[sniffer] Re: New proactive false positive prevention initiatives

2010-02-04 Thread Steve Guluk
Hey Pete, 
Is there a hook to use Sniffer in SmarterMail 6?

I just had to move to SmarterMail rather than pay over $3k to upgrade iMail to 
run on a 64-bit Windows box. I'm using eWall at this point for Message Sniffer 
but may retire that with iMail.

On Feb 4, 2010, at 1:57 PM, Pete McNeil wrote:

 Hello Sniffer Folks,
 
 I thought I would drop you a note to let you know some things we're doing 
 behind the scenes to improve filtering accuracy and prevent false positives.
 
 Unqualified false positive candidates:
 
 In partnership with our larger customers we have created a new system to 
 proactively review captured messages that _might_ be unreported false 
 positives (usually they are spam, but some aren't). Through this review 
 process we are able to remove and modify pattern rules that cause occasional 
 low-level false positives that would otherwise not be reported. This system 
 is already allowing us to recode or remove dozens of rules per day to make 
 them more accurate; and to update our rule coding practices and support 
 systems to further improve our accuracy moving forward.
 
 Real-time rule / IP conflict analysis:
 
 Today we have completed a new false-positive early-warning system. This 
 system monitors conflicts between IP reputations and pattern rule matches 
 across the entire fleet of Message Sniffer installations in real-time. Any 
 time a pattern match is in disagreement with a source IP's reputation that 
 information is analyzed and pumped through a sophisticated collection of 
 filters and data-mining tools. The resulting analysis is displayed in 
 real-time in our spam-weather center so that our staff can respond 
 immediately (24x365) if there is any sign of a bad rule.
 
 Since we launched this new system and operating protocols earlier today we 
 have already had several events; all of them turned out to be valid 
 anti-spam rules capturing content from bot nets that had previously sent 
 *berserkers to improve their IP reputations, or where some of the campaigns 
 in question had leaked sufficiently to produce temporary positive IP 
 reputations on some systems. This information itself is very interesting now 
 that we can see it more clearly and we are already working on ways to 
 identify these cases and reduce the leakage associated with them.
 
 As always your comments, ideas, and suggestions are both welcome and 
 encouraged.
 
 Best,
 
 _M
 
 PS: *berserkers - Blackhats sometimes send messages that are random and/or 
 carry no payload. These berserkers, sometimes sent by accident by broken 
 bots or broken spam scripts, have the effect of improving the IP reputations 
 of the systems that send them because there is no sufficient content to 
 filter against. In addition these messages are often sent at such low rates 
 that most adaptive filtering systems fail to respond to them; if those 
 systems were to be (conventionally) sensitized to the berserkers they would 
 also significantly increase their false-positive rates.
 
 We call these berserkers based on the practice of old Norse warriors who, in 
 an uncontrollable state (chaotic, berserk (in a fit of madness), and with the 
 belief they are immune to weapons), would charge directly into the enemy's 
 ranks fearlessly attacking anything and everything (friend or foe).
 
 http://en.wikipedia.org/wiki/Berserker
 
 
 
 #
 This message is sent to you because you are subscribed to
 the mailing list sniffer@sortmonster.com.
 This list is for discussing Message Sniffer,
 Anti-spam, Anti-Malware, and related email topics.
 For More information see http://www.armresearch.com
 To unsubscribe, E-mail to: sniffer-...@sortmonster.com
 To switch to the DIGEST mode, E-mail to sniffer-dig...@sortmonster.com
 To switch to the INDEX mode, E-mail to sniffer-in...@sortmonster.com
 Send administrative queries to  sniffer-requ...@sortmonster.com
 
 

Regards, 


Steve Guluk
SGDesign
(949) 661-9333
















[sniffer] Re: Announcing ClamAID - Clam AV installer for windows.

2009-02-02 Thread Steve Guluk

Any plans on an eWall version?


On Feb 2, 2009, at 9:49 AM, Pete McNeil wrote:


Hello Sniffer Folks,

We've noticed that folks often have trouble getting Clam AV (the free
open source anti-virus scanner) working correctly on their mail
servers, so we've created a free product to help solve that. ClamAID
(Clam AV Assisted Install Device).

http://www.armresearch.com/tools/arm/clamAID.jsp

What ClamAID does is collect all of the bits and pieces that make
ClamAV work, configure them, install them, and get them running with
your email / filtering platform.

So far ClamAID supports IceWarp, Declude/IMail, and
Declude/SmarterMail.

We will add support for additional platforms as requested (time
permitting).

Please take a look, keep us posted on your progress, and tell your
friends about ClamAID if it helps you. If you have any questions or
run into problems then please let us know (support@).

Thanks!

_M

--  
Pete McNeil

Chief Scientist,
Arm Research Labs, LLC.





Regards,


Steve Guluk
SGDesign
(949) 661-9333













[sniffer] Re: eWall

2009-02-02 Thread Steve Guluk


On Feb 2, 2009, at 2:50 PM, Andy Schmidt wrote:

Wo – how did I miss eWall all these years? I thought ASSP was  
the only game in Windows town, but I didn’t like the Sniffer  
integration and was worried about running on Perl.
Sadly, the eWall web site is terrible – I don’t see any manual or  
installation guide or anything that allows me to evaluate the  
software’s suitability “on paper”. But from the little bit that the  
video-walk-through reveals when you stop the video at just the right  
moments to be able to catch the screens – THIS looks like an awesome  
application addressing many issues I’ve always wanted to address.




Being a Designer I could not help but voice the same concerns to these  
folks when I first bought their program. $99 and no renewal fees... It  
revived my server that had iMail choking on the amounts of processing  
needed to handle the volumes of email passing through the server.


I believe the manual is included in the download when testing the  
product if that helps.



Regards,


Steve Guluk
SGDesign
(949) 661-9333













[sniffer] Re: Sniffer Helper App? UPDATE

2008-07-04 Thread Steve Guluk

Hello,
As an update, the developer (Alexander N. Telegin) spent a number of  
hours on my server and seems to have sorted the bugs out in eWall. At  
this time the program is running well and as advertised. It's a nice  
little light gateway client that has some easy to use scripting  
features and can really block a mass of unwanted mail before it even  
gets to the mail server. It ties to the newest Sniffer App quite  
easily also.


Thanks for the alternate suggestions guys and gals.

Regards,


Steve Guluk
SGDesign
(949) 661-9333
ICQ: 7230769











[sniffer] Sniffer Helper App?

2008-07-01 Thread Steve Guluk

Hello,
I run iMail 9.0 and would like a program that can do GeoIP to screen  
foreign countries before they even get to iMail. I used to use MXGuard  
(still have an active license) but my server could not handle the CPU  
draw. I moved to eWall which really has some great potential as it is  
a nice light gateway client that works with Sniffer but it also  
crashes and has a few other problems (this program also introduced me  
to GeoIP).


Any other suggestions? I am beat after trying to get some decent  
spam relief as well as relief from an aging server. My server is an  
AMD 2.0 with RAID and 2 gigs of RAM. It's fared well over the  
last couple years but the spam levels ramping up are starting to take  
their toll and I don't want to move to a new server just yet.


eWall's got me spoiled on the GeoIP feature where it polls a DB for  
country info based on the incoming IP and can delete emails before  
they reach iMail.


Any suggestions on what I should consider to help with spam and also  
use Sniffer? Is Declude worthwhile? Some other light gateway like  
eWall?


Thanks in advance for any suggestions,


Steve Guluk
SGDesign
(949) 661-9333
ICQ: 7230769











[sniffer] Re: Sniffer Helper App?

2008-07-01 Thread Steve Guluk


On Jul 1, 2008, at 12:25 PM, Rob McEwen wrote:


Steve,

Do you have the ability to add into your current filtering  
additional RBLs and/or URI blacklists? I have some good suggestions  
there!


Rob McEwen


Rob,

If I move away from eWall I will be left with just iMail till I find  
something else (purpose of my email). iMail has URL blacklists. eWall  
has URI Blacklists but I'm still looking for that perfect client to  
put in-front of my mail server (software based). So you probably have  
some good suggestions but I still need to get that program that can  
appreciate them.


Regards,


Steve Guluk
SGDesign
(949) 661-9333
ICQ: 7230769











[sniffer] Re: It's official. SNF Version 3.0 is Ready!

2008-06-27 Thread Steve Guluk
Pete are there new log files as I do not see them in my working  
sniffer dir...?  I'm using the integrated model with eWall.


Regards,


Steve Guluk
SGDesign
(949) 661-9333
ICQ: 7230769











[sniffer] Re: It's official. SNF Version 3.0 is Ready!

2008-06-27 Thread Steve Guluk

Never mind... Got it working and see the new XML logs.


On Jun 27, 2008, at 12:25 PM, Steve Guluk wrote:

Pete are there new log files as I do not see them in my working  
sniffer dir...?  I'm using the integrated model with eWall.


Regards,


Steve Guluk
SGDesign
(949) 661-9333
ICQ: 7230769











[sniffer] Re: SNF V2-9b1.5 Released - Please Upgrade

2007-10-17 Thread Steve Guluk

Pete,
So still in Beta right?

Not being a beta tester I'll patiently wait till you go Golden Master.

Just wanted to make sure this was not the GM version


On Oct 17, 2007, at 3:57 PM, Pete McNeil wrote:


Hello Sniffer folks,

Please find the latest SNF V2-9 distribution files here:

http://kb.armresearch.com/index.php?title=Message_Sniffer.GettingStarted.Distributions#NEW_SNF_V2-9_Wide_Beta


If you are running a previous version of SNF V2-9, please upgrade as
soon as possible.

The newest version includes some bug fixes. From the change log:

20071017 - SNF2-9b1.5.exe

Added a missing #include directive to the networking.hpp file. The
missing #include was not a factor on Linux and Windows systems but
caused compiler errors on BSD systems.

Corrected a bug in the GBUdb White Range code where any message with a
white range source IP was being forced to the white result code. The
engine now (correctly) only forces the result and records the event when
a black pattern rule was matched and the White Range IP causes that
scan result to be overturned. If the scan result was not a black pattern
match then the original scan result is allowed to pass through.

Corrected a bug in the Header Analysis filter chain module that would
cause the first header in the message to be ignored in some cases.

Corrected an XML log format problem so that <s/> elements are correctly
open ended <s> or closed (empty) <s/> according to whether they
have subordinate elements.

Adjusted the GBUdb header info format. The order of the Confidence
figure and Probability figure is now the same as in the XML log files
(C then P). The confidence and probability figures are now preceded
with c= and p= respectively so that it's easy to tell which is which.

Thanks!

_M

--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.






Regards,


Steve Guluk
SGDesign
(949) 661-9333
ICQ: 7230769
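Two passages on this page describe how Message Sniffer's IP reputation data interacts with its pattern rules: the 2010 announcement of real-time rule / IP conflict analysis, and the V2-9b1.5 change-log entry on the GBUdb White Range override. The Python below is an added example written for this archive, not Message Sniffer or ARM Research code. The result-code names, rule ids, white ranges, reputation labels, sample scan events and the review threshold are all constructed for illustration; the real engine's data formats are not modelled.

```python
"""Toy scan pipeline illustrating two behaviours discussed on the list.

1. GBUdb White Range override (change log): a white-range source IP
   overturns a *black pattern match* only, and only that event is
   recorded; every other result passes through. The pre-fix behaviour is
   kept alongside to show what the bug looked like.
2. Rule / IP-reputation conflict early warning (2010 announcement): each
   black match from a good-reputation IP is counted against the rule that
   fired, and rules with a high disagreement ratio are surfaced for review.

All names, ranges, ids and thresholds here are constructed for the example.
"""
from collections import defaultdict
import ipaddress

# Scan result codes (constructed names; the real engine uses numeric codes).
CLEAN = "clean"   # no pattern rule matched
BLACK = "black"   # a black (spam) pattern rule matched
WHITE = "white"   # forced white by the GBUdb white range

# Constructed white ranges (RFC 5737 documentation prefixes).
WHITE_RANGES = [ipaddress.ip_network("192.0.2.0/24"),
                ipaddress.ip_network("198.51.100.0/25")]


def in_white_range(ip, ranges=WHITE_RANGES):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def white_range_before_fix(result, ip):
    """Pre-V2-9b1.5 behaviour from the change log: any white-range source IP
    was forced to white, even with no black rule matched.
    Returns (final_result, override_recorded)."""
    if in_white_range(ip):
        return WHITE, True
    return result, False


def white_range_after_fix(result, ip):
    """Corrected behaviour: only a black pattern match is overturned, and
    only then is an override event recorded. Everything else passes through."""
    if result == BLACK and in_white_range(ip):
        return WHITE, True
    return result, False


class RuleConflictMonitor:
    """Per-rule count of black matches that disagreed with a good source-IP
    reputation. A high ratio is a signal for human review, not an automatic
    rule removal: as the announcement notes, bots that laundered their
    reputation with berserkers produce exactly the same signal."""

    def __init__(self):
        self.matches = defaultdict(int)
        self.conflicts = defaultdict(int)
        self.conflict_log = []          # (rule_id, source_ip) for analysts

    def observe(self, rule_id, source_ip, reputation):
        self.matches[rule_id] += 1
        if reputation == "good":
            self.conflicts[rule_id] += 1
            self.conflict_log.append((rule_id, source_ip))

    def suspect_rules(self, min_matches=5, max_ratio=0.5):
        """(rule_id, conflicts, matches) for rules with enough matches whose
        conflict ratio exceeds max_ratio."""
        out = []
        for rule_id, n in self.matches.items():
            c = self.conflicts[rule_id]
            if n >= min_matches and c / n > max_ratio:
                out.append((rule_id, c, n))
        return sorted(out)


# Constructed scan events: (scan result, source IP, IP reputation, rule id).
SAMPLE_SCANS = [
    (BLACK, "203.0.113.10", "bad", "r-100"),
    (BLACK, "203.0.113.11", "bad", "r-100"),
    (BLACK, "203.0.113.12", "bad", "r-100"),
    (BLACK, "203.0.113.13", "bad", "r-100"),
    (BLACK, "203.0.113.14", "unknown", "r-100"),
    (BLACK, "203.0.113.15", "bad", "r-100"),
    (BLACK, "198.51.100.200", "good", "r-200"),   # outside the /25 white range
    (BLACK, "198.51.100.201", "good", "r-200"),
    (BLACK, "198.51.100.202", "good", "r-200"),
    (BLACK, "198.51.100.203", "good", "r-200"),
    (BLACK, "198.51.100.204", "bad", "r-200"),
    (BLACK, "192.0.2.7", "good", "r-200"),        # white-range IP: overturned
    (CLEAN, "192.0.2.8", "good", None),           # white-range IP, no match
]


def run_scans(scans=SAMPLE_SCANS):
    """Apply the corrected override to each scan and feed rule matches to the
    monitor. Returns (final results, override count, suspect rules)."""
    monitor = RuleConflictMonitor()
    finals, overrides = [], 0
    for result, ip, reputation, rule_id in scans:
        final, recorded = white_range_after_fix(result, ip)
        overrides += recorded
        finals.append(final)
        if rule_id is not None:
            monitor.observe(rule_id, ip, reputation)
    return finals, overrides, monitor.suspect_rules()


if __name__ == "__main__":
    finals, overrides, suspects = run_scans()
    print("overrides recorded:", overrides)   # 1: the black match from 192.0.2.7
    print("rules to review:", suspects)        # r-200: 5 of 6 matches hit good IPs
```

In the sample run, rule r-100 fires only on bad or unknown IPs and stays quiet, while r-200 disagrees with a good reputation five times out of six and is surfaced. The monitor deliberately stops at surfacing: whether r-200 is a bad rule or a campaign from freshly laundered bots is the judgement the announcement reserves for staff.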







[sniffer] Best renewal price and service on Sniffer?

2007-05-18 Thread Steve Guluk

Hello,
I was informed some time back that I needed to renew my subscription  
to Sniffer soon. I sent an email to [EMAIL PROTECTED] on May 3rd  
and never got a response back.


Today is the last day on my subscription. Does anyone have any  
suggestions on where to renew, at the best price?




Regards,


Steve Guluk
SGDesign
(949) 661-9333
ICQ: 7230769







[sniffer] Re: Best renewal price and service on Sniffer?

2007-05-18 Thread Steve Guluk

Thanks for the replies...

Got it sorted out.


On May 18, 2007, at 7:33 AM, Computer House Support wrote:


Dear Steve,

I have replied to you off-list regarding our discounted renewal  
services for Message Sniffer.



Thank you,

Michael Stein
Computer House
609 652-5100
[EMAIL PROTECTED]

- Original Message -
From: Steve Guluk
To: Message Sniffer Community
Sent: Friday, May 18, 2007 10:26 AM
Subject: [sniffer] Best renewal price and service on Sniffer?

Hello,
I was informed some time back that I needed to renew my  
subscription to Sniffer soon. I sent an email to  
[EMAIL PROTECTED] on May 3rd and never got a response back.


Today is the last day on my subscription. Does anyone have any  
suggestions on where to renew, at the best price?




Regards,


Steve Guluk
SGDesign
(949) 661-9333
ICQ: 7230769








Regards,


Steve Guluk
SGDesign
(949) 661-9333
ICQ: 7230769







[sniffer] Re: Blocking emails with Cyrillic characters (I-Mail v8.22)

2006-12-13 Thread Steve Guluk

Thanks Eric,
I hope you do not mind my posting this to the sniffer list so others  
may voice their suggestions as well as take your suggestions into  
account.



On Dec 13, 2006, at 12:59 PM, E. H. ((Eric)) Fletcher wrote:


Steve:

I wonder whether a set of I-Mail rules that blocked all of the  
small island states with TLDs as well as Russia and Korea and  
anything else you wanted to include might not be effective.  
Assuming you host more than one domain, the rule base could be  
copied in by domain and modified if necessary for a domain that  
wanted to be able to receive the material. You could even take it  
to the user level if necessary. I've been playing with a few  
tests and have found it quite effective against new spam versions  
that the rule base has not yet encountered. It isn't at all  
effective against e-mail coming from an IP in Russia that  
masquerades with some other HELO or TLD but I'm surprised by how  
much of it is easily detected on that basis.


It's also possible to block it out with huge IP blocks of course,  
as you can map them, but that is done for the I-Mail system as a  
whole so not easily implemented or tailored at the domain level.


Best regards,

Eric


Regards,


Steve Guluk
SGDesign
(949) 661-9333
ICQ: 7230769
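Steve's request for GeoIP screening in front of the mail server and Eric's suggestion of a per-domain rule base keyed on country and TLD describe the same kind of gateway policy. The Python below is an added example, not eWall, iMail or Message Sniffer code. The IP-to-country table is a constructed stand-in for a real GeoIP database, and the policies, domains and TLD lists are constructed for illustration.

```python
"""Per-domain country / HELO-TLD gateway policy (added example, constructed data)."""
import ipaddress

# Constructed IP-to-country table standing in for a GeoIP database
# (RFC 5737 documentation prefixes).
GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "RU"),
    (ipaddress.ip_network("198.51.100.0/24"), "KR"),
    (ipaddress.ip_network("192.0.2.0/24"), "US"),
]


def country_of(ip):
    """Country code of the connecting IP, or None when the table has no
    entry. An unknown country must never be treated as a blocked one."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE:
        if addr in net:
            return cc
    return None


def helo_tld(helo):
    """Lowercased final label of the HELO name with a leading dot, or ''."""
    if "." not in helo:
        return ""
    return "." + helo.rsplit(".", 1)[-1].lower()


# Constructed server-wide default rule base. Following Eric's suggestion it
# is copied per hosted domain and overridden where one domain needs the mail.
DEFAULT_POLICY = {"block_countries": {"RU", "KR"}, "block_tlds": {".tk", ".nu"}}
DOMAIN_POLICY = {
    "example.com": DEFAULT_POLICY,
    # this (constructed) domain corresponds with Russian customers
    "import.example.net": {**DEFAULT_POLICY, "block_countries": {"KR"}},
}


def decide(source_ip, helo, rcpt_domain):
    """Gateway decision taken before the message reaches the mail server.
    Returns (action, reason). The country check rests on the connecting IP,
    which cannot be forged over an established TCP session; the HELO check
    is weaker, as Eric notes, because HELO is whatever the client says."""
    policy = DOMAIN_POLICY.get(rcpt_domain, DEFAULT_POLICY)
    cc = country_of(source_ip)
    if cc in policy["block_countries"]:
        return "reject", f"source country {cc} blocked for {rcpt_domain}"
    tld = helo_tld(helo)
    if tld in policy["block_tlds"]:
        return "reject", f"HELO tld {tld} blocked for {rcpt_domain}"
    return "accept", "no policy match"


if __name__ == "__main__":
    for args in [("203.0.113.5", "mail.example.org", "example.com"),
                 ("203.0.113.5", "mail.example.org", "import.example.net"),
                 ("192.0.2.9", "smtp.junk.tk", "example.com"),
                 ("10.9.8.7", "localhost", "unlisted.example")]:
        print(args, "->", decide(*args))
```

The per-domain override is the point Eric makes about I-Mail: a blanket IP-block list applies to the whole server, whereas a rule base that is looked up by recipient domain can let one customer keep receiving mail the rest of the server rejects. Returning None for an address outside the table keeps a stale or incomplete GeoIP database from turning into a blanket block.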







Re: [sniffer]Numeric spam

2006-06-06 Thread Steve Guluk
We're getting the same and today it started hitting a different account (Domain).

What are these things? I thought exploratory, maybe looking for replies to build a DB for a later spam wave? They're not malicious in content and look like someone's virus working incorrectly. But, I doubt they are really so benign. Any understand their purpose?

On Jun 6, 2006, at 6:32 AM, Goran Jovanovic wrote:

I started seeing these messages Monday (yesterday) morning EDT. The from and to are the same (ie you sent it to yourself). I am tagging it but there is not enough stuff to push it into DELETE territory.

Regards,

Steve Guluk
SGDesign
(949) 661-9333
ICQ: 7230769

Re: [sniffer]Numeric spam

2006-06-06 Thread Steve Guluk
On Jun 6, 2006, at 7:51 AM, Steve Guluk wrote:

We're getting the same and today it started hitting a different account (Domain).

What are these things? I thought exploratory, maybe looking for replies to build a DB for a later spam wave? They're not malicious in content and look like someone's virus working incorrectly. But, I doubt they are really so benign. Any understand their purpose?

On Jun 6, 2006, at 6:32 AM, Goran Jovanovic wrote:

I started seeing these messages Monday (yesterday) morning EDT. The from and to are the same (ie you sent it to yourself). I am tagging it but there is not enough stuff to push it into DELETE territory.

So no one has any idea what the purpose of these emails are? Random numbers for no apparent reason...?

Regards,

Steve Guluk
SGDesign
(949) 661-9333
ICQ: 7230769

[sniffer] False Positive - RESEND

2006-02-15 Thread Steve Guluk

Hello,
Could you please tell me what would cause an email to fail rule # 831417
This was a good email flagged this morning and deleted.

Regards,


Steve Guluk
SGDesign
(949) 661-9333
ICQ: 7230769







This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html


[sniffer] False Positive

2006-02-14 Thread Steve Guluk

Hello,
Could you please tell me what would cause an email to fail rule # 831417
This was a good email flagged this morning and deleted.

Regards,


Steve Guluk
SGDesign
(949) 661-9333
ICQ: 7230769









Re: [sniffer] Spam keeps getting through...

2005-10-10 Thread Steve Guluk


On Oct 10, 2005, at 3:56 PM, Pete McNeil wrote:

Though this appears to be one campaign, there are several new  
domains every hour or so and several new variations on their  
obfuscation techniques nearly as often. We continue to add rules  
for all of these variations around the clock - including some  
predictive heuristics which are actually working for quite a bit of  
the traffic.


Can't there be a rule written that matches the exact size of the  
included .gif?  I've seen these (if we're talking about the same  
ones) and the attached gif file is always the same.

Just an idea.


Regards,


Steve Guluk
SGDesign
(949) 661-9333
ICQ: 7230769
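Steve's suggestion of matching the included .gif by its exact size, worked through as an added example (not Message Sniffer code). It goes one step beyond the size check: the size is used as a cheap pre-filter and a SHA-256 of the decoded attachment confirms the match, so an unrelated image that happens to have the same byte length is only marked suspect rather than deleted. The GIF bytes, fingerprints and messages below are constructed; the thread's actual image is not on the page.

```python
"""Flag messages carrying a known repeated image attachment (added example)."""
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed stand-in for the repeated spam image: a fake GIF payload and
# the two fingerprints the gateway keeps for it.
KNOWN_BAD_GIF = b"GIF89a" + bytes(range(256)) * 4
KNOWN_BAD_SIZES = {len(KNOWN_BAD_GIF)}
KNOWN_BAD_SHA256 = {hashlib.sha256(KNOWN_BAD_GIF).hexdigest()}


def image_parts(raw):
    """Yield (content type, decoded bytes) for every image/* MIME part."""
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_maintype() == "image":
            yield part.get_content_type(), part.get_payload(decode=True)


def classify(raw):
    """Return (verdict, reason). Exact size is the cheap first check from
    the list suggestion; the hash confirms it so that an unrelated image of
    the same byte length is only marked suspect, not deleted."""
    for ctype, data in image_parts(raw):
        if len(data) in KNOWN_BAD_SIZES:
            if hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256:
                return "spam", f"{ctype} matches known payload (size and sha256)"
            return "suspect", f"{ctype} matches known size {len(data)} only"
    return "ham", "no flagged image attachment"


def build_message(image_bytes=None, subject="constructed sample"):
    """Constructed test message; attaches image_bytes as image/gif when given."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content("see attached image")
    if image_bytes is not None:
        msg.add_attachment(image_bytes, maintype="image", subtype="gif",
                           filename="pic.gif")
    return msg.as_bytes()


if __name__ == "__main__":
    samples = [("repeat payload", KNOWN_BAD_GIF),
               ("same size, other bytes", b"GIF89a" + b"\0" * 1024),
               ("no image", None)]
    for label, img in samples:
        print(label, "->", classify(build_message(img)))
```

Decoding the part before measuring matters: the base64 body in the raw message is about a third larger than the image, so a size rule written against the encoded text would never match the number read off the attachment on disk.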





