RE: [sniffer] Error with Postfix/amavis-new/spamassassin

2004-02-09 Thread Landry William



Bill, what version of SA are you running, and how are you integrating Sniffer into
SA?  I would like to try this on one of my test servers.
 
Thanks,
 
Bill

  -Original Message-
  From: Bill Boebel [mailto:[EMAIL PROTECTED]
  Sent: Monday, February 09, 2004 3:50 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [sniffer] Error with Postfix/amavis-new/spamassassin

  It was a permissions issue.  I moved it to my amavis folder as Vevek
  suggested, and all is good now.  Thanks.

  Bill
   
  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Madscientist
Sent: Monday, February 09, 2004 3:15 PM
To: [EMAIL PROTECTED]
Subject: Re: [sniffer] Error with Postfix/amavis-new/spamassassin

At 01:00 AM 2/9/2004, you wrote:

  I'm trying to get Sniffer running with Postfix/amavis-new/spamassassin using
  this patch: http://bugzilla.spamassassin.org/show_bug.cgi?id=2602

  And I'm running into this error in SpamAssassin:

  ---
  debug: Sniffer is available: /usr/local/bin/sniffer/hidden.exe key=hidden
  debug: entering helper-app run mode
  debug: Sniffer command: /usr/local/bin/sniffer/hidden.exehidden/spool/amavis/sa.30371.8gSb6u 2>&1
  debug: leaving helper-app run mode
  Sniffer -> check failed: sniffer said: j215ty1i.LOCK [c] lock failed.(sig=13,exit=0) at /usr/local/lib/perl5/site_perl/5.8.2/Mail/SpamAssassin/Dns.pm line 988.
  ---

  Any idea what would be causing this?  Could it be a permissions problem?

  Sniffer runs fine using the test.sh script.

This might be a permissions issue, or it might be an environment issue (where is
Sniffer running). This message is sent out stderr by the cellular Peer Server
logic by Sniffer if it is unable to obtain a lock when it goes to count the
files in the workspace. Sniffer obtains this lock by creating the file
.LOCK ( in your case j215ty1i.LOCK ).

The lightweight locking mechanism will try to create the LOCK file. If it is
unable to create the file the lock operation will fail. In most cases,
processing will continue since a failed lock does not guarantee there will
be errors. Processing only stops when the lock fails and we are assured that
errors will result.

This particular lock occurs in PeerServer.cpp during the initial count of the
number of server instances in the workspace. If the lock fails then processing
continues. The possible ramifications of this are that the number of current
servers might be inaccurate - most frequently this would only result in an
additional server instance being present - which is not harmful.

It is extremely unlikely that a lock operation would fail here unless Sniffer
tried to create the lock file in a directory where it did not have create
privileges.

Hope this helps,
_M

PS: The code that makes this message is really meant only for debugging. If
necessary the write to stderr can be commented out so that any lock failure at
this point is handled silently.

Here is the code snippet (watch out for wrapping):

// int CountServers()
// 20031125 _M The CountServers() method is where we will serialize entry into
// the peer group by locking the realm. The locking is decidedly lightweight so
// we will ignore any errors that occur during the lock or unlock process. Loss
// of control here is ok... the original algorithm doesn't require it, but it
// turns out that if we do get serialization we're better optimized.

int PeerServer::CountServers()
{
  DIR *dir;                 // Hold our directory
  const char* dirname;      // Name of the directory
  struct dirent *entry;     // Hold our file entry
  struct stat statinfo;     // Hold entry data
  int ServerCount=0;        // How many servers counted?
  RealmDepth = 0;           // Reset our realm depth.

  dirname=getLocation();    // Look here for files.

  // Now we lock before counting.
  // Try the lock. If it fails send a tiny message to cerr.

  try{Lock();}catch(...){cerr << LockName << " [c] lock failed." << endl;}

  // A note about the position of the lock above. If the following code throws,
  // then the lock will be abandoned in place - and it will become stale. It is
  // extremely unlikely that this would happen... and if it did it would slow
  // things down quite a bit while other peers waited to kill the stale lock. That
  // might even be a good thing since an inability to open the direc
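
The lock-file behaviour described in the message above, as an added example that is not part of the original thread and not Message Sniffer's own code: the lock is taken by exclusively creating a file, a busy lock is reported separately from a directory without create privileges, and a scope guard removes the file so a throw cannot leave a stale lock. The names try_lock_file, ScopedLockFile and demo.LOCK and the /tmp scratch directory are assumptions, and a POSIX system is assumed.

```cpp
// Added example (not Message Sniffer code): lock-file acquisition on POSIX.
#include <cerrno>
#include <cstdlib>
#include <fcntl.h>
#include <iostream>
#include <stdexcept>
#include <string>
#include <sys/stat.h>
#include <unistd.h>

enum class LockStatus { Acquired, HeldByPeer, NoPermission, OtherError };

// Create <dir>/<name> exclusively. O_CREAT|O_EXCL is atomic: exactly one
// process succeeds and every other caller gets EEXIST. errno tells a busy
// lock apart from a directory the process may not create files in.
LockStatus try_lock_file(const std::string& dir, const std::string& name) {
    const std::string path = dir + "/" + name;
    const int fd = ::open(path.c_str(), O_CREAT | O_EXCL | O_WRONLY, 0600);
    if (fd >= 0) {
        ::close(fd);
        return LockStatus::Acquired;
    }
    switch (errno) {
        case EEXIST: return LockStatus::HeldByPeer;
        case EACCES:
        case EPERM:
        case EROFS:  return LockStatus::NoPermission;
        default:     return LockStatus::OtherError;
    }
}

const char* describe(LockStatus s) {
    switch (s) {
        case LockStatus::Acquired:     return "acquired";
        case LockStatus::HeldByPeer:   return "held by another process";
        case LockStatus::NoPermission: return "no create privilege in directory";
        default:                       return "other error";
    }
}

// Scope guard: the lock file is removed when the guard goes out of scope,
// including during stack unwinding, so an exception leaves no stale lock.
class ScopedLockFile {
public:
    ScopedLockFile(const std::string& dir, const std::string& name)
        : path_(dir + "/" + name), status_(try_lock_file(dir, name)) {}
    ~ScopedLockFile() { if (held()) ::unlink(path_.c_str()); }
    ScopedLockFile(const ScopedLockFile&) = delete;
    ScopedLockFile& operator=(const ScopedLockFile&) = delete;
    bool held() const { return status_ == LockStatus::Acquired; }
    LockStatus status() const { return status_; }
private:
    std::string path_;
    LockStatus status_;
};

bool file_exists(const std::string& path) {
    struct stat st;
    return ::stat(path.c_str(), &st) == 0;
}

// Private scratch directory standing in for the Sniffer workspace (assumed).
std::string make_workspace() {
    char tmpl[] = "/tmp/lockdemo.XXXXXX";
    const char* dir = ::mkdtemp(tmpl);
    if (dir == nullptr) throw std::runtime_error("mkdtemp failed");
    return std::string(dir);
}

// Simulates work that throws while the lock is held and reports whether
// the lock file is gone afterwards.
bool lock_released_after_throw(const std::string& dir, const std::string& name) {
    try {
        ScopedLockFile lock(dir, name);
        if (!lock.held()) return false;
        throw std::runtime_error("simulated failure while counting");
    } catch (const std::runtime_error&) {
        // swallowed: only the state of the lock file matters here
    }
    return !file_exists(dir + "/" + name);
}

int main() {
    const std::string ws = make_workspace();
    const std::string name = "demo.LOCK";      // constructed lock name
    std::cout << "first attempt:  " << describe(try_lock_file(ws, name)) << "\n";
    std::cout << "second attempt: " << describe(try_lock_file(ws, name)) << "\n";
    ::unlink((ws + "/" + name).c_str());
    std::cout << "released after throw: " << std::boolalpha
              << lock_released_after_throw(ws, name) << "\n";
    ::chmod(ws.c_str(), 0500);                 // directory no longer writable
    std::cout << "read-only dir:  " << describe(try_lock_file(ws, name))
              << " (root bypasses this check)\n";
    ::chmod(ws.c_str(), 0700);
    ::unlink((ws + "/" + name).c_str());       // only present when run as root
    ::rmdir(ws.c_str());
    return 0;
}
```
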

RE: [sniffer] Error with Postfix/amavis-new/spamassassin

2004-02-09 Thread Landry William



Thanks!  I think I will take a look at the 2.70 snapshot, since it 
now supports system-wide plug-ins (and SPF).
 
Bill

  -Original Message-
  From: Bill Boebel [mailto:[EMAIL PROTECTED]
  Sent: Monday, February 09, 2004 4:24 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [sniffer] Error with Postfix/amavis-new/spamassassin

  I'm running SA 2.62, patched by hand with the changes mentioned here:
  http://bugzilla.spamassassin.org/show_bug.cgi?id=2602

  That URL also mentions how to edit SpamAssassin's local.cf to call Sniffer.

  Bill
   
  

RE: [sniffer] F-Prot and netsky

2004-02-24 Thread Landry William



The virus definitions F-Prot released today is what is now catching Mydoom.F, as
F-Prot has been catching them since about 3am here and I have not upgraded to
3.14c yet.
 
Bill

  
  -Original Message-
  From: Matt [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, February 24, 2004 7:22 AM
  To: [EMAIL PROTECTED]
  Subject: Re: [sniffer] F-Prot and netsky

  F-Prot prompted me for an upgrade of the program when I logged in this
  morning (full download and install process).  I assume that this is meant
  to take care of the issue in not catching Mydoom.F.  Before that I was
  showing definitions that were last updated on the 18th.  Everyone should
  log onto their servers and run the updater if they aren't immediately
  prompted.

  If I'm correct, it also took several days for them to fix an issue with
  Mimail and that required a version upgrade.

  Matt

  Madscientist wrote:

  At 09:32 AM 2/24/2004, you wrote:

    I was wondering if anyone else is using F-prot for their virus engine in
    declude, and what they now think about it. Netsky was discovered on the
    18th, and F-Prot actually had it posted on their website as being
    discovered by them on the 19th. But they didn't update their definition
    files to actually catch it until early this morning. This meant that
    netsky ran rampant under F-Prots nose for 6 days. I feel this is
    completely unacceptable, and I am going to change my virus engine this
    week unless someone can tell me that there is a good reason why I
    shouldn't.

    Any ideas or feedback from someone using F-Prot?

    Thanks

  We recently abandoned McAfee for F-Prot. F-Prot is much more efficient and
  stable on our NT test platform. Though I am not pleased with the delays you
  mention, I'm also not willing to throw them out given the alternatives and
  at this point I consider the delay an aberration rather than a systemic
  flaw. A better strategy to dropping F-Prot, in my opinion, is to also
  include alternatives - since diversity is better protection anyway and the
  costs are well within reason.

  My $0.02.

  _M

  Pete McNeil (Madscientist)
  President, MicroNeil Research Corporation.
  Chief SortMonster, www.SortMonster.com.
  Vox 703-406-2016, Fax 703-406-2017

-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=

---
This message and any included attachments are from Siemens Medical Solutions 
USA, Inc. and are intended only for the addressee(s).  
The information contained herein may include trade secrets or privileged or 
otherwise confidential information.  Unauthorized review, forwarding, printing, 
copying, distributing, or using such information is strictly prohibited and may 
be unlawful.  If you received this message in error, or have reason to believe 
you are not authorized to receive it, please promptly delete this message and 
notify the sender by e-mail with a copy to [EMAIL PROTECTED] 

Thank you


RE: [sniffer] F-Prot and netsky

2004-02-24 Thread Landry William

Possibly the site you are pointed to for the definition downloads is late in
getting the updates?  I point to ftp1.mirrors.frisk.is for updates and was
catching Netsky on the 18th.

Bill

-Original Message-
From: Mike VandeBerg [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, February 24, 2004 7:43 AM
To: [EMAIL PROTECTED]
Subject: RE: [sniffer] F-Prot and netsky


Thanks for the replies folks, I think I may just stay with F-Prot. But one
thing is still confusing me.. Why did some people get a def file on the 18th
that caught netsky, but mine didn't. On the 20th, I even went so far as to
re-install f-prot which initially installs a July 02 def file, and ran the
updater just to make sure that I was getting the latest updated file as it
was being distributed by F-Prot, and I still got the 18th def file, which
according to Terry here, was catching it, but mine wasn't... Any ideas with
that glitch?  

>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Smart 
>Business Support
>Sent: Tuesday, February 24, 2004 9:28 AM
>To: Mike VandeBerg
>Subject: Re: [sniffer] F-Prot and netsky
>
>Mike,
>
>Tuesday, February 24, 2004 you wrote:
>MV> I was wondering if anyone else is using F-prot for their virus
>MV> engine in declude, and what they now think about it. Netsky was
>MV> discovered on the 18th, and F-Prot actually had it posted on their
>MV> website as being discovered by them on the 19th. But they didn't
>MV> update their definition files to actually catch it until early this
>MV> morning. This meant that netsky ran rampant under F-Prots nose for 6
>MV> days. I feel this is completely unacceptable, and I am going to
>MV> change my virus engine this week unless someone can tell me that
>MV> there is a good reason why I shouldn't.
>
>  This is not our experience.  Here's an excerpt from our virus
> reporter for the 18th.  Scanner 1 is Fprot.  Scanner 2 is NAI
> (McAfee).  So on the 18th Fprot caught 39 it identified as Netsky.
> However, some of these were corrupted.  All in all I'm happy with
> F-prot but I see enough difference to run 2 and might add a 3rd:
>
>> From: 02/18/2004 00:00:30 Thru 02/18/2004 23:59:36 Log files:
>> vir0218.log
>> 
>> Scanner 1 Virus names
>> VBS/Haptime.F  = 1
>> W32/[EMAIL PROTECTED]  = 4
>> W32/[EMAIL PROTECTED] (corrupted)  = 1
>> W32/[EMAIL PROTECTED]  = 1
>> W32/[EMAIL PROTECTED]  = 1
>> W32/[EMAIL PROTECTED]  = 5
>> W32/[EMAIL PROTECTED]  = 39
>> 
>> Scanner 1 Days
>> 02/18/2004 = 52
>> 
>> Scanner 2 Virus names
>> VBS/[EMAIL PROTECTED] virus  = 1
>> W32/[EMAIL PROTECTED] virus  = 4
>> W32/Bugbear.b.dam virus  = 1
>> W32/[EMAIL PROTECTED] virus  = 1
>> W32/[EMAIL PROTECTED] virus  = 1
>> W32/[EMAIL PROTECTED] virus  = 3
>> W32/[EMAIL PROTECTED] virus  = 2
>> W32/[EMAIL PROTECTED] virus  = 14
>> W32/Sober!data trojan  = 3
>> 
>> Scanner 2 Days
>> 02/18/2004 = 30
>
> 
>
>
>
>
>Terry Fritts
>
>
>This E-Mail came from the Message Sniffer mailing list. For
>information and (un)subscription instructions go to 
>http://www.sortmonster.com/MessageSniffer/Help/Help.html
>---
>[This E-mail scanned for viruses by Declude Virus]
>
>



RE: [sniffer] F-Prot and netsky

2004-02-24 Thread Landry William



ClamAV works very well, and is lightning fast when run daemonized
(clamd).  It's also hard to beat the price!  I run it along with
F-Prot and McAfee's uvscan, and Clam seems to keep up with the commercial
scanners as far as virus updates.
 
Bill

  
  -Original Message-
  From: Fred [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, February 24, 2004 9:02 AM
  To: [EMAIL PROTECTED]
  Subject: Re: [sniffer] F-Prot and netsky

  Does anyone run ClamAV?  I've been hearing a lot of good reviews on it..

  Frederic Tarasevicius
  Internet Information Services, Inc.



RE: [sniffer] Spam storm?

2004-03-24 Thread Landry William

I see over a 1000 of these ERROR_BAD_MATRIX entries in my Sniffer log file
today, as well.  Is this due to the ruleset issue from earlier today?

Bill

-Original Message-
From: Sheldon Koehler [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 24, 2004 3:19 PM
To: [EMAIL PROTECTED]
Subject: Re: [sniffer] Spam storm?


Well it may not be a spam storm. Log file shows:

nsx4b3eh 20040324200108 De90392330028271a.SMD 421 0 ERROR_BAD_MATRIX 71 0 0 2 5
nsx4b3eh 20040324200117 De90c923a00284b5b.SMD 422 0 ERROR_BAD_MATRIX 71 0 0

What is a Bad Matrix?


Sheldon


Sheldon Koehler, Owner/Partner   http://www.tenforward.com
Ten Forward Communications   360-457-9023
Nationwide access, neighborhood support!

"Whenever you find yourself on the side of the majority, it's time
to pause and reflect." Mark Twain





RE: [sniffer] Error_Bad_Matrix

2004-03-25 Thread Landry William



Me too.  I have 2252 "ERROR_BAD_MATRIX" entries in my log so far today.
Pete, what's going on here?  I am still running v2r1, not the latest
alpha/beta version.
 
Bill

  -Original Message-
  From: Butch Andrews [mailto:[EMAIL PROTECTED]
  Sent: Thursday, March 25, 2004 10:23 AM
  To: [EMAIL PROTECTED]
  Subject: [sniffer] Error_Bad_Matrix

  I am seeing my log file continue to fill with "Error_Bad_Matrix" errors
  and sniffer failing since a lot of spam is getting through. I was running
  the beta but have gone back to the original version just now. I did a
  manual update when the program change had no effect and it's back up. I
  checked last nights log and the problem started with date code
  20040325083243 and continued until now. This is for your info since I was
  using the beta.

  -Butch



RE: [sniffer] Error_Bad_Matrix

2004-03-25 Thread Landry William

I run snf2check.exe against every .snf file downloaded.  I just checked it
again manually, and no errors were reported.  I now have almost 3500
Error_Bad_Matrix entries in today's log.

Bill

-Original Message-
From: Vivek Khera [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 25, 2004 12:52 PM
To: [EMAIL PROTECTED]
Subject: Re: [sniffer] Error_Bad_Matrix



On Mar 25, 2004, at 3:39 PM, Paul Lushinsky wrote:

> I decided to look in my log files for the past several days because of
> the number of Error_Bad_Matrix related messages. I can't find this message
> in any of my log files until today starting with the update I auto
> downloaded at 8:15 this morning, and went until the update at noon.
> While I was looking at the log file, another update notice came, so an
> update was done and the Error_Bad_Matrix message is back.
>


I'm curious if the people who are seeing these messages are running 
snf2check.exe before making the rule files live.  I do so, and have not 
seen a single instance of this error.

Can you run snf2check.exe on the current bad matrix you have and see if 
it reports an error?




RE: [sniffer] Spam storm?

2004-03-25 Thread Landry William

Looks like a bandwidth issue to me, since even doing the download manually,
my connection stalled 5 times before I could complete a successful download.
And the download speeds were atrocious, many times in bytes/second rather
than even kb/second - and my connection speeds to the Internet are in
multiple 100mb connections.

Have you considered mirror sites or adding bandwidth?

Bill

-Original Message-
From: Pete McNeil [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 25, 2004 3:06 PM
To: [EMAIL PROTECTED]
Subject: Re: [sniffer] Spam storm?


This helps narrow things down. Specifically we know that the rulebase files 
are not corrupted on the server but during the download. That explains why 
I haven't been able to recreate a problem in the lab.

I have a suspicion that wget may be failing intermittently.
Another customer recently had unexplainable, intermittent issues with wget. 
They replaced wget with code of their own and have had no further problems.

Can we narrow this down to wget under heavy traffic conditions perhaps?

_M


At 10:08 PM 3/24/2004, you wrote:
>I've noticed that if I do a manual download of the rule base file, it works
>well, but if it is downloaded automatically via the Windows Task CMD, then
>sniffer fails and the log fills up with the BAD_MATRIX errors.
>
>Anyone else seeing this?
>
>
>Mike


RE: [sniffer] Spam storm?

2004-03-25 Thread Landry William

Also, I agree with Paul that a rule-base should not be rolled into
production if it is corrupted.  My issue, even with a successful manual
download, is that the rule-base cannot be replaced because it is in use:

=
New File Tested GOOD!
The process cannot access the file because it is being used by another
process.
A duplicate file name exists, or the file cannot be found.
=

The existing rule-base file cannot be renamed because it is in use, thus the
new rule-base file rename fails and disappears because of the final delete
statement in the autosnf.cmd file.  Any better way to handle the migration
of new rule-base files into a busy Sniffer environment?

Bill

RE: [sniffer] Spam storm?

2004-03-25 Thread Landry William

-Original Message-
From: Pete McNeil [mailto:[EMAIL PROTECTED] 

> Normally our bandwidth is sufficient. We have considered mirror sites also,
> and we have plans to move our hosting into a local Equinix facility where
> we will have similar bandwidth to yours and other benefits. Unfortunately
> we are not quite up to that level of revenue yet.
>
> We currently have two T1s through two networks (Savvis & Sprint). More than
> 90% of the time more than 80% of our bandwidth is available. There are
> occasional short-lived peaks where this is not the case, but those are rare.

Ah, that's probably it, since one of our Internet circuits is with Sprint,
as well, so the traffic would have been prioritized over the Sprint network.

Bill

---
This message and any included attachments are from Siemens Medical Solutions 
USA, Inc. and are intended only for the addressee(s).  
The information contained herein may include trade secrets or privileged or 
otherwise confidential information.  Unauthorized review, forwarding, printing, 
copying, distributing, or using such information is strictly prohibited and may 
be unlawful.  If you received this message in error, or have reason to believe 
you are not authorized to receive it, please promptly delete this message and 
notify the sender by e-mail with a copy to [EMAIL PROTECTED] 

Thank you

This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html


RE: [sniffer] Spam storm?

2004-03-26 Thread Landry William

-Original Message-
From: Pete McNeil [mailto:[EMAIL PROTECTED] 

> Since we're both up at this insane hour. Would you mind making a test?
> I've just shut down the Sprint line - so we're running through Savvis 
> exclusively. If I'm right about the connectivity issue then you should
> be able to get a good download. Would you give that a shot for me and
> tell me the stats when you're done?

Well, it didn't start out well, stalled, restarted, and then picked up:

    0K .. .. .. .. ..  0%    9.49 KB/s
   50K .. .. .. .. ..  1%    7.90 KB/s
  100K .. .. .. .. ..  2%    4.80 KB/s
  150K .. .. .. .. ..  3%    6.36 KB/s
  200K .. .. .. .. ..  3%    9.14 KB/s
  250K .. .. .. .. ..  4%    9.41 KB/s
  300K .. .. .. .. ..  5%    9.27 KB/s
  350K .. .. .. .. ..  6%    8.94 KB/s
  400K .. .. .. .. ..  7%    9.94 KB/s
  450K .. .. .. .. ..  7%    9.61 KB/s
  500K .. .. .. .. ..  8%    9.79 KB/s
  550K .. .. .. .. ..  9%    9.41 KB/s
  600K .. .. .. .. .. 10%    9.41 KB/s
  650K .. .. .. .. .. 10%    4.43 KB/s
  700K .. .. .. .. .. 11%   31.37 KB/s
  750K .. .. .. .. .. 12%   14.29 KB/s
  800K .. .. .. .. .. 13%   13.22 KB/s
  850K .. .. .. .. .. 14%   13.33 KB/s
  900K .. .. .. .. .. 14%   15.02 KB/s
  950K .. .. .. .. .. 15%   14.03 KB/s
 1000K .. .. .. .. .. 16%   14.95 KB/s
 1050K .. .. .. .. .. 17%   15.31 KB/s
 1100K .. .. .. .. .. 17%   13.62 KB/s
 1150K .. .. .. .. .. 18%   13.56 KB/s
 1200K .. .. .. .. .. 19%   17.98 KB/s
 1250K .. .. .. .. .. 20%   18.39 KB/s
 1300K .. .. .. .. .. 21%  728.83 B/s
 1350K .. .. .. ..    21%  138.20 KB/s

00:34:30 (6.97 KB/s) - Connection closed at byte 1415514. Retrying.

--00:34:30--  http://www.sortmonster.net/Sniffer/Updates/rulebase-id.snf
  (try: 2) => `b5s5xsaw.new'
Connecting to www.sortmonster.net[216.88.37.61]:80... connected.
HTTP request sent, awaiting response... 206 Partial Content
Length: 6,577,528 (5,170,294 to go) [text/plain]

   [ skipping 1350K ]
 1350K ,, ,, .. .. .. 21%   12.98 KB/s
 1400K .. .. .. .. .. 22%   14.10 KB/s
 1450K .. .. .. .. .. 23%   14.03 KB/s
 1500K .. .. .. .. .. 24%   12.90 KB/s
 1550K .. .. .. .. .. 24%   14.35 KB/s
 1600K .. .. .. .. .. 25%   16.93 KB/s
 1650K .. .. .. .. .. 26%   14.68 KB/s
 1700K .. .. .. .. .. 27%   14.29 KB/s
 1750K .. .. .. .. .. 28%   13.85 KB/s
 1800K .. .. .. .. .. 28%   14.16 KB/s
 1850K .. .. .. .. .. 29%   13.50 KB/s
 1900K .. .. .. .. .. 30%   13.97 KB/s
 1950K .. .. .. .. .. 31%   12.35 KB/s
 2000K .. .. .. .. .. 31%   14.41 KB/s
 2050K .. .. .. .. .. 32%   12.45 KB/s
 2100K .. .. .. .. .. 33%   19.75 KB/s
 2150K .. .. .. .. .. 34%   15.69 KB/s
 2200K .. .. .. .. .. 35%   14.74 KB/s
 2250K .. .. .. .. .. 35%   19.39 KB/s
 2300K .. .. .. .. .. 36%   16.84 KB/s
 2350K .. .. .. .. .. 37%   16.33 KB/s
 2400K .. .. .. .. .. 38%   14.81 KB/s
 2450K .. .. .. .. .. 38%   19.39 KB/s
 2500K .. .. .. .. .. 39%   16.75 KB/s
 2550K .. .. .. ..

RE: [sniffer] Message Sniffer Version 2-3 Official Release!

2004-05-09 Thread Landry William

Pete, am I correct in assuming that the configuration file (snfrv2r3.cfg)
should also be renamed for your license ID, as well?

Bill

-Original Message-
From: Pete McNeil [mailto:[EMAIL PROTECTED] 
Sent: Monday, May 10, 2004 2:08 AM
To: [EMAIL PROTECTED]
Subject: Re: [sniffer] Message Sniffer Version 2-3 Official Release!


At 12:35 PM 5/9/2004, you wrote:
>Are there step-by-step upgrade instructions posted anywhere?  Our 
>configuration is Windows 2000 server with Declude.  I don't quite 
>understand what needs to be done to enable the Persistent Instance 
>option.

Step-by-step instructions will depend on how you intend to run the 
persistent instance.

The first step in all cases is simply to replace your .exe files with the 
ones in the new distribution. Be sure to rename (brand) the snfrv2r3.exe 
file for your license ID of course.

The way I run a persistent instance is using RunSvcExe, others have 
reported good results with Fire Daemon. Links to these are on the 
SnifferBasics page along with the basic command line for starting a Message 
Sniffer instance in persistent mode.

Essentially, launch sniffer with the word persistent in place of the usual 
file name to be scanned.

Here is a link to earlier discussions along with some more detailed 
information about getting a persistent instance set up. Follow the thread 
through and you will find more than one example:

http://www.mail-archive.com/[EMAIL PROTECTED]/msg00165.html

Hope this helps,
_M





RE: [sniffer] Message Sniffer Version 2-3 Official Release!

2004-05-09 Thread Landry William

Thanks Pete!  One other question.  I am now downloading my rulebase files as
.gz files (much faster downloads now).  Are you prepared to receive our log
file uploads either zipped or gzipped?

Bill

-Original Message-
From: Pete McNeil [mailto:[EMAIL PROTECTED] 
Sent: Sunday, May 09, 2004 2:26 PM
To: [EMAIL PROTECTED]
Subject: RE: [sniffer] Message Sniffer Version 2-3 Official Release!


At 05:19 PM 5/9/2004, you wrote:

>Pete, am I correct in assuming that the configuration file 
>(snfrv2r3.cfg) should also be renamed for your license ID, as well?
>
>Bill

Yes, that is correct.

.cfg files are "branded" in the same way as the scanner (.exe) file.

_M





RE: [sniffer] Message Sniffer Version 2-3 Official Release!

2004-05-09 Thread Landry William

It seems to be working fine for me.  I have it running as a service, per
Matt's instructions using the W2K resource kit files, and it has been
running fine all day.

Bill

-Original Message-
From: Frederick Samarelli [mailto:[EMAIL PROTECTED] 
Sent: Sunday, May 09, 2004 5:10 PM
To: [EMAIL PROTECTED]
Subject: Re: [sniffer] Message Sniffer Version 2-3 Official Release!


The persistent mode stopped working after installing new program.

Revert back to old one and it works???

Start xx.exe x persistent

- Original Message - 
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, May 10, 2004 4:59 AM
Subject: Re: [sniffer] Message Sniffer Version 2-3 Official Release!


> At 11:36 AM 5/9/2004, you wrote:
> >Pete.
> >
> >Should we be able to just replace our .exe file with this one
>
> Yes. It will act just like the current version.
> The persistent server option doesn't take effect until you launch an 
> instance in persistent mode. Until then (or if the persistent server fails)
> the program will act exactly like version 2-2, except that you can 
> still configure the log format if you wish.
>
> Most importantly the snf2check.exe utility is much improved with this 
> new version.
>
> Hope this helps,
> _M
>
>


RE: [sniffer] Message Sniffer Version 2-3 Official Release!

2004-05-09 Thread Landry William

Frederick, I stopped the Sniffer service and tested from the command prompt
with:

Start xx.exe x persistent

and this is working fine, as well.  These messages have come in since
starting sniffer persistence from the command prompt:

LicenseID   20040510024905  Ded96001d093c201a.SMD   40  150   Clean   0   0   03720   60
LicenseID   20040510024908  Ded96003f080c201b.SMD   10  20   Clean   0   0   0   149451
LicenseID   20040510025416  Deecf003708b6201f.SMD   10  190   Match   117330  57  3301331578
LicenseID   20040510025416  Deecf003708b6201f.SMD   10  190   Final   117330  57  0   661178
LicenseID   20040510025417  Deecf003d094e2020.SMD   10  30   Match   117330  57  2478249273
LicenseID   20040510025417  Deecf003d094e2020.SMD   10  30   Final   117330  57  0   264373
LicenseID   20040510025437  Deee7003908b62023.SMD   10  50   Match   118825  52  1560157266
LicenseID   20040510025437  Deee7003908b62023.SMD   10  50   Final   118825  52  0   528566
LicenseID   20040510025445  Deee70041094e2024.SMD   10  20   Match   118825  52  1588160059
LicenseID   20040510025445  Deee70041094e2024.SMD   10  20   Final   118825  52  0   184759
LicenseID   20040510025508  Def05007c04c02027.SMD   10  81   Match   54070   52  884 924 70
LicenseID   20040510025508  Def05007c04c02027.SMD   10  81   Final   54070   52  0   617970
LicenseID   20040510025523  Def05007d04c02029.SMD   10  30   Match   54070   52  1103116862
LicenseID   20040510025523  Def05007d04c02029.SMD   10  30   Final   54070   52  0   274862
LicenseID   20040510025639  Def62008204c0202c.SMD   10  60   Match   40539   62  5135517867
LicenseID   20040510025639  Def62008204c0202c.SMD   10  60   Final   40539   62  0   579167

Bill

-Original Message-
From: Frederick Samarelli [mailto:[EMAIL PROTECTED] 
Sent: Sunday, May 09, 2004 7:32 PM
To: [EMAIL PROTECTED]
Subject: Re: [sniffer] Message Sniffer Version 2-3 Official Release!


I am having problems getting it started from the command prompt.

RE: [sniffer] Message Sniffer Version 2-3 Official Release!

2004-05-09 Thread Landry William

Same here, but if you check your logs, I think you will find that it is
working.

Bill

-Original Message-
From: Frederick Samarelli [mailto:[EMAIL PROTECTED] 
Sent: Sunday, May 09, 2004 8:04 PM
To: [EMAIL PROTECTED]
Subject: Re: [sniffer] Message Sniffer Version 2-3 Official Release!


When I do it the window pop-up is blank

RE: [sniffer] Message Sniffer Version 2-3 Official Release!

2004-05-09 Thread Landry William

Don't know, since I have not been running the persistence feature until
today, and I am running it as a service rather than executing it from the
command prompt.

Pete?

Bill

-Original Message-
From: Frederick Samarelli [mailto:[EMAIL PROTECTED] 
Sent: Sunday, May 09, 2004 8:11 PM
To: [EMAIL PROTECTED]
Subject: Re: [sniffer] Message Sniffer Version 2-3 Official Release!


Is this by design

[sniffer] Sniffer v2-3 "Persistent Instance" keeps stopping

2004-05-16 Thread Landry William





Pete, I am running v2-3 as a service using utilities from the W2K resource kit.  When I start the service I see (masked rulebase ID):

    05/15/2004  11:30p  0 RuleBaseID-20040516063150x38214000-2436.SVR


And this will stay persistent for several hours, with just the time changing every ten minutes:


    Persistence: 600


But eventually the persistent SRV instance will disappear and not reappear until I cycle the Sniffer service.  Can you think of any reason why this might be happening?  Is there something I should be looking for in the logs that might provide a clue?

Thanks,


Bill






RE: [sniffer] Sniffer v2-3 "Persistent Instance" keeps stopping

2004-05-16 Thread Landry William



Oops, my bad, I had inadvertently uncommented the "Lifetime" line.
 
Thanks,
 
Bill

  
-Original Message-
From: Pete McNeil [mailto:[EMAIL PROTECTED]
Sent: Sunday, May 16, 2004 5:07 AM
To: [EMAIL PROTECTED]
Subject: Re: [sniffer] Sniffer v2-3 "Persistent Instance" keeps stopping


At 03:03 AM 5/16/2004, you wrote:
>Pete, I am running v2-3 as a service using utilities from the W2K
>resource kit.  When I start the service I see (masked rulebase ID):
>
>    05/15/2004  11:30p  0 RuleBaseID-20040516063150x38214000-2436.SVR

This is right. The .SVR file with x38214000 will be the persistent instance.
x38214000 is the quick-hash of "persistent".

>And this will stay persistent for several hours, with just the time
>changing every ten minutes:
>
>    Persistence: 600

This is the default. I'm guessing you have this in your .cfg file since you
mention it.

>But eventually the persistent SRV instance will disappear and not
>reappear until I cycle the Sniffer service.  Can you think of any
>reason why this might be happening?  Is there something I should be
>looking for in the logs that might provide a clue?

Ours has been running since the release without stopping and I have no other
reports at this time of any spontaneous exits - so the problem seems to be
unique. If not hopefully someone will let me know ;-).

Check your sniffer logs for any critical ERRORs that coincide with the stop.

Most likely though you should check your .cfg file to make sure that your
Lifetime: setting is commented out.

# Lifetime:

If it is not commented out then the persistent instance will exit after  seconds.
The number in the .cfg file in the distribution is 36000 (10 hours) - it
strikes me that this might match up with your description of the problem.

The Lifetime: parameter is for folks who want to run the persistent instance
in a script that loops periodically - in that case the script would
continuously restart the engine - presumably after performing some kind of
maintenance task. This would not be appropriate for running a Win32 service.

If you don't find any critical errors in your sniffer logs then this seems
like the most likely scenario.

Hope this helps,
_M



RE: [sniffer] Declude configuration

2004-06-14 Thread Landry William

Here is a sample of what I use:
=
SNIFFER-TRAVEL        external 047 "M:\IMail\Declude\TPA\Sniffer\YourLicenseID.exe YourAuthCode"   05  0
SNIFFER-INSURANCE     external 048 "M:\IMail\Declude\TPA\Sniffer\YourLicenseID.exe YourAuthCode"   10  0
SNIFFER-AV-PUSH       external 049 "M:\IMail\Declude\TPA\Sniffer\YourLicenseID.exe YourAuthCode"   07  0
SNIFFER-WAREZ         external 050 "M:\IMail\Declude\TPA\Sniffer\YourLicenseID.exe YourAuthCode"   10  0
SNIFFER-SPAMWARE      external 051 "M:\IMail\Declude\TPA\Sniffer\YourLicenseID.exe YourAuthCode"   10  0
SNIFFER-SNAKEOIL      external 052 "M:\IMail\Declude\TPA\Sniffer\YourLicenseID.exe YourAuthCode"   12  0
SNIFFER-SCAMS         external 053 "M:\IMail\Declude\TPA\Sniffer\YourLicenseID.exe YourAuthCode"   12  0
SNIFFER-PORN          external 054 "M:\IMail\Declude\TPA\Sniffer\YourLicenseID.exe YourAuthCode"   15  0
SNIFFER-MALWARE       external 055 "M:\IMail\Declude\TPA\Sniffer\YourLicenseID.exe YourAuthCode"   12  0
SNIFFER-ADVERTISING   external 056 "M:\IMail\Declude\TPA\Sniffer\YourLicenseID.exe YourAuthCode"   10  0
SNIFFER-SCHEMES       external 057 "M:\IMail\Declude\TPA\Sniffer\YourLicenseID.exe YourAuthCode"   12  0
SNIFFER-CREDIT        external 058 "M:\IMail\Declude\TPA\Sniffer\YourLicenseID.exe YourAuthCode"   07  0
SNIFFER-GAMBLING      external 059 "M:\IMail\Declude\TPA\Sniffer\YourLicenseID.exe YourAuthCode"   07  0
SNIFFER-GREYMAIL      external 060 "M:\IMail\Declude\TPA\Sniffer\YourLicenseID.exe YourAuthCode"   05  0
SNIFFER-OBFUSCATION   external 061 "M:\IMail\Declude\TPA\Sniffer\YourLicenseID.exe YourAuthCode"   12  0
SNIFFER-EXPERIMENTAL  external 062 "M:\IMail\Declude\TPA\Sniffer\YourLicenseID.exe YourAuthCode"   07  0
SNIFFER-GENERAL       external 063 "M:\IMail\Declude\TPA\Sniffer\YourLicenseID.exe YourAuthCode"   10  0
=

Bill

-Original Message-
From: John Tolmachoff (Lists) [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 14, 2004 9:15 AM
To: [EMAIL PROTECTED]
Subject: [sniffer] Declude configuration


I am new to Sniffer, and have it up and running with the basic line looking
for a nonzero return code.

I would now like to start setting different weights for different return
codes.

Does some one have a example configuration I can use?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You






[sniffer] "WHITE" Result Code

2004-06-24 Thread Landry William

Pete, would you consider assigning a specific result code, other than "0",
for tests that come back as "WHITE" versus "CLEAN"?  I would like to add a
negative weight in Declude for messages that are specifically whitelisted
versus just clean.  Thoughts?

Thanks,

Bill



RE: [sniffer] Gray Hosting Change Of Status - Request For Comments

2004-06-24 Thread Landry William

Pete, this proposed change seems to make sense to me.  Just let us know when
you plan to make the change.

Thanks,

Bill

-Original Message-
From: Pete McNeil [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 24, 2004 12:36 PM
To: [EMAIL PROTECTED]
Subject: [sniffer] Gray Hosting Change Of Status - Request For Comments


Hello Sniffer Folks,

  We are reviewing a number of statistics with an eye toward reducing
  false positives. We have already changed a number of our rule coding
  policies where our highest false positive rates are found.

  One of the proposed changes is controversial and I would very much
  like your input about this.

  The Gray hosting rule group currently has a Block-First,
  White-Rule-Later policy. Rules coded into this group are for the
  likes of Constant Contact.

  Some time ago when this policy was drafted the overwhelming
  consensus was that most content arriving from these services was
  unwanted advertisement spam - therefore it was reasonable to
  white-rule legitimate publications as they were identified,
  especially since a single white rule would be shared by all
  subscribers (thus reducing the work and FP load).

  A recent analysis has shown that the situation has changed somewhat
  significantly. In general the following seem true -

  * The gray hosting group typically tags just less than 2% of messages.

  * Of this 2%, approximately half of the hits would be false positives.

  * If this is true then any benefit generated by the group is negated
  by the risk.

  * Also, if a given system does find benefit from the group then that
  benefit would likely be very small.

  If these points stand up to your comments then the proposal is as
  follows:

  - Existing gray-hosting rules with any reported false positives will
  be removed from the system.

  - The remaining gray-hosting rules will be moved to the "ungrouped"
  group (result 63).

  - No special treatment will exist for future rules that might have
  been placed in the gray-hosting group and no special status will be
  maintained for previous members of the gray-hosting group.

  - Result code 60 will be reassigned at a later time.

  

  Please let us know what you think about this change. We want to be
  sure that we don't cause any trouble. We would like to implement
  this policy change as soon as possible depending upon your comments.

Thanks!
_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)





RE: [sniffer] SpamAssassin Integration.

2004-07-01 Thread Landry William

-Original Message-
From: Pete McNeil [mailto:[EMAIL PROTECTED] 

> I would like to post instructions and/or files on our web site that
> show exactly how (step-by-step) to integrate Message Sniffer with
> SpamAssassin. It seems this information is hard to find /
> understand and I would like to make it easier.
>
> If anyone has instructions like this or is interested in creating
> them then I would love to hear from you.

Pete, I've posted my integration instructions to this list in the past, and
can do so again, if desired.  However, aren't you tracking the progress of
SA 3.0 as it nears release so that Sniffer can function as an SA 3.0
plug-in?  Or is it SA 3.0 integration instructions that you are looking for?

Bill



RE: [sniffer] IP Rules moving to Group 60

2004-07-16 Thread Landry William

Sounds good to me.

Bill

-Original Message-
From: Pete McNeil [mailto:[EMAIL PROTECTED] 
Sent: Friday, July 16, 2004 12:01 PM
To: [EMAIL PROTECTED]
Subject: [sniffer] IP Rules moving to Group 60
Importance: High


Hello Sniffer Folks,

  We are planning to split the Experimental rule group into two parts.

  Experimental (Abstract), (62), will contain abstract heuristics.

  Experimental (Received [IP]), (60), will contain all IP rules.

  The change is designed to allow the IP rules to be isolated so they
  can be weighted differently. IP rules are more dynamic and therefore
  more likely to cause false positives.

  If there are no objections then this change will take place this
  afternoon at approximately 1800 EDT.

Thanks,
_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)





[sniffer] Spam submissions

2004-07-28 Thread Landry William

Pete, I put together a little script that modifies the Q*.SMD file for identified spam messages that were held in my spam directory, but were not tagged by Sniffer, and can forward a copy of these messages to your spam@ address.  However, the messages will look like they came from the original sender and will also show the original recipient on the "To" line.  For example, queue-file Qff1e0159007addb3.SMD could originally look like (all sender and recipient domains masked):

==
Qf:\IMail\spool\Dff1e0159007addb3.SMD
Hmail.example.com
Iff1e0159007addb3
WF:\IMail\mail_example_com
E0,
S<[EMAIL PROTECTED]>
NRCPT TO:<[EMAIL PROTECTED]>
R<[EMAIL PROTECTED]>
NRCPT TO:<[EMAIL PROTECTED]>
R<[EMAIL PROTECTED]>
NRCPT TO:<[EMAIL PROTECTED]>
R<[EMAIL PROTECTED]>
==


But after my script is done, this queue-file would look like (all sender and recipient domains masked):
==
Qf:\IMail\spool\Dff1e0159007addb3.SMD
Hmail.example.com
Iff1e0159007addb3
WF:\IMail\mail_example_com
E0,
S<[EMAIL PROTECTED]>
NRCPT TO:<[EMAIL PROTECTED]>
R<[EMAIL PROTECTED]>
==


I strip out all of the recipients and replace them with your spam@ address.  Since this is just the envelope info that IMail uses to deliver the message, the message headers included in the D*.SMD file will remain intact, thus, the e-mail will look something like this when it arrives in your spam@ inbox:

From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]


But you will note the existence of one new envelope header like:


    for <[EMAIL PROTECTED]>


This script is not automated so it is not going to be sending you unconfirmed spam.  We will only forward messages that have been confirmed by one of our staff to be spam and that Sniffer did not tag.  This way I can forward specific messages that end up in my spam directory to you from a remote command line on the server, and you will receive the message in its original intended format, including sender and recipient information.  I will not start forwarding spam to your spam@ address until I hear that this process would be okay with you.

Thanks,


Bill
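
The envelope rewrite described in this message, sketched in Python as an added example (this is not Bill's script, which the post does not include). The record types (N, R, S) are inferred only from the sample queue file above, and the addresses, including spam@sniffer.example, are constructed placeholders.

```python
import re

# Constructed sample modelled on the queue file quoted in the post. The
# addresses are placeholders; the archive masks the real ones.
SAMPLE_Q = "\r\n".join([
    r"Qf:\IMail\spool\Dff1e0159007addb3.SMD",
    "Hmail.example.com",
    "Iff1e0159007addb3",
    r"WF:\IMail\mail_example_com",
    "E0,",
    "S<sender@example.net>",
    "NRCPT TO:<alice@example.com>",
    "R<alice@example.com>",
    "NRCPT TO:<bob@example.com>",
    "R<bob@example.com>",
]) + "\r\n"

# Conservative address shape. fullmatch() also rejects CR/LF and angle
# brackets, so a bad argument cannot smuggle extra envelope records in.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+")


def recipients(q_text):
    """List the addresses found on the R<...> records of an envelope."""
    return [ln[1:].strip("<>") for ln in q_text.splitlines()
            if ln.startswith("R<")]


def redirect_envelope(q_text, report_addr):
    """Replace every recipient record with one pair for report_addr.

    Returns (new_text, removed_recipients). All other records, including
    the S<sender> line, are kept byte for byte, and the D*.SMD data file
    is never touched, so the message headers stay as the sender wrote them.
    """
    if not ADDR_RE.fullmatch(report_addr):
        raise ValueError("report address is not a plain mailbox address")
    eol = "\r\n" if "\r\n" in q_text else "\n"
    kept, removed, seen_sender = [], [], False
    for line in q_text.splitlines():
        if line.startswith("NRCPT TO:"):
            continue                      # dropped together with its R record
        if line.startswith("R<"):
            removed.append(line[1:].strip("<>"))
            continue
        if line.startswith("S<"):
            seen_sender = True
        kept.append(line)
    if not seen_sender:
        raise ValueError("no S<sender> record; not an envelope of this shape")
    kept += [f"NRCPT TO:<{report_addr}>", f"R<{report_addr}>"]
    return eol.join(kept) + eol, removed


if __name__ == "__main__":
    new_text, removed = redirect_envelope(SAMPLE_Q, "spam@sniffer.example")
    print("removed:", removed)
    print(new_text)
```

Keeping the list of removed recipients gives the operator a record of where each forwarded sample was originally addressed.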





RE: [sniffer] Spam submissions

2004-07-28 Thread Landry William

-Original Message-
From: Pete McNeil [mailto:[EMAIL PROTECTED]

LW> Pete, I put together a little script that modifies the Q*.SMD file
LW> for identified spam messages that were held in my spam directory,
LW> but were not tagged by Sniffer, and can forward a copy of these
LW> messages to your spam@ address.  However, the messages will look
LW> like they came from the original sender and will also show the
LW> original recipient on the "To" line.  For example, queue-file
LW> Qff1e0159007addb3.SMD could originally look like (all sender and
LW> recipient domains masked):



LW> This script is not automated so it is not going to be sending you
LW> unconfirmed spam.  We will only forward messages that have been
LW> confirmed by one of our staff to be spam and that Sniffer did not
LW> tag.  This way I can forward specific messages that end up in my
LW> spam directory to you from a remote command line on the server, and
LW> you will receive the message in its original intended format,
LW> including sender and recipient information.  I will not start
LW> forwarding spam to your spam@ address until I hear that this process
LW> would be okay with you.

This sounds great!

Thanks!
_M

PS: It is possible to create virtual spam traps on systems that use a
sufficient number of additional tests. Essentially, if the message would
normally be held or dropped based on the other tests and it still failed
Sniffer then it would be reasonable to automatically forward that to spam@
in the way you describe. In many cases this content is clean enough to be
processed with the same rules we use for normal spamtraps. We have been
considering the creation of a new class of processing for this kind of
virtual spamtrap.

=

Let me look into it a bit to see how I might be able to accomplish this.
I'll report back soon...

Bill



RE: [sniffer] FIN File

2004-07-29 Thread Landry William

It's an orphan, you can safely delete it.

Bill

-Original Message-
From: Keith Johnson [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 29, 2004 10:29 AM
To: [EMAIL PROTECTED]
Subject: [sniffer] FIN File


I found a .fin file in my sniffer directory and didn't know if anyone
knew what it was and how it is produced.  It is dated several days ago.
Thanks for the aid.

Keith



RE: Re[6]: [sniffer] Effectiveness (lately)

2004-07-29 Thread Landry William

That's strange, our Exchange server does not strip off any of the Declude
headers.

Bill

-Original Message-
From: John Tolmachoff (Lists) [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 29, 2004 11:52 AM
To: [EMAIL PROTECTED]
Subject: RE: Re[6]: [sniffer] Effectiveness (lately)


Should I continue to forward spam that is not caught then?

A problem I have is on the gatewayed domains, which are running Exchange:
Exchange strips out the header that Declude puts in, making it difficult to
see what happened and which tests caught it.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
> Sent: Thursday, July 29, 2004 10:52 AM
> To: John Tolmachoff (Lists)
> Subject: Re[6]: [sniffer] Effectiveness (lately)
> 
> On Thursday, July 29, 2004, 1:23:11 PM, John wrote:
> 
> JTL> Would the new attached fall under the same rule?
> 
> Yes. It looks like the same domain is involved.
> I've launched a compile of your rulebase - you should be updated very
> quickly.
> 
> In this case it seems that you started receiving these a few days
> before we got our first copy.
> 
> _M
> 
> 
> 
> 


RE: [sniffer] Curious Postfix Install Problem.

2004-09-01 Thread Landry William

Haven't seen it here, but sounds like it could possibly be some kind of
permissions issue.  What account is the script running under, and what are
the permissions on the file?

In my master.cf file (user=snfilter):

snfilter  unix  -       n       n       -       10      pipe
  flags=q user=snfilter argv=/var/spool/snfilter/sniffer
  -f ${sender} ${recipient}

The sniffer script file permissions:

-r-x------    1 snfilter root 3969 Jul 31 20:33 sniffer

Bill
-Original Message-
From: Pete McNeil [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, September 01, 2004 7:55 AM
To: [EMAIL PROTECTED]
Subject: [sniffer] Curious Postfix Install Problem.


Hello Sniffer Folks,

  I have come across a problem report that I can't simulate and I'm
  hoping one of you might have seen this and solved it. This is a new
  installation on Linux/Postfix.

  The report is:
  
  "With a new Postfix install, messages get scanned, and the sniffer
  log shows that they were tagged as spam, but no action is taken by
  the sniffer script.

  The script has been configured at different times to hold the
  message or to add the header information - neither action was taken
  even though the log shows that the message was scanned and
  identified as spam."

  Has anyone seen this before - I can't seem to make it happen on our
  test bed.

Thanks,
_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)
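
The two questions in Bill's reply (which account runs the script, and can that account use the file) can be checked mechanically. The following Python is an added example, not part of the thread or of Message Sniffer: it reads the user= and argv= attributes from a master.cf pipe entry and applies the usual Unix owner/group/other test. The master.cf excerpt and the numeric uids and gids are constructed.

```python
# Constructed master.cf excerpt modelled on the entry quoted in the reply.
MASTER_CF = """\
# constructed excerpt
smtp      inet  n       -       n       -       -       smtpd
snfilter  unix  -       n       n       -       10      pipe
  flags=q user=snfilter argv=/var/spool/snfilter/sniffer
  -f ${sender} ${recipient}
"""


def logical_lines(text):
    """Join master.cf continuation lines (lines that start with whitespace)."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out


def pipe_service(text, name):
    """Return {'user', 'group', 'argv'} for the named pipe service, or None."""
    for line in logical_lines(text):
        f = line.split()
        # Seven fixed columns, then the command name and its arguments.
        if len(f) < 8 or f[0] != name or f[7] != "pipe":
            continue
        svc = {"user": None, "group": None, "argv": []}
        args = f[8:]
        for i, arg in enumerate(args):
            if arg.startswith("user="):
                user, _, group = arg[5:].partition(":")
                svc["user"], svc["group"] = user, group or None
            elif arg.startswith("argv="):
                # argv= is the last attribute; the rest is the command line.
                svc["argv"] = [arg[5:]] + args[i + 1:]
                break
        return svc
    return None


def can_run(mode, file_uid, file_gid, uid, gids):
    """True if a non-root uid may read and execute a script with this mode."""
    if uid == file_uid:
        bits = (mode >> 6) & 7
    elif file_gid in gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return bits & 5 == 5          # an interpreted script needs r and x


def findings(svc, mode, file_uid, file_gid, uid, gids):
    """Describe what would stop the filter script from running safely."""
    if svc is None or not svc["argv"]:
        return ["no pipe service with an argv= attribute found"]
    out = []
    if not svc["user"]:
        out.append("pipe entry has no user= attribute")
    if not can_run(mode, file_uid, file_gid, uid, gids):
        out.append(f"{svc['user']} cannot read and execute {svc['argv'][0]}")
    if mode & 0o022:
        out.append("script is writable by group or others")
    return out


if __name__ == "__main__":
    svc = pipe_service(MASTER_CF, "snfilter")
    # Constructed ids: the script is owned by uid 1001 (snfilter), group 0.
    print(findings(svc, 0o100500, 1001, 0, 1001, {1001}))
```

On a live system the mode, uid and gid arguments would come from os.stat() on the script and from the passwd entry for the user= account.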





RE: Re[2]: [sniffer] Surprising missed spam

2004-09-14 Thread Landry William

Pete, I started running the new code this morning, and so far, so good.
I'll let you know if I see anything strange.

Bill

-Original Message-
From: Pete McNeil [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, September 14, 2004 8:56 AM
To: Agid, Corby
Subject: Re[2]: [sniffer] Surprising missed spam


On Tuesday, September 14, 2004, 11:41:48 AM, Corby wrote:

AC>  To which address should I send these?

AC> Also, I mis-stated the spam.  They were not plain text, but html, 
AC> but clearly have many "classic" spam attributes.  I will send them 
AC> along, but need to know where.

Please zip them and send them to support@

However, before you do this you might consider upgrading to the latest
interim release. We had another report like yours that was "apparently"
solved by the newest update (V2-3.0i2). It might be worth trying this first
to see if it solves the problem.

Please keep us posted.

Thanks,
_M






[sniffer] Increase in FPs

2004-09-14 Thread Landry William

I have seen a fairly substantial increase on false positives today.  I have submitted several FPs to the false@ address.  Has there been a big change in the core rulebase today?  I wouldn't think that upgrading to the new code this morning would cause this, would it?

Bill





RE: [sniffer] Increase in FPs

2004-09-15 Thread Landry William

-Original Message-
From: Pete McNeil [mailto:[EMAIL PROTECTED]

LW> I have seen a fairly substantial increase on false positives today. 
LW> I have submitted several FPs to the false@ address.  Has there been
LW> a big change in the core rulebase today?  I wouldn't think that
LW> upgrading to the new code this morning would cause this, would it?

> No, the upgrade should not have this effect.
> It appears that a number of secondary services we reference have had
> problems recently such as SORBS and SURBL. I've been pushing false
> processing to mitigate the problems quickly, we are adjusting our tuning
> parameters for candidate generation, and will continue to monitor conditions
> closely.

Thanks for the quick updates Pete, I've already received my rulebase
updates.  As always, your quick support is very much appreciated!

Bill



RE: Re[2]: [sniffer] Test ordering/precedence

2004-09-19 Thread Landry William

-Original Message-
From: Pete McNeil [mailto:[EMAIL PROTECTED] 

I've actually been thinking very strongly of reorganizing the rule group IDs
recently. Especially in light of the new changes we've made with robots et
al. The accuracy of the Experimental IP group has gone up considerably - and
most of the false positives you've discussed should be eliminated over time
(bounces especially).

All that said, I think the first step to reordering the groups might be to
change the sequence of the 4 highest numbers as follows:

63: Experimental Received [IP]
62: Obfuscation
61: Experimental Abstract
60: General

This order is based on a least to most specific order. It turns out that the
majority of General rules are simply specific patterns that don't fit
existing rule groups; Experimental Abstract tend to be either abstracted
patterns from specific or general patterns - or automatically generated URI
candidates; Obfuscation are patterns that detect obfuscation techniques that
are not specific to any particular kind of spam, and since Received [IP]
rules only identify a source they are the most generalized (whether manually
or automatically generated).

According to a recent spam test quality analysis the accuracy and coverage
for these groups in this order follows like this:

63: Experimental Received [IP]   SA = 0.81   Coverage =  7.63%
62: Obfuscation                  SA = 1.00   Coverage =  2.58%
61: Experimental Abstract        SA = 0.92   Coverage = 25.82%
60: General                      SA = 0.81   Coverage =  1.82%

How would you feel about this order?

++

I'm not Matt, but I very much like this idea.  Please let us know when you
plan to make this change so we can adjust our tests accordingly.

Thanks!

Bill



[sniffer] Sniffer misses "NIGERIAN" type spams

2004-09-19 Thread Landry William

Pete, I am wondering why Sniffer has such a problem detecting the so-called "NIGERIAN" types of spam.  It seems that I have been forwarding several of them daily to the spam@ address for weeks, but Sniffer still consistently misses them.  There must be some kind of pattern that Sniffer can trigger on to catch these types of spam.  It hasn't been a real problem for me since SpamAssassin always catches them, but for those that are not running SpamAssassin, they must see lots of these types of spam showing up in their inboxes daily.

Bill





RE: [sniffer] New beta v2-3.0i4

2004-10-12 Thread Landry William

It works for me.

Bill

-Original Message-
From: Frederick Samarelli [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 12, 2004 9:16 AM
To: [EMAIL PROTECTED]
Subject: Re: [sniffer] New beta v2-3.0i4


Link not working
- Original Message - 
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, October 12, 2004 11:55 AM
Subject: [sniffer] New beta v2-3.0i4


> Hello Sniffer Folks,
>
>  I have a new version of Message Sniffer ready for wide beta testing.
>
>  * This version has some tighter timing mechanisms for better
>  performance under heavy loads.
>
>  * This version has a new feature that will produce a .xhdr file
>  containing X-Header information that Message Sniffer would like to
>  emit into the message. Folks running *nix systems or otherwise
>  customizing sniffer will find this useful. Check the .cfg file for
>  details. NOTE: If you have sniffer generate a .xhdr file you must
>  delete it when you have finished processing your message.
>
>  You can find the beta distribution at:
>
> 
>

>
> Thanks,
> _M
>
> Pete McNeil (Madscientist)
> President, MicroNeil Research Corporation
> Chief SortMonster (www.sortmonster.com)
>
>
>


RE: [sniffer] New test version 2-3.0i7

2004-10-18 Thread Landry William

This is from Pete's message of 10/14/2004, announcing Version 2-3.0i5 to the
Sniffer list:

  MDaemon users should see a significant improvement in performance.
  Please let me know if this is true. The reason is that since most
  MDaemon systems integrate Message Sniffer through the content filter
  and the content filter in MDaemon is apparently single threaded. The
  performance tuning features of this version allow the client and
  persistent server instances to coordinate much more closely with
  regard to the available computing power in the system so that
  polling delays _should be_ reduced significantly. _IN THEORY_ the
  improved signaling between client and persistent server instances
  will allow "polling synchronization" such that the highest possible
  performance for the hardware and load conditions can be achieved.

I would guess that this is still true of Version 2-3.0i7
Bill

-Original Message-
From: Michiel Prins [mailto:[EMAIL PROTECTED]
Sent: Monday, October 18, 2004 2:20 PM
To: [EMAIL PROTECTED]
Subject: RE: [sniffer] New test version 2-3.0i7


Does this version have speed improvements over the previous official
release, when NOT using the persistent option (with Mdaemon)? 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Pete McNeil
Sent: zondag 17 oktober 2004 21:39
To: [EMAIL PROTECTED]
Subject: [sniffer] New test version 2-3.0i7

Hello Sniffer Folks,

  Here is the latest interim/beta version. Everyone who is using an
  interim version is encouraged strongly to move to this one
  (2-3.0i7). This version fixes a "client recovery bug". The client
  recovery bug prevented client instances from recovering if something
  went wrong with the client-server process. Under normal
  circumstances the client will load the rulebase and process the
  message itself if it detects a problem with the result it should
  receive from a server instance. The bug would cause this to fail
  resulting in a "Fail Safe" return value - thus causing additional
  spam to get through.

  Though the problem with the recovery logic is fixed now, the main
  source of recovery cases is not yet resolved. At random intervals
  and to varying degrees on different systems, the client instance in
  a persistent server configuration will be unable to open the job
  file with its result. The server instance does not report an error.
  Retrying the open operation after a delay does not result in
  success. I'm still working on that one. In any case, this version
  handles those cases.

 


  This version also includes new "Diagnostics" code which will produce
  a diagnostics file containing all of the major peer-server
  coordination events. The diagnostics can be turned on/off in the
  configuration file.

  Note that the configuration file has changed in this distribution.
  The changes are only additions, so your old .cfg file will work if
  you do not wish to use any of the new features.

  This version is backward compatible as a drop-in replacement.

Thanks,
_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)



This E-Mail came from the Message Sniffer mailing list. For information and
(un)subscription instructions go to
http://www.sortmonster.com/MessageSniffer/Help/Help.html





---
This message and any included attachments are from Siemens Medical Solutions 
USA, Inc. and are intended only for the addressee(s).  
The information contained herein may include trade secrets or privileged or 
otherwise confidential information.  Unauthorized review, forwarding, printing, 
copying, distributing, or using such information is strictly prohibited and may 
be unlawful.  If you received this message in error, or have reason to believe 
you are not authorized to receive it, please promptly delete this message and 
notify the sender by e-mail with a copy to [EMAIL PROTECTED] 

Thank you



RE: [sniffer] 2-3.0i9 looks good to me... How about you?

2004-10-25 Thread Landry William

It's been running fine here on both of our servers for the past few days.

Bill

-Original Message-
From: Pete McNeil [mailto:[EMAIL PROTECTED]
Sent: Monday, October 25, 2004 4:33 PM
To: [EMAIL PROTECTED]
Subject: [sniffer] 2-3.0i9 looks good to me... How about you?


Hello Sniffer Folks,

  I'd like to get an idea how many have tried the Release Candidate
  2-3.0i9 that was announced the end of last week. I've not heard of
  any issues, and our testing has all been positive (faster, more
  stable, new features work as expected...)

  Based on what I've seen so far I believe this version is ready to
  become the official 2-3.1 release... but I would like to get an idea
  of how many folks are using it successfully already (I've not heard
  any problem reports.)

  So, what do you all say? Is this one ready to go?!

Thanks,
_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)





RE: Re[2]: [sniffer] 2-3.0i9 looks good to me... How about you?

2004-10-26 Thread Landry William

Aren't you using the compression option to gzip your files before
downloading them?  This compresses a 14mb file down to about 4mb, which
greatly helps in the download times and reduces the bandwidth requirements
on the SortMonster end.  Also, are you downloading on some fixed schedule or
when update notifications are sent out?  If downloading by schedule, then
use the wget "-N" flag so that you only actually download the file if it has
changed:

-N,  --timestamping            don't re-retrieve files unless newer than local.

Bill

-Original Message-
From: Nick Justice [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 26, 2004 4:03 PM
To: [EMAIL PROTECTED]
Subject: RE: Re[2]: [sniffer] 2-3.0i9 looks good to me... How about you?


Do we have a timetable for this new release? Sorry, can't afford
time to beta test!
I do get alarmed at the huge .snf file at around 14 meg for my
personal rule base. Is this optimised in any way or will it
continue to grow?

_Nick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Tuesday, October 26, 2004 3:29 PM
To: Glenn Brooks
Subject: Re[2]: [sniffer] 2-3.0i9 looks good to me... How about
you?


On Tuesday, October 26, 2004, 11:03:45 AM, Glenn wrote:

GB> can you send the link to this again



There you go,
_M




[This E-mail scanned for viruses by Declude Version 1.81  using
the F-Prot Antivirus engine]




RE: Re[2]: [sniffer] 2-3.0i9 looks good to me... How about you?

2004-10-27 Thread Landry William

Here is what I've been using for several months now, compiled from the
original Sniffer autosnf.cmd file and suggestions found on this list:
=
rem First, get the updated rules file from the web site.

wget -N http://www.sortmonster.net/Sniffer/Updates/rulebase.snf -O rulebase.new.gz --header=Accept-Encoding:gzip --http-user=sniffer --http-passwd=ki11sp8m -o snfupd.txt

rem Uncompress the rulebase file.

gzip -d -f rulebase.new.gz

rem If that worked, then there will be a rulebase.new file.

if exist rulebase.new goto Replace

rem If the above test fails, then we skip to the end of the file
rem and take no further action. Everything stays as it is.

goto Done

rem If the test didn't fail we'll replace our file.

:Replace

rem The check utility gets the ID from the name but it ignores the
rem extension so we'll rename it for the test.

rename rulebase.new rulebase.tst

rem Now we need to test the file and check our error level. If the
rem check fails we'll skip to the end

snf2check.exe rulebase.tst license-id
if errorlevel 1 goto Done

echo New File Tested GOOD!

rem If we didn't fail then we can go ahead and make the switch.

if exist rulebase.old del rulebase.old
rename rulebase.snf rulebase.old
rename rulebase.tst rulebase.snf

rem Handle any additional successful system updates here (before Done).

:Done

rem If things went well we're all ok.
rem If something went wrong then we'll do a bit of cleanup.

if exist rulebase.tst del rulebase.tst
=

Copy everything between the equal signs and paste it into your autosnf.cmd
file.  Rename "rulebase" everywhere in the script with your Sniffer rulebase
name and rename "license-id" to your actual Sniffer License ID.  Then you
can set it to check hourly via Task Scheduler and it will only download if
the file has changed, and if it has, it will send a request to the Sniffer
server to compress the file before downloading.

Also, watch for word-wrapping, the "wget" line should be one long line.  The
snfupd.txt file will allow you to check the status of each download attempt,
as it is created (overwriting the existing file) with each download attempt.

Bill

-Original Message-
From: Darrell ([EMAIL PROTECTED]) [mailto:[EMAIL PROTECTED]

Sent: Wednesday, October 27, 2004 6:47 PM
To: [EMAIL PROTECTED]
Subject: Re: Re[2]: [sniffer] 2-3.0i9 looks good to me... How about you?


Does anyone have a little dissertation on how they have this set up?

Darrell
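The unpack, check and swap steps of the script above, as an added example (not part of the thread and not Sniffer's own code). It covers two cases the batch file does not: a download that arrives uncompressed because the server ignored the gzip request, and a swap that never leaves the directory without a live rulebase. The function names and the sample bytes are constructed; `snf2check.exe` and its arguments are taken from the script, and the example assumes it is on PATH.

```python
import gzip
import os
import shutil
import subprocess
import zlib
from pathlib import Path

GZIP_MAGIC = b"\x1f\x8b"  # first two bytes of every gzip stream


def unpack_download(downloaded: Path, candidate: Path) -> bool:
    """Copy the download to `candidate`, gunzipping only if it really is gzip.

    Returns True when the payload was compressed. A server that ignores the
    Accept-Encoding request header sends the rulebase as-is.
    """
    with open(downloaded, "rb") as fh:
        compressed = fh.read(2) == GZIP_MAGIC
    opener = gzip.open if compressed else open
    with opener(downloaded, "rb") as src, open(candidate, "wb") as dst:
        shutil.copyfileobj(src, dst)
    return compressed


def snf2check_validator(license_id: str, exe: str = "snf2check.exe"):
    """Build a validator that runs the check command used in the batch script.

    Exit status 0 is treated as a pass, matching `if errorlevel 1 goto Done`.
    Assumption: `exe` is on PATH or given as a full path.
    """
    def validate(candidate: Path) -> bool:
        # Run in the candidate's directory and pass the bare file name,
        # as the batch script does.
        result = subprocess.run([exe, candidate.name, license_id],
                                cwd=candidate.parent)
        return result.returncode == 0
    return validate


def install_rulebase(downloaded, live, validate) -> str:
    """Unpack, validate and install a rulebase; return a status string.

    "installed": candidate passed validation and replaced the live file.
    "rejected":  candidate was empty or failed validation; live file untouched.
    "error":     I/O or decompression failure; live file untouched.
    """
    downloaded, live = Path(downloaded), Path(live)
    candidate = live.with_suffix(".tst")   # rulebase.tst, as in the script
    backup = live.with_suffix(".old")      # rulebase.old, as in the script
    try:
        unpack_download(downloaded, candidate)
        if candidate.stat().st_size == 0 or not validate(candidate):
            return "rejected"
        if live.exists():
            shutil.copy2(live, backup)     # keep a rollback copy first
        os.replace(candidate, live)        # single rename over the live file
        return "installed"
    except (OSError, EOFError, zlib.error):
        # Truncated or corrupt gzip, locked file, full disk, and so on.
        return "error"
    finally:
        if candidate.exists():
            candidate.unlink()


if __name__ == "__main__":
    import tempfile
    work = Path(tempfile.mkdtemp())
    live = work / "rulebase.snf"
    live.write_bytes(b"OLD RULES")                        # constructed stand-in
    new = work / "rulebase.new.gz"
    new.write_bytes(gzip.compress(b"SAMPLE new rules"))   # constructed download
    fake_check = lambda p: p.read_bytes().startswith(b"SAMPLE")
    print(install_rulebase(new, live, fake_check), live.read_bytes())
```

In production the third argument would be `snf2check_validator("license-id")` with the real License ID.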



RE: [sniffer] Imail

2004-10-28 Thread Landry William

Yep, we reported a bug to Ipswitch several months ago, as well, and followed
up several times since then, and although they have released IMail patches
since we reported this, they have not fixed the issue.  It has to do with
passwords not being case sensitive when using SQL as your user database.  It
was introduced in one of their more recent 8.xx patches, so it seems like it
should be a pretty simple fix, but no such luck...

Bill

-Original Message-
From: Computer House Support [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 28, 2004 11:44 AM
To: [EMAIL PROTECTED]
Subject: [sniffer] Imail


Hello Sniffer folks,

Want to know why I have not renewed my Ipswitch Support Agreement?

Here is their response to a serious bug that I reported. (Which has yet to 
be fixed).


Mike,
Our Development Team has looked into this issue and has verified it as a 
defect that was introduced in Imail v8.1.  Changes to this functionality 
would take an extended period of time; this is the reason we do not have any
current plans to address this.

Best Regards,
Daniel J Whitaker
Messaging Support Team
Ipswitch, Inc.



Michael Stein
Computer House
www.computerhouse.com
(609) 652-3222





RE: Re[5]: [sniffer] Version 2-3.1 Official Release

2004-10-28 Thread Landry William

It should be included in the zip/gzip file you downloaded.

Bill

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 28, 2004 3:28 PM
To: Pete McNeil
Subject: Re[5]: [sniffer] Version 2-3.1 Official Release


Hi,

I have no .cfg in the sniffer directory.  Would it be located anywhere
else?

I'm really behind here...can you get me up to speed as to what the .cfg
file does and what changes I would want to make to it if I decide to use
it?

Thanks,
Andrew Baldwin

[EMAIL PROTECTED]
http://www.thumpernet.com 
315-282-0020

Thursday, October 28, 2004, 5:38:20 PM, you wrote:

> On Thursday, October 28, 2004, 5:20:43 PM, Scott wrote:

SF>> Does the cfg file need to be renamed with your license id also?

> Yes, sorry I missed that step.
> The program identifies all of its important files by the license ID,
> so yes, the .cfg file must also be named for the license ID as in
> [licensid.cfg].

> Thanks for the catch!
> _M






RE: [sniffer] Rulebase download script

2004-10-30 Thread Landry William

Sure, executing the script via the e-mail notification would work fine.
However, in that case you will not really need to test that the rulebase
file has changed, so you could remove the "-N" switch from the wget line.

Bill

-Original Message-
From: Sheldon Koehler [mailto:[EMAIL PROTECTED] 
Sent: Saturday, October 30, 2004 5:08 PM
To: [EMAIL PROTECTED]
Subject: Re: [sniffer] Rulebase download script


> You will need to rename the script file from ".txt" to ".cmd" in order 
> to use (used ".txt" in order to bypass filter rules and virus 
> scanners).  You can then schedule the script to run via "Scheduled 
> Tasks"

Bill,

Can it also be run from the Imail command via email notifications?

Sheldon




RE: [sniffer] Rulebase download script

2004-10-31 Thread Landry William

Andrew, the compression of the rulebase files is not an issue on the Sniffer
server end, because it is working fine for me.  My uncompressed rulebase files
are about 14mb, but compress down to just under 4mb before the download.  I am
using GNU Wget 1.9.1, so you might try this version or see if there is an
updated version of the wget that you are using.
 
Bill

  
-Original Message-
From: Colbeck, Andrew [mailto:[EMAIL PROTECTED]
Sent: Saturday, October 30, 2004 5:25 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [sniffer] Rulebase download script

Bill, you the man!

I was just polishing my own script based on comments made by you and Bonno at
the end of the week!  My modest efforts are attached as a .txt file.

A few comments from my own efforts:

The wget compress option to save me and Pete some bandwidth isn't working for
me.  I don't know if the problem lies in my Win32 wget or in Pete's webserver
options.  If it's Pete's server, then your gzip is happy to find no compressed
file, and return you the original format.

My script checks the result file (your snfupd.txt) and skips the replace step
if the download was skipped or errored out.

My script rotates the Sniffer log before quitting.

I'm including it for posterity, and to help the folks in the cheap seats.  I
haven't bothered with variables.

Andrew 8)

p.s. Instead of Scheduled Tasks, I use the "AT" command from the command line
so that the update runs as the SYSTEM account; I'd rather have multiple AT
commands than remember to change the password on an account and all of its
Scheduled Tasks.
  

-Original Message-
From: Landry William [mailto:[EMAIL PROTECTED]
Sent: Saturday, October 30, 2004 4:48 PM
To: '[EMAIL PROTECTED]'
Subject: [sniffer] Rulebase download script

Attached is an updated rulebase download script for Windows environments that
includes variable usage, better comments, gzip compression via wget, new file
testing before download, and the ability to e-mail yourself the script
results, if desired.  This script has been compiled from suggestions to this
list and from my own script.

You will need to rename the script file from ".txt" to ".cmd" in order to use
(used ".txt" in order to bypass filter rules and virus scanners).  You can
then schedule the script to run via "Scheduled Tasks".

Enjoy!

Bill


  
  

RE: [sniffer] Persistent Server setup with SrvAny Resource Kit tool

2004-10-31 Thread Landry William

Hmmm, that's strange, since I use SrvAny, as well.  And it has worked with
all Sniffer updates since the first persistent version was released.  Also,
my "Parameters" registry entry does not look anything like yours:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sniffer\Parameters]
Application:REG_SZ:m:\imail\declude\tpa\sniffer\LicenseID.exe AuthCode persistent

Bill

-Original Message-
From: Andy Schmidt [mailto:[EMAIL PROTECTED] 
Sent: Sunday, October 31, 2004 10:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [sniffer] Persistent Server setup with SrvAny Resource Kit tool


Hi,

I had set up the previous version of Sniffer in persistent mode using the
Win2k Server Resource Kit tool "SrvAny" (I don't like to install "fourth"
party utilities on my production machines, if Microsoft tools are readily
available).

In the NEW Sniffer version I noticed that my log files were not rotating.
Upon further investigation it became clear, that Sniffer was no longer
running in persistent mode since the upgrade (thus ignoring the "rotate"
command). The clue was a missing "*.persistent.stat" file.

After some experimenting I determined that the problem was that (at least on
MY machine) Sniffer now requires the explicit specification of an
application working directory.

Here is my updated SrvAny configuration:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sniffer\Parameters]

"Application"="D:\\IMAIL\\Sniffer\\Win32\\MyLicenseKey.exe"
"AppParameters"="MyAuthorizationCode persistent"
"AppDirectory"="D:\\IMAIL\\Sniffer\\Win32"

Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206 



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Andy Schmidt
Sent: Sunday, October 31, 2004 09:19 PM
To: [EMAIL PROTECTED]
Subject: [sniffer] LogRotate no longer working?


Hi,

After 10/28 the log files have not been rotating.  I even logged into the
server and executed the "send-rotate" - but the current log file just
continues to grow:

10/24/2004  11:00p   1,324,321 x.log.20041025040052
10/25/2004  05:44a   1,303,683 x.log.20041025104510
10/25/2004  01:37p   1,711,062 x.log.20041025183751
10/25/2004  08:25p   1,403,988 x.log.20041026012528
10/26/2004  03:19a   1,100,582 x.log.20041026082022
10/26/2004  11:17a   2,158,910 x.log.20041026161756
10/26/2004  07:11p   1,999,926 x.log.20041027001129
10/27/2004  01:53a   1,619,614 x.log.20041027065310
10/27/2004  09:52a   1,689,744 x.log.20041027145244
10/27/2004  04:41p   1,591,043 x.log.20041027214159
10/28/2004  01:11a   1,598,140 x.log.20041028061150
10/28/2004  07:22a   1,137,471 x.log.20041028122216
10/28/2004  02:27p   1,518,661 x.log.20041028192727

10/31/2004  09:09p  16,790,875 x.log


Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206 
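A check over the directory listing from the "LogRotate no longer working?" message above, as an added example (not part of the thread and not Sniffer's own code). It flags stalled rotation when the active log is much older or much larger than any rotated log, and reports whether a `*.persistent.stat` file is listed; the function names and the factor of 3 are assumptions.

```python
import re
from datetime import datetime
from typing import NamedTuple

# Directory listing copied from the message above.
LISTING = """\
10/24/2004  11:00p   1,324,321 x.log.20041025040052
10/25/2004  05:44a   1,303,683 x.log.20041025104510
10/25/2004  01:37p   1,711,062 x.log.20041025183751
10/25/2004  08:25p   1,403,988 x.log.20041026012528
10/26/2004  03:19a   1,100,582 x.log.20041026082022
10/26/2004  11:17a   2,158,910 x.log.20041026161756
10/26/2004  07:11p   1,999,926 x.log.20041027001129
10/27/2004  01:53a   1,619,614 x.log.20041027065310
10/27/2004  09:52a   1,689,744 x.log.20041027145244
10/27/2004  04:41p   1,591,043 x.log.20041027214159
10/28/2004  01:11a   1,598,140 x.log.20041028061150
10/28/2004  07:22a   1,137,471 x.log.20041028122216
10/28/2004  02:27p   1,518,661 x.log.20041028192727

10/31/2004  09:09p  16,790,875 x.log
"""

# date, 12-hour time with a/p suffix, size with thousands separators, name
LINE = re.compile(
    r"^(\d{2})/(\d{2})/(\d{4})\s+(\d{1,2}):(\d{2})([ap])\s+([\d,]+)\s+(\S+)$")
ROTATED = re.compile(r".+\.log\.\d{14}")  # rotated logs carry a 14-digit suffix


class Entry(NamedTuple):
    name: str
    size: int
    mtime: datetime


def parse_listing(text):
    """Parse `dir`-style lines into Entry records; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        mon, day, year, hh, mm, ap, size, name = m.groups()
        hour = int(hh) % 12 + (12 if ap == "p" else 0)   # 12a -> 0, 12p -> 12
        when = datetime(int(year), int(mon), int(day), hour, int(mm))
        entries.append(Entry(name, int(size.replace(",", "")), when))
    return entries


def _minutes(delta):
    return int(delta.total_seconds() // 60)


def rotation_report(entries, factor=3):
    """Compare the active log with the rotated ones and flag a stall."""
    rotated = sorted((e for e in entries if ROTATED.fullmatch(e.name)),
                     key=lambda e: e.mtime)
    active = next((e for e in entries if e.name.endswith(".log")), None)
    report = {
        "rotated_count": len(rotated),
        "persistent_stat_present": any(
            e.name.endswith(".persistent.stat") for e in entries),
        "stalled": None,          # None: not enough data to decide
    }
    if active is None or len(rotated) < 2:
        return report
    intervals = [_minutes(b.mtime - a.mtime)
                 for a, b in zip(rotated, rotated[1:])]
    report["max_interval_minutes"] = max(intervals)
    report["gap_minutes"] = _minutes(active.mtime - rotated[-1].mtime)
    report["largest_rotated_bytes"] = max(e.size for e in rotated)
    report["active_bytes"] = active.size
    report["stalled"] = (
        report["gap_minutes"] > factor * report["max_interval_minutes"]
        or report["active_bytes"] > factor * report["largest_rotated_bytes"])
    return report


if __name__ == "__main__":
    print(rotation_report(parse_listing(LISTING)))
```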




RE: [sniffer] Persistent Server setup with SrvAny Resource Kit tool

2004-11-01 Thread Landry William

No, nothing was typed into the Services window.  The Sniffer service was
installed using the SrvAny W2K ResKit guidelines and the service starts
automatically when the server is rebooted.

Bill

-Original Message-
From: Andy Schmidt [mailto:[EMAIL PROTECTED] 
Sent: Sunday, October 31, 2004 11:38 PM
To: [EMAIL PROTECTED]
Subject: RE: [sniffer] Persistent Server setup with SrvAny Resource Kit tool


I suspect you typed your application startup parameters into the services
control panel window?  

That's one way to do it - although the SrvAny documentation seemed to imply
that these startup parameters (if typed into the Control Panel window) would
only apply to manual starts, not automatic starts.

Of course, mine is Windows 2000 Server Resource Kit - yours may be
different.

And, I assume you have checked your sniffer folder to confirm a presence of
the persistent.stat file with the very current time-stamp?


Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206 




RE: [sniffer] Persistent Server setup with SrvAny Resource Kit tool

2004-11-01 Thread Landry William

Oh, and yes, "net start" shows the Sniffer service running and I have a
LicenseID.persistent.stat file on both of my IMail/Declude/Sniffer servers
and it is periodically updated (cat or type the file and you will see that
the data it contains updates every second, I believe).

Bill
-Original Message-
From: Andy Schmidt [mailto:[EMAIL PROTECTED] 
Sent: Sunday, October 31, 2004 11:38 PM
To: [EMAIL PROTECTED]
Subject: RE: [sniffer] Persistent Server setup with SrvAny Resource Kit tool


I suspect you typed your application startup parameters into the services
control panel window?  

That's one way to do it - although the SrvAny documentation seemed to imply,
that these startup parameters (if typed into the Control Panel window, would
only apply to manual starts, not automatic starts.

Of course, mine is Windows 2000 Server Resource Kit - yours may be
different.

And, I assume you have checked your sniffer folder to confirm a presence of
the persistent.stat file with the very current time-stamp?


Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206 



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Landry William
Sent: Monday, November 01, 2004 02:15 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [sniffer] Persistent Server setup with SrvAny Resource Kit tool



Hmmm, that's strange, since I use SrvAny, as well.  And it has worked with
all Sniffer updates since the first persistent version was released.  Also,
my "Parameters" registry entry does not look anything like yours:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sniffer\Parameters]
Application:REG_SZ:m:\imail\declude\tpa\sniffer\LicenseID.exe AuthCode
persistent

Bill

-Original Message-
From: Andy Schmidt [mailto:[EMAIL PROTECTED] 
Sent: Sunday, October 31, 2004 10:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [sniffer] Persistent Server setup with SrvAny Resource Kit tool


Hi,

I had set up the previous version of Sniffer in persistent mode using the
Win2k Server Resource Kit tool "SrvAny" (I don't like to install "forth"
party utilities on my production machines, if Microsoft tools are readily
available).

In the NEW Sniffer version I noticed that my log files were not rotating.
Upon further investigation it became clear, that Sniffer was no longer
running in persistent mode since the upgrade (thus ignoring the "rotate"
command). The clue was a missing "*.persistent.stat" file.

After some experimenting I determined that the problem was that (at least on
MY machine) Sniffer now requires the explicit specification of a an
application working directory.

Here is my updated SrvAny configuration:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sniffer\Parameters]

"Application"="D:\\IMAIL\\Sniffer\\Win32\\MyLicenseKey.exe"
"AppParameters"="MyAuthorizationCode persistent"
"AppDirectory"="D:\\IMAIL\\Sniffer\\Win32"

Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206 



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Andy Schmidt
Sent: Sunday, October 31, 2004 09:19 PM
To: [EMAIL PROTECTED]
Subject: [sniffer] LogRotate no longer working?


Hi,

After 10/28 the log files have not been rotating.  I even logged into the
server and executed the "send-rotate" - but the current log file just
continues to grow:

10/24/2004  11:00p   1,324,321 x.log.20041025040052
10/25/2004  05:44a   1,303,683 x.log.20041025104510
10/25/2004  01:37p   1,711,062 x.log.20041025183751
10/25/2004  08:25p   1,403,988 x.log.20041026012528
10/26/2004  03:19a   1,100,582 x.log.20041026082022
10/26/2004  11:17a   2,158,910 x.log.20041026161756
10/26/2004  07:11p   1,999,926 x.log.20041027001129
10/27/2004  01:53a   1,619,614 x.log.20041027065310
10/27/2004  09:52a   1,689,744 x.log.20041027145244
10/27/2004  04:41p   1,591,043 x.log.20041027214159
10/28/2004  01:11a   1,598,140 x.log.20041028061150
10/28/2004  07:22a   1,137,471 x.log.20041028122216
10/28/2004  02:27p   1,518,661 x.log.20041028192727

10/31/2004  09:09p  16,790,875 x.log


Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206 


This E-Mail came from the Message Sniffer mailing list. For information and
(un)subscription instructions go to
http://www.sortmonster.com/MessageSniffer/Help/Help.html




---
This message and any included attachments are from Siemens Medical Solutions

USA, Inc. an

RE: [sniffer] Persistent Server setup with SrvAny Resource Kit tool

2004-11-01 Thread Landry William

Tlist shows:

3784 srvany.exe
4248 LisenseID.exe

And I always have a persistent .SRV running in the Sniffer directory that
matches the PID that tlist displays and never changes, except for the
refresh date/time every 10 minutes:

11/01/2004  07:14a  0 LicenseID-20041028071407xAAF83996-4248.SVR

Bill

-Original Message-
From: Andy Schmidt [mailto:[EMAIL PROTECTED] 
Sent: Monday, November 01, 2004 5:50 AM
To: [EMAIL PROTECTED]
Subject: RE: [sniffer] Persistent Server setup with SrvAny Resource Kit tool


Hi,

>> Oh, and yes, "net start" shows the Sniffer service running <<

That can be misleading.  The "Sniffer" service shows running, because
srvany.exe is executing!  (Check your task manager, you'll see an instance
of srvany.exe - that's why it shows running.).

It showed running on my end all the time.  However in my case, on start,
srvany.exe launched my sniffer.exe - which then promptly ended because it
didn't have the necessary files.  Yet, the "Sniffer" (srvany.exe) service
kept showing running (and technically, it was).

>> and I have a LicenseID.persistent.stat <<

That's the only true measure - then you should be alright!


Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206 



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Landry William
Sent: Monday, November 01, 2004 03:32 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [sniffer] Persistent Server setup with SrvAny Resource Kit tool



Oh, and yes, "net start" shows the Sniffer service running and I have a
LicenseID.persistent.stat fine on both of my IMail/Declude/Sniffer servers
and it is periodically updated (cat or type the file and you will see that
the data it contains updates every second, I believe).

Bill
-Original Message-
From: Andy Schmidt [mailto:[EMAIL PROTECTED] 
Sent: Sunday, October 31, 2004 11:38 PM
To: [EMAIL PROTECTED]
Subject: RE: [sniffer] Persistent Server setup with SrvAny Resource Kit tool


I suspect you typed your application startup parameters into the services
control panel window?  

That's one way to do it - although the SrvAny documentation seemed to imply
that these startup parameters (if typed into the Control Panel window) would
only apply to manual starts, not automatic starts.

Of course, mine is Windows 2000 Server Resource Kit - yours may be
different.

And, I assume you have checked your sniffer folder to confirm a presence of
the persistent.stat file with the very current time-stamp?


Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206 



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Landry William
Sent: Monday, November 01, 2004 02:15 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [sniffer] Persistent Server setup with SrvAny Resource Kit tool



Hmmm, that's strange, since I use SrvAny, as well.  And it has worked with
all Sniffer updates since the first persistent version was released.  Also,
my "Parameters" registry entry does not look anything like yours:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sniffer\Parameters]
Application:REG_SZ:m:\imail\declude\tpa\sniffer\LicenseID.exe AuthCode
persistent

Bill

-Original Message-
From: Andy Schmidt [mailto:[EMAIL PROTECTED] 
Sent: Sunday, October 31, 2004 10:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [sniffer] Persistent Server setup with SrvAny Resource Kit tool


Hi,

I had set up the previous version of Sniffer in persistent mode using the
Win2k Server Resource Kit tool "SrvAny" (I don't like to install "forth"
party utilities on my production machines, if Microsoft tools are readily
available).

In the NEW Sniffer version I noticed that my log files were not rotating.
Upon further investigation it became clear, that Sniffer was no longer
running in persistent mode since the upgrade (thus ignoring the "rotate"
command). The clue was a missing "*.persistent.stat" file.

After some experimenting I determined that the problem was that (at least on
MY machine) Sniffer now requires the explicit specification of an
application working directory.

Here is my updated SrvAny configuration:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sniffer\Parameters]

"Application"="D:\\IMAIL\\Sniffer\\Win32\\MyLicenseKey.exe"
"AppParameters"="MyAuthorizationCode persistent"
"AppDirectory"="D:\\IMAIL\\Sniffer\\Win32"

Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206 



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Andy Schmidt
Sent: Sunday, October 31, 2004 09:19 PM
To: [EMAIL PROTECTED]
Subject: [sniffer] LogRotate no longer working?


Hi,

After 10/28 th

RE: [sniffer] Your Sniffer Setup

2004-11-01 Thread Landry William

See http://support.microsoft.com/default.aspx?scid=kb;en-us;137890 for
simplified instructions.

Bill

-Original Message-
From: Andy Schmidt [mailto:[EMAIL PROTECTED] 
Sent: Monday, November 01, 2004 6:26 AM
To: 'Keith Johnson'
Subject: RE: [sniffer] Your Sniffer Setup


Hi Keith,

It's pretty straightforward:

A) Download the Windows 2000 Server Resource Kit utilities.
B) Locate the path to srvany.exe.
C) run: 
   instsrv Sniffer c:\path-to-resource-kit\srvany.exe 

   "Sniffer" is just the name that will appear in the services applet later

D) Start RegEdit and add the following entries to the new "Sniffer" service
you just created:

Add a new Parameters subkey in the following registry location: 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sniffer

Add new subkeys to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sniffer\Parameters

as follows:

Application: REG_SZ: C:\Your.Path.to.your\sniffer-license-code.exe
AppParameters: REG_SZ: sniffer-license-code.exe your-authorization-code
AppDirectory: REG_SZ: C:\Your.Path.to.sniffer\

E) Start the "Service" Control Panel application, and START the service.
Soon, you should see a *.persistent.stat file in your sniffer folder.  Once
that appears, you are running in persistent mode.

F) Change the "Service" from manual start to automatic start.


Other list-members seem to have different ways to use SRVANY.exe - I
followed the instructions from the Resource Kit Tool Help that I was able to
find.

Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206 



-Original Message-
From: Keith Johnson [mailto:[EMAIL PROTECTED] 
Sent: Monday, November 01, 2004 08:54 AM
To: Andy Schmidt
Subject: Your Sniffer Setup


Andy,
I saw your posting on the Sniffer forum and wanted to contact you
regarding your Sniffer Persistent setup.  We push over 200K emails on 3
servers (Win2K SP4) and are still running Sniffer in the general sense.  I
noticed you were using SrvAny and the like, do you have any documentation
you don't mind sharing on your steps to get sniffer in a persistent mode?
Thanks for the aid and time.



---
Keith Johnson
Senior Network Engineer
Network Advocates, Inc.
9001 Shelbyville Road
Burhans Hall, Suite 260
Louisville, KY 40228
TEL: 502.992.5928
FAX: 502.412.1058



---
This message and any included attachments are from Siemens Medical Solutions 
USA, Inc. and are intended only for the addressee(s).  
The information contained herein may include trade secrets or privileged or 
otherwise confidential information.  Unauthorized review, forwarding, printing, 
copying, distributing, or using such information is strictly prohibited and may 
be unlawful.  If you received this message in error, or have reason to believe 
you are not authorized to receive it, please promptly delete this message and 
notify the sender by e-mail with a copy to [EMAIL PROTECTED] 

Thank you
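
Added example, not written by any list member and not from the Sniffer or SrvAny documentation: a PowerShell sketch of the SrvAny Parameters setup from steps D onward, plus a check for the point made earlier in the thread that a "running" service only proves srvany.exe is alive. The service name "Sniffer" and the value names Application, AppParameters and AppDirectory come from the posts; the function names and the 10-minute freshness window are assumptions.

```powershell
# Added example. Run elevated, after "instsrv Sniffer <path>\srvany.exe".
function Set-SrvAnyParameters {
    param(
        [Parameter(Mandatory)][string]$Application,    # full path to <license-id>.exe
        [Parameter(Mandatory)][string]$AppParameters,  # e.g. '<auth-code> persistent'
        [Parameter(Mandatory)][string]$AppDirectory,   # Sniffer working directory
        [string]$ServiceName = 'Sniffer'
    )
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName\Parameters"
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
    $values = @{ Application = $Application; AppParameters = $AppParameters; AppDirectory = $AppDirectory }
    foreach ($name in $values.Keys) {
        New-ItemProperty -Path $key -Name $name -Value $values[$name] -PropertyType String -Force | Out-Null
    }
}

function Test-SnifferPersistent {
    param(
        [string]$ServiceName = 'Sniffer',
        [int]$MaxStatAgeMinutes = 10    # assumed freshness window; tune per site
    )
    $problems = @()
    $notes    = @()
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName\Parameters"

    # 1. Service Control Manager view. "Running" only proves srvany.exe is alive.
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if (-not $svc) { $problems += "service '$ServiceName' is not installed" }
    elseif ($svc.Status -ne 'Running') { $problems += "service status is $($svc.Status)" }

    # 2. SrvAny parameters. Both layouts from the thread are accepted: everything
    #    in Application, or Application + AppParameters + AppDirectory.
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $p -or -not $p.Application) {
        $problems += "no Application value under $key"
        return [pscustomobject]@{ Healthy = $false; Problems = $problems; Notes = $notes }
    }
    $cmdLine = ("{0} {1}" -f $p.Application, $p.AppParameters).Trim()
    if ($cmdLine -match '^\s*"?(?<exe>.+?\.exe)"?(\s|$)') {
        $exe = $Matches['exe']
    } else {
        # The value is not echoed: in the single-line layout it holds the auth code.
        $problems += 'Application value does not start with an .exe path'
        return [pscustomobject]@{ Healthy = $false; Problems = $problems; Notes = $notes }
    }
    if ($cmdLine -notmatch '(^|\s)persistent(\s|$)') {
        $problems += "'persistent' is not on the command line SrvAny will launch"
    }
    if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) {
        $problems += "executable not found: $exe"
    }

    # 3. Working directory: AppDirectory if set, otherwise the executable's folder.
    $dir = $p.AppDirectory
    if (-not $dir) {
        $dir = Split-Path -Path $exe -Parent
        $notes += 'AppDirectory not set; looking for the stat file beside the executable'
    }

    # 4. The child process. If it exited at start-up, srvany.exe keeps running anyway.
    $procName = [System.IO.Path]::GetFileNameWithoutExtension($exe)
    if (-not (Get-Process -Name $procName -ErrorAction SilentlyContinue)) {
        $problems += "no '$procName' process found; srvany.exe may be running alone"
    }

    # 5. The *.persistent.stat file and how recently it was written.
    $stat = $null
    if (Test-Path -LiteralPath $dir -PathType Container) {
        $stat = Get-ChildItem -LiteralPath $dir -Filter '*.persistent.stat' -File |
            Sort-Object LastWriteTime -Descending | Select-Object -First 1
    }
    if (-not $stat) {
        $problems += "no *.persistent.stat file in $dir"
    } else {
        $age = [int]((Get-Date) - $stat.LastWriteTime).TotalMinutes
        if ($age -gt $MaxStatAgeMinutes) { $problems += "$($stat.Name) is $age minutes old" }
        else { $notes += "$($stat.Name) updated $age minute(s) ago" }
    }

    [pscustomobject]@{ Healthy = ($problems.Count -eq 0); Problems = $problems; Notes = $notes }
}

# Usage: Test-SnifferPersistent | Format-List
```

Because the authorization code is stored in the Parameters key, the check reports problems without printing the Application or AppParameters values.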



RE: [sniffer] Your Sniffer Setup

2004-11-01 Thread Landry William

Andy, these simplified instructions work just fine with Sniffer, as I can
certainly attest.

Bill

-Original Message-
From: Andy Schmidt [mailto:[EMAIL PROTECTED]
Sent: Monday, November 01, 2004 9:11 AM
To: [EMAIL PROTECTED]
Subject: RE: [sniffer] Your Sniffer Setup


Hi Landry:

These simplified instructions only apply if the application needs no
parameters, as it only covers the "application" key:

  Value Name: Application
  Data Type : REG_SZ
  String : \

If there was a SnifferPersistent.exe that needed no further options, these
simplified instructions would work.

For Sniffer however, you (supposedly) do need to pass along the authorization
code and the "persistent" option, which are defined in the AppParameters
value in the registry.

That's how the previous version worked for me.

Immediately upon upgrading to the latest version, Sniffer would no longer
find its directory when executed as a service, so I had to add the
AppDirectory key to set the working directory.

Best Regards
Andy Schmidt

H&M Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206

http://www.HM-Software.com/


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Landry William
Sent: Monday, November 01, 2004 11:03 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [sniffer] Your Sniffer Setup



See http://support.microsoft.com/default.aspx?scid=kb;en-us;137890 for
simplified instructions.

Bill




RE: [sniffer] Your Sniffer Setup

2004-11-01 Thread Landry William

Like I showed in my original response to this thread, everything is defined
on a single line: path, executable file, License ID, authentication code,
and "persistence":

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sniffer\Parameters]
Application:REG_SZ:
m:\imail\declude\tpa\sniffer\LicenseID.exe AuthCode persistent

This is no different than if you execute the Sniffer persistence from a
command prompt, it is all done on a single line as shown above.

Bill

-Original Message-
From: Andy Schmidt [mailto:[EMAIL PROTECTED]
Sent: Monday, November 01, 2004 11:04 AM
To: [EMAIL PROTECTED]
Subject: RE: [sniffer] Your Sniffer Setup


Hi Bill,

Thanks. That's curious. I'm not at all doubting your experiences - I'm just
trying to reconcile the KB article (which says to ONLY define the path,
program name and extension) with the Sniffer documentation (which says, you
must define the "persistent" option and your authorization code).

Somewhere documentation and your experience do not match - so (for my
better understanding, and for providing proper instructions to others), I'm
trying to figure out what is actually correct.

If based on that knowledge base article all you've defined is:

Value Name: Application
  Data Type : REG_SZ
  String : \

e.g.

c:\Imail\Sniffer\Win32\yoursnifferlicense.exe

then where/how did you define your authorization code and the "persistent"
option?

Best Regards
Andy Schmidt

H&M Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206

http://www.HM-Software.com/


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Landry William
Sent: Monday, November 01, 2004 01:23 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [sniffer] Your Sniffer Setup



Andy, these simplified instructions work just fine with Sniffer, as I can
certainly attest.

Bill




RE: [sniffer] How are folks doing with the latest version?

2004-11-19 Thread Landry William

So far so good...

Bill
-Original Message-
From: Pete McNeil [mailto:[EMAIL PROTECTED]
Sent: Friday, November 19, 2004 12:28 PM
To: [EMAIL PROTECTED]
Subject: [sniffer] How are folks doing with the latest version?


Hello Sniffer Folks,

   I am curious to know how many folks have been using Version
   2-3.1i2. I have not heard any problem reports, so I'm assuming it's
   going well with you as it is on our systems... or, perhaps, nobody
   has tried it yet??

   I would like to move this interim to the official version. If I can
   get a "show of hands" on how many folks are using the new version
   successfully then I would really appreciate it.

Thanks!
_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)





RE: [sniffer] How are folks doing with the latest version?

2004-11-22 Thread Landry William

See http://www.sortmonster.com/MessageSniffer/Installation/HowTo.html

Bill

-Original Message-
From: Michael E. Cummins [mailto:[EMAIL PROTECTED] 
Sent: Sunday, November 21, 2004 11:14 PM
To: [EMAIL PROTECTED]
Subject: RE: [sniffer] How are folks doing with the latest version?


I don't think I have updated anything except my rule base in over a year.
How do I update the rest of message sniffer?

-- Michael Cummins




-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Pete McNeil
Sent: 19 November 2004 21:28
To: [EMAIL PROTECTED]
Subject: [sniffer] How are folks doing with the latest version?

Hello Sniffer Folks,

   I am curious to know how many folks have been using Version
   2-3.1i2. I have not heard any problem reports, so I'm assuming it's
   going well with you as it is on our systems... or, perhaps, nobody
   has tried it yet??

   I would like to move this interim to the official version. If I can
   get a "show of hands" on how many folks are using the new version
   successfully then I would really appreciate it.

Thanks!
_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)




RE: Re[2]: [sniffer] How are folks doing with the latest version?

2004-11-22 Thread Landry William

Sure, fire away...  ;-)

-Original Message-
From: Karen Perry [mailto:[EMAIL PROTECTED] 
Sent: Monday, November 22, 2004 5:22 PM
To: [EMAIL PROTECTED]
Subject: Re: Re[2]: [sniffer] How are folks doing with the latest version?


ready for a news item yet?


-- Original Message --
From: Pete McNeil <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date: Mon, 22 Nov 2004 12:00:58 -0500

>On Monday, November 22, 2004, 1:37:36 AM, Anti-Spam wrote:
>
>AS> Though I didn't manage to run the mdaemon plugin module, with the old way
>AS> seems to be running fine
>
>Thanks to everyone for all of the reports.
>
>We will be re-publishing interim version 2-3.1i2 as the Full Release
>version 2-3.2 later today.
>
>_M
>
>
>
>
>
 




__
Systems Support and Hosting Services by MicroNeil Research


 
   



RE: Re[2]: [sniffer] New Version 2-3.2 has been officially released.

2004-11-23 Thread Landry William

No problems experienced here on either of our servers.

Bill

-Original Message-
From: Pete McNeil [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 23, 2004 6:12 AM
To: System Administrator
Subject: Re[2]: [sniffer] New Version 2-3.2 has been officially released.


On Tuesday, November 23, 2004, 6:33:13 AM, System wrote:

SA> on 11/23/04 6:08 AM, Bonno Bloksma wrote:

>> Just to let you know. We had a problem after updating to 2.3.2 this 
>> morning



>> All I did was replace the 2.3.1 exe with the 2.3.2 exe (of course 
>> with the correct id name).

SA> Bonno,

SA> Thanks for the report. I was just about to do the upgrade but now I 
SA> think I'll hold off until I hear from Pete (or you) about the 
SA> situation.

I have no indications of a problem and I have just re-verified my testing.
Please give this a try and report any success, errors, or problems.

In my testing the build information from the distribution and on my test
server are:

build - v2-3.2 Nov 23 2004 01:21:33

You can get the build information by running the sniffer executable on the
command line without any parameters.

Thanks,
_M






RE: Re[4]: [sniffer] Recent SPAM

2004-11-30 Thread Landry William

-Original Message-
From: Pete McNeil [mailto:[EMAIL PROTECTED]
On Tuesday, November 30, 2004, 1:36:13 PM, Andrew wrote:

CA> Pete, could you recap for us how to set up a "Declude project" to forward
CA> non-sniffer-detected spam to a custom spamtrap address at SortMonster?
CA> Perhaps two versions, one for normal spamtrap, and one for spam that meets
CA> our chosen weight yet didn't trigger sniffer?
>
> I know that there are a few systems out there that have experimented
> with this, but I don't have the details on how to do it and they might
> require some very system specific configurations. It would be best if
> someone who has done this could document it for us and then we will be
> pleased to post the instructions on our site for future reference.
> 
CA> I can piece together snippets myself, and I know there's a good spamtrap
CA> writeup on your website, but a cookbook would be timely!
> 
> I agree. Sorry I don't have that information right now.
> 
CA> I've been thinking about this as I've found spam that was triggering the
CA> CMDSPACE test in Declude, but didn't trigger SpamCop or Sniffer (my two most
CA> reliable and frequently triggered tests).
> 
> This kind of "virtual spam trap" is a very interesting idea. I'm not
> sure that there are any configurations that are mature enough to be
> generalized... but I hope so.
> 
> If I understand you correctly, you are looking for a Declude
> configuration that forwards messages to a spamtrap address if they
> were considered spam by your Declude installation but did not fail a
> specific test - such as SNF.
> 
> There is no direct way to do this, at least not that I am aware of,
> but I know there are a couple people who have been working on it.

If I understand correctly, here is what I do to forward mail that passes my
spam delete threshold but does not fail any sniffer rule group tests (I
recently posted this to the Declude JunkMail list):
==
The first thing you need to do before setting up auto-forwarding of messages
to SortMonster is to ask them to setup a special spam-trap account for you
that you can forward these messages to (they will assign you a specific
e-mail address to use).

In your global.cfg, setup a specific weight test for special handling of
messages over a certain weight:

WEIGHT-SPAMBOX  weight   x x 36 0

In your $declude$.junkmail file, create a new ROUTETO action for this weight
test:

WEIGHT-SPAMBOX  ROUTETO [EMAIL PROTECTED] (this is a local account on your
IMail server)

The configuration of the IMail "spambox" account is as follows:

1. Create the "spambox" e-mail account
2. Create two inbound filter rules for this account
   a. Click "Add" on the "Inbound Rules" tab
      i) Select Rule: "If Header Text"
      ii) Select "Contains" radial button
      iii) Search Text: SNIFFER
      iv) Check "Match Case"
      v) Click "Ok"
      vi) Select the "Delete" radial button
   b. Click "Add" again on the "Inbound Rules" tab
      i) Select Rule: "If Header Text"
      ii) Select "Does not Contain" radial button
      iii) Search Text: SNIFFER
      iv) Check "Match Case"
      v) Click "Ok"
      vi) Select the "Forward" radial button
      vii) Enter the special e-mail address SortMonster assigns to you in
           the "Address" field
   c. Click "Apply"

All messages forwarded to this "spambox" account by Declude JunkMail that
contain the word "SNIFFER" in the headers will be deleted.  All messages
that do not contain the word "SNIFFER" in the headers will be forwarded to
the special e-mail address assigned to you by SortMonster.
=

> As for sharing spamtraps with us in general, we are shifting in a new
> direction lately. Rather than having systems forward spamtraps to us
> as we have in the past, we now have our robots go and get spamtrap
> data from ordinary pop3 accounts. If you have a spamtrap on your
> system that you would like to share then please let us know the
> server, login, and password, and how the spamtrap was created so that
> we can rate it in our system. Sharing a spamtrap like this can
> accelerate our response to new spam that arrives on your system.

Pete, would you rather that I now drop these e-mails into a local POP
account instead of forwarding them to the special e-mail account you setup
for me?

Bill


RE: Re[5]: [sniffer] Recent SPAM

2004-11-30 Thread Landry William

Wow, I like the new direction you're moving towards!  This will provide a
much more scalable, secure, and robust service due to its distributed
nature.  Keep up the good work!

Bill

-Original Message-
From: Pete McNeil [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 30, 2004 8:37 PM
To: Jonathan
Subject: Re[5]: [sniffer] Recent SPAM


On Tuesday, November 30, 2004, 10:15:18 PM, Jonathan wrote:

J> I'm not quite sure I understand why you're going this direction.  
J> Obviously you have your reasons, and ultimately that's your business 
J> .. but .. :)

J> Isn't it a whole lot more efficient for things to be forwarded 
J> directly to you the moment our systems receive them? It seems like if 
J> your systems have to probe a pop3 box every couple of minutes or more, 
J> it just takes that much longer to replicate through the system, and 
J> that much longer to come back into our rulebase. The only logic I can 
J> come up with, is maybe your "pop bot" will stop DL'ing the message, 
J> if it's already in the rulebase, thus saving a little bandwidth? Even 
J> so, it seems like that would far be outweighed by the bandwidth it 
J> takes to pop the boxes frequently.

I'm happy to explain.

As we expand we are dividing our operations across a diverse set of networks
and points of presence. Also, the sheer volume of data that we are handling
is growing significantly.

If we have all spamtraps directed to a given domain, then the easiest way to
do that is for one central point to receive all of the incoming data. This
means that there must be some centralized processor that must be large
enough to manage all of that data, and that location must be public.

By moving to a pop3 strategy, we can have our robots collect the data from
diverse, anonymous locations anywhere on the 'net. These nodes can then be
somewhat protected because they don't have to accept any connections that
aren't from our own trusted networks, and they will always have complete
control over their load since they are initiating and controlling the
transactions.

This makes it more difficult for these systems to be attacked and so
critical components of our infrastructure will be able to operate without
too much interference. It is also much easier to expand, move, modify, and
decommission these processors as needed since they only answer to us.

On the contrary - if we give out addresses where spam should be sent then
that means there must be a server there to receive the messages - and that
makes it a target. It also complicates the maintenance process because
something must always be there to answer incoming connections.

--- I suspect this explanation will raise some other questions so I will let
out a bit more info about our future direction - with the disclaimer that I
am not specifying any time-line :-) -- I want to avoid setting any
unrealistic expectations. Here goes ---

The production schedule has been adjusted and so a number of features have
been lowered in their priority so that we can focus on moving to the Version
3 rulebase format. (We actually have plans through version 5 for Message
Sniffer, we just don't talk about them much...)

The version 3 rulebase format significantly reduces the processing costs for
re-folding the token matrix, reduces the size of the matrix significantly
(maybe as much as 70%), and uses a structure that is more readily modified
incrementally.

Once we have everyone moved to version 3x using this new rulebase format we
will begin working on automated real-time update mechanisms. When these
features are in place, SNF nodes will generally not download complete
rulebases but will instead receive SMTP messages carrying encrypted XML
packets that include incremental updates. These updates will be generated in
real time as the rulebase is adjusted, and eventually as rules are generated
by trusted peer nodes in the network.

The effect of this will be to virtually eliminate the delays that are
imposed by update scheduling along with most of the bandwidth requirements
of the current model. If everything goes as planned, it will be common for
new rules to be in place on client systems within a few hundred seconds of
their creation.

Here again, the update packets will be sent from widely distributed and
potentially random anonymous systems throughout the 'net. Since these
systems will only be transmitting updates, and since these updates will be
transmitted in-band (SMTP), they will be similarly protected from most
abuse.

These first two steps insulate the critical operations of detecting new spam
and distributing new rulebase updates while simplifying the task of
expanding this system to serve our growing customer base.

Eventually all of our critical operations will be carried out on a widely
distributed, largely anonymous network of systems that only respond to our
known trusted networks... to other networks they will simply be invisible
(incoming packets from un-trusted networks will generally be nul r

RE: [sniffer] Test ordering/precedence

2004-12-02 Thread Landry William

Here's what my Sniffer global.cfg entries look like:

SNIFFER-TRAVEL      external 047 "M:\Sniffer\LicenseID.exe AuthCode" 07 0
SNIFFER-INSURANCE   external 048 "M:\Sniffer\LicenseID.exe AuthCode" 12 0
SNIFFER-AV-PUSH     external 049 "M:\Sniffer\LicenseID.exe AuthCode" 10 0
SNIFFER-WAREZ       external 050 "M:\Sniffer\LicenseID.exe AuthCode" 12 0
SNIFFER-SPAMWARE    external 051 "M:\Sniffer\LicenseID.exe AuthCode" 12 0
SNIFFER-SNAKEOIL    external 052 "M:\Sniffer\LicenseID.exe AuthCode" 15 0
SNIFFER-SCAMS       external 053 "M:\Sniffer\LicenseID.exe AuthCode" 17 0
SNIFFER-PORN        external 054 "M:\Sniffer\LicenseID.exe AuthCode" 17 0
SNIFFER-MALWARE     external 055 "M:\Sniffer\LicenseID.exe AuthCode" 15 0
SNIFFER-ADVERTISING external 056 "M:\Sniffer\LicenseID.exe AuthCode" 12 0
SNIFFER-SCHEMES     external 057 "M:\Sniffer\LicenseID.exe AuthCode" 15 0
SNIFFER-CREDIT      external 058 "M:\Sniffer\LicenseID.exe AuthCode" 10 0
SNIFFER-GAMBLING    external 059 "M:\Sniffer\LicenseID.exe AuthCode" 10 0
SNIFFER-GENERAL     external 060 "M:\Sniffer\LicenseID.exe AuthCode" 12 0
SNIFFER-SPAM        external 061 "M:\Sniffer\LicenseID.exe AuthCode" 15 0
SNIFFER-OBFUSCATION external 062 "M:\Sniffer\LicenseID.exe AuthCode" 15 0
SNIFFER-IP-RULES    external 063 "M:\Sniffer\LicenseID.exe AuthCode" 12 0

You will need to use your LicenseID and AuthCode, and will want to adjust the
weights to meet your own needs and requirements.

Bill
-Original Message-
From: Serge [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 02, 2004 6:41 PM
To: [EMAIL PROTECTED]
Subject: Re:[sniffer] Test ordering/precedence


Where can I find examples of using "exit codes" to assign different weights 
depending on groups, when using sniffer with declude/imail ? TIA




- Original Message - 
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: "Jim Matuska" <[EMAIL PROTECTED]>
Sent: Thursday, December 02, 2004 9:59 PM
Subject: Re[2]: [sniffer] Test ordering/precedence


> On Thursday, December 2, 2004, 4:15:43 PM, Jim wrote:
>
> JM> Pete,
> JM> We have rules setup in declude based upon sniffer return codes 60 and 62 to
> JM> mark all messages with those tests as spam, however we do not have any 61 or
> JM> 62 return codes setup.  Can you briefly explain what each of these groups
> JM> includes and a false positive rate for each.
>
> The false positive rates for all of these rule groups have fallen 
> dramatically over the past 8 months and at this point they are all 
> comparable. Different systems see different rates, but all rates are 
> low.
>
> Group 63 - Experimental Received [IP] - contains rules that match 
> Receive headers by IP. These are now largely generated by robots which 
> monitor inbound spamtrap and usertrap data and then test those 
> sources. This group used to provide the second largest rate of false 
> positives. The rate now is roughly the same as any other group.
>
> Group 62 - Obfuscation - contains rules built to detect obfuscation 
> techniques. Internally this group breaks down into a number of 
> sub-groups which detect unnecessary URL encoding, HEX encoding, and 
> HTML obfuscation patterns.
>
> Group 61 - Experimental Abstract - contains rules that are designed to 
> recognize data patterns and structures found in spam. For example 
> errors in headers combined with message structures,  misspellings, 
> unusual uses for table and HTML structures or message segments, and 
> other abstract patterns that result from the use of scripting engines 
> to generate polymorphic spam.
>
> Note: Group 60 was Gray-Hosting many months ago. That group was 
> retired and then reused. Now it is being renumbered again.
>
> Group 60 - General (Ungrouped) - contains many of the same kinds of 
> rules found in other groups, but particularly those which cannot be 
> accurately categorized there. For example, fake diploma spam. These 
> rules are largely text segments, domains, URI/URL segments, and 
> structures (much like those found in group 61).
>
> Hope this helps,
> _M
>
>
>
> This E-Mail came from the Message Sniffer mailing list. For 
> information
> and (un)subscription instructions go to 
> http://www.sortmonster.com/MessageSniffer/Help/Help.html
> 




---
This message and any included attachments are from Siemens Medical Solutions 
USA, Inc. and are intended only for the addressee(s).  
The information contained herein may include trade secrets or privileged or 
otherwise confidential information.  Unauthorized review, forwarding, printing, 
copying, distributing, or using such information is strictly prohibited and may 
be unlawful.  If you received this message in error, or have reason to believe 
you are not authorized to receive it, please promptly del

RE: [sniffer] Sniffer rulebase download server down?

2004-12-03 Thread Landry William

Oops, never mind, I see the error of my ways...  :-/


Bill


 -Original Message-
From:   Landry William  
Sent:   Friday, December 03, 2004 1:50 PM
To: [EMAIL PROTECTED]
Subject:    Sniffer rulebase download server down?


Pete, I am no longer able to download my rulebase files on either of our Sniffer servers.  When I execute my download script, I immediately get:

gzip: LicenseID.new.gz: unexpected end of file


Is the rulebase download server down?  Thanks for looking into this...


Bill





[sniffer] Sniffer rulebase download server down?

2004-12-03 Thread Landry William

Pete, I am no longer able to download my rulebase files on either of our Sniffer servers.  When I execute my download script, I immediately get:

gzip: LicenseID.new.gz: unexpected end of file


Is the rulebase download server down?  Thanks for looking into this...


Bill





RE: [sniffer] New Version 2-3.2 has been officially released.

2004-12-06 Thread Landry William

About half-way down the page at:

http://www.sortmonster.com/MessageSniffer/Try-It.html

Or the direct link at:

http://www.sortmonster.com/MessageSniffer/sniffer-2-3.2.tar.gz

Bill

-Original Message-
From: Mark E. Smith [mailto:[EMAIL PROTECTED]
Sent: Monday, December 06, 2004 12:18 PM
To: [EMAIL PROTECTED]
Subject: [sniffer] New Version 2-3.2 has been officially released.


Pete,
Just downloaded the most recent version and the command line build
information says:

Build - v2-3.1 Oct 26 2004 22:03:06

I downloaded it twice from the help page.

Is there another link?






RE: [sniffer] Change in coding policies

2004-12-22 Thread Landry William

-Original Message-
From: Chris Ulrich [mailto:[EMAIL PROTECTED]]

> OK, being a new (and very happy) customer ...
>
>>   For example, we will be introducing rules that watch for bounces
>>   that contain large numbers of failed addresses - indicating a
>>   probable dictionary attack / joe-job ...
>
> What is a joe-job?  Spam from Billy Bob?

http://catb.org/~esr/jargon/html/J/joe-job.html

> Send coffee...


RE: [sniffer] Sniffer Updates

2004-12-27 Thread Landry William

Are folks taking advantage of the "wget" compression option before
downloading their rulebase updates?  If the slow download speeds are a
bandwidth saturation issue on the Sniffer end, this would certainly cut down
on the bandwidth requirements on their end and increase the download times
for everyone.

Also, I've got to ask, if the downloads are happening "behind the scenes",
by an automated or triggered download, why the concern about speeds, as long
as your downloads are successful?

Bill

-Original Message-
From: Jim Matuska [mailto:[EMAIL PROTECTED] 
Sent: Monday, December 27, 2004 9:22 AM
To: sniffer@SortMonster.com
Subject: Re: [sniffer] Sniffer Updates


I too am seeing really slow speeds, I'm running an update now and it is only
downloading at about 3k/sec.  Pretty bad considering we have 2 T1's and a 
DS3 none of which have much traffic on them this morning.

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]
- Original Message - 
From: "Russ Uhte" <[EMAIL PROTECTED]>
To: 
Sent: Monday, December 27, 2004 8:45 AM
Subject: Re: [sniffer] Sniffer Updates


> Kevin Stanford wrote:
>> Our updates seem to be taking a very long time. I am 85% updated and the
>> ETA shows 07:00. Is it me?
>
> I see stuff like this come and go...  Our updates are (finally) triggered
> from the email notifications...  Below is a snippet of the last update 
> that shows exactly what speeds we saw, which ran at 10:45 EST this 
> morning...  Every once in a while, I will see it slow down to about 8KB/s,
> but rarely slower than that...
>
> Thanks,
> Russ
>
> (This will probably wrap and look real ugly, but the last number is the
> average download speed for that part of the download...)
>
>     0K .. .. .. .. ..  0% 110.38 KB/s
>    50K .. .. .. .. ..  1% 160.26 KB/s
>   100K .. .. .. .. ..  2% 71.12 KB/s
>   150K .. .. .. .. ..  3% 110.13 KB/s
>   200K .. .. .. .. ..  4% 118.76 KB/s
>   250K .. .. .. .. ..  5% 145.35 KB/s
>   300K .. .. .. .. ..  6% 168.35 KB/s
>   350K .. .. .. .. ..  7% 168.35 KB/s
>   400K .. .. .. .. ..  8% 168.35 KB/s
>   450K .. .. .. .. ..  9% 160.26 KB/s
>   500K .. .. .. .. .. 10% 159.74 KB/s
>   550K .. .. .. .. .. 11% 188.68 KB/s
>   600K .. .. .. .. .. 12% 177.30 KB/s
>   650K .. .. .. .. .. 13% 168.35 KB/s
>   700K .. .. .. .. .. 14% 177.94 KB/s
>   750K .. .. .. .. .. 15% 168.35 KB/s
>   800K .. .. .. .. .. 16% 177.94 KB/s
>   850K .. .. .. .. .. 17% 168.35 KB/s
>   900K .. .. .. .. .. 18% 168.35 KB/s
>   950K .. .. .. .. .. 19% 168.35 KB/s
>  1000K .. .. .. .. .. 20% 168.92 KB/s
>  1050K .. .. .. .. .. 21% 159.74 KB/s
>  1100K .. .. .. .. .. 22% 168.35 KB/s
>  1150K .. .. .. .. .. 23% 177.94 KB/s
>  1200K .. .. .. .. .. 24% 177.94 KB/s
>  1250K .. .. .. .. .. 25% 159.74 KB/s
>  1300K .. .. .. .. .. 26% 177.94 KB/s
>  1350K .. .. .. .. .. 27% 168.35 KB/s
>  1400K .. .. .. .. .. 28% 168.35 KB/s
>  1450K .. .. .. .. .. 29% 168.35 KB/s
>  1500K .. .. .. .. .. 30% 168.35 KB/s
>  1550K .. .. .. .. .. 31% 177.94 KB/s
>  1600K .. .. .. .. .. 32% 168.35 KB/s
>  1650K .. .. .. .. .. 33% 168.35 KB/s
>  1700K .. .. .. .. .. 34% 168.92 KB/s
>  1750K .. .. .. .. .. 35% 168.35 KB/s
>  1800K .. .. .. .. .. 36% 159.74 KB/s
>  1850K .. .. .. .. .. 37% 177.94 KB/s
>  1900K .. .. .. .. .. 38% 91.41 
>

RE: Re[2]: [sniffer] Sniffer Updates

2004-12-27 Thread Landry William

See http://www.sortmonster.com/MessageSniffer/Help/AutomatingUpdatesHelp.html for
some sample scripts.
 
Bill

  -Original Message-
  From: Jim Matuska [mailto:[EMAIL PROTECTED]
  Sent: Monday, December 27, 2004 10:51 AM
  To: sniffer@SortMonster.com
  Subject: Re: Re[2]: [sniffer] Sniffer Updates

  Does anyone have any good instructions on how to
  modify your update scripts to use gzip?

  Jim Matuska Jr.
  Computer Tech2, CCNA
  Nez Perce Tribe
  Information Systems
  [EMAIL PROTECTED]

- Original Message -
From: Tom Baker | Netsmith Inc
To: sniffer@SortMonster.com
Sent: Monday, December 27, 2004 10:43 AM
Subject: Re: Re[2]: [sniffer] Sniffer Updates

Automate harassment reminders to those of us not using it. :)

I think I'll go enable gzip tonight

-Original Message-
From: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
To: Landry William <sniffer@SortMonster.com>
Sent: Mon Dec 27 12:36:06 2004
Subject: Re[2]: [sniffer] Sniffer Updates

On Monday, December 27, 2004, 12:46:19 PM, Landry wrote:

LW> Are folks taking advantage of the "wget" compression option before
LW> downloading their rulebase updates?  If the slow download speeds are a
LW> bandwidth saturation issue on the Sniffer end, this would certainly cut down
LW> on the bandwidth requirements on their end and increase the download times
LW> for everyone.

LW> Also, I've got to ask, if the downloads are happening "behind the scenes",
LW> by an automated or triggered download, why the concern about speeds, as long
LW> as your downloads are successful?

From what I've seen in the logs, only about 5% of folks are taking
advantage of gzip right now.

Also, I did some incantations on the log (grep, awk, uniq etc) and
came up with just under half of our customers downloading their
rulebase between 1200 and 1300 today. That's between 2 and 3 times as
many as should have done it ;-) -- so the backlog is explainable.

This kind of thing happens for lots of reasons and there are a lot of
ways to mitigate the problem.

A big one on the list - certainly - is using the gzip capability. With
only 5% of folks using this and average compression ratios well above
50% there is plenty of room to "make a big dent" in this.

_M


RE: [sniffer] Conditional Sniffer Updates

2004-12-27 Thread Landry William

"Curl" is an awesome application that we also use for automating downloads.
"Wget" also supports conditional downloads based on time/date stamp when
using the -N switch.  In either case, please also use the compression support
built into each application, the sniffer rulebase files can be compressed
down to about 25% of their normal size before the download by using these
switches.

Here is an example of how to use wget to check for rulebase updates and if a
new file exists, request file compression before the file is downloaded:

wget -N http://www.sortmonster.net/Sniffer/Updates/LicenseID.snf -O
LicenseID.new.gz --header=Accept-Encoding:gzip --http-user=sniffer
--http-passwd=ki11sp8m

Bill

-Original Message-
From: Andy Schmidt [mailto:[EMAIL PROTECTED]
Sent: Monday, December 27, 2004 11:20 AM
To: sniffer@SortMonster.com
Subject: [sniffer] Conditional Sniffer Updates


Hi,

The one thing I have not seen mentioned is the ability to do CONDITIONAL
downloads - which is crucial for "timed" downloads when most of the time
there may not even BE a more current .SNF file.

Just like your browser, the HTTP Request for your latest .SNF file should
ALWAYS provide the "date/time" stamp of your CURRENTLY active .SNF file.
This way, the server will compare both dates and a download will occur ONLY,
if there is a LATER .SNF file on the server.  (This is how your web browser
controls, whether it needs to download new pages/images from sites you
visited before.)

Here is how CURL is used to do conditional downloads:

curl http://www.sortmonster.net/Sniffer/Updates/[mylicensecode].snf -o
[mylicensecode].snf.new -s -S -R -z [mylicensecode].snf -u
[mywebuserid]:[mywebpassword] 

The "-o" option defines the output file.
The "-R" option makes sure that the output file will inherit the timestamp
from the Sniffer Server (if one is downloaded at all).
The "-z" option sends the timestamp of the CURRENT SNF file to the server
(in the GET request!)

Since my local .SNF file has the same timestamp as the SERVER, and since
every new GET request will allow the server to recognize if/that there may
be no LATER .SNF file, I am only downloading when a new file is actually
present!


Best Regards
Andy Schmidt

H&M Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846

Phone:  +1 201 934-3414 x20 (Business)
Fax:    +1 201 934-9206

http://www.HM-Software.com/


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Pete McNeil
Sent: Monday, December 27, 2004 12:50 PM
To: Russ Uhte
Subject: Re[2]: [sniffer] Sniffer Updates


On Monday, December 27, 2004, 11:45:59 AM, Russ wrote:

RU> Kevin Stanford wrote:
>> Our updates seem to be taking a very long time. I am 85% updated and 
>> the ETA shows 07:00. Is it me?

RU> I see stuff like this come and go...  Our updates are (finally)
RU> triggered from the email notifications...  Below is a snippet of the
RU> last update that shows exactly what speeds we saw, which ran at 10:45
RU> EST this morning...  Every once in a while, I will see it slow down to
RU> about 8KB/s, but rarely slower than that...

There are going to be random events like this for a while - as long as some
folks still download based on a schedule rather than responding to update
notifications.

What happens is that sometimes a group of systems will "agree" to all
download their rulebase files at the same time - when that happens our
bandwidth gets saturated and things go slowly. (We are working on this in a
number of ways.)

Most of the time there is plenty of bandwidth, and if everyone always
downloaded only when there was an update notification then there would
always be plenty (our system paces updates to make sure this is the case as
much as possible).

We are in a transitional period where existing connectivity contracts
prevent us from moving without incurring a significant cost (a cost we would
rather not pass on to our customers). Over the next 6-9 months we will make
the transition to a new rulebase format and distribution method and we will
also be migrating to new hosting facilities (already running in case we
encounter a serious DL problem).

Since rulebase downloads should always be automated in some way, the
occasional slow download should not be a problem. We will continue to
monitor the situation closely - and we appreciate the reports we get.

The things that you can do to help are:

1. If you haven't already, please upgrade your scripting so that your
automated downloads are triggered from our update notifications.

2. If you are not going to use update notifications please be sure to use
the staggered schedule we've posted here:

http://www.sortmonster.com/MessageSniffer/Help/LogsHelp.html#When

3. AVOID using accelerated download software! This is the kind of software
that downloads large files by opening multiple connections to the same
server. Almost all of the "slowdowns" we experience have been associated
with someone download
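
The update procedure discussed in this thread (conditional request, gzip transfer, test, then swap) leaves a gap between download and activation. The following is an added example, not code from the list or from Message Sniffer, that checks the compressed file, validates the unpacked candidate and replaces the live rulebase atomically. The function names, return codes and file-name arguments are assumptions, and the validator argument stands in for snf2check.

```shell
#!/bin/sh
# Added example. Names and return codes are assumptions. -f and the
# Accept-Encoding header are added to the curl options quoted in the
# thread (the header mirrors the wget --header option).

# fetch_rulebase URL LIVE_SNF OUT_GZ USER:PASSWORD
# Conditional, compressed download. -z sends LIVE_SNF's timestamp so the
# server can answer "not modified"; -R stamps OUT_GZ with the server's
# time; -f stops an HTTP error page from being saved as rulebase data.
fetch_rulebase() {
    curl -f -s -S -R -z "$2" -H 'Accept-Encoding: gzip' \
         -u "$4" -o "$3" "$1"
}

# install_rulebase NEW_GZ LIVE_SNF VALIDATOR [ARGS...]
# VALIDATOR is run as: VALIDATOR <candidate-file> [ARGS...] and must exit
# 0 for a usable rulebase (the role snf2check plays in the list's scripts).
# Returns 0 installed, 1 nothing new, 2 corrupt download, 3 rejected by
# the validator, 4 could not swap files, 64 usage error.
install_rulebase() {
    [ "$#" -ge 3 ] || return 64
    ir_gz=$1; ir_live=$2; ir_check=$3
    shift 3
    ir_tst="${ir_live%.snf}.tst"
    ir_old="${ir_live%.snf}.old"

    # "Not modified" leaves no file, or an empty one: nothing to do.
    if [ ! -s "$ir_gz" ]; then
        rm -f "$ir_gz"
        return 1
    fi

    # A transfer cut short fails the gzip integrity check here
    # ("unexpected end of file") before anything is unpacked.
    if ! gzip -t "$ir_gz" 2>/dev/null; then
        rm -f "$ir_gz"
        return 2
    fi

    # Unpack beside the live file so the final rename is atomic.
    if ! gzip -dc "$ir_gz" > "$ir_tst"; then
        rm -f "$ir_tst" "$ir_gz"
        return 2
    fi

    # Redirected output is stamped "now"; copy the download's timestamp so
    # the next conditional request still compares against server time.
    touch -r "$ir_gz" "$ir_tst"

    # Content check runs on the candidate, never on the live file.
    if ! "$ir_check" "$ir_tst" "$@"; then
        rm -f "$ir_tst" "$ir_gz"
        return 3
    fi

    # Keep one generation for rollback. Copy rather than rename, so the
    # scanner never finds the live rulebase missing.
    if [ -f "$ir_live" ]; then
        cp -p "$ir_live" "$ir_old" || { rm -f "$ir_tst"; return 4; }
    fi
    mv -f "$ir_tst" "$ir_live" || return 4
    rm -f "$ir_gz"
    return 0
}
```

A wrapper would call fetch_rulebase, then install_rulebase, and send a notification only on return codes 2 to 4; return code 1 is the normal result of a conditional request when no newer rulebase exists.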

RE: [sniffer] Sniffer Downloads

2004-12-28 Thread Landry William

Russ, why go through all of the additional steps?  I just pointed my program
alias directly to my snfupd.cmd file and it works just fine.

Bill

-Original Message-
From: Russ Uhte [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, December 28, 2004 12:33 PM
To: Daniel Ivey
Cc: sniffer@SortMonster.com
Subject: Re: [sniffer] Sniffer Downloads


Daniel Ivey wrote:
> Russ,
> 
>   My name is Daniel Ivey with GCR Company.  I am interested in your use 
> of the program alias for the Sniffer updates.  Could you please email 
> me with more information about the program alias, WGET that is used 
> and what type of OS is on your server?  We currently use NT4 SP6a.  
> The more details the better, as I am a bit rusty at programming and 
> scripts.  Thanks in advance.

I'm also copying the list just because someone else may find the info 
useful.  This is running on a windows 2000 server.

I won't claim to be a "scripter or programmer" either, and this is going 
to be the quick and dirty because I'm getting ready to take off for the 
day :)

Download the update script 
http://www.sortmonster.com/MessageSniffer/Help/UserScripts/david_snifferUpdateMethod.zip 
this file actually has the code that has to be copied and pasted in a 
new document... I called the document snfupd.vbs, and change the 
.snf to "your license id.snf", change the line that says 
Shell.Run to "path to your sniffer directory\snfupd.cmd"

you'll also need to comment out the lines of ... with a '

Now download the cmd file which does the actual updating from 
http://www.sortmonster.com/MessageSniffer/Help/UserScripts/Bill_Landry_snfupd.zip 
and here are the changes I made:

1.  changed LicenseID to my license id
2.  changed AuthCode to my AuthCode
3.  changed IMailDir to my IMailDir
4.  changed SnifferDir to my SnifferDir
5.  changed MailTo to my email address
6.  changed FromDom to my domain
7.  I removed the -N from the wget command because it will always be new 
because you're doing it from a trigger.
8.  I removed the rem in front of the command that sends out notifications

Then create a batch file, I created one in c:\batch\ called snfupd.bat 
with the following lines, note that you may have to change the drive and 
path to suit your environment:
d:
cd d:\Imail\Declude\Sniffer
cscript snfupd.vbs %1

Make sure you have the snfupd.vbs and snfupd.cmd, snf2check.exe and the 
wget.exe files all in the sniffer directory, then in Imail create a new 
alias, type is program, the command to run is c:\batch\snfupd.bat, and 
then test it by forwarding a couple of the notifications to that alias 
address.  Once you know it's working, notify [EMAIL PROTECTED] to 
change your notification address.

If you have any questions let me know.  I'll be happy to help just as 
quickly as I can.

Thanks,
Russ



RE: [sniffer] Downloads are slow...

2004-12-28 Thread Landry William

Good idea, Matt.  I'll put together a draft and submit it to the list for
review later today.  I'll also include the open-source gzip file so that
everything is contained in one package (instructions, download script, and
gzip file).
 
Bill

  
  -Original Message-
  From: Matt [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, December 28, 2004 11:45 AM
  To: sniffer@SortMonster.com
  Subject: Re: [sniffer] Downloads are slow...

  Yep.  Despite the fact that one could design a process to work properly
  with the -N option (also leaving the old file for comparison), since this
  is generally scheduled by users on the hour, it would still produce a run
  on the bandwidth at the top of some or even every hour.  Enforcing a time
  bracket is not realistic.

  Using the program alias is the best way all around for now, and I believe
  that this should be promoted as the only option for IMail users at least.
  It appears that Pete times his notifications so that it doesn't produce
  backups, and I assume that notifications are sent immediately upon
  publishing the new customized rulebases, so it is also the fastest method
  to achieving an update.

  The code is there, but I just think that it can be better variablized to
  adjust for different directories and codes, so it fits appropriately in
  everyone's config.  Packing this together with gzip and including that in
  the default setup would also be seemingly preferable.  Throwing together a
  how-to that was written for the lowest common denominator would enhance
  the ease of use for many (pictures are nice where appropriate), and would
  help with reducing support.

  Matt

  Woody G Fussell wrote:
  Why do you not use a "program alias" and only download when you receive
notification that a new rule base is available? If everyone used gzip and
only downloaded when notified the bandwidth could be controlled by
staggering the notifications.

Woody Fussell
Wilbur Smith Associates


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
On Behalf Of Jim Matuska
Sent: Tuesday, December 28, 2004 12:49 PM
To: sniffer@SortMonster.com
Subject: Re: [sniffer] Downloads are slow...

I agree that something needs to be done about the update scripts that are
inadvertently downloading the full rulebase all the time.  I didn't even
know it but we were doing this until I went through our update script again
this morning and found it didn't have the -N option in Wget, so we were
downloading the entire rulebase whether we needed it or not.  The gzip
compression is cool, and I will likely implement it soon, but I think the
major problem is everyone that is using scripts that keep downloading the
same file over and over again tying up the bandwidth.

I would recommend 2 things to help alleviate this problem:
1.  Monitor connections to rulebase downloads to see who is downloading the
rulebase everytime they connect on a schedule to determine who has their
scripts setup wrong, and contact them to correct it.  It took me under a
minute to add the -N option to wget, it should be a no brainer.

2.  Correct the scripts posted on the Sniffer website to include date
checking, and possibly gzip compression, I used one of those scripts for our
system and assumed it would be setup correctly, but it was not.

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]

- Original Message -
From: "Matt" <[EMAIL PROTECTED]>
To: 
Sent: Monday, December 27, 2004 10:03 PM
Subject: Re: [sniffer] Downloads are slow...


  
I agree entirely.  If bandwidth has become an issue, it would be resolved
with a focus on producing very tight and easily customizable scripts (a
variables section in the top of the scripts).  I believe that going the
VBScript route might be the best way to go, or at least I believe that more
of us can hack a more involved VBScript than a batch or CMD file.
Enforcing compressed downloads and checking for timestamps prior to
downloading should be done in these scripts as well.

Right now the script examples assume a familiarity with scripting, and
while local participants can mostly handle that stuff, the non-vocal ones
are most likely to not even be aware of the issues or how to fix them, and
might have scripted timed downloads because it is definitely the easiest
way to go.  This is probably the majority of the customer base.  There is
an impression for instance with Declude's user base that +80% use
primarily the default config which most of us know is severely lacking in
comparison to the potential that exists by tweaking the settings.

With better script examples and a careful step-by-step readme promoted in
a mailing to your customers, I believe that this issue could go away, or
at least theoretically it should.

Personally, I have mine tied to the E-mails, I download the zipped
versions, I don't bother checking on the status, and 

RE: [sniffer] Downloads are slow...

2004-12-28 Thread Landry William

It's actually compared to your running .snf file, not the .new file, since
the file is renamed .new as part of the download with the "-O" switch.

Bill

-Original Message-
From: Darrell ([EMAIL PROTECTED]) [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 28, 2004 11:39 AM
To: sniffer@SortMonster.com
Subject: Re: [sniffer] Downloads are slow...


Quick question if when you have a successful download if abcdef.new is 
renamed then what is wget comparing on the next run of the script? 

Darrell 


Jim Matuska writes: 

> So far it seems to be working, at least it doesn't seem to be downloading
> the rulebase yet, I'll have to see if it does later when there is an 
> updated rulebase.  My script uses a copy at the end rather than a move.  
> It's listed below for reference.  Do you see any issues? 
> 
> wget -N http://www.sortmonster.net/Sniffer/Updates/fp0o4jye.snf -O
> abcdefg.new --http-user=* --http-passwd=*
> if exist abcdefg.new goto Replace
> goto Done
> :Replace
> rename abcdefg.new abcdefg.tst
> snf2check.exe abcdefg.tst abcdefg
> if errorlevel 1 goto Done
> echo New File Tested GOOD!
> if exist abcdefg.old del abcdefg.old
> rename abcdefg.snf abcdefg.old
> rename abcdefg.tst abcdefg.snf
> copy /V /Y abcdefg.snf C:\sniffer\abcdefg.snf
> :Done
> if exist abcdefg.tst del abcdefg.tst 
> 
> 
> Jim Matuska Jr.
> Computer Tech2, CCNA
> Nez Perce Tribe
> Information Systems
> [EMAIL PROTECTED]
> 
>  
> 
> - Original Message - From: "Pete McNeil"
> <[EMAIL PROTECTED]>
> To: "Jim Matuska" 
> Sent: Tuesday, December 28, 2004 11:12 AM
> Subject: Re[2]: [sniffer] Downloads are slow... 
> 
> 
>> On Tuesday, December 28, 2004, 12:49:21 PM, Jim wrote:
>> 
>> JM> I agree that something needs to be done about the update scripts that are
>> JM> inadvertently downloading the full rulebase all the time.  I didn't even
>> JM> know it but we were doing this until I went through our update script again
>> JM> this morning and found it didn't have the -N option in Wget, so we were
>> 
>> Watch out - you may still have not fixed it. One of the tricks with 
>> the -N option is that the file downloaded previously must still be in 
>> its place for the comparison. If it has been moved then the -N will 
>> not matter.
>> 
>> This makes things a little bit more complex since you can't download a 
>> rulebase file on top of the one that is running.
>> 
>> _M
>> 
>>  
>> 
>> 
>> This E-Mail came from the Message Sniffer mailing list. For 
>> information
>> and (un)subscription instructions go to 
>> http://www.sortmonster.com/MessageSniffer/Help/Help.html 
>> 
 


 
Check out http://www.invariantsystems.com for utilities for Declude And 
Imail.  IMail/Declude Overflow Queue Monitoring, MRTG Integration, and Log 
Parsers. 




---
This message and any included attachments are from Siemens Medical Solutions 
USA, Inc. and are intended only for the addressee(s).  
The information contained herein may include trade secrets or privileged or 
otherwise confidential information.  Unauthorized review, forwarding, printing, 
copying, distributing, or using such information is strictly prohibited and may 
be unlawful.  If you received this message in error, or have reason to believe 
you are not authorized to receive it, please promptly delete this message and 
notify the sender by e-mail with a copy to [EMAIL PROTECTED] 

Thank you
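
The exchange above turns on two constraints: wget -N only helps if the previously downloaded file is still where wget left it, and a new rulebase cannot be downloaded on top of the running one. The following is an added example, not code from the thread or from SortMonster: a POSIX shell version of the same download, test and swap flow for a Unix host. The function names, the SNF_CHECK and SNF_CHECK_ARG variables, the separate mirror directory and the availability of a Unix snf2check are assumptions; the wget switches and the two-argument snf2check call are the ones shown in the quoted script.

```shell
#!/bin/sh
# Added example (not from the thread): rulebase update for a Unix host.
# Hypothetical names: SNF_CHECK, SNF_CHECK_ARG, fetch_rulebase, install_rulebase.

# Validator command and its second argument, called the same way the quoted
# script calls snf2check (file to test, then one more argument).
SNF_CHECK="${SNF_CHECK:-snf2check}"
SNF_CHECK_ARG="${SNF_CHECK_ARG:-}"

# Download into a mirror directory that nothing else touches. wget -N compares
# against the copy left there by the previous run, so that copy is never moved
# or renamed, and the running rulebase is never the download target.
fetch_rulebase() {  # usage: fetch_rulebase URL MIRROR_DIR USER PASSWORD
    ( cd "$2" && wget -N "$1" --http-user="$3" --http-passwd="$4" )
}

# Copy the mirrored file next to the live rulebase, validate the copy, and
# only then swap it in. Returns 0 when the live file is current (installed
# or already identical), 1 when the candidate is missing or fails validation.
install_rulebase() {  # usage: install_rulebase MIRROR_FILE LIVE_FILE
    ir_src=$1
    ir_live=$2
    ir_tst="$ir_live.tst"

    [ -s "$ir_src" ] || return 1                 # missing or empty download

    # Nothing new: leave the live file and its .old backup alone.
    if [ -f "$ir_live" ] && cmp -s "$ir_src" "$ir_live"; then
        return 0
    fi

    cp "$ir_src" "$ir_tst" || return 1
    if ! "$SNF_CHECK" "$ir_tst" "$SNF_CHECK_ARG"; then
        rm -f "$ir_tst"                          # rejected: live file untouched
        return 1
    fi

    # Keep one generation for rollback, then rename within the same
    # directory so readers never see a half-written rulebase.
    if [ -f "$ir_live" ]; then
        cp -p "$ir_live" "$ir_live.old" || { rm -f "$ir_tst"; return 1; }
    fi
    mv -f "$ir_tst" "$ir_live"
}

# Run as: update.sh --run URL MIRROR_DIR LIVE_FILE USER PASSWORD
if [ "${1:-}" = "--run" ]; then
    fetch_rulebase "$2" "$3" "$5" "$6" || exit 1
    install_rulebase "$3/${2##*/}" "$4"
fi
```

Because the mirror copy stays put, a run with no newer file on the server transfers nothing, and a download that fails validation never replaces the live rulebase.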



RE: [sniffer] Sniffer Downloads

2004-12-28 Thread Landry William

Russ, one thing you will need to add to your snfupd.cmd file in order to
make sure the process runs from the correct location:
=
rem Move to your Sniffer drive and directory
rem (your Sniffer drive letter here)
c:
rem (your Sniffer directory path here)
cd\imail\declude\sniffer
=

Bill
-Original Message-
From: Russ Uhte [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, December 28, 2004 3:14 PM
To: sniffer@SortMonster.com
Subject: Re: [sniffer] Sniffer Downloads


Good point...  I don't know why I didn't think of that...  As soon as I 
get in in the morning, I'm gonna change that...  That's also one of the 
reasons I posted to the list :)  I'm always trying to make things harder 
for myself ;)

Thanks,
Russ

Landry William wrote:
> Russ, why go through all of the additional steps?  I just pointed my 
> program alias directly to my snfupd.cmd file and it works just fine.
> 
> Bill
> 
> -Original Message-
> From: Russ Uhte [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, December 28, 2004 12:33 PM
> To: Daniel Ivey
> Cc: sniffer@SortMonster.com
> Subject: Re: [sniffer] Sniffer Downloads
> 
> 
> Daniel Ivey wrote:
> 
>>Russ,
>>
>>  My name is Daniel Ivey with GCR Company.  I am interested in your use
>>of the program alias for the Sniffer updates.  Could you please email
>>me with more information about the program alias, WGET that is used 
>>and what type of OS is on your server?  We currently use NT4 SP6a.  
>>The more details the better, as I am a bit rusty at programming and 
>>scripts.  Thanks in advance.
> 
> 
> I'm also copying the list just because someone else may find the info
> useful.  This is running on a windows 2000 server.
> 
> I won't claim to be a "scripter or programmer" either, and this is going
> to be the quick and dirty because I'm getting ready to take off for the 
> day :)
> 
> Download the update script
> http://www.sortmonster.com/MessageSniffer/Help/UserScripts/david_snifferUpdateMethod.zip
> this file actually has the code that has to be copied and pasted in a 
> new document... I called the document snfupd.vbs, and change the 
> .snf to "your license id.snf", change the line that says 
> Shell.Run to "path to your sniffer directory\snfupd.cmd"
> 
> you'll also need to comment out the lines of ... with a '
> 
> Now download the cmd file which does the actual updating from
> http://www.sortmonster.com/MessageSniffer/Help/UserScripts/Bill_Landry_snfupd.zip
> and here are the changes I made:
> 
> 1.  changed LiscenseID to my license ID
> 2.  changed AuthCode to my AuthCode
> 3.  changed IMailDir to my IMailDir
> 4.  changed SnifferDir to my SnifferDir
> 5.  changed MailTo to my email address
> 6.  changed FromDom to my domain
> 7.  I removed the -N from the wget command because it will always be new
> because you're doing it from a trigger.
> 8.  I removed the rem in front of the command that sends out notifications
> 
> Then create a batch file, I created one in c:\batch\ called snfupd.bat
> with the following lines, note that you may have to change the drive and 
> path to suit your environment:
> d:
> cd d:\Imail\Declude\Sniffer
> cscript snfupd.vbs %1
> 
> Make sure you have the snfupd.vbs and snfupd.cmd, snf2check.exe and the
> wget.exe files all in the sniffer directory, then in Imail create a new 
> alias, type is program, the command to run is c:\batch\snfupd.bat, and 
> then test it by forwarding a couple of the notifications to that alias 
> address.  Once you know it's working, notify [EMAIL PROTECTED] to 
> change your notification address.
> 
> If you have any questions let me know.  I'll be happy to help just as
> quickly as I can.
> 
> Thanks,
> Russ
> 

RE: [sniffer] Triggered rulebase update instructions

2004-12-28 Thread Landry William

Attached is an updated instructions file to fix some typos and missed
information.  I'll send out another update after receiving feedback from
others.

Bill



==
Sniffer triggered rulebase update instructions
==
By [EMAIL PROTECTED]

These are instructions on how to setup triggered downloads of new rulebase files from
the Sniffer rulebase update e-mail notifications.

Included with this distribution are the open-source "wget" and "gzip" files.  They are
needed to support the download and uncompression of rulebase files.

Step one:
=
Copy all files from this distribution into your "sniffer" directory.

Step two:
=
Edit the "snfupd.cmd" file (this is the rulebase download script).
1. Open the snfupd.cmd file in your sniffer directory with a text editor like "Notepad".
2. Edit all entries labeled "EDIT NEXT LINE" with your specific configuration information.
3. Save your changes.

Step three:
===
Create an IMail "Program Alias" account
1. Open the "IMail Administrator"
2. Select the domain to create the "program alias" account under
3. Click on "Aliases" under the chosen domain
4. Click on the "Add Alias..." button
5. Type in the "Alias ID" for this account (something like: snifferupdate),
   then click "Next"
6. Select "Program" as the alias type and click "Next"
7. Click "Browse..." and browse to the location of your "sniffer" directory
   and select "snfupd.cmd", then click "Next"
8. Click "Finish" and you're done setting up your Sniffer "Program Alias" account

Step four (optional):
=
Create a "Standard Alias" account (only necessary if you want to receive a copy
of the Sniffer update notifications).
1. Open the "IMail Administrator"
2. Select the domain to create the "standard alias" account under
3. Click on "Aliases" under the chosen domain
4. Click on the "Add Alias..." button
5. Type in the "Alias ID" for this account (something like: snfupd), then click "Next"
6. Select "Standard" as the alias type and click "Next"
7. Add the e-mail address that you would like the Sniffer update messages to be
   forwarded to.  Also add the "program alias" address you created in Step Three
   above.  This will send a copy of the update notification to all listed accounts,
   including the "program alias", which will trigger the new rulebase download.
8. Click "Finish" and you're done setting up your Sniffer "Standard Alias" account

Step five:
==
Test the new "program alias" account.
1. If you setup a "standard alias", as defined in "Step four" above, send a test
   message to your "standard alias" e-mail address.  This should trigger a copy of
   the test message to your e-mail forwarding address and set-off the rulebase download.
2. Check to see that you received a copy of the test message to your forwarding address.
3. Check to see that a rulebase download was triggered (check the timestamp of your
   rulebase file - you can also view the snfupd.txt file to see the complete status of
   the update).  Also, if you opted to receive the update results via e-mail (via the
   snfupd.cmd download script), check to see that you received the results e-mail.
4. If you skipped "Step four" above, send a test message to your "program alias" address
   and check to see if it triggered a rulebase download.

Step six:
=
Advise SortMonster of the new e-mail address to send update notifications to.
1. If you created a "standard alias" account as defined in "Step four", send an e-mail
   to Sniffer Support ([EMAIL PROTECTED]) and ask them to send your rulebase update
   notifications to your "standard alias" e-mail address.
2. If you skipped "Step four" above, ask Sniffer Support to send your rulebase update
   notifications to your "program alias" address.
3. Monitor to make sure your rulebase update e-mails are successfully triggering your
   rulebase downloads.


That's it...



RE: [sniffer] Triggered rulebase update instructions

2004-12-28 Thread Landry William



Thanks for all of the suggestions, Matt.  See my comments below:

-Original Message-
From: Matt [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 28, 2004 10:17 PM
To: sniffer@SortMonster.com
Subject: Re: [sniffer] Triggered rulebase update instructions

Bill,

I think that this is overwhelmingly much better (the whole thing), but I have a
few suggestions to add.
  
1) The commenting in the CMD file seemed a bit excessive and that made 
it a little hard to follow.  It might be nice to arrange all of the 
tweakable variables in a single section instead of separating each one out, 
and then block coding the main program with a standard amount of 
commenting.  I think that would make the script more readable for both 
programmers as well as beginners.

I agree, it might make sense to move most of the instructional comments 
out of the script to a separate file that someone could review if they 
needed additional help.

  
2) I personally find it to be a bit messy to have everything running 
from within my Sniffer directory.  After all of the other CMD files, 
old rulebases, service related files, logs, etc., it's not obvious what is 
needed or not.  I would suggest coding this up with a default directory 
structure of using a subdirectory called "updates".  This would require 
a separation of variables for the updates directory and the destination 
directory I believe.

What do others think about this?  My goal was to keep things as 
simple as possible for the end user of the script.  However, if people 
think that a separate "updates" directory makes more sense, then I can make this 
change.

  
3) I think it would be a good idea to consider a different default 
directory structure.  With Sniffer evolving to support other platforms, 
IMail effectively abandoning us, and Declude moving to SmarterMail and 
possibly others, I could very well see Sniffer establishing a non-dependent 
directory structure.  I would suggest that the default recommendation 
become "C:\Sniffer", which might also necessitate a change in some of Pete's 
other documentation.  Keep in mind that it is confusion and convolution 
that contributes to the lack of efficient rulebase downloads and not the 
lack of resources or help.  IMO, things would benefit from 
standardization of this sort, and it should all be done with purpose.

Yes, but this script was focused only on IMail users.  Does it make 
more sense to create different scripts for different platforms, or a single 
script with a platform specification variable?

  
4) Since this setup is targeted specifically at IMail, I would 
recommend that different packages be provided for different platforms, and 
these should probably be in separate zip's so that one doesn't get all sorts 
of extra stuff.  This could be "Rulebase_Updater_IMail.zip", but there 
should also be a Linux, MDaemon and SmarterMail updater added to the list.

I agree, but then why section 3 above?

  
5) I'm thinking that including the notification process within this 
script might be too much.  The primary goal is to get people to use the 
automated system and compressed files, and this adds complexity to the 
setup.  My thought here would be to create a "chaining" option that 
could be used to kick off any script, not necessarily IMail1.exe.  You 
could then include this separate notification script in the package and have 
it configured from within that file, leaving only the optional chaining 
command within the primary script and stripping out the rest of the 
stuff.  I do know that from interface design there is a basic tenet 
where you don't want to overwhelm the viewer/visitor, otherwise they retain 
even less than they would with a smaller group of things.  Programming 
is often at odds with this tenet, which is fine for programmers because the 
functionality necessitates complication, but the issue being addressed here 
is really ease of use for the lowest common denominator, and the primary 
goal is just the downloads.  You should consider that this whole thing 
will be used by people with very little administration experience, no 
programming experience, and in some cases, English will be a second language 
to them (or only translated by a tool of some sort).

Again, this script is focused only on IMail users.  If we follow 
your suggestion in section 4 above, then why move the e-mail report out of the 
basic script?

  
 Most of this stuff is 
somewhat minor taken in isolation from each other, but I believe that it 
could be a bit tighter in one way or another for a better result.  I'll 
volunteer my own services if you would like for me to provide examples of 
any one of these things, but I'll wait for your direction before doing 
so.  I think the most i

RE: [sniffer] Triggered rulebase update instructions

2004-12-28 Thread Landry William



John, since you have not implemented a trigger program alias yet, would you be
willing to test the setup instructions and provide feedback?

Bill

-Original Message-
From: John Tolmachoff (Lists) [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 28, 2004 10:30 PM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] Triggered rulebase update instructions

Matt, you think too much.

;)

(From one who needs to implement better scripts, including a triggered script
for Sniffer.)

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Tuesday, December 28, 2004 10:17 PM
To: sniffer@SortMonster.com
Subject: Re: [sniffer] Triggered rulebase update instructions

Bill,

I think that this is overwhelmingly much better (the whole thing), but I have
a few suggestions to add.

1) The commenting in the CMD file seemed a bit excessive and that made it a
little hard to follow.  It might be nice to arrange all of the tweakable
variables in a single section instead of separating each one out, and then
block coding the main program with a standard amount of commenting.  I think
that would make the script more readable for both programmers as well as
beginners.

2) I personally find it to be a bit messy to have everything running from
within my Sniffer directory.  After all of the other CMD files, old rulebases,
service related files, logs, etc., it's not obvious what is needed or not.  I
would suggest coding this up with a default directory structure of using a
subdirectory called "updates".  This would require a separation of variables
for the updates directory and the destination directory I believe.

3) I think it would be a good idea to consider a different default directory
structure.  With Sniffer evolving to support other platforms, IMail
effectively abandoning us, and Declude moving to SmarterMail and possibly
others, I could very well see Sniffer establishing a non-dependent directory
structure.  I would suggest that the default recommendation become
"C:\Sniffer", which might also necessitate a change in some of Pete's other
documentation.  Keep in mind that it is confusion and convolution that
contributes to the lack of efficient rulebase downloads and not the lack of
resources or help.  IMO, things would benefit from standardization of this
sort, and it should all be done with purpose.

4) Since this setup is targeted specifically at IMail, I would recommend that
different packages be provided for different platforms, and these should
probably be in separate zip's so that one doesn't get all sorts of extra
stuff.  This could be "Rulebase_Updater_IMail.zip", but there should also be a
Linux, MDaemon and SmarterMail updater added to the list.

5) I'm thinking that including the notification process within this script
might be too much.  The primary goal is to get people to use the automated
system and compressed files, and this adds complexity to the setup.  My
thought here would be to create a "chaining" option that could be used to kick
off any script, not necessarily IMail1.exe.  You could then include this
separate notification script in the package and have it configured from within
that file, leaving only the optional chaining command within the primary
script and stripping out the rest of the stuff.  I do know that from interface
design there is a basic tenet where you don't want to overwhelm the
viewer/visitor, otherwise they retain even less than they would with a smaller
group of things.  Programming is often at odds with this tenet, which is fine
for programmers because the functionality necessitates complication, but the
issue being addressed here is really ease of use for the lowest common
denominator, and the primary goal is just the downloads.  You should consider
that this whole thing will be used by people with very little administration
experience, no programming experience, and in some cases, English will be a
second language to them (or only translated by a tool of some sort).

Most of this stuff is somewhat minor taken in isolation from each other, but I
believe that it could be a bit tighter in one way or another for a better
result.  I'll volunteer my own services if you would like for me to provide
examples of any one of these things, but I'll wait for your direction before
doing so.  I think the most important thing would be for Pete to provide some
guidance for the preferred directory structure (independent of the app), so
that this could be used for the default settings in this and other scripts.

Matt

Landry William wrote:
Attached is an updated instructions file to fix some typos and missed
information.  I'll send out another update after 

RE: [sniffer] Triggered rulebase update instructions

2004-12-29 Thread Landry William



I can send you the files, if they will pass your virus filters (.exe files).
Otherwise, they are included in the Win32 UNIX Utilities download that you can
find at http://unxutils.sourceforge.net/.
Or you can find gzip at http://www.gzip.org/ and wget at http://www.gnu.org/software/wget/wget.html.

Bill

-Original Message-
From: John Tolmachoff (Lists) [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 29, 2004 12:23 AM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] Triggered rulebase update instructions

Where might the wget and gzip files be?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Landry William
Sent: Tuesday, December 28, 2004 11:34 PM
To: 'sniffer@SortMonster.com'
Subject: RE: [sniffer] Triggered rulebase update instructions

John, since you have not implemented a trigger program alias yet, would you be
willing to test the setup instructions and provide feedback?

Bill

-Original Message-
From: John Tolmachoff (Lists) [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 28, 2004 10:30 PM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] Triggered rulebase update instructions

Matt, you think too much.

;)

(From one who needs to implement better scripts, including a triggered script
for Sniffer.)

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


RE: [sniffer] Triggered rulebase update instructions

2004-12-29 Thread Landry William

There are many ways to skin this cat.  For Declude JunkMail Pro users, you
could also setup a COPYTO action to notify the program alias.  However, the
dual alias setup appeared to be the simplest way for the novice mail admin
to get this working.  More experienced admins will have the ability to tweak
the scripts and setup their configurations to meet their own specific needs.
Again, I am attempting to make the process as simple as possible so that
anyone using IMail/Declude/Sniffer can setup triggered updates.  More
experienced users are always going to do things their own way.

Bill

-Original Message-
From: Woody G Fussell [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, December 29, 2004 7:57 AM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] Triggered rulebase update instructions



Bill
This would apply to Imail users.

I suggest that rather than creating two aliases that you use only a program
alias. Trigger it using an inbound Imail subject rule to send a copy to the
alias. Everyone has a unique subject line based on your rule base ID
therefore you can create a unique rule to trigger the updates. The
uniqueness of the subject may reduce the frequency of spam triggering an
update.


Example subject rule

S~abcde123.snf Update:[EMAIL PROTECTED]


This eliminates having to contact sortmonster to change the address where
your updates are delivered (also allows flexibility to change your programs
alias name as necessary without involving sortmonster)

You will also continue to receive the notifications wherever you were
getting them before.


Woody Fussell
Wilbur Smith Associates

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Landry William
Sent: Tuesday, December 28, 2004 9:08 PM
To: 'sniffer@SortMonster.com'
Subject: RE: [sniffer] Triggered rulebase update instructions


Attached is an updated instructions file to fix some typos and missed
information.  I'll send out another update after receiving feedback from
others.

Bill






RE: [sniffer] Triggered rulebase update instructions

2004-12-29 Thread Landry William

Documenting and troubleshooting rule creation/configuration I think would
only add to the complexity.  Also, many admins do not host their corporate
domains on IMail.  For example, SortMonster was sending my update
notifications to my corporate Exchange server, so I had to request a change
anyway.

Pete, what are your thoughts on this?  Would you rather not get a load of
requests to change notification e-mail addresses?

Bill

-Original Message-
From: Woody G Fussell [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, December 29, 2004 12:20 PM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] Triggered rulebase update instructions


I agree on the simplicity, just thought it would be a bonus not to involve
sortmonster with the address changes.

Woody

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Landry William
Sent: Wednesday, December 29, 2004 2:37 PM
To: 'sniffer@SortMonster.com'
Subject: RE: [sniffer] Triggered rulebase update instructions


There are many ways to skin this cat.  For Declude JunkMail Pro users, you
could also set up a COPYTO action to notify the program alias.  However, the
dual alias setup appeared to be the simplest way for the novice mail admin
to get this working.  More experienced admins will have the ability to tweak
the scripts and set up their configurations to meet their own specific needs.
Again, I am attempting to make the process as simple as possible so that
anyone using IMail/Declude/Sniffer can set up triggered updates.  More
experienced users are always going to do things their own way.

Bill

-Original Message-
From: Woody G Fussell [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, December 29, 2004 7:57 AM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] Triggered rulebase update instructions



Bill
This would apply to Imail users.

I suggest that rather than creating two aliases that you use only a program
alias. Trigger it using an inbound Imail subject rule to send a copy to the
alias. Everyone has a unique subject line based on your rule base ID
therefore you can create a unique rule to trigger the updates. The
uniqueness of the subject may reduce the frequency of spam triggering an
update.


Example subject rule

S~abcde123.snf Update:[EMAIL PROTECTED]


This eliminates having to contact sortmonster to change the address where
your updates are delivered (also allows flexibility to change your program
alias name as necessary without involving sortmonster).

You will also continue to receive the notifications wherever you were
getting them before.


Woody Fussell
Wilbur Smith Associates

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Landry William
Sent: Tuesday, December 28, 2004 9:08 PM
To: 'sniffer@SortMonster.com'
Subject: RE: [sniffer] Triggered rulebase update instructions


Attached is an updated instructions file to fix some typos and missed
information.  I'll send out another update after receiving feedback from
others.

Bill





RE: [sniffer] Hello - New to sniffer

2004-12-30 Thread Landry William

Bennie, I will send you my updated scripts and a couple of necessary
open-source utilities off-list (hopefully you can receive zipped executable
files - let me know if you don't receive my off-list message).

Also, as Pete mentioned, we have had some discussion on the list the past
couple of days about the best approach to managing scripts, so I would
appreciate feedback on your experience with implementing these scripts.

Bill

-Original Message-
From: Bennie [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 30, 2004 3:17 AM
To: sniffer@SortMonster.com
Subject: [sniffer] Hello - New to sniffer


Hello,

I am new to sniffer and was just wondering.  Are there any utilities that do
automatic uploads of the log files?  Does everyone upload their log files to
sortmonster?  Is there a way to automatically download the new rule base?

Bennie Culpepper
PepperLink




RE: [sniffer] Triggered rulebase update instructions

2005-01-03 Thread Landry William

Jeff, I sent Pete the revised scripts (including a logrotate/logupload
script) for review.  If all passes muster, I think he plans to post them to
the Sniffer web site for download.  With that said, if you can receive zip
archives containing executable files (.cmd & .exe), I would be willing to
send them to you off-list.

Let me know...

Bill

-Original Message-
From: Jeff Wojciechowski [mailto:[EMAIL PROTECTED]
Sent: Monday, January 03, 2005 2:35 PM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] Triggered rulebase update instructions


Hello:

Was there a consensus reached on the script for automatic/triggered rule
base for windows boxes? If so, would someone be kind enough to send it my
way.

Any help would be greatly appreciated as I am new to sniffer.

Regards,

Jeff Wojciechowski
DK Systems
Miliserv.net


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Landry William
Sent: Wednesday, December 29, 2004 2:46 PM
To: 'sniffer@SortMonster.com'
Subject: RE: [sniffer] Triggered rulebase update instructions


Documenting and troubleshooting rule creation/configuration I think would
only add to the complexity.  Also, many admins do not host their corporate
domains on IMail.  For example, SortMonster was sending my update
notifications to my corporate Exchange server, so I had to request a change
anyway.

Pete, what are your thoughts on this?  Would you rather not get a load of
requests to change notification e-mail addresses?

Bill

-Original Message-
From: Woody G Fussell [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 29, 2004 12:20 PM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] Triggered rulebase update instructions


I agree on the simplicity, just thought it would be a bonus not to involve
sortmonster with the address changes.

Woody

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Landry William
Sent: Wednesday, December 29, 2004 2:37 PM
To: 'sniffer@SortMonster.com'
Subject: RE: [sniffer] Triggered rulebase update instructions


There are many ways to skin this cat.  For Declude JunkMail Pro users, you
could also set up a COPYTO action to notify the program alias.  However, the
dual alias setup appeared to be the simplest way for the novice mail admin
to get this working.  More experienced admins will have the ability to tweak
the scripts and set up their configurations to meet their own specific needs.
Again, I am attempting to make the process as simple as possible so that
anyone using IMail/Declude/Sniffer can set up triggered updates.  More
experienced users are always going to do things their own way.

Bill

-Original Message-
From: Woody G Fussell [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, December 29, 2004 7:57 AM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] Triggered rulebase update instructions



Bill
This would apply to Imail users.

I suggest that rather than creating two aliases that you use only a program
alias. Trigger it using an inbound Imail subject rule to send a copy to the
alias. Everyone has a unique subject line based on your rule base ID
therefore you can create a unique rule to trigger the updates. The
uniqueness of the subject may reduce the frequency of spam triggering an
update.


Example subject rule

S~abcde123.snf Update:[EMAIL PROTECTED]


This eliminates having to contact sortmonster to change the address where
your updates are delivered (also allows flexibility to change your program
alias name as necessary without involving sortmonster).

You will also continue to receive the notifications wherever you were
getting them before.


Woody Fussell
Wilbur Smith Associates

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Landry William
Sent: Tuesday, December 28, 2004 9:08 PM
To: 'sniffer@SortMonster.com'
Subject: RE: [sniffer] Triggered rulebase update instructions


Attached is an updated instructions file to fix some typos and missed
information.  I'll send out another update after receiving feedback from
others.

Bill





RE: [sniffer] Weak rule removal work...

2005-01-04 Thread Landry William

Thanks Pete, this is the kind of proactive notification I wish some of our
other vendors followed.

Bill

-Original Message-
From: Pete McNeil [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 04, 2005 1:35 PM
To: sniffer@SortMonster.com
Subject: [sniffer] Weak rule removal work...


Hello Sniffer Folks,

  I have been doing some work in the database today to make the rule
  strength analysis and weak rule removal process more efficient.
  Along the way I discovered an appreciable number of rules that had
  somehow been left with high strength numbers even though their
  recent activity values were zero. I have corrected this code.

  I expect that this will reduce the size of the rulebase files,
  though I am not yet certain how big the change will be. I am hopeful
  that the change will be large enough to yield a performance
  increase.

  There should be only positive impacts from the changes that I have
  made, but just in case I will be watching things very closely.

  Please let me know right away if you sense any drastic changes other
  than, perhaps, the size of the rulebase files.

  I've made arrangements to put everything back the way it was if need
  be ;-)

Thanks,
_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)





RE: Re[2]: [sniffer] RuleBase ktk82hrr

2005-01-04 Thread Landry William

Yep, just checked my rulebase too, went from 17mb to just under 25mb.
Things still appear to be functioning okay.

Bill

-Original Message-
From: Pete McNeil [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, January 04, 2005 9:49 PM
To: Computer House Support
Subject: Re[2]: [sniffer] RuleBase ktk82hrr

On Wednesday, January 5, 2005, 12:41:34 AM, Computer wrote:

CHS> Correction, make that 23 meg!

Thanks for the heads up --- something is wrong, I'll figure it out.
You compiled with 231000 rules!

_M






RE: [sniffer] Tweaking our rule base

2005-01-06 Thread Landry William

I would suggest taking a look at Nerd's (http://countries.nerd.dk/more.html)
instead of Blackholes, they are much more comprehensive in their available
tests, and they can all be done with a single lookup, rather than one per
country zone.

Bill

-Original Message-
From: Matt [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 06, 2005 1:50 PM
To: sniffer@SortMonster.com
Subject: Re: [sniffer] Tweaking our rule base


If this person is using Declude, Mdaemon or SpamAssassin, they might 
want to consider just using the blackholes.us zones that list every 
known IP delegated to certain countries that are known to have spam 
problems (in addition to some providers as well).  This stuff can be set 
up as simple IP4R tests and weighted accordingly in one's config.

http://www.blackholes.us/

Matt



Pete McNeil wrote:

>On Thursday, January 6, 2005, 3:42:21 PM, Jeff wrote:
>
>JW> Hi,
>
>JW> What's the procedure for tweaking our rule base?  We would
>JW> like to catch anything from foreign domains. If that's not
>JW> possible, I  saw you had an option for catching the foreign
>JW> character sets.
>
>I can work with you to create aggressive black rules for your
>rulebase. I will contact you off-line soon to talk about this.
>
>Thanks,
>_M

-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=




RE: Re[4]: [sniffer] Still having problems

2005-01-08 Thread Landry William

This little script can give you a raw hit count per test:

egrep "Clean|Final" c:\path\to\sniffer\sniffer.log | gawk "{print $8}" |
usort | uniq -c | usort

Bill
-Original Message-
From: Kirk Mitchell [mailto:[EMAIL PROTECTED] 
Sent: Saturday, January 08, 2005 11:20 AM
To: sniffer@SortMonster.com
Subject: Re: Re[4]: [sniffer] Still having problems

At 01:50 PM 1/8/2005 -0500, Pete McNeil wrote:
>>>Here's one way
>>>
>>>http://www.sawmill.net/formats/Message_Sniffer.html
>
>KM>   That's the only one I found in the searching I've done. I'll 
>KM> probably give the trial version a shot but can't see paying $139 
>KM> for it. I was hoping maybe someone on the list had developed 
>KM> something, maybe a simple perl script or similar.
>
>I'm sure there are some things around.
>However, I suspect that most folks measure their email server or a 
>higher level AS/AV software's logs (such as Declude, or mxGuard) rather 
>than measuring Message Sniffer directly.
>
>What data do you want to summarize?

  Anything that could give me some hard numbers as to how effective the
filtering is working. # passed clean, # meeting x threshold, etc.


-- 
Kirk Mitchell-General Manager[EMAIL PROTECTED]
Keystone Connect Unlock Your World
Altoona, PA  814-941-5000   http://www.keyconn.net




RE: [sniffer] Spam Storm Alert...

2005-01-31 Thread Landry William

My only suggestion for QM is to disable "DNS Cache" and "Failed Domain
Skipping", both of these caused problems for me in the early 8.xx versions,
so I have just left them off.

As far as the thread settings, that really depends on how many messages you
process per day.  You may find some guidance in the IMail archive and/or the
IMail knowledge base.

Bill

-Original Message-
From: Glenn Ratliff [mailto:[EMAIL PROTECTED] 
Sent: Saturday, January 29, 2005 6:15 PM
To: 'sniffer@SortMonster.com'
Subject: RE: [sniffer] Spam Storm Alert...

This question is a little off subject, but do you have any
recommendations for Imail queue manager settings? We are running Sniffer
with declude 1.82 under Imail 8.15 and the server seems to bog down
sometimes.

Thanks,

Glenn



RE: [sniffer] Spam Storm Alert...

2005-01-31 Thread Landry William

Hmmm, a day and a half later this shows up on the list...???

Bill
-Original Message-
From: Landry William 
Sent: Saturday, January 29, 2005 6:51 PM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] Spam Storm Alert...


My only suggestion for QM is to disable "DNS Cache" and "Failed Domain
Skipping", both of these caused problems for me in the early 8.xx versions,
so I have just left them off.

As far as the thread settings, that really depends on how many messages you
process per day.  You may find some guidance in the IMail archive and/or the
IMail knowledge base.

Bill

-Original Message-
From: Glenn Ratliff [mailto:[EMAIL PROTECTED]
Sent: Saturday, January 29, 2005 6:15 PM
To: 'sniffer@SortMonster.com'
Subject: RE: [sniffer] Spam Storm Alert...

This question is a little off subject, but do you have any
recommendations for Imail queue manager settings? We are running Sniffer
with declude 1.82 under Imail 8.15 and the server seems to bog down
sometimes.

Thanks,

Glenn




RE: [sniffer] Spam Storm Alert...

2005-01-31 Thread Landry William

Well, after a second look (reviewing the headers), it looks like the message
got hung-up in the convoluted mess of internal mail gateways that Siemens
maintains (which I have no control over).  Sorry for the noise...!

Bill

-Original Message-
From: Landry William 
Sent: Monday, January 31, 2005 9:19 AM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] Spam Storm Alert...


Hmmm, a day and a half later this shows up on the list...???

Bill
-Original Message-
From: Landry William
Sent: Saturday, January 29, 2005 6:51 PM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] Spam Storm Alert...


My only suggestion for QM is to disable "DNS Cache" and "Failed Domain
Skipping", both of these caused problems for me in the early 8.xx versions,
so I have just left them off.

As far as the thread settings, that really depends on how many messages you
process per day.  You may find some guidance in the IMail archive and/or the
IMail knowledge base.

Bill

-Original Message-
From: Glenn Ratliff [mailto:[EMAIL PROTECTED]
Sent: Saturday, January 29, 2005 6:15 PM
To: 'sniffer@SortMonster.com'
Subject: RE: [sniffer] Spam Storm Alert...

This question is a little off subject, but do you have any
recommendations for Imail queue manager settings? We are running Sniffer
with declude 1.82 under Imail 8.15 and the server seems to bog down
sometimes.

Thanks,

Glenn




RE: [sniffer] Auto Sniffer Updates

2005-06-15 Thread Landry William



Have you checked out ImailSnifferUpdateTools.zip? 
It contains detailed instructions and can be downloaded from http://www.sortmonster.com/MessageSniffer/Help/AutomatingUpdatesHelp.html
 
Bill


From: Glenn \ WCNet [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 15, 2005 12:43 PM
To: sniffer@SortMonster.com
Subject: [sniffer] Auto Sniffer Updates

I've been doing Sniffer updates via a scheduled
task.  Am trying to get it working via a Program Alias in response to
update notifications.  The alias and .cmd file are in place,
but it won't activate via the notifications, even when I send a test
message to it.  I get a copy of the notification (or test message),
and I get an emailed report that the update ran, but my .snf file does NOT
change.  The update DOES work when the .cmd file is executed manually, so
the .cmd file apparently is not the problem.  Is there a trick on Program
Aliases that I'm missing?  Imail 7.15.
 
G.Z.


RE: [sniffer] Auto Sniffer Updates

2005-06-15 Thread Landry William

Strange, the script does not leave any temp files in my spool directory.

Bill 

-Original Message-
From: George Kulman [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, June 15, 2005 2:55 PM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] Auto Sniffer Updates

There seemed to be a problem with IMail running a cmd file, and since the bat
file worked I didn't bother checking further.

I did two other things which might be of interest to you:

I set the Alias that receives the notification email (in my case
[EMAIL PROTECTED]) as a standard alias that forwards the email to two
addresses.  One is my regular email address so that I actually receive a
copy of the notification message and the other is [EMAIL PROTECTED]
which is the Program Alias that triggers the .bat file.

I also added a line to Bill Landry's script to get rid of the tmp file that
IMail leaves behind when the script uses the IMail1 program to generate the
script results by email.  This goes after the script line which generates
the email:

 del %IMailDir%\spool\*.tmp

George

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Glenn \ WCNet
Sent: Wednesday, June 15, 2005 5:31 PM
To: sniffer@SortMonster.com
Subject: Re: [sniffer] Auto Sniffer Updates

Well blow me down.  That did the trick, least-wise it does for triggering by
a test message!   I'll know for sure when the next notification arrives.
Thanks!!!

G.Z.


- Original Message -
From: "George Kulman" <[EMAIL PROTECTED]>
To: 
Sent: Wednesday, June 15, 2005 4:06 PM
Subject: RE: [sniffer] Auto Sniffer Updates


You might want to try the following which resolved this problem for me (a
while ago)

1.  The IMail program alias is:  c:\Sniffer\snfupd.bat
2.  I created a .bat file which is:
@echo off
rem change to the Sniffer drive and folder, then run the update script
cd /d c:\sniffer
call snfupd.cmd

All of my Sniffer programs and files are in the c:\sniffer folder
(directory) which isn't required but happens to be the way I chose to do it.

George

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Brad Morgan
Sent: Wednesday, June 15, 2005 4:54 PM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] Auto Sniffer Updates

> That is what I'm using.  I tried editing the .cmd file to do away
> with the variables and hard-wire my parameters into it.  It works
> either way (before or after eliminating the variables) when executed
> manually.  It does not work via Program Alias -- my .snf file does
> not change when an update notification arrives.

> Procedure:  I send a test message to the update address.  I get back
> a copy of the test message, and a "S n i f f e r  update" notice
> indicating that an update occurred . . but, in fact, an update
> does NOT occur, the .snf file is still date/time stamped the same
> (I'm not using the -N option on WGET at this point, so a download
> should always occur).

My guess would be either a permissions problem or a path problem.
Verify that the account that runs the program alias has permissions
to all of the data locations and verify that you are not relying on
the PATH environment variable which may be different in each context.

Regards,

Brad Morgan
IT Manager
Horizon Interactive Inc.




This E-Mail came from the Message Sniffer mailing list. For information and
(un)subscription instructions go to
http://www.sortmonster.com/MessageSniffer/Help/Help.html



---
This message and any included attachments are from Siemens Medical Solutions 
USA, Inc. and are intended only for the addressee(s).  
The information contained herein may include trade secrets or privileged or 
otherwise confidential information.  Unauthorized review, forwarding, printing, 
copying, distributing, or using such information is strictly prohibited and may 
be unlawful.  If you received this message in error, or have reason to believe 
you are not authorized to receive it, please promptly delete this message and 
notify the sender by e-mail with a copy to [EMAIL PROTECTED] 

Thank you



RE: [sniffer] Auto Sniffer Updates

2005-06-15 Thread Landry William

Did you happen to comment out or not change either of the following
variables in your script to point to the correct drive\directory paths?:

SET SnifferDrive=c:
SET SnifferDir="c:\imail\declude\sniffer"

Which causes the calls to these variables later in the script's execution to
fail:

%SnifferDrive%
cd %SnifferDir%

If IMail cannot change to the proper script drive\directory location, then
that would cause the script's failure to run, and would account for why you
would need to execute a second batch file to get to the correct script file
location.

Bill 

-Original Message-
From: Glenn \ WCNet [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, June 15, 2005 2:31 PM
To: sniffer@SortMonster.com
Subject: Re: [sniffer] Auto Sniffer Updates

Well blow me down.  That did the trick, least-wise it does for triggering by
a test message!   I'll know for sure when the next notification arrives.
Thanks!!!

G.Z.


- Original Message -
From: "George Kulman" <[EMAIL PROTECTED]>
To: 
Sent: Wednesday, June 15, 2005 4:06 PM
Subject: RE: [sniffer] Auto Sniffer Updates


You might want to try the following which resolved this problem for me (a
while ago)

1.  The IMail program alias is:  c:\Sniffer\snfupd.bat
2.  I created a .bat file which is:
@echo off
rem change drive and folder in one step, then run the update script
cd /d c:\sniffer
snfupd.cmd

All of my Sniffer programs and files are in the c:\sniffer folder
(directory) which isn't required but happens to be the way I chose to do it.

George

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Brad Morgan
Sent: Wednesday, June 15, 2005 4:54 PM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] Auto Sniffer Updates

> That is what I'm using.  I tried editing the .cmd file to do away
> with the variables and hard-wire my parameters into it.  It works
> either way (before or after eliminating the variables) when executed
> manually.  It does not work via Program Alias -- my .snf file does
> not change when an update notification arrives.

> Procedure:  I send a test message to the update address.  I get back
> a copy of the test message, and a "S n i f f e r  update" notice
> indicating that an update occurred . . but, in fact, an update
> does NOT occur, the .snf file is still date/time stamped the same
> (I'm not using the -N option on WGET at this point, so a download
> should always occur).

My guess would be either a permissions problem or a path problem.
Verify that the account that runs the program alias has permissions
to all of the data locations and verify that you are not relying on
the PATH environment variable which may be different in each context.

Regards,

Brad Morgan
IT Manager
Horizon Interactive Inc.






RE: [sniffer] Large amounts of spam still getting through

2005-10-14 Thread Landry William

We do exactly this at our Postfix gateways, it's called greylisting.  See
http://isg.ee.ethz.ch/tools/postgrey/.  You may want to consider setting up
a gateway in front of your IMail server that supports greylisting.

Bill

-Original Message-
From: Mike Nice [mailto:[EMAIL PROTECTED] 
Sent: Friday, October 14, 2005 12:43 PM
To: sniffer@SortMonster.com
Subject: Re: [sniffer] Large amounts of spam still getting through

> getting much better at what they do.  When a spammer uses Geocities 
> links, hijacks real accounts on major providers to send spam through, 
> and changes their techniques every few hours, it makes it difficult 
> for Sniffer to proactively block them, and the delay between rulebase 
> updates means a delay in catching things that have been tagged.

  This brings to mind a technique with optional adaptive delay - enabled by
the user. Each mail is assigned a 'triplicate': (To_Email, From_Email, and
domain_of_sending_server).  Previously unknown triplicates are held for a
period of time before being examined for spam.  The delay is long enough
that SpamCop, Sniffer, and InvURIBL mailtraps see copies of the spam and
update the blacklists.

   This would be hard to do with the stock IMail, but possibly could be done
by Declude with the V3 architecture and a database.

   It still doesn't provide a good answer to the problem of spammers
hijacking a computer and sending spam through legitimate servers.




RE: Re[2]: [sniffer] Last chance to renew at the old price!

2005-12-27 Thread Landry, William (MED US)



Agree wholeheartedly!
 
Bill


From: Dean Lawrence [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 27, 2005 2:18 PM
To: sniffer@SortMonster.com
Subject: Re: Re[2]: [sniffer] Last chance to renew at the old price!

You know, I just don't get where all of the doom and gloom comes from. Yes, 
it is a large percentage increase, but it's still only 2 bucks a day to run 
the best piece of software on my server. I'm sure that they have taken these 
comments into consideration and will try to give more advanced notice in the 
future. But, to start with the "Time to start looking for another solutions" 
talk is ridiculous. Reading Michael's description of what is going on over there 
suggests that their business is exploding, not imploding. And to keep on top of 
it, they need to increase their cash flow, not to buy nicer cars. I think 
everyone needs to look at how much Sniffer saves you everyday instead of griping 
about how much it costs you. 
 
Just my 2 cents.
 
Dean 
On 12/27/05, Pete McNeil <[EMAIL PROTECTED]> wrote:

Part of the purpose for additional staff is to reach a goal of FP
processing measured in minutes to hours, never days as it is sometimes
now. We also have some automated tools on the drawing board that will
help to mitigate many FP cases on a self-serve basis. These will be
coming in this next year.

_M

On Tuesday, December 27, 2005, 4:00:59 PM, Darin wrote:

DC> Hi Michael,
DC>
DC> How about false positive processing?  That's our biggest headache, but it
DC> would be drastically reduced by faster processing than the 3-5 days we
DC> currently see.
DC>
DC> Darin.
DC>
DC> - Original Message -
DC> From: "Michael Murdoch" <[EMAIL PROTECTED]>
DC> To: <sniffer@SortMonster.com>
DC> Cc: "Pete McNeil" <[EMAIL PROTECTED]>
DC> Sent: Tuesday, December 27, 2005 2:13 PM
DC> Subject: RE: [sniffer] Last chance to renew at the old price!
DC>
DC> Hi Folks,
DC>
DC> Actually, here is some more detail as to the reasons for the price
DC> increase.  In addition, please bear in mind that prices haven't
DC> been raised in approximately 2 years and even with this increase we are
DC> priced very competitively.
DC>
DC> The new feature/benefits and more to come are as follows:
DC>
DC> * In the past 6 months we have more than doubled the number of updates
DC> per day and we will continue to increase our bandwidth and the speed of
DC> our updates.
DC>
DC> * We have more than tripled our staff to improve our monitoring,
DC> support, and rule generation capabilities.  Come January, we are again
DC> doubling this staff as the black-hats have gotten much more
DC> sophisticated and this has become a 24x7 battle.  Even Pete needs to
DC> sleep sometimes. :-)
DC>
DC> * We are adding new R&D programs for AFF/419 spam and Malware mitigation
DC> (many of the results from these projects have already been implemented).
DC>
DC> * During this next year as part of our continuous improvement policy we
DC> will continue to roll out new features and enhancements such as fully
DC> automated reporting, in-band real-time updates, an optimized message
DC> processing pipeline, image and file attachment tagging, advanced header
DC> structure analysis, enhanced adaptive heuristics, improved machine
DC> learning systems, real-time wave-front threat detection, and many
DC> more...
DC>
DC> It's important to recognize that many of our improvements don't require
DC> new software to be installed on the client side since they are delivered
DC> through rulebase enhancements. Though this often causes our work to go
DC> unnoticed, it is actually a design feature since it means that your
DC> installation requires very little maintenance. This translates to
DC> lowered administration costs and higher reliability.
DC>
DC> As a result of this "reliability-first" design strategy, it may not
DC> always be obvious that our service is constantly being improved and
DC> enhanced - we never stand still ;-)
DC>
DC> We'd hate to see any of you go, but please do compare us with other
DC> services.
DC>
DC> I'm sure that you'll find we're well worth the money, but it's always
DC> good to keep your options open. In fact, best practice these days for
DC> spam filtering is to use a blended approach that leverages many
DC> services. We personally encourage that for best results.
DC>
DC> Please let me know if you have any questions.  Thank you for your
DC> feedback and business!
DC>
DC> Sincerely
DC>
DC> Michael Murdoch
DC> The Sniffer Team
DC> ARM Research Labs, LLC
DC> Tel. 850-932-5338 x303
DC>
DC> -Original Message-
DC> From: [EMAIL PROTECTED]
DC> [mailto:[EMAIL PROTECTED]] On Behalf Of Fox, Thomas
DC> Sent: Tuesday, December 27, 2005 1:03 PM
DC> To: sniffer@SortMonster.com
DC> Subject: RE: [sniffer] Last chance to renew at the old price!
DC>
DC> I said the same thing, and the response was, basically,
DC> "We haven't raised the price in a long time, we need
DC> the money, like it or lump it."

RE: Re[2]: [sniffer] Last chance to renew at the old price!

2005-12-27 Thread Landry, William (MED US)

Thomas, if your company cannot afford the rather small monetary increase,
and you are running that close to the edge, then maybe you should not be in
business.  I for one am glad to hear the SNF is adding resources and has
mapped out a list of future feature enhancements.  Please quit your griping
or take it off list.

Bill 

-Original Message-
From: Fox, Thomas [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, December 27, 2005 2:40 PM
To: sniffer@SortMonster.com
Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

Your interpretation of "a bit" as being 50+% is disingenuous at best, and
thievery at the worst.
 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
> Sent: Tuesday, December 27, 2005 5:34 PM
> To: Fox, Thomas
> Subject: Re[2]: [sniffer] Last chance to renew at the old price!
> 
> On Tuesday, December 27, 2005, 5:14:13 PM, Thomas wrote:
> 
> >> -Original Message-
> >> From: [EMAIL PROTECTED] 
> >> [mailto:[EMAIL PROTECTED] On Behalf Of Michael Murdoch
> >>
> >> If you don't feel that's the case, then you
> >> are free to decide if you think otherwise.  Thanks and take care! 
> 
> FT> EASY FOX TRANSLATION:
> 
> FT> "Like it, or lump it."
> 
> Translated another way...
> 
> We could keep things as they are, stand still while spam generation
> technology advances rapidly, wither away, and die.
> 
> OR
> 
> We could charge a bit more, accelerate development and make sure that
> SNF stays out in front and even expands the gap.
> 
> I, for one, am not willing to make the first choice, and I doubt that
> it would be in anyone's best interests - except, perhaps, the
> blackhats.
> 
> _M
> 
> 
> 
> 

---
[This E-mail scanned for viruses by Declude Virus]





RE: Re[2]: [sniffer] Bad Rule - 828931

2006-02-07 Thread Landry, William (MED US)

Don't know about the proper syntax for baregrep, but for the standard UNIX
grep for Win32, the following would give you an accurate count:

grep -c "Final.*828931" c:\imail\declude\sniffer\logfile.log

Bill 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of David Sullivan
Sent: Tuesday, February 07, 2006 4:12 PM
To: sniffer@SortMonster.com
Subject: Re[2]: [sniffer] Bad Rule - 828931

Hello Matt,

Tuesday, February 7, 2006, 6:27:25 PM, you wrote:

M> rule number, and I don't have the tools set up or the knowledge of 
M> grep yet to do a piped query of Sniffer's logs to extract the spool file
M> names.

http://www.baremetalsoft.com/ is a great grep'er for windows. In BSD I
always used ".*" to represent any number of characters, white space or non,
but that didn't seem to work with baregrep. That's why I was trying to
confirm with anyone on the list my regex of "Final\t828931"
was an accurate regex to find every message that 'finaled' on that rule. I'm
praying that I screwed up the expression and I don't have
22,055 messages held by that rule.

M> BTW, David, it is generally better not to hold or block on one single 
M> test, especially one that automates such listings (despite whatever 
M> safeguards there might be).

I know, shame on me. I guess I'm used to the days that we used to be able to
hold on sniffer alone. We have some safeguards in place now and are
transitioning our rule methodologies but hadn't gotten to this one yet as
this always seems to hit back-burner.

This is also why I'd really like to see the content of the rule to see how
it made it past our safeguards.

--
Best regards,
 David   mailto:[EMAIL PROTECTED]
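
The two patterns discussed in this exchange, compared on sample log lines, together with the spool-file extraction asked about above. This is an added example, not from the thread: the column layout, the function names and the sample lines are constructed assumptions, and only the "Final, tab, rule number" adjacency comes from the messages.

```python
"""Count messages that 'finaled' on one rule in a Sniffer-style log."""
import re

# Assumed tab-separated column layout; only "Final<TAB>rule id" is from the thread.
FIELDS = ["license", "timestamp", "message_file", "setup_ms", "scan_ms",
          "result", "rule_id", "group", "index", "endex", "depth"]


def _line(*values):
    return "\t".join(values)


# Constructed sample records (not real log data).
SAMPLE_LOG = "\n".join([
    # Match record for the rule, followed by its Final record.
    _line("lic00000", "20060207181501", "D1a2b0001.SMD", "10", "47",
          "Match", "828931", "60", "102", "118", "40"),
    _line("lic00000", "20060207181501", "D1a2b0001.SMD", "10", "47",
          "Final", "828931", "60", "102", "118", "40"),
    # Different rule whose id merely ends in the same digits.
    _line("lic00000", "20060207181502", "D1a2b0002.SMD", "10", "31",
          "Final", "1828931", "52", "7", "29", "22"),
    # Different rule; the digits show up in a later numeric column.
    _line("lic00000", "20060207181503", "D1a2b0003.SMD", "10", "52",
          "Final", "700123", "52", "10", "828931", "30"),
    _line("lic00000", "20060207181504", "D1a2b0004.SMD", "10", "38",
          "Final", "828931", "60", "88", "104", "40"),
    _line("lic00000", "20060207181505", "D1a2b0005.SMD", "10", "29",
          "Clean", "0", "0", "0", "0", "0"),
])


def loose_matches(log_text, rule_id):
    """Lines matched by the wildcard form: Final, anything, then the digits."""
    pattern = re.compile("Final.*" + re.escape(rule_id))
    return [line for line in log_text.splitlines() if pattern.search(line)]


def final_hits(log_text, rule_id):
    """Message files whose Final record names exactly this rule id."""
    # Require field boundaries on both sides so that 1828931, or the same
    # digits in another column, cannot satisfy the pattern.
    pattern = re.compile(r"(?:^|\t)Final\t" + re.escape(rule_id) + r"(?:\t|$)")
    hits = []
    for line in log_text.splitlines():
        if pattern.search(line):
            record = dict(zip(FIELDS, line.split("\t")))
            hits.append(record.get("message_file", ""))
    return hits


if __name__ == "__main__":
    rule = "828931"
    print("wildcard pattern:", len(loose_matches(SAMPLE_LOG, rule)), "lines")
    print("field-exact match:", final_hits(SAMPLE_LOG, rule))
```

On a real log the two counts only differ when another Final record happens to contain the same digit string, so comparing them is a quick check on whether a large count is genuine.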





RE: [sniffer] problems!!!!

2006-02-08 Thread Landry, William (MED US)

I think a better solution or check-point might be to run any new rules (at
least ones that may be questionable) through a corpus test of known spam and
ham to see how the new Sniffer rule functions.  This is how the SARE and SA
folks evaluate their new rules and determine an appropriate weight to apply
to the individual rules.

Thoughts?

Bill

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Andy Schmidt
Sent: Wednesday, February 08, 2006 8:20 AM
To: sniffer@SortMonster.com
Subject: [sniffer] problems

Pete,

The only idea I came up with, would be to have ALL new rules go into a 6
hour "proving" category (=return code) before they are moved into their
"final" category.

By using Sniffer return codes, folks could decide to "trust" the established
rules and decide to "cross-check" any new rules by weighing them against
other sources/methods.

Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:    +1 201 934-9206





RE: [sniffer] Message sniffer in FreeBSD & Postfix

2006-02-08 Thread Landry, William (MED US)

Sniffer can be integrated into amavisd-new via spamassassin.  SA will
capture the Sniffer score and add it to its total score and amavisd-new will
act on that score as it currently does with spamassassin integration.

Bill 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Craig Deal
Sent: Wednesday, February 08, 2006 8:49 AM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] Message sniffer in FreeBSD & Postfix

> 
> Does not require spamassassin or amavis.  You can do it just with 
> postfix.
> 
> DustyC
> 

True, but he wanted it to work with amavisd-new. Less risk of a false
positive if it's part of a weighted system.

Craig





RE: [sniffer] Message sniffer in FreeBSD & Postfix

2006-02-08 Thread Landry, William (MED US)

Yep, but for someone not running IMail/Declude, the integration with
spamassassin and amavisd-new works great.

Bill

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of NetEase Operations Manager
Sent: Wednesday, February 08, 2006 8:45 AM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] Message sniffer in FreeBSD & Postfix

Does not require spamassassin or amavis.  You can do it just with postfix.

DustyC

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Craig Deal
Sent: Wednesday, February 08, 2006 10:41 AM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] Message sniffer in FreeBSD & Postfix

> Is there anyone else who would like to see Message Sniffer 
> incorporated into Amavis-new?  This would be a great addition to my 
> IMGate - Postfix mail gateway. Currently I use message sniffer on my 
> Imail box but would like to offload that server and do the "sniffing" 
> before the mail hits Imail.
> 

This is already available by using Sniffer with Spamassassin.

Craig



