).  The messages moved to users' spam folders are
deleted automatically after they have been there a week to keep the clutter
down.  We actually have very few false positives doing this and most users
don’t even check their spam folder on a regular basis as most emails in
there are really spam.

I (and a lot of our users) probably see 2
or 3 spam messages max in a given day, mostly new ones that haven’t been
coded yet in sniffer.  Looking at the log files it looks like we
intercepted about 11,000 spam messages yesterday alone out of 13,000 total
messages received for about 800 users.

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]

From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Gary Stark
Sent: Friday, August 25, 2006 8:49 AM
To: Message Sniffer Community
Subject: [sniffer] How Many get through

I have a question I've been wanting to ask for awhile:

How many spams do most people get leaked into their mailbox? ie they
pass message sniffer?

When I first started over a year ago, very few spam made it into my
mailbox.

But the past 6 months I get 60-80 spam emails / day into my personal
box. Of course I'll see the same messages in my other mail boxes also, so it
relates to a lot of deleting?

Could I have something set up incorrectly? Or thresholds set too low
that they are getting through?

Thanks for any info!

Sincerely,

Gary Stark

[sniffer] Re: Am I submitting to s...@sortmonster.com properly

2006-08-22 Thread Jim Matuska Jr.
Pete,
Is there any way to deal with the other new attachment based spam we have
been seeing recently?  I see a lot coming in that only say here is your
invoice and have an invoice.doc (or similar attachment).  Inside the word
file is the spam itself.  I've seen a bunch of these in the last week or so,
I initially thought they were viruses, but none of my virus scanners picked
them up as such and their contents were just a bunch of spam.   

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Tuesday, August 22, 2006 2:34 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Am I submitting to [EMAIL PROTECTED] properly

Hello David,

I think this format should come through fine. Phishing is a constant
challenge because it is so variable and so close to a legitimate
message (on purpose).

I will code some rules for the message you submitted and I'm sure
Jason (Lead Rule Tech) will see this note and help us watch for these
more closely.

Thanks!

_M

Tuesday, August 22, 2006, 5:10:58 PM, you wrote:

> I just want to know if I am submitting spam emails to
> [EMAIL PROTECTED] properly being in Australia we see a lot of
> spam targeting ANZ, National and Commonwealth bank and they seem to
> be evading the Sniffer program so when I send a spam to
> [EMAIL PROTECTED] (I am using Outlook 2003) I copy and paste the
> header and forward the email to [EMAIL PROTECTED] is this working
> properly. Please see example below.
>
> Regards David Moore
>
> Received: from dialup-82-207-6-125.lv.ukrtel.net [82.207.6.125] by romtech.com.au
>   (SMTPD-8.22) id A82E053C; Tue, 22 Aug 2006 23:35:42 +1000
> Message-ID: <[EMAIL PROTECTED]>
> From: "Commonweal Bank of Australia" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Subject: Commonweal Bank of Australia new security features.
> Date: Tue, 22 Aug 2006 10:45:09 +0400
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
>     boundary="=_NextPart_000_001D_01C6C5D8.0A0008A0"
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook Express 6.00.2900.2527
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2527
> X-mxGuard-Info: Processed by romtech.com.au using mxGuard v2.4
> X-mxGuard-SpoolID: 082d00a1ecb1
> X-mxGuard-Sender: [EMAIL PROTECTED]
> X-mxGuard-Virus-Info: No viruses detected
> X-mxGuard-Spam-Score: 0
> X-mxGuard-Spam-Probability: CLEAN
> X-Note: This message has been scanned for spam and viruses by
>   mxGuard for IMail (www.mxguard.com)
> X-RCPT-TO: <[EMAIL PROTECTED]>
> Status: U
> X-UIDL: 454949852
> X-IMail-ThreadID: 082d00a1ecb1
>
> From: Commonweal Bank of Australia [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, 22 August 2006 4:45 PM
> To: [EMAIL PROTECTED]
> Subject: Commonweal Bank of Australia new security features.
>
> It has come to our attention that your account needs to be
> confirmed due to the recent changes we have made to our NetBank online system.
> We contacted you for the following reason: Confirm your
> Information in order to activate new NetBank security features for
> your account. Be sure to log in securely by following the link
> below. It's important that you confirm your NetBank account
> information otherwise you will not be able to access our online
> services. We encourage you to login in to your Commonwealth Bank
> account as soon as possible to help avoid this.
>
> Click here
>
> We appreciate your understanding as we work to ensure account safety.
>
> Sincerely,
> Commonweal Bank of Australia management stuff.
>
> Email ID: GFR97DF


-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.


#
This message is sent to you because you are subscribed to
  the mailing list .
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to  <[EMAIL PROTECTED]>

[sniffer] Re: Sharon Daniels is out of the office.

2006-08-07 Thread Jim Matuska Jr.
Pete unsubscribed them earlier, so you shouldn't get any more.  Yeah!

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Monday, August 07, 2006 11:11 AM
To: Message Sniffer Community
Subject: [sniffer] Re: Sharon Daniels is out of the office.

Bleeping wonderful.

We have to put up with this for a week?

I guess a nice little Outlook rule is called for.

John T
eServices For You

"Seek, and ye shall find!"


> -----Original Message-----
> From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of
> [EMAIL PROTECTED]
> Sent: Monday, August 07, 2006 10:02 AM
> To: Message Sniffer Community
> Subject: [sniffer] Sharon Daniels is out of the office.
>
> I will be out of the office starting  07/08/2006 and will not return until
> 15/08/2006.
> 
> I will respond to your message when I return.  If your request is urgent
> please resend your message to [EMAIL PROTECTED] or call 623-5700.
> 
> Have a great day!
> Sharon

[sniffer] Re: Help

2006-07-27 Thread Jim Matuska Jr.
It sure sounds like a server issue to me
and not a spam filtering issue.  However, on that issue, wouldn’t WHITELIST
TODOMAIN @mydomain whitelist all email going to your domain?  It’s
been a while since I’ve run declude but that seems like it shouldn’t
be right.  

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]

From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Filippo Palmili
Sent: Thursday, July 27, 2006 9:11 AM
To: Message Sniffer Community
Subject: [sniffer] Re: Help

These:

#=   WHITELISTS   ===

#WHITELIST  HABEAS
PREWHITELIST    ON
WHITELIST   AUTH
#WHITELIST  LOCAL

#(PRO version only) enables addresses in the web address book to automatically be white listed.
#AUTOWHITELIST  ON

# - Domain Example ->   WHITELIST   FROM   @declude.com

# - User Example   ->   WHITELIST   FROM   [EMAIL PROTECTED]

# - IP Example -
#WHITELIST  IP   63.246.13.90

# - TO  Example -
#WHITELIST  TO   postmaster@
#WHITELIST  TO   abuse@

WHITELIST TO [EMAIL PROTECTED]
WHITELIST TO [EMAIL PROTECTED]

WHITELIST TODOMAIN @mydomain
WHITELIST TODOMAIN @mydomain
WHITELIST TODOMAIN @mydomain
WHITELIST TODOMAIN @mydomain


Filippo

At 18:06 27/07/2006, you wrote:

***
My mail server has the relay activated only for certain IP addresses and
networks.
Filippo
***

Sorry, I didn't read your message close enough.

What whitelist settings do you have in global.cfg?

Paul Navarre

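The check raised in the reply above, as an added example (not code from any poster or from Declude): list the active WHITELIST lines of a global.cfg-style file and flag any TODOMAIN entry that names a domain the server itself hosts. The sample config, the `.example` domains and the `local_domains` argument are constructed, and treating keywords case-insensitively is an assumption made to keep the audit conservative.

```python
"""Audit the active WHITELIST lines of a Declude-style global.cfg (constructed sample)."""
from typing import Dict, Iterable, List, NamedTuple, Tuple

# Constructed sample in the same directive style as the section quoted above.
SAMPLE_CFG = """\
# whitelist section (constructed sample)
PREWHITELIST    ON
WHITELIST   AUTH
#WHITELIST  LOCAL
#WHITELIST  IP   192.0.2.90
WHITELIST TO postmaster@mydomain.example
WHITELIST FROM @partner.example
WHITELIST TODOMAIN @mydomain.example
WHITELIST TODOMAIN @MyDomain.example
WHITELIST TODOMAIN @customer.example
"""


class Finding(NamedTuple):
    line_no: int
    kind: str
    value: str
    issue: str


def active_whitelists(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, kind, value) for every uncommented WHITELIST line."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue  # blank line or commented-out example
        # Assumption: keywords are matched case-insensitively.
        if parts[0].upper() != "WHITELIST" or len(parts) < 2:
            continue  # other directives such as PREWHITELIST are out of scope
        entries.append((line_no, parts[1].upper(), " ".join(parts[2:])))
    return entries


def domain_of(value: str) -> str:
    """'@MyDomain.example' or 'user@mydomain.example' -> 'mydomain.example'."""
    return value.rsplit("@", 1)[-1].rstrip(".").lower()


def audit(text: str, local_domains: Iterable[str]) -> List[Finding]:
    """Flag TODOMAIN entries for hosted domains and repeated entries."""
    hosted = {domain_of(d) for d in local_domains}
    seen: Dict[Tuple[str, str], int] = {}
    findings: List[Finding] = []
    for line_no, kind, value in active_whitelists(text):
        key = (kind, value.lower())
        if key in seen:
            findings.append(
                Finding(line_no, kind, value, "duplicate of line %d" % seen[key]))
            continue
        seen[key] = line_no
        # The concern from the thread: a recipient-domain whitelist on a domain
        # this server hosts covers every message addressed to that domain.
        if kind == "TODOMAIN" and domain_of(value) in hosted:
            findings.append(
                Finding(line_no, kind, value,
                        "hosted domain: every recipient in it is whitelisted"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CFG, ["mydomain.example"]):
        print("line %d: WHITELIST %s %s -> %s" % finding)
```
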

Re: [sniffer]Possible Paypal Phishing

2006-05-24 Thread Jim Matuska Jr.
I had one a couple months back from Cisco Systems asking for some updated
information regarding my Cisco Certifications, looked totally bogus going to
a non Cisco.com domain hosted in a foreign country, the links listed in the
email went to a different spot than they said they were for.  I put in a TAC
case to let them know someone was phishing asking for Cisco certification
info and CCO logins, I got the response back from Cisco to just click the
links and all would be fine, this time they sent legitimate links though.
After asking them to escalate as they seemed to have no clue, 2 weeks later
I got a response back from someone who actually knew what they were doing
saying they made the mistake of outsourcing that email to a legitimate
foreign company who was tracking responses through their overseas servers
and then redirecting back to Cisco.com.  It's really bad when the big guys
don't even know what they are doing.

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Wednesday, May 24, 2006 9:59 AM
To: Message Sniffer Community
Subject: Re: [sniffer]Possible Paypal Phishing

That is what has me worried.

John T
eServices For You

"Seek, and ye shall find!"


> -----Original Message-----
> From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Jay
> Sudowski - Handy Networks LLC
> Sent: Wednesday, May 24, 2006 9:51 AM
> To: Message Sniffer Community
> Subject: Re: [sniffer]Possible Paypal Phishing
> 
> The owner of a domain need not authorize a reverse DNS PTR record in any
> way, shape or form.  If the netblock was owned, or the netblock owner
> had delegated rDNS to a malicious customer, they could easily set rDNS
> to whatever they wanted.  Aol.com, paypal.com, ebay.com, chase.com ...
> 
> -Jay
> -----Original Message-----
> From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On
> Behalf Of Colbeck, Andrew
> Sent: Wednesday, May 24, 2006 12:38 PM
> To: Message Sniffer Community
> Subject: Re: [sniffer]Possible Paypal Phishing
> 
> It's really from PostDirect.com aka YesMail.com ...
> 
> You can tell that it's authorized because the reverse DNS which ends in
> PayPal.com (ok, that does set off alarm bells when it's someone else's
> netblock) matches the forward lookup of the resulting address at PayPal.
> 
> Therefore, PayPal is deliberately allowing that reverse IP in someone
> else's netblock.
> 
> That, or both the netblock and PayPal's DNS have been p0wned.
> 
> Andrew 8)
> 
> 
> 
> > -----Original Message-----
> > From: Message Sniffer Community
> > [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
> > Sent: Wednesday, May 24, 2006 9:31 AM
> > To: Message Sniffer Community
> > Subject: [sniffer]Possible Paypal Phishing
> >
> > Attached are the headers to an e-mail I am suspecting as a
> > clever phishing that has me worried.
> >
> > It looks like a legit message sent on behalf of Paypal,
> > however, it is sent from an IP address not owned by Paypal
> > BUT which has a REVDNS that ends in paypal.com.
> >
> > The message is full of links to images.postdirect.com but
> > does have legit links to paypal.com.
> >
> > John T
> > eServices For You
> >
> > "Seek, and ye shall find!"

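The disagreement in the thread above, as an added example that is not part of any poster's message: a PTR record that ends in a brand's domain proves nothing alone, while a PTR whose forward lookup returns the same IP requires the domain's own zone to agree. The lookup tables, the `.example` names and the documentation-range IPs are constructed; `live_ptr` and `live_addr` wrap the standard `socket` calls for real queries.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check over constructed sample data."""
import ipaddress
import socket
from typing import Callable, Dict, List, NamedTuple

PtrLookup = Callable[[str], List[str]]   # IP address -> PTR host names
AddrLookup = Callable[[str], List[str]]  # host name  -> A/AAAA addresses


class Verdict(NamedTuple):
    ip: str
    ptr_names: List[str]
    confirmed: List[str]  # PTR names whose forward lookup returns the same IP
    reason: str


def normalize(host: str) -> str:
    return host.rstrip(".").lower()


def under_domain(host: str, domain: str) -> bool:
    """Match on a label boundary so 'notpay.example' is not 'pay.example'."""
    host, domain = normalize(host), normalize(domain)
    return host == domain or host.endswith("." + domain)


def fcrdns(ip: str, expected_domain: str,
           ptr_lookup: PtrLookup, addr_lookup: AddrLookup) -> Verdict:
    target = ipaddress.ip_address(ip)
    ptr_names = [normalize(n) for n in ptr_lookup(ip)]
    if not ptr_names:
        return Verdict(ip, [], [], "no-ptr")
    confirmed = []
    for name in ptr_names:
        forward = set()
        for addr in addr_lookup(name):
            try:
                forward.add(ipaddress.ip_address(addr))
            except ValueError:
                continue  # skip malformed or scoped addresses
        if target in forward:
            confirmed.append(name)
    if any(under_domain(n, expected_domain) for n in confirmed):
        reason = "forward-confirmed"       # the domain's zone points back at the IP
    elif any(under_domain(n, expected_domain) for n in ptr_names):
        reason = "ptr-only"                # only the netblock side makes the claim
    elif confirmed:
        reason = "confirmed-other-domain"  # consistent DNS, but not the brand's
    else:
        reason = "unrelated"
    return Verdict(ip, ptr_names, confirmed, reason)


def live_ptr(ip: str) -> List[str]:
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [name, *aliases]


def live_addr(host: str) -> List[str]:
    try:
        infos = socket.getaddrinfo(host, None)
    except OSError:
        return []
    return sorted({info[4][0] for info in infos})


# Constructed DNS data: 'pay.example' stands in for the brand's domain.
SAMPLE_PTR: Dict[str, List[str]] = {
    "192.0.2.10": ["outbound.pay.example."],            # zone owner cooperates
    "198.51.100.7": ["mail.pay.example"],               # PTR set by netblock owner only
    "203.0.113.5": ["pay.example.bulk-host.example"],   # look-alike host name
}
SAMPLE_FWD: Dict[str, List[str]] = {
    "outbound.pay.example": ["192.0.2.10"],
    "mail.pay.example": ["192.0.2.25"],
    "pay.example.bulk-host.example": ["203.0.113.5"],
}


def sample_ptr(ip: str) -> List[str]:
    return SAMPLE_PTR.get(ip, [])


def sample_addr(host: str) -> List[str]:
    return SAMPLE_FWD.get(normalize(host), [])


def classify_samples() -> Dict[str, str]:
    ips = ["192.0.2.10", "198.51.100.7", "203.0.113.5", "192.0.2.99"]
    return {ip: fcrdns(ip, "pay.example", sample_ptr, sample_addr).reason
            for ip in ips}


if __name__ == "__main__":
    for ip, reason in classify_samples().items():
        print(ip, reason)
```
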

[sniffer]Ebay Phishing Emails getting through

2006-05-17 Thread Jim Matuska Jr.
Has anyone else been getting an excess amount of ebay phishing emails making
it through sniffer today?  I have personally received a couple of them and
have multiple users reporting the same.  I have forwarded them to the
sniffer spam@ address if you can take a look Pete it would be much
appreciated.

Thank You,

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]

RE: [sniffer] New Web Site!

2006-03-17 Thread Jim Matuska Jr.
I would think at least it would be prudent to restrict account creation to
users verified as active sniffer customers, by allowing anyone on the
internet to create an account I would think would be a massive security
problem.  

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jonathan Hickman
Sent: Friday, March 17, 2006 10:05 AM
To: sniffer@SortMonster.com
Subject: Re: [sniffer] New Web Site!

A wiki is a site that is publicly editable.  Anyone can add to the site as
long as they have a valid account.

----- Original Message -----
From: "Harry Vanderzand" <[EMAIL PROTECTED]>
To: 
Sent: Friday, March 17, 2006 11:15 AM
Subject: RE: [sniffer] New Web Site!


> What is a wiki?
>
> Harry Vanderzand
> inTown Internet & Computer Services
> 519-741-1222
>
>
>
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
> > Sent: Friday, March 17, 2006 11:07 AM
> > To: sniffer@sortmonster.com
> > Subject: [sniffer] New Web Site!
> >
> > Hello Sniffer Folks,
> >
> >   Today we are making a major transition. The old Message Sniffer web
> >   site will be torn down and replaced with a new WIKI:
> >
> >   http://kb.armresearch.com/index.php?title=Message_Sniffer
> >
> >   The top Message Sniffer page will retain its index for a while but
> >   instead of sending you to the original pages the links will take you
> >   to appropriate pages in the new WIKI.
> >
> >   Also - if you try to go directly to an old page you will be
> >   redirected automatically to the appropriate new page.
> >
> >   The WIKI requires that you create an account and log-in before
> >   making any changes. We know there are blackhats out there so we will
> >   be watching very closely... If we find there is abuse, we will
> >   disable the ability to create accounts and you will need to contact
> >   us at support@ if you want the ability to post -- let's hope it
> >   doesn't come to that.
> >
> >   We will continue to update, improve, and correct the wiki - it will,
> >   in fact, be under constant development.
> >
> >   Have fun!
> >
> > Thanks,
> >
> > _M
> >
> > Pete McNeil (Madscientist)
> > President, MicroNeil Research Corporation Chief SortMonster
> > (www.sortmonster.com) Chief Scientist (www.armresearch.com)
> >
> >
> > This E-Mail came from the Message Sniffer mailing list. For
> > information and (un)subscription instructions go to
> > http://www.sortmonster.com/MessageSniffer/Help/Help.html

RE: [sniffer] False Positives

2006-02-15 Thread Jim Matuska Jr.
Pete,
Is there any way to get an automatic response similar to the one listed below
for the FP address, but for submissions to your spam@ address?  It would be
nice to get some feedback when submitting spam.  

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Wednesday, February 15, 2006 1:28 PM
To: Kevin Rogers
Subject: Re: [sniffer] False Positives

On Wednesday, February 15, 2006, 3:54:50 PM, Kevin wrote:

KR> My users have been getting a lot of FPs by Sniffer lately.  They send me
KR> the email with the FULL HEADERS displayed and I forward this email on to
KR> SortMonster.  The program they use to analyze incoming submissions check
KR> MY email headers, determine that SNIFFER was not at fault and sends me
KR> back an email saying it didn't find any flags.

Just to clarify a bit, here is the standard response you're probably
talking about:

[FPR:0]

The message did not match any active black rules as submitted. The rules
may have been modified or removed. If you provide matching log entries
from your system then we can research this further.

Note that sometimes our false processing system may not identify the
rules that matched this message on your system due to changes in the
submitted content that might occur during the forwarding process.

Please also be sure you are running the latest version, that your
rulebase file is up to date, and that you do not have any unresolved
errors in your Sniffer log file. Bug fixes in newer versions may resolve
false positive issues or reduce the risk of false positives through
enhanced features and new technologies. Certain errors in your log file
may indicate a corrupted rulebase.

---

The software we use to scan false positive submissions is a version of
SNF that includes every rule we have in our system. If the message
does not match any of these rules, MOST of the time it means that the
rule has been removed already.

If that is not the case, then the next step is to provide matching log
entries. On some systems this is not necessary because the headers may
already contain SNF x-header data that shows the rules involved.

This process is not intended to make things difficult, but to save
time. The majority of the time, our local scanner will identify the
rule or rules in question and we will respond accordingly.

When that is not the case we simply need more data to move forward
with the investigation.

Usually, when a rule is still in the system and it does not match a
false positive submission it is because the original message was
altered during the forwarding process or that some condition of being
attached has prevented the scanner on this end from reproducing the
result you had on your system.

Hope this helps,

_M

RE: [sniffer] Automate MDaemon Updating

2006-02-02 Thread Jim Matuska Jr.
We actually did that exact thing, went from Imail to MDaemon when Imail
started drastically increasing their prices a year or so ago.  We are using
the same scripts now with MDaemon that we used in Imail and they work just fine
(I think they may be Bill Landry's scripts).  As for license file, it
transferred over without any issues either.  The plugin works great too,
MDaemon is much better than Imail, although I do miss declude functionality.
We have MDaemon setup to automatically delete spam messages based upon some
of the higher accuracy return codes (such as the adult themed ones) and have
the ones that have a higher false positive chance to simply move the spam
messages to the MDaemon user spam directory.  I also setup a rule to
automatically delete these spam captured messages every 5 days from the
users spam directories to keep the clutter down.  This works great for us
and I would highly recommend that transition.  

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]

 


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Grant Stufft
Sent: Thursday, February 02, 2006 9:25 AM
To: sniffer@SortMonster.com
Subject: [sniffer] Automate MDaemon Updating

Has anyone got an automated updating script for updating rulebases for 
MDaemon?  I am just demoing the software now.  The plugin seems to be 
working well.  I have used the Imail script from the website that Bill 
Landry contributed (thanks Bill).  Is there a way to automatically send 
the confirmation email that the update worked as it was supposed to like 
it does in IMail?  If we discontinue Imail usage and go to MDaemon will 
the Sniffer license transfer OK?  (Only running one server with it at a 
time).

Thanks,

Grant
---
[This E-mail scanned for viruses by EA Media Internet Services]





RE: Re[2]: [sniffer] Stock Market Spam Messages

2006-01-26 Thread Jim Matuska Jr.
They seem to be different ones sporadically over the last week or so.  I'll
keep an eye on any new ones and let you know if they change.  

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]

 


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Pete McNeil
Sent: Thursday, January 26, 2006 10:54 AM
To: Jim Matuska Jr.
Subject: Re[2]: [sniffer] Stock Market Spam Messages

I see. I misunderstood. We generally get text based stock-push
campaigns very quickly. We have seen an increase in these recently
though.

If it's a plain text stock push then it's most likely that you saw it
before we did. I'll make sure that the rest of the team are watching
out for these just in case - (we have two new guys on the team,... if
they "pushed it back" then we might have been delayed in coding for
it).

Those guys are on this list too so they'll see this note when they get
a minute.

If you see the same one repeatedly then please .zip it and send a copy
to support as a "chronic" spam.

The other night I saw a burst of more than 5 new stock push campaigns
come out in the same 10 minute period across the spamtraps. I thought
that was unusual. It's possible, perhaps even likely, that you got
this burst before we saw it.

Please let us know if you're getting the same one repeatedly or
different ones.

Thanks,

_M

On Thursday, January 26, 2006, 11:55:52 AM, Jim wrote:

JMJ> The ones I seem to be getting have no images, and are only plain text.

JMJ> Jim Matuska Jr.
JMJ> Computer Tech2, CCNA
JMJ> Nez Perce Tribe
JMJ> Information Systems
JMJ> [EMAIL PROTECTED]

JMJ>  


JMJ> -Original Message-
JMJ> From: [EMAIL PROTECTED]
JMJ> [mailto:[EMAIL PROTECTED]
JMJ> On Behalf Of Pete McNeil
JMJ> Sent: Thursday, January 26, 2006 8:53 AM
JMJ> To: Jim Matuska Jr.
JMJ> Subject: Re: [sniffer] Stock Market Spam Messages

JMJ> On Thursday, January 26, 2006, 11:22:40 AM, Jim wrote:

JMJ>> I seem to be noticing a lot of spam messages recently that are stock ads for
JMJ>> offshore companies; I seem to be getting a lot of these that are not being
JMJ>> classified by sniffer.  I have been forwarding these to the spam@ address,
JMJ>> but have yet to notice any real changes.  Any thoughts on these?

JMJ> There has been a recent shift to using randomized images for these
JMJ> which makes them a bit harder to defeat.

JMJ> I'll take a look.

JMJ> _M





RE: [sniffer] Stock Market Spam Messages

2006-01-26 Thread Jim Matuska Jr.
The ones I seem to be getting have no images, and are only plain text.  

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]

 


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Pete McNeil
Sent: Thursday, January 26, 2006 8:53 AM
To: Jim Matuska Jr.
Subject: Re: [sniffer] Stock Market Spam Messages

On Thursday, January 26, 2006, 11:22:40 AM, Jim wrote:

JMJ> I seem to be noticing a lot of spam messages recently that are stock ads for
JMJ> offshore companies; I seem to be getting a lot of these that are not being
JMJ> classified by sniffer.  I have been forwarding these to the spam@ address,
JMJ> but have yet to notice any real changes.  Any thoughts on these?

There has been a recent shift to using randomized images for these
which makes them a bit harder to defeat.

I'll take a look.

_M





[sniffer] Stock Market Spam Messages

2006-01-26 Thread Jim Matuska Jr.
I seem to be noticing a lot of spam messages recently that are stock ads for
offshore companies; I seem to be getting a lot of these that are not being
classified by sniffer.  I have been forwarding these to the spam@ address,
but have yet to notice any real changes.  Any thoughts on these?  

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]

 



RE: [sniffer] Last chance to renew at the old price!

2005-12-27 Thread Jim Matuska Jr.
Is it possible to pay the low price to extend your subscription more than one year
at the current price, or would you only be able to get 1 more year at the low
price and have to pay later years at the full rate?  

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]

 


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Michael Murdoch
Sent: Tuesday, December 27, 2005 12:57 PM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] Last chance to renew at the old price!

1) The monthly rate is going to $ 45.00.

2) It would be a one year extension to your current subscription and
then your next renewal would be at the new price.  For example, if your
license expires 02/08/2006, your next renewal would be on 02/08/2007.  

This offer is completely optional and is available to all existing
customers.  

Thanks,
MM

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, December 27, 2005 2:47 PM
To: sniffer@SortMonster.com
Subject: Re: [sniffer] Last chance to renew at the old price!

1) what will the monthly rate be after 2005?

2) If we were to renew at the current rate, how long will that rate be good
for?  As you mentioned grandfathered - is this forever or just one year?








[sniffer] OT Mdaemon Ldap (Ldaemon is Slow question)

2005-11-10 Thread Jim Matuska Jr.
I hate to put this to the sniffer list since it is way OT, however people on
this list seem to have good insight.  I've been having an issue with
Ldaemon's Ldap server being incredibly slow to respond to Ldap queries from
clients such as Netscape, Outlook, and outlook express.  Simple queries
usually take about 10 seconds to complete (even with only 500 accounts). I
have submitted a support request to Altn and posted to their forum but they
have no idea why Ldap queries are slow for me.  I have even purged and
reloaded the Ldaemon Database to no avail.  Has anyone running Mdaemon and
Ldaemon run into this before?  Sorry for the OT message. 

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]

 



RE: Re[4]: [sniffer]

2005-11-10 Thread Jim Matuska Jr.
We are running Sniffer with the Mdaemon plug-in and SA and it seems to work
great for us, much better than our previous Imail/Declude sniffer
combination.  

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]

 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Pete McNeil
Sent: Thursday, November 10, 2005 9:36 AM
To: Peer-to-Peer (Support)
Subject: Re[4]: [sniffer]

On Thursday, November 10, 2005, 11:45:48 AM, Peer-to-Peer wrote:

PtPS> _M,

PtPS> <<_M said>> will create a "default" installation that emits headers and puts
PtPS> a .cf file in place for SA to interpret them.

PtPS> Not sure if this is relevant to your thought process, but we feel that SA
PtPS> (SpamAssassin) does more harm than good.  Under moderate loads it bogs-down
PtPS> MDaemon so we always have SA disabled.  Sniffer is by far superior in every
PtPS> category, (accuracy, speed, dependability etc...) so there's no need to use
PtPS> SpamAssassin.

PtPS> My point: Keep in mind that some of us use sniffer independently (not tied
PtPS> to SA).  We're using sniffers .cfg plug-in for MD ver 8.
PtPS> I assume you will, and I probably misunderstood your post, but just wanted
PtPS> to mention this out-loud.

Thanks for this! I think it's the first time I've heard it said out
loud from anyone involved with MDaemon. As a result I'm operating
under the assumption that folks who install SNF on MDaemon _most
likely_ have SA running and so that would be the simplest default
installation.

Is that true (do you think) or is it now more likely that SA would be
disabled?

In any case, the installer is intended for someone who just wants to
push the button and have it work. In that context, what is the best
"default install"?

All that said, once the installation is complete, a technically savvy
person could reconfigure SNF and MDaemon to work in any way they
prefer. We're definitely not going to do anything to make that more
difficult.

Thanks,

_M





Re: [sniffer] Headers showing up in message body after switching to Mdaemon - solution

2005-08-25 Thread Jim Matuska
It's weird, if I set the alias [EMAIL PROTECTED] to [EMAIL PROTECTED] 
in my Mdaemon configuration I seem to reject all sorts of messages (I have a 
feeling that I missed most of the replies to this thread).  Now that I 
removed that alias most email seems ok but a lot of stuff going to 
[EMAIL PROTECTED] instead of [EMAIL PROTECTED] seems to get 
rejected.  I think I'm going to leave that alias out for now and see what 
happens, if I get any complaints I'll inform the users to use the correct 
[EMAIL PROTECTED] format.  Anyone else run into something similar?  If you 
already replied to this, I apologize if I didn't get your message due to 
these misc issues.


Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]
- Original Message - 
From: "Bryan Bussey" <[EMAIL PROTECTED]>

To: 
Sent: Thursday, August 25, 2005 11:34 AM
Subject: RE: [sniffer] Headers showing up in message body after switching to 
Mdaemon - solution




I encountered the same problem when I activated the "XHeader..." options.
MDaemon 8.x doesn't like the fact that the X-header didn't have a colon with
a value following.  I rectified the problem by changing the respective
entries in PlugIn.cfg to these:

XHeaderBlack: X-SNF-Black: YES
# XHeaderBlack: X-Spam-Flag: YES
XHeaderWhite: X-SNF-White: YES
XHeaderClean: X-SNF-Clean: YES

With the "YES" value following the X-header, MDaemon worked fine.

Pete - FYI, I got an "Article rejected, un-authorized poster" returned email
when I tried to respond to this thread.

bb

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Jorge Asch
Sent: Sunday, August 21, 2005 4:28 PM
To: sniffer@SortMonster.com
Subject: Re: [sniffer] Headers showing up in message body after
switching to Mdaemon


I am using the latest version of MDaemon and the Sniffer plugin and I
can say I haven't noticed any strange behavior.


--
Jorge Asch Revilla
CONEXION DCR
www.conexion.co.cr
800-CONEXION





Re: [sniffer] Spam Messages held in the Bad Message Queue Mdaemon/Sniffer

2005-08-24 Thread Jim Matuska



I am using the plugin, at this point it looks like 
this doesn't really have anything to do with Sniffer, but with Mdaemons 
DNS-BlackLists.  I had DNS blacklists enabled, but expected them to follow 
my spam rules, instead it looks like it was putting those messages failing 
DNS-BL into the bad message queue and sending the postmaster an undeliverable 
message.  I have DNS BL disabled and so far nothing seems to be going into 
the bad message queue that doesn't belong there.  Does anyone know if there 
is a way I can use Mdaemons DNS Blacklists to weight messages rather than just 
hold like they seem to be doing?  Thanks again to Pete on this one too as 
he has been helping me off list and seems to have steered me in the right 
direction :>).
 
 
 
Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]

  - Original Message - 
  From: Jorge Asch 
  To: sniffer@SortMonster.com 
  Sent: Wednesday, August 24, 2005 11:48 AM
  Subject: Re: [sniffer] Spam Messages held in the Bad Message Queue Mdaemon/Sniffer

  Has anyone run into this?  Any thoughts?

  I haven't noticed this. I assume you're using the plugin? I've been 
  using the plugin since 0.1 I think (I was an alpha tester you can say) and I 
  never noticed those problems you are referring to.
  
  
  -- 
  Jorge Asch Revilla
  CONEXION DCR
  www.conexion.co.cr
  800-CONEXION


[sniffer] Spam Messages held in the Bad Message Queue Mdaemon/Sniffer

2005-08-23 Thread Jim Matuska



Since switching to Mdaemon/Sniffer from 
Imail/Declude/Sniffer I have been seeing quite a few messages (right now about 
500) stuck in the bad message queue.  Most of these messages have failed a 
good deal of spam tests, but not all the messages.  I'm not sure why 
exactly these are being held.  I am receiving postmaster messages that the 
user is unknown, but the account does exist and in most cases works fine (I have 
been unable to recreate this problem myself), but at any given time I see 500 
messages going between the bad queue and the retry queue until they timeout and 
are sent to the postmaster account.  

Has anyone run into this?  Any thoughts?

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]


Re: Re[2]: [sniffer] Headers showing up in message body after switching to Mdaemon

2005-08-19 Thread Jim Matuska
Yes, something is going on weird in Mdaemon.  The strange thing is I got 
both copies of your message, the one to me direct and the one to the sniffer 
list.  The strange thing is the one Pete sent to the list I had to pull out 
of the bad message directory as it did not make it to me.  I'm not sure what 
the difference is.


I also found I get the following errors in the Mdaemon log for these 
messages:


Fri 2005-08-19 11:10:33: Error parsing 

Fri 2005-08-19 11:10:33: Message moved to 



Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]

- Original Message - 
From: "Alberto Santoni" <[EMAIL PROTECTED]>

To: 
Cc: <[EMAIL PROTECTED]>
Sent: Friday, August 19, 2005 11:15 AM
Subject: RE: Re[2]: [sniffer] Headers showing up in message body after 
switching to Mdaemon



Hello

I received messages of this kind too. Then I must understand that the
cause is MDaemon and not iMail?

Alberto

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Pete McNeil
Sent: Friday, August 19, 2005 20.03
To: Jim Matuska
Cc: [EMAIL PROTECTED]
Subject: Re[2]: [sniffer] Headers showing up in message body after switching
to Mdaemon

On Friday, August 19, 2005, 12:53:39 PM, Jim wrote:

JM> Pete,
JM> The switch in question was from Imail to Mdaemon,  so far so

I was almost hoping this was a switch to a new version of MDaemon
since this seems to be a new phenomenon. Thanks for the data!

JM> good other than a few misc bugs, I like the Mdaemon Sniffer
JM> integration much better than the declude integration.

We're hoping to go this route with other systems too-- but change is
slow. The MDaemon folks are very aggressive in seeking new
improvements :-)



JM> Also Pete for some reason your message to the list got stuck
JM> in the bad  message queue but I received my original post to the
JM> list. Any  thoughts? Please cc: me direct [EMAIL PROTECTED] if
JM> you can so I don't have  to read the response from my bad message
JM> queue when it comes from the list.

Can you check the headers for the SNF results and any other tests
which might have caused the message to get captured? There's something
there that needs to be fixed.

Thanks,

_M





Re: [sniffer] Headers showing up in message body after switching to Mdaemon

2005-08-19 Thread Jim Matuska



Pete,
The switch in question was from Imail to Mdaemon, 
so far so good other than a few misc bugs, I like the Mdaemon Sniffer 
integration much better than the declude integration.  Thanks for the info, 
that was where I was leaning towards too, It's mainly an aesthetic thing though, 
so I'm not too concerned. 

Another unrelated issue but maybe you or 
someone else on this list has an idea on.  I have a few instances in 
Mdaemon where messages are being held in the bad mail queue and are also 
returning a postmaster user unknown message if in certain instances mail is sent 
to an address including the mail server name in the address i.e. [EMAIL PROTECTED] 
rather than [EMAIL PROTECTED] 
This doesn't appear to be happening on all messages (I have a [EMAIL PROTECTED] to 
@nezperce.org alias), just in some instances this is happening.  

Also Pete for some reason your message to the list got stuck in the bad 
message queue but I received my original post to the list.  Any 
thoughts?  Please cc: me direct [EMAIL PROTECTED] if you can so I don't have 
to read the response from my bad message queue when it comes from the list. 

Thank You,

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]
 
Pete wrote:
I've heard more about this lately than ever before.

You say, "after the switch" --- I ask, what switch? Is this perhaps a
new bug (it acts like one in other ways).

What I know about this is that most-likely something in MDaemon that
modifies the subject header is causing this problem.

What appears to happen is that SNF adds its headers at the end of
the existing headers in the message - most specifically, at the first
double new line. In most (perhaps all) cases this is immediately after
the subject header.

After SNF has finished, additional headers are added.

Some time after that the subject header is modified to include an
extra "new line" at the end. This causes all headers after the subject
to become part of the body of the message.

Hope this helps,

  - Original Message - 
  From: Jim Matuska 
  To: sniffer@SortMonster.com 
  Sent: Friday, August 19, 2005 8:22 AM
  Subject: [sniffer] Headers showing up in message body after switching to Mdaemon

  I'm not sure if this is related to sniffer or 
  related to Mdaemon, but just after the switch all sniffer update notifications 
  have the following headers visible in the message body rather than hidden in 
  the headers.  I also am noticing several newsletters such as zdnets have 
  headers as well in the message body.  Anyone have an idea what is going 
  on, I am listing what shows up in the message body below:

  In Sniffer update email:

  X-SNF-White
  X-MDRcpt-To: [EMAIL PROTECTED]
  X-Rcpt-To: [EMAIL PROTECTED]
  X-MDRemoteIP: 216.88.36.96
  X-Return-Path: [EMAIL PROTECTED]
  X-MDaemon-Deliver-To: [EMAIL PROTECTED]

  The ***.snf rule base has been updated.
  This is your unique rulebase and license ID. The authentication code for this license is:

  From Zdnet Message:

  X-SNF-White
  X-Lookup-Warning: MAIL lookup on [EMAIL PROTECTED] does not match 206.16.1.131
  X-MDRcpt-To: [EMAIL PROTECTED]
  X-Rcpt-To: [EMAIL PROTECTED]
  X-MDRemoteIP: 206.16.1.131
  X-Return-Path: [EMAIL PROTECTED]
  X-MDaemon-Deliver-To: [EMAIL PROTECTED]

  Any thoughts???

  Jim Matuska Jr.
  Computer Tech2, CCNA
  Nez Perce Tribe
  Information Systems
  [EMAIL PROTECTED]
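
Both explanations given in this thread (an X-header written without a colon and value, and a stray blank line after the Subject header) produce the symptom shown above in any RFC 5322 parser. The following is an added example, not code from the original posts or from MDaemon or SNF: it uses Python's standard email parser as a stand-in for the mail server's parser, on a constructed message with example.com/example.org addresses, and leaked_headers() is a hypothetical check for header lines sitting at the top of a body.

```python
import re
from email import message_from_string

# RFC 5322 field name (printable ASCII except ":") followed by a colon.
FIELD = re.compile(r"^[!-9;-~]+:")
# A bare token with no colon, e.g. "X-SNF-White" written without a value.
BARE = re.compile(r"^[!-9;-~]+$")


def make_message(inserted_line):
    """Constructed sample; inserted_line is what the filter adds after Subject."""
    lines = [
        "From: sender@example.com",
        "To: user@example.org",
        "Subject: rulebase update",
        inserted_line,
        "X-MDRcpt-To: user@example.org",  # headers added after the filter ran
        "X-MDRemoteIP: 192.0.2.10",
        "",
        "The rule base has been updated.",
    ]
    return "\n".join(lines) + "\n"


def leaked_headers(body):
    """Return header-looking lines found at the very top of a message body."""
    block = []
    for line in body.splitlines():
        if not line.strip():
            break  # the first blank line ends the candidate block
        block.append(line)
    looks_like_headers = bool(block) and all(
        FIELD.match(l) or BARE.match(l) or l[0] in " \t" for l in block
    )
    has_x_header = any(l.lower().startswith("x-") for l in block)
    return block if looks_like_headers and has_x_header else []


def analyse(raw):
    """Parse raw text and report parsed headers, parser defects and leaks."""
    msg = message_from_string(raw)
    return {
        "headers": msg.keys(),
        "defects": [type(d).__name__ for d in msg.defects],
        "leaked": leaked_headers(msg.get_payload()),
    }


if __name__ == "__main__":
    cases = {
        "no colon": "X-SNF-White",           # header as originally emitted
        "blank line": "",                    # extra newline after Subject
        "colon and value": "X-SNF-White: YES",  # the PlugIn.cfg fix
    }
    for label, line in cases.items():
        print(label, analyse(make_message(line)))
```
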
  
  
  
  


[sniffer] Headers showing up in message body after switching to Mdaemon

2005-08-19 Thread Jim Matuska



I'm not sure if this is related to sniffer or 
related to Mdaemon, but just after the switch all sniffer update notifications 
have the following headers visible in the message body rather than hidden in the 
headers.  I also am noticing several newsletters such as zdnets have 
headers as well in the message body.  Anyone have an idea what is going on, 
I am listing what shows up in the message body below:

In Sniffer update email:

X-SNF-White
X-MDRcpt-To: [EMAIL PROTECTED]
X-Rcpt-To: [EMAIL PROTECTED]
X-MDRemoteIP: 216.88.36.96
X-Return-Path: [EMAIL PROTECTED]
X-MDaemon-Deliver-To: [EMAIL PROTECTED]

The ***.snf rule base has been updated.
This is your unique rulebase and license ID. The authentication code for this license is:

From Zdnet Message:

X-SNF-White
X-Lookup-Warning: MAIL lookup on [EMAIL PROTECTED] does not match 206.16.1.131
X-MDRcpt-To: [EMAIL PROTECTED]
X-Rcpt-To: [EMAIL PROTECTED]
X-MDRemoteIP: 206.16.1.131
X-Return-Path: [EMAIL PROTECTED]
X-MDaemon-Deliver-To: [EMAIL PROTECTED]

Any thoughts???

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]






Re: Re[2]: [sniffer] New Spam/Virus?

2005-06-06 Thread Jim Matuska

Thanks Pete,
What Return code will this be under?

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]
- Original Message - 
From: "Pete McNeil" <[EMAIL PROTECTED]>

To: "Dave Koontz" 
Sent: Monday, June 06, 2005 3:00 PM
Subject: Re[2]: [sniffer] New Spam/Virus?



On Monday, June 6, 2005, 5:50:38 PM, Dave wrote:

DK> Same exact IP  here!

We've got a couple of rules for this now -- making the rounds as new
compiles go out.

_M





Re: [sniffer] New Spam/Virus?

2005-06-06 Thread Jim Matuska



That's the one I am seeing too.
 
Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]

  - Original Message - 
  From: Nick Hayer 
  To: sniffer@SortMonster.com 
  Sent: Monday, June 06, 2005 2:42 PM
  Subject: Re: [sniffer] New Spam/Virus?

  Was this the ip?
  209.67.220.164

  This is the only address I have seen - 

  -Nick

  Scott Fisher wrote: 

    Yes I have seen them too: 

    email starts with: 

    Dear Valued Member, According to our site 
    policy you will have to confirm your account by the following link or else 
    your account will be suspended within 24 hours for security 
    reasons.

      - Original Message - 
      From: Jim Matuska 
      To: sniffer@SortMonster.com 
      Sent: Monday, June 06, 2005 4:13 PM
      Subject: [sniffer] New Spam/Virus? 

      Is anyone else seeing a huge rash of spam/virus messages in the last 
      hour or so?  I have multiple users that are getting messages that are 
      forging our own addresses and have a link that appears to go to our 
      website but instead goes elsewhere with a IP address link.  These do 
      not appear to be infecting as file attachments but from the web link 
      itself.  Pete, I have forwarded a few to your spam@ address, let me 
      know what you think. 

      Jim Matuska Jr.
      Computer Tech2, CCNA
      Nez Perce Tribe
      Information Systems
      [EMAIL PROTECTED] 
  


[sniffer] New Spam/Virus?

2005-06-06 Thread Jim Matuska



Is anyone else seeing a huge rash of spam/virus 
messages in the last hour or so?  I have multiple users that are getting 
messages that are forging our own addresses and have a link that appears to go 
to our website but instead goes elsewhere with a IP address link.  These do 
not appear to be infecting as file attachments but from the web link 
itself.  Pete, I have forwarded a few to your spam@ address, let me know 
what you think.
 
Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]


Re: Re[2]: [sniffer] New Spam Storm

2005-05-17 Thread Jim Matuska
Thanks Pete, would you be able to provide the current false positive rates 
for the return codes?

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]
- Original Message - 
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: "Jim Matuska" 
Sent: Tuesday, May 17, 2005 11:54 AM
Subject: Re[2]: [sniffer] New Spam Storm


On Tuesday, May 17, 2005, 1:44:30 PM, Jim wrote:

JM> Pete,
JM> Is there a possibility of setting up another return  code for
JM> situations such as this such as a blacklist rulecode that only has
JM> rules for messages such as these that should be blacklisted
JM> immediately. I  wouldn't mind setting certain high priority rules
JM> to block immediately.

A couple of things --- When we first saw this we didn't know it was a
virus, so we were blocking the messages as normal spam.

Once we did know it was malware we coded it to the malware group.

No filters are perfect (even ours ;-) but I believe the code you are
looking for is our malware result code: 55

That's as close as I can come to this request without doing something
new and therefore less reliable.

Hope this helps,

_M




Re: [sniffer] New Spam Storm

2005-05-17 Thread Jim Matuska



Pete,
Is there a possibility of setting up another return 
code for situations such as this such as a blacklist rulecode that only has 
rules for messages such as these that should be blacklisted immediately.  I 
wouldn't mind setting certain high priority rules to block immediately.  

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]

  - Original Message - 
  From: Andy Schmidt 
  To: sniffer@SortMonster.com 
  Sent: Tuesday, May 17, 2005 10:41 AM
  Subject: RE: [sniffer] New Spam Storm

  Yes, these messages were caused by Sunday's Sober.O and Sober.P remote
  update of previously infected PCs, causing them to send out millions of
  neo-nazi mail. The next update (likely a new spam-wave) is scheduled in
  10 days. Some public mailboxes got as many as 50,000 emails in 48 hours
  to a single account.

  SURBL will catch many of them for a while - big problem are returns to
  faked senders that are not as easily blocked.

  Best Regards
  Andy Schmidt
  Phone:  +1 201 934-3414 x20 (Business)
  Fax:    +1 201 934-9206

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jim Matuska
  Sent: Tuesday, May 17, 2005 01:27 PM
  To: sniffer@SortMonster.com
  Subject: [sniffer] New Spam Storm

  Is anyone else seeing a huge amount of spam 
  increase over the last couple days.  Most is being caught by sniffer but 
  the overall number of messages especially foreign language spam messages seems 
  to be very high.

  Jim Matuska Jr.
  Computer Tech2, CCNA
  Nez Perce Tribe
  Information Systems
  [EMAIL PROTECTED]


Re: [sniffer] New Spam Storm

2005-05-17 Thread Jim Matuska
I think that is it, do the links in the messages go to the virus rather than 
the normal attachment method to avoid the virus scanners?

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]
- Original Message - 
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: "Jim Matuska" 
Sent: Tuesday, May 17, 2005 10:38 AM
Subject: Re: [sniffer] New Spam Storm


On Tuesday, May 17, 2005, 1:27:25 PM, Jim wrote:

JM> Is anyone else seeing a huge amount of spam  increase over
JM> the last couple days. Most is being caught by sniffer but  the
JM> overall number of messages especial foreign language spam messages
JM> seems to  be very high.

You are probably seeing the "German sober" virus - which sends out a
huge volume of spam pointing at various sites --- mostly concerned
with WW2.

That one has proved to be quite prolific.

Not only that - but outscatter from it and complaints about it with
copies of the message are also quite high right now.

Think this is it?

_M



[sniffer] New Spam Storm

2005-05-17 Thread Jim Matuska



Is anyone else seeing a huge amount of spam increase over the last couple 
days?  Most is being caught by sniffer but the overall number of messages, 
especially foreign language spam messages, seems to be very high.

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]


[sniffer] Setting up notification to users on Spam Folder messages Mdaemon

2005-04-25 Thread Jim Matuska



Does anyone know a way I could set up digest-style notifications in Mdaemon 
so that messages copied to a user's spam folder would be provided 
notification digest messages letting them know they should check their spam 
folder if need be?  Also, is there a way I can set up an autopurge feature so 
every couple weeks each user's spam directory is purged of old messages?

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]


Re: [sniffer] Message Sniffer Plugin for MDaemon Wide Beta & Promo

2005-04-22 Thread Jim Matuska
Thanks Jorge,
That was exactly what I needed.
Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]
- Original Message - 
From: "Jorge Asch" <[EMAIL PROTECTED]>
To: 
Sent: Wednesday, April 20, 2005 7:05 PM
Subject: [sniffer] Message Sniffer Plugin for MDaemon Wide Beta & Promo


Put this in local.cf in your /rules directory under SpamAssassin, for 
having SA score SNF matches

header MESSAGE_SNIFFER X-SortMonster-MessageSniffer-Result =~ /([1-63])/
describe MESSAGE_SNIFFER Flagged by message sniffer  (www.sortmonster.com)
score MESSAGE_SNIFFER 8.0



This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
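How the pattern in the rule quoted above behaves, as an added example that is not part of the original posts: in a regular expression `[1-63]` is a set of single characters (the range 1-6 plus 3), not the numeric range 1 to 63, and Python's `re` treats the class the same way as the Perl engine SpamAssassin uses. The stricter pattern assumes the header value is a bare decimal result code with 0 meaning "no rule matched"; that format is an assumption, not something stated in the thread.

```python
import re

# Pattern exactly as posted in the SpamAssassin rule above.
POSTED = re.compile(r"([1-63])")

# Assumed alternative: the whole header value is a decimal code 1..63.
# (Assumption: the header carries only the numeric result code.)
STRICT = re.compile(r"^\s*(?:[1-9]|[1-5][0-9]|6[0-3])\s*$")


def class_members():
    """Single digits accepted by the character class [1-63]."""
    return "".join(d for d in "0123456789" if re.fullmatch(r"[1-63]", d))


def audit(pattern, lo=0, hi=99):
    """Compare a pattern against the intended range 1..63.

    Returns (missed, extra):
      missed - codes in 1..63 the pattern does not flag
      extra  - values in lo..hi outside 1..63 that it flags anyway
    """
    missed = [n for n in range(1, 64) if not pattern.search(str(n))]
    extra = [
        n
        for n in range(lo, hi + 1)
        if not 1 <= n <= 63 and pattern.search(str(n))
    ]
    return missed, extra


if __name__ == "__main__":
    print("digits in [1-63]:", class_members())
    for name, pat in (("posted", POSTED), ("strict", STRICT)):
        missed, extra = audit(pat)
        print(f"{name}: missed={missed} extra={extra}")
```

Because the posted pattern is also unanchored, it fires on any header value that contains a digit from 1 to 6 anywhere, which is why values such as 64 or 91 are flagged while 7, 8 and 9 are not.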


Re: Re[6]: [sniffer] Message Sniffer Plugin for MDaemon Wide Beta & Promo

2005-04-21 Thread Jim Matuska
That sounds like exactly what I would like to do.  Do you have any 
instructions on how to set SpamAssassin to act based on the sniffer results?

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]
- Original Message - 
From: "Jorge Asch" <[EMAIL PROTECTED]>
To: 
Sent: Wednesday, April 20, 2005 7:05 PM
Subject: Re: Re[6]: [sniffer] Message Sniffer Plugin for MDaemon Wide Beta & 
Promo


Since SNF runs before SpamAssassin, I created a filter for SpamAssassin, so 
if the message was flagged by Sniffer, then SpamAssassin would give it a 
higher score. That way I don't have to deal with rules for both spam 
filters, I just interpret SpamAssassin's result score...



Re: RE:Re: Re[4]: [sniffer] Message Sniffer Plugin for MDaemon Wide Beta & Promo

2005-04-20 Thread Jim Matuska
That will work, we are actually migrating from another email platform so I 
am doing this from scratch.  Is there any way I can set this rule to attach 
the original spam message to a warning message rather than move it to a 
separate directory, like you can for the built in spam tests in Mdaemon?

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]
- Original Message - 
From: "Peer-to-Peer (Support)" <[EMAIL PROTECTED]>
To: 
Sent: Wednesday, April 20, 2005 2:17 PM
Subject: RE:Re: Re[4]: [sniffer] Message Sniffer Plugin for MDaemon Wide 
Beta & Promo


_M I'll try this one,
Jim, you will keep all of your Content Filter rules the same 'except' you
will disable (or delete) the two Sniffer entries 'Run Message Sniffer' & 'Add
Headers'.  Those two functions will be generated from the plug-in.

Also,  if you are using the results codes (in the Content Filter) you will
need to change any instance of "X-SPAM-Msg-Sniffer-Result" TO
"X-SortMonster-MessageSniffer-Result" as indicated in the readme.txt file.
Paul R
-Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Jim Matuska
Sent: Wednesday, April 20, 2005 5:01 PM
To: sniffer@SortMonster.com
Subject: (DUMP)Re: Re[4]: [sniffer] Message Sniffer Plugin for MDaemon
Wide Beta & Promo
I meant do I configure actions based on the headers that sniffer returns
like in the non plug in version, or does the plugin do this automatically,
the documentation for the plug in is kind of vague in comparison to the
older version.
Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]
- Original Message -
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: "Jim Matuska" 
Sent: Wednesday, April 20, 2005 1:51 PM
Subject: Re[4]: [sniffer] Message Sniffer Plugin for MDaemon Wide Beta &
Promo

On Wednesday, April 20, 2005, 4:19:48 PM, Jim wrote:
JM> Do you configure rules similar to in the previous versions, or by using this
JM> as a plug in is there a GUI for configuration.
We configure the rulebase the same way we have in the past. Using the
plugin is not different from using the command line utility except
that the performance is better (faster) and the installation and
operation is simpler. The "service/subscription" part of Message
Sniffer has not changed.
---
We have a GUI web app for the rulebase (we use it every day), however
we have discovered through trial and error that a lot of specialized
training is required to keep the rulebase working correctly and that
one GUI does not suit many users... each group seems to need their
own!
We are working on plans for some simpler web apps in the future to
handle specialized tasks, however that too seems best handled in other
ways for the time being. For example, every system that provides
automation to their users for false positive handling and custom
black-rules seems to do it in their own special way --- so rather than
build a web app that doesn't really suit anyone we have adopted the
strategy of providing automation tools (such as our XML based REmote
SCripted Updater [RESCU] utility) and consulting to integrate each
customer's existing or planned automation efforts with their back-end
rulebase configuration. These efforts are usually reserved for larger
systems such as small ISPs and filtering service providers.
As always we want to support any third party efforts to provide
automation tools also. So far we haven't seen much in the way of GUI
automation, probably for the same reasons we haven't tackled it yet.
I think I may have answered more than the base question here - but I'm
hoping I've addressed some of the underlying questions.
_M



Re: Re[4]: [sniffer] Message Sniffer Plugin for MDaemon Wide Beta & Promo

2005-04-20 Thread Jim Matuska
I meant do I configure actions based on the headers that sniffer returns 
like in the non plug in version, or does the plugin do this automatically, 
the documentation for the plug in is kind of vague in comparison to the 
older version.

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]
- Original Message - 
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: "Jim Matuska" 
Sent: Wednesday, April 20, 2005 1:51 PM
Subject: Re[4]: [sniffer] Message Sniffer Plugin for MDaemon Wide Beta & 
Promo


On Wednesday, April 20, 2005, 4:19:48 PM, Jim wrote:
JM> Do you configure rules similar to in the previous versions, or by using this
JM> as a plug in is there a GUI for configuration.

We configure the rulebase the same way we have in the past. Using the
plugin is not different from using the command line utility except
that the performance is better (faster) and the installation and
operation is simpler. The "service/subscription" part of Message
Sniffer has not changed.
---
We have a GUI web app for the rulebase (we use it every day), however
we have discovered through trial and error that a lot of specialized
training is required to keep the rulebase working correctly and that
one GUI does not suit many users... each group seems to need their
own!
We are working on plans for some simpler web apps in the future to
handle specialized tasks, however that too seems best handled in other
ways for the time being. For example, every system that provides
automation to their users for false positive handling and custom
black-rules seems to do it in their own special way --- so rather than
build a web app that doesn't really suit anyone we have adopted the
strategy of providing automation tools (such as our XML based REmote
SCripted Updater [RESCU] utility) and consulting to integrate each
customer's existing or planned automation efforts with their back-end
rulebase configuration. These efforts are usually reserved for larger
systems such as small ISPs and filtering service providers.
As always we want to support any third party efforts to provide
automation tools also. So far we haven't seen much in the way of GUI
automation, probably for the same reasons we haven't tackled it yet.
I think I may have answered more than the base question here - but I'm
hoping I've addressed some of the underlying questions.
_M



Re: Re[2]: [sniffer] Message Sniffer Plugin for MDaemon Wide Beta & Promo

2005-04-20 Thread Jim Matuska
Do you configure rules similar to in the previous versions, or by using this 
as a plug in is there a GUI for configuration.

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]
- Original Message - 
From: "Dave Koontz" <[EMAIL PROTECTED]>
To: 
Sent: Wednesday, April 20, 2005 12:36 PM
Subject: RE: Re[2]: [sniffer] Message Sniffer Plugin for MDaemon Wide Beta & 
Promo


Pete, I've been using this plugin for the last couple of months and can say
it's been rock solid.  Nice work!

One little feature request though would be to add an option to auto prune
the sniffer log file to so many days, or "X" kilobytes.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Pete McNeil
Sent: Wednesday, April 20, 2005 1:45 PM
To: Jim Matuska
Subject: Re[2]: [sniffer] Message Sniffer Plugin for MDaemon Wide Beta &
Promo
On Wednesday, April 20, 2005, 1:15:37 PM, Jim wrote:
JM> Pete,
JM> Should we change the license info in the plugin.cfg file to match
JM> our license info or should we wait to do so until the release version
JM> comes out?
Please go ahead and make the change. The current code is considered to be
production ready. Any changes prior to release will be minor additions, and
it is likely there will be no changes... that is, unless someone reports a
bug ;-)

The new plugin is clearly the preferable Message Sniffer implementation for
MDaemon.

Best,
_M



Re: Re[2]: [sniffer] Message Sniffer Plugin for MDaemon Wide Beta & Promo

2005-04-20 Thread Jim Matuska
Pete,
Is there a difference between the normal .snf files I have been downloading 
and the one for the plugin?  I have setup my script to download the .snf 
file and noticed it is a couple mb's smaller than the included demo .snf 
file.

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]
- Original Message - 
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: "Jim Matuska" 
Sent: Wednesday, April 20, 2005 10:45 AM
Subject: Re[2]: [sniffer] Message Sniffer Plugin for MDaemon Wide Beta & 
Promo


On Wednesday, April 20, 2005, 1:15:37 PM, Jim wrote:
JM> Pete,
JM> Should we change the license info in the plugin.cfg file to match our
JM> license info or should we wait to do so until the release version comes out?

Please go ahead and make the change. The current code is considered to
be production ready. Any changes prior to release will be minor
additions, and it is likely there will be no changes... that is,
unless someone reports a bug ;-)
The new plugin is clearly the preferable Message Sniffer
implementation for MDaemon.
Best,
_M



Re: [sniffer] Message Sniffer Plugin for MDaemon Wide Beta & Promo

2005-04-20 Thread Jim Matuska
Pete,
Should we change the license info in the plugin.cfg file to match our 
license info or should we wait to do so until the release version comes out?

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]
- Original Message - 
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: 
Sent: Monday, April 18, 2005 3:57 PM
Subject: [sniffer] Message Sniffer Plugin for MDaemon Wide Beta & Promo


Hello Sniffer folks,
 For those of you who are MDaemon users and may not know, we have
 developed a plugin version of Message Sniffer that works on the
 latest version of MDaemon (v8).
 The folks on the MDaemon beta list have had access to it for a while
 now and it has been working well. There are no known bugs at this
 time :-).
 You can find the plugin on the MDaemon installation page of our
 site:
 http://www.sortmonster.com/MessageSniffer/Installation/MDaemon.html
 The plugin is VERY, VERY fast and much easier to use than the
 command line utility. If you are still using the command line
 utility I highly recommend that you switch to the plugin version
 right away :-)
 Now that version 8 of MDaemon is out, it is time to finish testing
 this new version and to get the word out. To help with testing, we
 have been providing a fully updated rulebase to our beta testers. To
 help with this next phase of testing we are making this fully
 updated license public for MDaemon users who want to try the new
 plugin!! :-) This will only last until the end of April though ;-)
 Please help us to get the word out about this -- tell all your
 MDaemon friends what they have been missing. Most of our customers
 come from your recommendations and we really appreciate that.
 Remember to tell your friends to let us know about your help when
 they purchase Message Sniffer so that we can give you your free
 month!
 Every new user makes Message Sniffer more powerful!
 Thanks for all your help!
Best,
_M
Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)



Re: [sniffer] Smartermail

2005-03-15 Thread Jim Matuska
You might want to check into Mdaemon as well.  You won't be able to run 
declude on it (at least for now), but sniffer will integrate with it.  We 
are in the process of switching from Imail to Mdaemon.  Mdaemon has lots of 
cool features including AV, Collaboration Features, and Efax.  It is priced 
somewhat reasonable too.  You might want to check out their website 
www.altn.com

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]
- Original Message - 
From: "sniffer" <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, March 15, 2005 8:08 AM
Subject: [sniffer] Smartermail


Hello sniffer list,
Like so many declude/sniffer users, we have been using IMail for the past 
seven years and currently host mail for about 1600 domains/5000 users.

We are going to be moving to another mail package (you know why) and I 
know I have seen some comments on this list regarding making the move to 
Smartermail.

From what I can see, Smartermail is *almost* there, but still lacks in a 
few areas.

I am looking for feedback from recent IMail to Smartermail converts -- 
the good, the bad and the ugly...

Thanks, Steve.


Re: [sniffer] Sniffer Notifications now failing declude spamheaderstest

2005-01-03 Thread Jim Matuska



Thanks, I have disabled spamheaders for now.

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]

  - Original Message - 
  From: Matt
  To: sniffer@SortMonster.com
  Sent: Monday, January 03, 2005 8:08 AM
  Subject: Re: [sniffer] Sniffer Notifications now failing declude spamheaderstest

  Jim,

  See the Declude list, it is a Declude problem

  In short, turn off SPAMHEADERS by commenting out the test.  It has a bug
  with 2005 years in the date header.  They should be coming out with a fix
  shortly.

  Matt

  Jim Matuska wrote:

    Has anything changed recently in the format of the sniffer notification
    messages?  I am noticing all the notifications for the last few days have
    been failing decludes spamheaders test, this hasn't happened before.

    Jim Matuska Jr.
    Computer Tech2, CCNA
    Nez Perce Tribe
    Information Systems
    [EMAIL PROTECTED]
 
 -- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=


Re: [sniffer] Sniffer Notifications now failing declude spamheaders test

2005-01-03 Thread Jim Matuska



Another update too, it looks like the sniffer mailing list messages are 
failing spamheaders as well.

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]

  - Original Message - 
  From: Jim Matuska
  To: sniffer@SortMonster.com
  Sent: Monday, January 03, 2005 8:02 AM
  Subject: [sniffer] Sniffer Notifications now failing declude spamheaders test

  Has anything changed recently in the format of the sniffer notification
  messages?  I am noticing all the notifications for the last few days have
  been failing decludes spamheaders test, this hasn't happened before.

  Jim Matuska Jr.
  Computer Tech2, CCNA
  Nez Perce Tribe
  Information Systems
  [EMAIL PROTECTED]
   
   


[sniffer] Sniffer Notifications now failing declude spamheaders test

2005-01-03 Thread Jim Matuska



Has anything changed recently in the format of the sniffer notification 
messages?  I am noticing all the notifications for the last few days have 
been failing decludes spamheaders test, this hasn't happened before.

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]
 
 


Re: [sniffer] Downloads are slow...

2004-12-28 Thread Jim Matuska
As far as I understand it wget is comparing the date stamp on the file in 
the local directory to the date stamp on the file at sortmonster.net, if it's 
not don't download the file, if it is do download it.

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]
- Original Message - 
From: "Darrell ([EMAIL PROTECTED])" <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, December 28, 2004 11:38 AM
Subject: Re: [sniffer] Downloads are slow...


Quick question if when you have a successful download if abcdef.new is 
renamed then what is wget comparing on the next run of the script?
Darrell

Jim Matuska writes:
So far it seems to be working, at least it doesn't seem to be downloading 
the rulebase yet, I'll have to see if it does later when there is an 
updated rulebase.  My script uses a copy at the end rather than a move. 
It's listed below for reference.  Do you see any issues?

wget -N http://www.sortmonster.net/Sniffer/Updates/fp0o4jye.snf -O abcdefg.new --http-user=* --http-passwd=*
if exist abcdefg.new goto Replace
goto Done
:Replace
rename abcdefg.new abcdefg.tst
snf2check.exe abcdefg.tst abcdefg
if errorlevel 1 goto Done
echo New File Tested GOOD!
if exist abcdefg.old del abcdefg.old
rename abcdefg.snf abcdefg.old
rename abcdefg.tst abcdefg.snf
copy /V /Y abcdefg.snf C:\sniffer\abcdefg.snf
:Done
if exist abcdefg.tst del abcdefg.tst

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]

- Original Message - 
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: "Jim Matuska" 
Sent: Tuesday, December 28, 2004 11:12 AM
Subject: Re[2]: [sniffer] Downloads are slow...

On Tuesday, December 28, 2004, 12:49:21 PM, Jim wrote:
JM> I agree that something needs to be done about the update scripts that are
JM> inadvertently downloading the full rulebase all the time.  I didn't even
JM> know it but we were doing this until I went through our update script again
JM> this morning and found it didn't have the -N option in Wget, so we were

Watch out - you may still have not fixed it. One of the tricks with
the -N option is that the file downloaded previously must still be in
its place for the comparison. If it has been moved then the -N will
not matter.
This makes things a little bit more complex since you can't download a
rulebase file on top of the one that is running.
_M


Check out http://www.invariantsystems.com for utilities for Declude And 
Imail.  IMail/Declude Overflow Queue Monitoring, MRTG Integration, and Log 
Parsers.



Re: Re[2]: [sniffer] Downloads are slow...

2004-12-28 Thread Jim Matuska
Update, I just launched my script and it is downloading just fine.  In my 
case it was as simple as adding the -N option.

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]
- Original Message - 
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: "Jim Matuska" 
Sent: Tuesday, December 28, 2004 11:12 AM
Subject: Re[2]: [sniffer] Downloads are slow...


On Tuesday, December 28, 2004, 12:49:21 PM, Jim wrote:
JM> I agree that something needs to be done about the update scripts that are
JM> inadvertently downloading the full rulebase all the time.  I didn't even
JM> know it but we were doing this until I went through our update script again
JM> this morning and found it didn't have the -N option in Wget, so we were

Watch out - you may still have not fixed it. One of the tricks with
the -N option is that the file downloaded previously must still be in
its place for the comparison. If it has been moved then the -N will
not matter.
This makes things a little bit more complex since you can't download a
rulebase file on top of the one that is running.
_M



Re: Re[2]: [sniffer] Downloads are slow...

2004-12-28 Thread Jim Matuska
So far it seems to be working, at least it doesn't seem to be downloading 
the rulebase yet, I'll have to see if it does later when there is an updated 
rulebase.  My script uses a copy at the end rather than a move.  It's listed 
below for reference.  Do you see any issues?

wget -N http://www.sortmonster.net/Sniffer/Updates/fp0o4jye.snf -O abcdefg.new --http-user=* --http-passwd=*
if exist abcdefg.new goto Replace
goto Done
:Replace
rename abcdefg.new abcdefg.tst
snf2check.exe abcdefg.tst abcdefg
if errorlevel 1 goto Done
echo New File Tested GOOD!
if exist abcdefg.old del abcdefg.old
rename abcdefg.snf abcdefg.old
rename abcdefg.tst abcdefg.snf
copy /V /Y abcdefg.snf C:\sniffer\abcdefg.snf
:Done
if exist abcdefg.tst del abcdefg.tst

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]

- Original Message - 
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: "Jim Matuska" 
Sent: Tuesday, December 28, 2004 11:12 AM
Subject: Re[2]: [sniffer] Downloads are slow...


On Tuesday, December 28, 2004, 12:49:21 PM, Jim wrote:
JM> I agree that something needs to be done about the update scripts that are
JM> inadvertently downloading the full rulebase all the time.  I didn't even
JM> know it but we were doing this until I went through our update script again
JM> this morning and found it didn't have the -N option in Wget, so we were

Watch out - you may still have not fixed it. One of the tricks with
the -N option is that the file downloaded previously must still be in
its place for the comparison. If it has been moved then the -N will
not matter.
This makes things a little bit more complex since you can't download a
rulebase file on top of the one that is running.
_M



This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
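The update flow discussed in this thread, modelled as an added example (not code from the thread or from Message Sniffer): it shows why a timestamp check in the spirit of `wget -N` transfers the file on every run when the download is renamed away afterwards, and how comparing against a retained last-good copy skips unchanged files while a failed validation leaves the live rulebase untouched. File names, timestamps, file bodies and the validator are constructed stand-ins, and no network is used.

```python
import os
import shutil
import tempfile
from pathlib import Path

# Constructed timeline: (server Last-Modified, body) seen on four scheduled runs.
SERVER_STATES = [
    (1000.0, b"RULES v1"),
    (1000.0, b"RULES v1"),    # nothing new published
    (2000.0, b"RULES v2"),    # update published
    (3000.0, b"<html>502"),   # truncated transfer or error page
]


def looks_valid(path: Path) -> bool:
    """Stand-in for the snf2check.exe step (hypothetical check)."""
    return path.read_bytes().startswith(b"RULES")


def needs_download(compared: Path, remote_mtime: float) -> bool:
    """Fetch only if there is no local file at the compared name,
    or the server copy is newer than it."""
    return not compared.exists() or compared.stat().st_mtime < remote_mtime


def run_update(work: Path, live: Path, remote_mtime: float, body: bytes,
               compare_name: str) -> str:
    """One scheduled run; returns 'skipped', 'installed' or 'rejected'."""
    if not needs_download(work / compare_name, remote_mtime):
        return "skipped"
    new = work / "rulebase.new"
    new.write_bytes(body)                        # stands in for the transfer
    os.utime(new, (remote_mtime, remote_mtime))  # keep the server timestamp
    if not looks_valid(new):
        new.unlink()                             # never touch the live copy
        return "rejected"
    os.replace(new, work / "rulebase.snf")       # download is renamed away
    staged = live / "rulebase.snf.tmp"
    shutil.copy2(work / "rulebase.snf", staged)  # copy beside the live file,
    os.replace(staged, live / "rulebase.snf")    # then swap in one step
    return "installed"


def simulate(compare_name: str):
    """Replay SERVER_STATES; returns (outcomes, bytes of the live rulebase)."""
    with tempfile.TemporaryDirectory() as root:
        work, live = Path(root, "work"), Path(root, "live")
        work.mkdir()
        live.mkdir()
        outcomes = [run_update(work, live, mtime, body, compare_name)
                    for mtime, body in SERVER_STATES]
        return outcomes, (live / "rulebase.snf").read_bytes()


def transfers(outcomes) -> int:
    """Number of runs that pulled the file from the server."""
    return sum(1 for o in outcomes if o != "skipped")


if __name__ == "__main__":
    for name in ("rulebase.new", "rulebase.snf"):
        outcomes, live_bytes = simulate(name)
        print(name, outcomes, transfers(outcomes), live_bytes)
```

Comparing against `rulebase.new` models the case Pete McNeil warns about, where the previously downloaded file is no longer in place; comparing against `rulebase.snf` models keeping it there.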


Re: [sniffer] Downloads are slow...

2004-12-28 Thread Jim Matuska
I agree that something needs to be done about the update scripts that are 
inadvertently downloading the full rulebase all the time.  I didn't even 
know it but we were doing this until I went through our update script again 
this morning and found it didn't have the -N option in Wget, so we were 
downloading the entire rulebase whether we needed it or not.  The gzip 
compression is cool, and I will likely implement it soon, but I think the 
major problem is everyone that is using scripts that keep downloading the 
same file over and over again tying up the bandwidth.

I would recommend 2 things to help alleviate this problem:
1.  Monitor connections to rulebase downloads to see who is downloading the 
rulebase every time they connect on a schedule to determine who has their 
scripts set up wrong, and contact them to correct it.  It took me under a 
minute to add the -N option to wget, it should be a no brainer.

2.  Correct the scripts posted on the Sniffer website to include date 
checking, and possibly gzip compression, I used one of those scripts for our 
system and assumed it would be setup correctly, but it was not.

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]
- Original Message - 
From: "Matt" <[EMAIL PROTECTED]>
To: 
Sent: Monday, December 27, 2004 10:03 PM
Subject: Re: [sniffer] Downloads are slow...


I agree entirely.  If bandwidth has become an issue, it would be resolved 
with a focus on producing very tight and easily customizable scripts (a 
variables section in the top of the scripts).  I believe that going the 
VBScript route might be the best way to go, or at least I believe that more 
of us can hack a more involved VBScript than a batch or CMD file. 
Enforcing compressed downloads and checking for timestamps prior to 
downloading should be done in these scripts as well.

Right now the script examples assume a familiarity with scripting, and 
while local participants can mostly handle that stuff, the non-vocal ones 
are most likely to not even be aware of the issues or how to fix them, and 
might have scripted timed downloads because it is definitely the easiest 
way to go.  This is probably the majority of the customer base.  There is 
an impression for instance with Declude's user base that +80% use 
primarily the default config which most of us know is severely lacking in 
comparison to the potential that exists by tweaking the settings.

With better script examples and a careful step-by-step readme promoted in 
a mailing to your customers, I believe that this issue could go away, or 
at least theoretically it should.

Personally, I have mine tied to the E-mails, I download the zipped 
versions, I don't bother checking on the status, and have never noticed 
any issues as a result.  It would be a small shame if I was missing 
downloads due to timeouts, but not that big of a deal if this has never 
caused a noticeable problem.

Matt

Andy Schmidt wrote:
Pete,
With all due respect - I think the download problem is "self-inflicted",
because your web site is providing unsuitable examples to your customers!
Even with moderate bandwidth, your server would be able to handle tens of
thousands of hits a day.  Checking if an updated file exists should barely
be noticeable - as long as it doesn't result in an unnecessary download.
You probably suffer TWO problems:
A) Most of your customers are downloading rules based on a schedule, even if
no rules exist. Potential savings: 100% per download attempt.

B) Your customers are not downloading "compressed" rule files. Potential 
savings: about 66%, but that's not bad either.

One likely explanation is that at least THREE of your sample scripts do an
unconditional and uncompressed download!  Here are the 3 URLs you list on your
web site and the WGET command they are using:

http://www.sortmonster.com/MessageSniffer/Help/UserScripts/david_snifferUpdateMethod.zip
wget http://www.sortmonster.net/Sniffer/Updates/.snf -O .new --http-user=username --http-passwd=password

http://www.sortmonster.com/MessageSniffer/Help/UserScripts/Hank_SnifferScripts.zip
wget http://www.sortmonster.net/Sniffer/Updates/.snf -O .new --http-user=sniffer --http-passwd=ki11sp8m

http://www.sortmonster.com/MessageSniffer/Help/UserScripts/Michiel_AutoUpdate.zip
wget http://sniffer:[EMAIL PROTECTED]/Sniffer/Updates/12345678.snf -O .tst

My recommendation: Replace these with examples that implement conditional,
compressed downloading.

Best Regards
Andy Schmidt

H&M Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846

Phone:  +1 201 934-3414 x20 (Business)
Fax:    +1 201 934-9206

http://www.HM-Software.com/

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Pete McNeil
Sent: Monday, December 27, 2004 08:10 AM
To: Chuck Schick
Subject: Re: [sniffer] Downloads

Re: Re[2]: [sniffer] Sniffer Updates

2004-12-27 Thread Jim Matuska
Does anyone have any good instructions on how to modify your update scripts
to use gzip?

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]

  - Original Message -
  From: Tom Baker | Netsmith Inc
  To: sniffer@SortMonster.com
  Sent: Monday, December 27, 2004 10:43 AM
  Subject: Re: Re[2]: [sniffer] Sniffer Updates

  Automate harassment reminders to those of us not using it. :)

  I think I'll go enable gzip tonight

  -Original Message-
  From: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
  To: Landry William <sniffer@SortMonster.com>
  Sent: Mon Dec 27 12:36:06 2004
  Subject: Re[2]: [sniffer] Sniffer Updates

  On Monday, December 27, 2004, 12:46:19 PM, Landry wrote:

  LW> Are folks taking advantage of the "wget" compression option before
  LW> downloading their rulebase updates?  If the slow download speeds are a
  LW> bandwidth saturation issue on the Sniffer end, this would certainly cut down
  LW> on the bandwidth requirements on their end and increase the download times
  LW> for everyone.

  LW> Also, I've got to ask, if the downloads are happening "behind the scenes",
  LW> by an automated or triggered download, why the concern about speeds, as long
  LW> as your downloads are successful?

  From what I've seen in the logs, only about 5% of folks are taking
  advantage of gzip right now.

  Also, I did some incantations on the log (grep, awk, uniq etc) and
  came up with just under half of our customers downloading their
  rulebase between 1200 and 1300 today. That's between 2 and 3 times as
  many as should have done it ;-) -- so the backlog is explainable.

  This kind of thing happens for lots of reasons and there are a lot of
  ways to mitigate the problem.

  A big one on the list - certainly - is using the gzip capability. With
  only 5% of folks using this and average compression ratios well above
  50% there is plenty of room to "make a big dent" in this.

  _M

  This E-Mail came from the Message Sniffer mailing list. For information and
  (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
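The conditional, compressed download recommended above, combined with a check for the interrupted transfers reported elsewhere in this thread, as an added Python example (not from the list and not one of Message Sniffer's own scripts). The function names, the `rulebase.snf` file name and the sample responses are constructed for illustration, and authentication is left out.

```python
import gzip
import os
import tempfile
import urllib.error
import urllib.request
import zlib
from email.utils import formatdate, parsedate_to_datetime


def request_headers(local_path):
    """Headers that make the GET conditional and ask for a gzip body."""
    headers = {"Accept-Encoding": "gzip"}
    if os.path.exists(local_path):
        # The server can answer 304 (no body) unless its copy is newer.
        stamp = formatdate(os.path.getmtime(local_path), usegmt=True)
        headers["If-Modified-Since"] = stamp
    return headers


def install_update(status, headers, body, local_path):
    """Apply one HTTP response; return 'unchanged' or 'installed'.

    Raises ValueError, leaving the current rulebase untouched, when the
    response is truncated, corrupt or empty.
    """
    if status == 304:
        return "unchanged"
    if status != 200:
        raise ValueError(f"unexpected HTTP status {status}")
    hdr = {k.lower(): v for k, v in headers.items()}
    # Content-Length counts the bytes on the wire (the compressed body), so
    # compare before decompressing: a dropped connection shows up here.
    expected = hdr.get("content-length")
    if expected is not None and int(expected) != len(body):
        raise ValueError(f"truncated: got {len(body)} of {expected} bytes")
    if hdr.get("content-encoding", "").lower() == "gzip":
        try:
            body = gzip.decompress(body)
        except (OSError, EOFError, zlib.error) as exc:
            raise ValueError("corrupt gzip body") from exc
    if not body:
        raise ValueError("empty rulebase")
    # Write beside the target, then rename over it, so the scanner never
    # sees a half-written file.
    directory = os.path.dirname(os.path.abspath(local_path))
    fd, tmp = tempfile.mkstemp(dir=directory, suffix=".new")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(body)
            fh.flush()
            os.fsync(fh.fileno())
        # Keep the server's timestamp so the next If-Modified-Since matches it.
        if "last-modified" in hdr:
            ts = parsedate_to_datetime(hdr["last-modified"]).timestamp()
            os.utime(tmp, (ts, ts))
        os.replace(tmp, local_path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return "installed"


def fetch(url, local_path, timeout=60):
    """One update attempt against `url` (hypothetical; supply your own)."""
    req = urllib.request.Request(url, headers=request_headers(local_path))
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return install_update(resp.status, dict(resp.headers.items()),
                                  resp.read(), local_path)
    except urllib.error.HTTPError as err:
        if err.code == 304:  # urllib reports "not modified" as an error
            return "unchanged"
        raise


def demo():
    """Feed constructed responses (not captured traffic) to install_update."""
    rules = b"constructed rulebase bytes\n" * 1000
    packed = gzip.compress(rules)
    ok = {"Content-Encoding": "gzip", "Content-Length": str(len(packed)),
          "Last-Modified": "Mon, 27 Dec 2004 17:00:00 GMT"}
    results = []
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "rulebase.snf")
        results.append(install_update(200, ok, packed, path))
        results.append(request_headers(path)["If-Modified-Since"])
        results.append(install_update(304, {}, b"", path))
        try:  # connection closed half way through the body
            install_update(200, ok, packed[:len(packed) // 2], path)
        except ValueError:
            results.append("rejected")
        with open(path, "rb") as fh:
            results.append(fh.read() == rules)
    return results


if __name__ == "__main__":
    print(demo())
```

A scheduled job built on `fetch` costs the server only a header exchange when nothing has changed, and a failed or partial transfer never replaces the rulebase in use.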


Re: [sniffer] Sniffer Updates

2004-12-27 Thread Jim Matuska



It's actually getting worse now with a timed out transfer and now under 1k a sec:

Resolving www.sortmonster.net... done.
Connecting to www.sortmonster.net[216.88.37.61]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 11,104,576 [application/x-sortmonster]

19% [==>  ] 2,141,361  2.99K/s    ETA 48:46

09:29:12 (2.99 KB/s) - Connection closed at byte 2141361. Retrying.

Connecting to www.sortmonster.net[216.88.37.61]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 11,104,576 [application/x-sortmonster]

 0% [ ] 87,921   993.81B/s  ETA 3:04:45

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]
- Original Message -
From: "Jim Matuska" <[EMAIL PROTECTED]>
To: <sniffer@SortMonster.com>
Sent: Monday, December 27, 2004 9:22 AM
Subject: Re: [sniffer] Sniffer Updates

> I too am seeing really slow speeds, I'm running an update now and it is only
> downloading at about 3k/sec.  Pretty bad considering we have 2 T1's and a
> DS3 none of which have much traffic on them this morning.
>
> Jim Matuska Jr.
> Computer Tech2, CCNA
> Nez Perce Tribe
> Information Systems
> [EMAIL PROTECTED]
> - Original Message -
> From: "Russ Uhte" <[EMAIL PROTECTED]>
> To: <sniffer@SortMonster.com>
> Sent: Monday, December 27, 2004 8:45 AM
> Subject: Re: [sniffer] Sniffer Updates
>
>> Kevin Stanford wrote:
>>> Our updates seem to be taking a very long time. I am 85% updated and the
>>> ETA shows 07:00. Is it me?
>>
>> I see stuff like this come and go...  Our updates are (finally) triggered
>> from the email notifications...  Below is a snippet of the last update
>> that shows exactly what speeds we saw, which ran at 10:45 EST this
>> morning...  Every once in a while, I will see it slow down to about 8KB/s,
>> but rarely slower than that...
>>
>> Thanks,
>> Russ
>>
>> (This will probably wrap and look real ugly, but the last number is the
>> average download speed for that part of the download...)
>>
>>     0K .. .. .. .. ..  0% 110.38 KB/s
>>    50K .. .. .. .. ..  1% 160.26 KB/s
>>   100K .. .. .. .. ..  2% 71.12 KB/s
>>   150K .. .. .. .. ..  3% 110.13 KB/s
>>   200K .. .. .. .. ..  4% 118.76 KB/s
>>   250K .. .. .. .. ..  5% 145.35 KB/s
>>   300K .. .. .. .. ..  6% 168.35 KB/s
>>   350K .. .. .. .. ..  7% 168.35 KB/s
>>   400K .. .. .. .. ..  8% 168.35 KB/s
>>   450K .. .. .. .. ..  9% 160.26 KB/s
>>   500K .. .. .. .. .. 10% 159.74 KB/s
>>   550K .. .. .. .. .. 11% 188.68 KB/s
>>   600K .. .. .. .. .. 12% 177.30 KB/s
>>   650K .. .. .. .. .. 13% 168.35 KB/s
>>   700K .. .. .. .. .. 14% 177.94 KB/s
>>   750K .. .. .. .. .. 15% 168.35 KB/s
>>   800K .. .. .. .. .. 16% 177.94 KB/s
>>   850K .. .. .. .. .. 17% 168.35 KB/s
>>   900K .. .. .. .. .. 18% 168.35 KB/s
>>   950K .. .. .. .. .. 19% 168.35 KB/s
>>  1000K .. .. .. .. .. 20% 168.92 KB/s
>>  1050K .. .. .. .. .. 21% 159.74 KB/s
>>  1100K .. .. .. .. .. 22% 168.35 KB/s
>>  1150K .. .. .. .. .. 23% 177.94 KB/s
>>  1200K .. .. .. .. .. 24% 177.94 KB/s
>>  1250K .. .. .. .. .. 25% 159.74 KB/s
>>  1300K .. .. .. .. .. 26% 177.94 KB/s
>>  1350K .. .. .. .

Re: [sniffer] Sniffer Updates

2004-12-27 Thread Jim Matuska
I too am seeing really slow speeds, I'm running an update now and it is only 
downloading at about 3k/sec.  Pretty bad considering we have 2 T1's and a 
DS3 none of which have much traffic on them this morning.

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]
- Original Message - 
From: "Russ Uhte" <[EMAIL PROTECTED]>
To: 
Sent: Monday, December 27, 2004 8:45 AM
Subject: Re: [sniffer] Sniffer Updates


Kevin Stanford wrote:
Our updates seem to be taking a very long time. I am 85% updated and the 
ETA shows 07:00. Is it me?
I see stuff like this come and go...  Our updates are (finally) triggered 
from the email notifications...  Below is a snippet of the last update 
that shows exactly what speeds we saw, which ran at 10:45 EST this 
morning...  Every once in a while, I will see it slow down to about 8KB/s, 
but rarely slower than that...

Thanks,
Russ
(This will probably wrap and look real ugly, but the last number is the 
average download speed for that part of the download...)

    0K .. .. .. .. ..  0% 110.38 KB/s
   50K .. .. .. .. ..  1% 160.26 KB/s
  100K .. .. .. .. ..  2% 71.12 KB/s
  150K .. .. .. .. ..  3% 110.13 KB/s
  200K .. .. .. .. ..  4% 118.76 KB/s
  250K .. .. .. .. ..  5% 145.35 KB/s
  300K .. .. .. .. ..  6% 168.35 KB/s
  350K .. .. .. .. ..  7% 168.35 KB/s
  400K .. .. .. .. ..  8% 168.35 KB/s
  450K .. .. .. .. ..  9% 160.26 KB/s
  500K .. .. .. .. .. 10% 159.74 KB/s
  550K .. .. .. .. .. 11% 188.68 KB/s
  600K .. .. .. .. .. 12% 177.30 KB/s
  650K .. .. .. .. .. 13% 168.35 KB/s
  700K .. .. .. .. .. 14% 177.94 KB/s
  750K .. .. .. .. .. 15% 168.35 KB/s
  800K .. .. .. .. .. 16% 177.94 KB/s
  850K .. .. .. .. .. 17% 168.35 KB/s
  900K .. .. .. .. .. 18% 168.35 KB/s
  950K .. .. .. .. .. 19% 168.35 KB/s
 1000K .. .. .. .. .. 20% 168.92 KB/s
 1050K .. .. .. .. .. 21% 159.74 KB/s
 1100K .. .. .. .. .. 22% 168.35 KB/s
 1150K .. .. .. .. .. 23% 177.94 KB/s
 1200K .. .. .. .. .. 24% 177.94 KB/s
 1250K .. .. .. .. .. 25% 159.74 KB/s
 1300K .. .. .. .. .. 26% 177.94 KB/s
 1350K .. .. .. .. .. 27% 168.35 KB/s
 1400K .. .. .. .. .. 28% 168.35 KB/s
 1450K .. .. .. .. .. 29% 168.35 KB/s
 1500K .. .. .. .. .. 30% 168.35 KB/s
 1550K .. .. .. .. .. 31% 177.94 KB/s
 1600K .. .. .. .. .. 32% 168.35 KB/s
 1650K .. .. .. .. .. 33% 168.35 KB/s
 1700K .. .. .. .. .. 34% 168.92 KB/s
 1750K .. .. .. .. .. 35% 168.35 KB/s
 1800K .. .. .. .. .. 36% 159.74 KB/s
 1850K .. .. .. .. .. 37% 177.94 KB/s
 1900K .. .. .. .. .. 38% 91.41 KB/s
 1950K .. .. .. .. .. 39% 86.51 KB/s
 2000K .. .. .. .. .. 40% 86.51 KB/s
 2050K .. .. .. .. .. 41% 81.97 KB/s
 2100K .. .. .. .. .. 42% 97.09 KB/s
 2150K .. .. .. .. .. 43% 86.51 KB/s
 2200K .. .. .. .. .. 44% 81.97 KB/s
 2250K .. .. .. .. .. 45% 61.58 KB/s
 2300K .. .. .. .. .. 46% 60.39 KB/s
 2350K .. .. .. .. .. 47% 40.00 KB/s
 2400K .. .. .. .. .. 48% 159.74 KB/s
 2450K .. .. .. .. ...

[sniffer] Excess spam over the weekend

2004-12-27 Thread Jim Matuska



Is anyone else seeing a huge flood of spam over the weekend?  I have received
a ton of it since Friday, a lot of it is not being picked up by sniffer either.

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]


Re: [sniffer] Sniffer updates...

2004-12-22 Thread Jim Matuska
After much debate we decided to abandon Declude/Imail and switch to Mdaemon
and will migrate sniffer to the new platform.

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]

  - Original Message -
  From: Joe Wolf
  To: [EMAIL PROTECTED]
  Sent: Wednesday, December 22, 2004 6:41 AM
  Subject: [sniffer] Sniffer updates...

  I'm currently using Sniffer via Imail and Declude.  We all know that
  Ipswitch has lost their mind and is abandoning the small ISP, and now it
  seems that Declude has lost their way.  The new version of Declude is tied
  to a single MAC address.  That counts me out since I run multiple NIC's in
  the same machine and am multi-homed.  Their spyware "phone home" system is
  a violation of our security policies as well.

  That leads me to Sniffer.  I love the product.

  Does anyone have a complete list of mail servers that have direct support
  for Sniffer?  The Imail / Declude thing is too much to deal with and I'm
  going to make a change.

  Thanks,
  Joe


Re: [sniffer] Test ordering/precedence

2004-12-02 Thread Jim Matuska
Pete,
We have rules setup in declude based upon sniffer return codes 60 and 62 to 
mark all messages with those tests as spam, however we do not have any 61 or 
62 return codes setup.  Can you briefly explain what each of these groups 
includes and a false positive rate for each.

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]
- Original Message - 
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, December 02, 2004 11:31 AM
Subject: [sniffer] Test ordering/precedence


Hello Sniffer Folks,
 During a previous discussion in late September, it was generally
 agreed that it was time to re-order the priority of the experimental
 and generalized rule groups.
 I am going to begin that work today.
 The new ordering will be:
 63: Experimental Received [IP]
 62: Obfuscation
 61: Experimental Abstract
 60: General
 The concept of this priority is to give more specific rules a higher
 priority over less specific rules. So, for example, a spam text
 pattern or URI in the "General" group will have priority over an IP
 rule.
 By the end of the day these rule groups will have been renumbered.
 While this will have some subtle effects over time as the rulebase
 system "learns" some new structures, the most important short term
 effects will be seen by systems that give individual weights to each
 rule group.
 Please begin making the appropriate changes in your weighting
 schemes if you use them.
 Systems that do not use weighting schemes will not need to take any
 action.
Thanks,
_M
Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)



Re: [sniffer] MDaemon Opinion OT

2004-11-10 Thread Jim Matuska



Thanks for the info Jorge.

Pete, any idea when the direct plugin for Mdaemon will be available?

Also does anyone know if MDaemon has a way users can modify their spam
settings independent of a global policy or administrator set rules.  It would
be nice to let our users that complain about false positive lower their spam
setting and those that complain about anything getting through the spam
filters.

Jim Matuska Jr.
Computer Tech II
CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]

  - Original Message -
  From: Jorge Asch
  To: [EMAIL PROTECTED]
  Sent: Wednesday, November 10, 2004 10:26 AM
  Subject: Re: [sniffer] MDaemon Opinion OT

  Jim Matuska wrote:

    What is everyone's opinion of Mdaemon for Email/Groupware as well as
    integration with Sniffer.  We are looking at the possibility of switching
    from Imail to Mdaemon, anyone have an opinion on this or any thoughts,
    suggestions?

  MDaemon is a great piece of software. I've been using it since 2.85 (about
  6 years ago), and the developers are probably the best I've seen (about a
  tie with Microneil of course). You have new versions a couple of times a
  year, and they do keep up with new technologies and features... SPF, SA 3.0,
  DomainKeys, HashCash, etc.

  You can almost get replies from them 24/7/365 on their md-beta list (just
  like here) and not only that but the software is pretty powerful, and bugs
  are fixed fast on both final and beta releases.

  Also, MDaemon has a new API for plugins (with the 7.50 version that will be
  released soon), so MessageSniffer is being developed into a native plugin
  for mdaemon that integrates transparently with the system. It works great
  and its blazing fast...

  MDaemon has a 30-day evaluation period you can try out. Groupware as well
  (the addon that lets you integrate with Outlook Groupware functions).

  --
  Jorge Asch Revilla
  CONEXION DCR
  www.conexion.co.cr
  800-CONEXION



[sniffer] MDaemon Opinion OT

2004-11-10 Thread Jim Matuska



What is everyone's opinion of Mdaemon for Email/Groupware as well as
integration with Sniffer.  We are looking at the possibility of switching
from Imail to Mdaemon, anyone have an opinion on this or any thoughts,
suggestions?

Jim Matuska Jr.
Computer Tech II
CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]


[sniffer] Spam Link with 1639 port web link, possibly malicious?

2004-11-08 Thread Jim Matuska



Has anyone noticed an influx of email messages with spam type content that
seems to link to a 1639 port on a remote webserver.  I have had several
reports of these in the last half hour, some appear to be fake paypal scams,
one was porn related, but both link to the same site and one user actually
reported the message causing their PC to reboot.  Anyone else seen these?

Jim Matuska Jr.
Computer Tech II
CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]


[sniffer] Integrating Sniffer with new Imail Collaboration Suite

2004-10-27 Thread Jim Matuska
Is there a way to integrate message sniffer directly with the new Imail 
Collaboration Suite.  We are currently using it with Imail via declude, but 
that may change soon due to this latest Imail fiasco.  If we decide to 
migrate to the new Collaboration suite I need to know if we can use message 
sniffer directly or if we would need to use a 3rd party add in still such as 
declude (if a version is released that will work with the collaboration 
suite).  Any thoughts?

Jim Matuska Jr.
Computer Tech II
CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED] 



Re: [sniffer] Sniffer setup

2004-09-15 Thread Jim Matuska
Are you sure the useradd executable is in the directory you are running the
script from?
bash: useradd: command not found
I would think this would simply indicate that either useradd is not in the
directory, or maybe it is not set executable.

Jim Matuska Jr.
Computer Tech II
CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]
- Original Message - 
From: "Ken Scott" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, September 15, 2004 1:05 PM
Subject: [sniffer] Sniffer setup


Hello,
I'm setting sniffer on a redhat 9 machine,
i just started the setup and i'm getting this error:
[EMAIL PROTECTED] Source]# useradd -g 93 -u 93 -c "Spam Filter" -d /bin/false -s /bin/false snfilter
bash: useradd: command not found
[EMAIL PROTECTED] Source]# chown snfilter /var/spool/snfilter /var/spool/snfilter/msg
chown: `snfilter': invalid user
[EMAIL PROTECTED] Source]# cd /var/spool/snfilter
[EMAIL PROTECTED] snfilter]# chown snfilter sniffer snfrv2r3.exe snfrv2r3.snf
chown: `snfilter': invalid user
[EMAIL PROTECTED] snfilter]# chmod 500 snfrv2r3.exe sniffer
[EMAIL PROTECTED] snfilter]# chmod 600 snfrv2r3.snf
[EMAIL PROTECTED] snfilter]#
i was using the setup info from
http://sortmonster.com/MessageSniffer/Help/UserScripts/Readme_Postfix.txt
groupadd -g 93 snfilter
useradd -g 93 -u 93 -c "Spam Filter" -d /bin/false -s /bin/false snfilter
chown snfilter /var/spool/snfilter /var/spool/snfilter/msg
cd /var/spool/snfilter
chown snfilter sniffer snfrv2r3.exe snfrv2r3.snf
chmod 500 snfrv2r3.exe sniffer
chmod 600 snfrv2r3.snf

does any one know why this isn't working for me?
or know of some commands that would work instead of useradd?
thanks in advance for your time!
-ken


Re: [sniffer] Spam Leakage - last 2-3 weeks.

2004-09-15 Thread Jim Matuska
Thanks for the info Pete.  I will be enabling groups 60 and 62 and see
if we see many false positives.  Thanks for the quick response.

Jim Matuska Jr.
Computer Tech II
CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]
- Original Message - 
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, September 15, 2004 11:10 AM
Subject: [sniffer] Spam Leakage - last 2-3 weeks.


Hello Sniffer,
 I think we've identified the cause of some reports of spam leakage
 over the past few weeks.
 I've been testing submitted messages against customer rulebases and
 I've noted that in almost every case there were rules that matched
 the messages.
 One of the customers testing with me pointed out that the results
 from my test included primarily rules from group 60 and 62. These
 are the Experimental IP and Experimental Abstract rule groups
 respectively.
 After that I reviewed other test results and found a similar thread.
 We have been announcing on the list that the content of our
 Experimental rule groups has been changing and that we have made
 these groups significantly more accurate in recent weeks.
 One of the changes that we have also made in these weeks is that we
 have increased the number of rules that are generated automatically
 from our spamtraps. The auto-rule AI runs every 20 minutes, much
 more frequently than we can manually review the incoming spam, as a
 result the system is much more responsive to new spam.
 All of these rules are placed in the appropriate experimental rule
 groups. As a result, over the past few weeks a greater number of new
 rules have been generated in these groups rather than manually into
 other groups. This trend will continue over time.
 We have not (and probably will not) implemented a practice of
 recoding these rules to specific content categories because this
 would be of little value. It turns out that the vast majority of the
 rule candidates generated by the AI are of the type that spammers
 re-use for multiple campaigns. For example, we might see a Snake-oil
 spam, a porn-spam, and a get-rich spam all within the same week
 using the same throw-away domain detected by our AI.
 If you are using a weighting system such as Declude and you have
 not yet revisited your weights on group 60 and 62, then you are
 probably seeing more "spam leakage" as a result.
 I recommend that you review your weights using a combination of your
 current experiences and the spam test quality analysis found here:
 <http://www2.spamchk.com/public.html>
 One formula that you can use to derive your test weights from this
 analysis is W = (SA^2)*HOLD_WEIGHT. So, in the case of these two
 groups you might select these weights for your system:
 SNIFFER-IP(60), estimated accuracy 81%, (.81)*(.81) => .6561,
   recommended weight: 66% of hold weight.
 SNIFFER-EXP(62), estimated accuracy 92%, (.92)*(.92) => .8464,
   recommended weight: 85% of hold weight.
 We are continuing to refine these processes and improve our accuracy
 so it is a good idea to review these settings periodically for the
 best performance.
 The days of the Gray-Hosting group with a high false positive rate
 are long gone and will not return ;-)
Thanks,
_M
Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)



Re: [sniffer] Increase in FPs

2004-09-15 Thread Jim Matuska
Pete,
What about the Spam that seems to have been slipping through recently?  I 
have submitted half a dozen or so in the last 24 hours and I am still 
getting copies.  I also loaded the new version of sniffer yesterday but that 
did not change anything.

Jim Matuska Jr.
Computer Tech II
CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]
- Original Message - 
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: "Landry William" <[EMAIL PROTECTED]>
Sent: Tuesday, September 14, 2004 11:42 PM
Subject: Re: [sniffer] Increase in FPs


On Wednesday, September 15, 2004, 2:06:22 AM, Landry wrote:
LW> I have seen a fairly substantial increase on false positives
LW> today. I have submitted several FPs to the false@ address. Has
LW> there been a big change in the core rulebase today? I wouldn't
LW> think that upgrading to the new code this morning would cause
LW> this, would it?
No, the upgrade should not have this effect.
It appears that a number of secondary services we reference have had
problems recently such as SORBS and SURBL. I've been pushing false
processing to mitigate the problems quickly, we are adjusting our
tuning parameters for candidate generation, and will continue to
monitor conditions closely.
_M



Re: [sniffer] Surprising missed spam

2004-09-14 Thread Jim Matuska
I just forwarded half a dozen myself, they have been coming in for the last 
week or so, much more so than before.

Jim Matuska Jr.
Computer Tech II
CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]
- Original Message - 
From: "Agid, Corby" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, September 14, 2004 8:41 AM
Subject: RE: [sniffer] Surprising missed spam

To which address should I send these?
Also, I mis-stated the spam.  They were not plain text, but html, but 
clearly have many "classic" spam attributes.  I will send them along, but 
need to know where.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Monday, September 13, 2004 4:29 PM
To: Agid, Corby
Subject: Re: [sniffer] Surprising missed spam
On Monday, September 13, 2004, 7:22:03 PM, Corby wrote:
AC> Hello,
AC> I was surprised recently by some spam that got through without
AC> getting caught by the sniffer. We've been getting some plain text
AC> messages that have obvious spam words in the subject line. For
AC> example, a plain text message with "horny teenagers"
AC> came through. The content was also very spammy, but all plain text.
AC> I tried sending myself a few messages with standard spam phrases and
AC> none of them tripped any sniffer rules.
AC> Am I missing something?
Can you zip up some examples and send them to me?
I'm researching this issue right now and I need more data.
Thanks,
_M
PS: A number of word / phrase based rules have been dropped
from the core rule base due to false positives - not many,
but this might explain some of what you're seeing - I will
know more when I have some examples. If that's the case I can
always put the rules back in for your local rule base.




Re: [sniffer] Reporting - was: spam leakage up

2004-06-24 Thread Jim Matuska
HTML would be cool, even nicer would be an installer that would make it an
option under the Imail Administrator's web interface menu.

Jim Matuska Jr.
Computer Tech II
CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]
- Original Message - 
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: "Aaron Caviglia" <[EMAIL PROTECTED]>
Sent: Thursday, June 24, 2004 11:00 AM
Subject: [sniffer] Reporting - was: spam leakage up


> We are working on specs for real-time reporting out of Sniffer and
> haven't had a lot of feedback on the XML based format. We were looking
> at this format because, in theory anyway, it's easy to port into a
> database or even directly into a web page or other format.
>
> Am I guessing right that the reason we didn't get a lot of feedback is
> because not many folks can really use XML data in practice?
>
> Should we adopt a different format for a "real-time scoreboard"
> output file? Tab delimited? CSV? --- perhaps directly to HTML?
>
> (if HTML then I will continue with the XML concept and use DOM to read
> the XML as a data island and format the output - anybody have experience
> with this - it seems harder in practice than the examples let on.)
>
> Any thoughts would be appreciated.
>
> Thanks,
> _M
>
> (The idea of a "scoreboard" was to create some useful indicators that
> could be read in near real-time - without a lot of heavy lifting. At
> the time it seemed there was a pressing need for this kind of
> functionality. I'm beginning to wonder - I don't want to spend effort
> on something that nobody really cares about. There are plenty of other
> features planned that we could focus on. I need some feedback.
> Thanks!)
>
> On Thursday, June 24, 2004, 12:02:06 PM, Aaron wrote:
>
> AC> Thanks Herb but we don't have Coldfusion.
>
> AC> Looks great tho!
>
> AC> Aaron
> AC> www.vantech.net
>
> AC> On Jun 24, 2004, at 8:55 AM, Herb Guenther wrote:
>
> >>  I wrote a coldfusion page that parses the logs into a sql database
> >> every night, and then the display page you saw. If you have a
> >> coldfusion server I would be happy to give you the code.
> >>
> >>  Herb
> >>
> >>  Aaron J.Caviglia wrote:
> >>
> >> Herb,
> >>
> >>  How did you generate that SPAM report?
> >>
> >>  Thanks,
> >>  Aaron Caviglia
> >>  www.vantech.net
> >>
> >>  On Jun 24, 2004, at 8:46 AM, Herb Guenther wrote:
> >>
> >>
> >>  wow, that is even worse than we are seeing, we are at about 80%, but
> >> should really be at about 85% if all were tagged.
> >>
> >>  Here is our last weeks stats, we did not see an increase in volume,
> >> so much as the amount getting thru in the last couple days and
> >> continuing today.
> >>
> >>  Herb
> >>
> >>
> >>
> >>  SPAM Report
> >>
> >>  Statistics are based on the last 6,150,612 email messages received.
> >> You are viewing Server 1 Stats View Server 2 stats
> >>
> >>  Statistic           06/17   06/18   06/19   06/20   06/21   06/22   06/23   Weekly Total  Daily Avg.
> >>  Delivered Messages  34,291  30,762  22,331  22,484  31,245  33,588  33,582  208,283       25,311
> >>  Good Messages       6,493   5,101   1,595   1,721   6,209   6,772   6,170   34,061        5,221
> >>  Spam Messages       27,798  25,661  20,736  20,763  25,036  26,816  27,412  174,222       20,090
> >>  Spam Percent        81%     83%     92%     92%     80%     79%     81%     84%           79%
> >>  Mal Formed Headers  3,845   4,277   3,193   3,555   4,094   4,286   4,459   27,709        4,949
> >>  Spam Headers        4,544   4,081   3,665   3,367   4,800   5,712   6,1

Re: [sniffer] Config When Using Sniffer With Declude...

2004-03-09 Thread Jim Matuska
I have the following set in the global CFG file

SNIFFERGAMBLING external 59 "c:\sniffer\.exe "
SNIFFERDEBT external 58 "c:\sniffer\.exe "
SNIFFERGETRICH external 57 "c:\sniffer\.exe "
SNIFFERINKTONER external 56 "c:\sniffer\.exe "
SNIFFERMALWARE external 55 "c:\sniffer\.exe "
SNIFFERPORN external 54 "c:\sniffer\.exe "
SNIFFERSCAM external 53 "c:\sniffer\.exe "
SNIFFERPRESCRIPTION external 52 "c:\sniffer\.exe "
SNIFFERSPAMWARE external 51 "c:\sniffer\.exe "
SNIFFERMEDIATHEFT external 50 "c:\sniffer\.exe "
SNIFFERANTIVIRUS external 49 "c:\sniffer\.exe "
SNIFFERINSURANCE external 48 "c:\sniffer\.exe "
SNIFFERTRAVEL external 47 "c:\sniffer\.exe "

and in the
$default$.junkmail
SNIFFERGAMBLING  ATTACH
SNIFFERDEBT  ATTACH
SNIFFERGETRICH  ATTACH
SNIFFERINKTONER  WARN
SNIFFERMALWARE  ATTACH
SNIFFERPORN  DELETE
SNIFFERSCAM  ATTACH
SNIFFERPRESCRIPTION DELETE
SNIFFERSPAMWARE  ATTACH
SNIFFERMEDIATHEFT ATTACH
SNIFFERANTIVIRUS WARN
SNIFFERINSURANCE ATTACH
SNIFFERTRAVEL  ATTACH

This basically sets each return code separately and lets you set results for
each return code differently.  It also will show in any message headers the
exact return code.

Jim Matuska Jr.
Computer Tech II
CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]

- Original Message - 
From: "EI8HT LEGS Technical Support" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, March 09, 2004 1:37 PM
Subject: [sniffer] Config When Using Sniffer With Declude...


> Hello All,
>
> I am running Sniffer with Declude and was wanting to get some ideas on how
> everyone has Declude setup.  Currently I just have the basic setup as
> follows.
>
> SNIFFER external nonzero "d:\imail\declude\sniffer2_2\winx\snifferprog.exe sniffer auth" 10 0
>
> I hold anything with a weight of 10m therefore anything failing sniffer gets
> held and reviewed.  I was thinking that sniffer had a way to check and see
> why it failed, but I have not found much on that.  I guess I am just not
> looking in the right place...  Anyone give me some hints?
>
> Thanks!
>
> Sincerely,
> Grant Griffith, Vice President
> EI8HT LEGS Web Management Co., Inc.
> http://www.getafreewebsite.com
> 877-483-3393
>
>