Re: [sniffer] Charset
On Aug 20, 2004, at 11:53 AM, Scott Fisher wrote: Language based spam - filtering is a tough nut. There are some very good language classifiers out there. SpamAssassin uses one which seems to be incredibly accurate given enough text.
Re: [sniffer] Charset
On Aug 20, 2004, at 10:36 AM, Jorge Asch wrote: Well, since 100% of my users speak english/spanish I can safely bet that NONE of my mail should have strange character sets. So I can assume if they do, they must be spam.

Be careful about that. I've gotten pure English email from folks in various parts of the world whose default character set was other than one I'd expect. Charset != Language.
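Added example (not part of the original thread): a Python sketch of the "Charset != Language" point, comparing a charset-only rule with one that also looks at the script the decoded body is written in. Both messages are constructed samples declaring charset=koi8-r; the expected-charset list, the 0.5 threshold and all function names are assumptions made for illustration.

```python
import email
import unicodedata

# Charsets a site with English/Spanish users might expect (assumed list).
EXPECTED = {"us-ascii", "iso-8859-1", "iso-8859-15", "windows-1252", "utf-8"}

def build(body: bytes) -> bytes:
    """Constructed sample message declaring charset=koi8-r (not real mail)."""
    return (b"From: someone@example.org\r\n"
            b"Subject: notes\r\n"
            b"MIME-Version: 1.0\r\n"
            b"Content-Type: text/plain; charset=koi8-r\r\n"
            b"Content-Transfer-Encoding: 8bit\r\n\r\n" + body + b"\r\n")

ENGLISH_IN_KOI8 = build(b"Hi, here are the notes from Tuesday. See you next week.")
RUSSIAN_IN_KOI8 = build("Привет, это тестовое сообщение.".encode("koi8-r"))

def declared_charset(msg) -> str:
    return (msg.get_content_charset() or "us-ascii").lower()

def non_latin_ratio(msg) -> float:
    """Share of letters in the decoded body that are not Latin-script."""
    raw = msg.get_payload(decode=True) or b""
    try:
        text = raw.decode(declared_charset(msg), errors="replace")
    except LookupError:  # charset name Python does not know
        text = raw.decode("latin-1")
    letters = [c for c in text if c.isalpha()]
    if not letters:
        return 0.0
    other = [c for c in letters if "LATIN" not in unicodedata.name(c, "")]
    return len(other) / len(letters)

def charset_rule(msg) -> bool:
    """The rule questioned in the thread: unexpected charset => treat as spam."""
    return declared_charset(msg) not in EXPECTED

def script_rule(msg, threshold: float = 0.5) -> bool:
    """Unexpected charset AND the body really is mostly non-Latin text."""
    return charset_rule(msg) and non_latin_ratio(msg) >= threshold

def verdicts(raw: bytes) -> tuple:
    """Return (charset_rule, script_rule) for one raw message."""
    msg = email.message_from_bytes(raw)
    return charset_rule(msg), script_rule(msg)

if __name__ == "__main__":
    print("english body, koi8-r header:", verdicts(ENGLISH_IN_KOI8))
    print("russian body, koi8-r header:", verdicts(RUSSIAN_IN_KOI8))
```

The charset-only rule flags both samples, including the plain English one; the script check flags only the message whose body is actually Cyrillic. Script is still only a rough proxy for language, since many languages share the Latin alphabet.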
Re: Re[2]: [sniffer] German Spam?
On Jun 10, 2004, at 7:51 AM, Pete McNeil wrote: We are working through translations to create rules for these as they arrive. As always, please submit samples to spam@ if they get through. Not many have hit our spamtraps yet - but I'm sure they will.

I'm getting Hebrew spam. Looks quite artistic when the mac displays those characters, but useless to me... I'll start forwarding them.

I have a couple of email addresses that continually get junk sent to them, yet they *never* existed (in a domain that consists of exactly 4 email addresses, and was never issued before I owned it). If you want, I can forward those addresses to your traps. Just let me know.

Vivek Khera, Ph.D. +1-301-869-4449 x806

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
Re: [sniffer] test
On May 4, 2004, at 3:42 PM, Pete McNeil wrote: Every rulebase is potentially a different size & composition, plus sizes typically change with each update. I'm glad to hear all the positive reports on this. :-)

I updated my perl program that does fail-safe (at least on unix-like systems) fetch to honor gzip if we get it (ie, it doesn't *assume* it gets gzipped content in case one day it is accidentally turned off). This updates my sample script on the sniffer web site.

--cut here--
#! /usr/bin/perl -wT
use strict;

# fetch the updated rules file from SortMonster's web site and safely
# update the local copy if it passes self-integrity test. keep one old
# file as backup.

# Time-stamp: "03 May 2004, 11:31:44 ([EMAIL PROTECTED])"

# private license/key pair
my ($license,$key) = qw(sample abcdef123456);

# directory where to put the resulting file. snf2check should be there too
my $dir = '.';

# credentials for remote site
my ($login,$password) = qw(sniffer ki11sp8m);

###
### The rest should not require any changes.
###

my $host = 'www.sortmonster.net:80';
# file to fetch
my $url = "http://$host/Sniffer/Updates/${license}.snf";

# Ensure gzip can be found
$ENV{PATH} = '/usr/bin:/usr/local/bin';

chdir($dir) or die "unable to change directory to $dir";

use LWP::UserAgent;
use HTTP::Request::Common;

my $tmpfile = "${license}.tmp.$$";

$SIG{INT} = $SIG{TERM} = sub { die "killed."; };
$SIG{__DIE__} = sub { unlink $tmpfile, "${tmpfile}.gz"; };

my $ua = new LWP::UserAgent or die "unable to create user agent";
$ua->credentials($host,'SortMonster',$login,$password);

my $response = $ua->request(HEAD $url);
die "Error while stating ", $response->request->uri, " -- ",
  $response->status_line, "\nAborting"
  unless $response->is_success;

# check if newer than our copy...
if ( -f "${license}.snf" ) {
  my $current_age = (stat "${license}.snf")[9];
  if ($response->last_modified <= $current_age) {
    # remote file older, no point fetching it again
    exit(0);
  }
}

# now stick the result into a temp file
$response = $ua->request(GET($url,'Accept-Encoding' => 'gzip'),$tmpfile);
die "Error while getting ", $response->request->uri, " -- ",
  $response->status_line, "\nAborting"
  unless $response->is_success;

# Check if file came in compressed, and uncompress it.
if ($response->header('Content-Encoding') and
    $response->header('Content-Encoding') eq 'gzip') {
  rename $tmpfile, "${tmpfile}.gz" or die "rename failure: $!";
  system ('gzip','-d','-q',"${tmpfile}.gz") == 0
    or die "failure to execute gzip to uncompress: $!";
  my $exitvalue = $? >> 8;
  my $sig = $? & 127;
  if ($exitvalue or $sig) {
    die "error running gzip decompression: exit $exitvalue\n";
  }
}

# the downloaded file only goes live if snf2check accepts it
system('./snf2check.exe',$tmpfile,$key) == 0
  or die "failure to execute snf2check: $!";
my $exitvalue = $? >> 8;
my $sig = $? & 127;

if ($exitvalue or $sig) {
  die "error running snf2check: exit $exitvalue\n";
} else {
  # keep old file just in case...
  unlink "${license}.snf.old";
  link "${license}.snf","${license}.snf.old";
  rename $tmpfile, "${license}.snf";
}

exit(0);
--cut here--
Re: [sniffer] Spam storm?
On Mar 26, 2004, at 7:42 AM, Russ Uhte (Lists) wrote: downloads are coming from. However, I too have noticed really slow download speeds. I use wget, and I've never had a single problem, other than occasionally it is extremely slow sometimes. Once it does actually download, it's always a "clean" download. I haven't seen a single instance of the error_bad_matrix.

I haven't been monitoring my d/l speeds, but the last few weeks or so I get about 3 to 4 check failures from snf2check. My pipe is a quite underutilized 100Mbit at a uunet co-lo (Pete, right near ya in Ashburn -- you should think about co-lo there :-) ) I don't recall getting those errors before the big network switch at microneil earlier this year.

I've not seen a single bad matrix. But then I'm not on windows... so perhaps it is related to windows.
Re: [sniffer] Error_Bad_Matrix
On Mar 25, 2004, at 8:10 PM, Pete McNeil wrote: ERROR_BAD_MATRIX is definitely a corrupted rulebase file. A manual download should solve the problem.

Should not snf2check.exe detect this? If the sniffer can detect it, it seems that the checker should too.
Re: [sniffer] Error_Bad_Matrix
On Mar 25, 2004, at 3:39 PM, Paul Lushinsky wrote: I decided to look in my log files for the past several days because of the number of Error_Bad_Matrix related messages. I can't find this message in any of my log files until today starting with the update I auto downloaded at 8:15 this morning, and went until the update at noon. While I was looking at the log file, another update notice came, so an update was done and the Error_Bad_Matrix message is back.

I'm curious if the people who are seeing these messages are running snf2check.exe before making the rule files live. I do so, and have not seen a single instance of this error. Can you run snf2check.exe on the current bad matrix you have and see if it reports an error?
Re: [sniffer] updater script for Linux
On Mar 8, 2004, at 3:20 PM, Bill Boebel wrote: Yes, I'd be interested in seeing your script. I'm going to take a look at the ones on the sniffer website this week and would like to try out yours too.

Turns out mine is posted on the website already ;-)
Re: [sniffer] updater script for Linux
On Mar 5, 2004, at 11:05 PM, Bill Boebel wrote: Has anyone written a good Sniffer updater script for Linux which has the error checking like the one for Windows has?

I posted one here the other week. I wrote it on FreeBSD, but it doesn't make any system specific assumptions (other than you're on a unix file system). It is completely safe to run at any time, and fails in a 100% safe way such that you always have a valid sniffer rule file in place. Let me know if you need a copy.
Re: [sniffer] Bagle J & others
On Mar 3, 2004, at 12:44 PM, Madscientist wrote: We have adopted the current policy at least for the short term: 1 ) We block all potentially hazardous extensions including .zip.

Can these "virus" rules be bypassed? We have real virus checking and don't want our spam checker doing any virus blocking. Thanks.
Re: [sniffer] Autoupdating rule file
On Feb 12, 2004, at 8:58 AM, Timothy C. Bohen wrote: Anyone willing to send me a script that I can use?

Sure, here's mine written in Perl. It knows enough to check the timestamps so it doesn't fetch files when unnecessary, keeps a backup copy, and does everything in a safe manner such as to not leave your system in an unusable state at any time. It relies on the fact that the rename() function is atomic. I don't make that guarantee on non-unix systems.

All you need to do is set the directory location for your rule file, and your license key information from Sniffer. It assumes snf2check.exe is in that same directory, and you have the Perl modules LWP::UserAgent and HTTP::Request::Common installed.

--cut here--
#! /usr/bin/perl -wT
use strict;

# fetch the updated rules file from SortMonster's web site and safely
# update the local copy if it passes self-integrity test. keep one old
# file as backup.

# Time-stamp: "23 October 2003, 11:10:36 ([EMAIL PROTECTED])"

# private license/key pair
my ($license,$key) = qw(abcdefg a1b2c3d4e5f6g7h8);

# directory where to put the resulting file. snf2check should be there too
my $dir = '/var/amavis/sniffer';

# credentials for remote site
my ($login,$password) = qw(sniffer ki11sp8m);

###
### The rest should not require any changes.
###

my $host = 'www.sortmonster.net:80';
# file to fetch
my $url = "http://$host/Sniffer/Updates/${license}.snf";

$ENV{PATH} = '';

chdir($dir) or die "unable to change directory to $dir";

use LWP::UserAgent;
use HTTP::Request::Common;

my $tmpfile = "${license}.tmp.$$";

$SIG{INT} = $SIG{TERM} = sub { die "killed."; };
$SIG{__DIE__} = sub { unlink $tmpfile; };

my $ua = new LWP::UserAgent or die "unable to create user agent";
$ua->credentials($host,'SortMonster',$login,$password);

my $response = $ua->request(HTTP::Request::Common::HEAD($url));
die "Error while stating ", $response->request->uri, " -- ",
  $response->status_line, "\nAborting"
  unless $response->is_success;

# check if newer than our copy...
if ( -f "${license}.snf" ) {
  my $current_age = (stat "${license}.snf")[9];
  if ($response->last_modified <= $current_age) {
    # remote file older, no point fetching it again
    exit(0);
  }
}

# now stick the result into a temp file
$response = $ua->request(HTTP::Request::Common::GET($url),$tmpfile);
die "Error while getting ", $response->request->uri, " -- ",
  $response->status_line, "\nAborting"
  unless $response->is_success;

# the downloaded file only goes live if snf2check accepts it
system('./snf2check.exe',$tmpfile,$key) == 0
  or die "failure to execute snf2check: $!";
my $exitvalue = $? >> 8;
my $sig = $? & 127;

if ($exitvalue or $sig) {
  die "error running snf2check: exit $exitvalue\n";
} else {
  # keep old file just in case...
  unlink "${license}.snf.old";
  link "${license}.snf","${license}.snf.old";
  rename $tmpfile, "${license}.snf";
}

exit(0);
Re: [sniffer] Error with Postfix/amavis-new/spamassassin
On Feb 9, 2004, at 3:03 PM, Tom Baker|Netsmith Inc wrote: Any idea what would be causing this? Could it be a permissions problem? Sniffer runs fine using the test.sh script.

What happens if you run sniffer as the user under which amavisd runs? I just set up everything to run under the amavis user home directory, including all the sniffer files, all the virus checker files, etc.

It appears from your output that sniffer exited on signal 13, which is broken pipe. That just seems funky to me. But my patch to spamassassin 2.6 has been running daily since about october sniffing thousands of messages without fail under amavisd-new.
Re: [sniffer] Making Sniffer an add-on for SpamAssassin
On Feb 1, 2004, at 2:08 AM, Pete McNeil wrote: The best way to implement sniffer in SA would be to plug it in as a module so that the rulebase could remain loaded until it changes. This would allow the vast majority of messages to be scanned in under 50ms by SA on most of the single processor systems we see today. As I understand it, this number would be "in the noise" compared to the normal loads imposed by SA so there is the potential here for a tremendous advantage.

That was my original ticket with SA. I started to look at the above method of integration, but you had mentioned at that time that version 2 would be an overhaul, so I didn't pursue it more. Now that Sniffer 2 is out, I need to scrape up some tuit's to look at it again.

The integration with Perl is not that difficult. The way I see it is that with the use of SWIG to generate the interfaces, all we really need is some internal documentation outlining how the sniffer API works. From what I saw in the sniffer 1 source, the main() function needs to be split into the setup phases (the one-time setup and the per-message setup), the part that processes each message (read from file/stdin and run thru engine), the logging, and the result return.

From where I sit, if the main() function was broken down into simple method calls that could be embedded into another C++ program (say, a persistent daemon), then those same calls can be mapped into a perl library pretty much trivially with SWIG.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Vivek Khera, Ph.D.                Khera Communications, Inc.
Internet: [EMAIL PROTECTED]       Rockville, MD       +1-301-869-4449 x806
AIM: vivekkhera Y!: vivek_khera   http://www.khera.org/~vivek/