Re: [sniffer] Charset

2004-08-20 Thread Vivek Khera
On Aug 20, 2004, at 11:53 AM, Scott Fisher wrote:
Language-based spam filtering is a tough nut.
There are some very good language classifiers out there.  SpamAssassin 
uses one which seems to be incredibly accurate given enough text.



Re: [sniffer] Charset

2004-08-20 Thread Vivek Khera
On Aug 20, 2004, at 10:36 AM, Jorge Asch wrote:
Well, since 100% of my users speak English/Spanish I can safely bet 
that NONE of my mail should have strange character sets. So I can 
assume if they do, they must be spam.
Be careful about that.  I've gotten pure English email from folks in 
various parts of the world whose default character set was other than 
one I'd expect.  Charset != Language.



Re: Re[2]: [sniffer] German Spam?

2004-06-10 Thread Vivek Khera
On Jun 10, 2004, at 7:51 AM, Pete McNeil wrote:
We are working through translations to create rules for these as they
arrive. As always, please submit samples to spam@ if they get through.
Not many have hit our spamtraps yet - but I'm sure they will.
I'm getting Hebrew spam.  It looks quite artistic when the Mac displays 
those characters, but it's useless to me...

I'll start forwarding them.
I have a couple of email addresses that continually get junk sent to 
them, yet they *never* existed (in a domain that consists of exactly 4 
email addresses, and was never issued before I owned it).  If you want, 
I can forward those addresses to your traps.  Just let me know.

Vivek Khera, Ph.D.
+1-301-869-4449 x806
This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html


Re: [sniffer] test

2004-05-04 Thread Vivek Khera
On May 4, 2004, at 3:42 PM, Pete McNeil wrote:
Every rulebase is potentially a different size & composition, plus 
sizes typically change with each update. I'm glad to hear all the 
positive reports on this. :-)

I updated my Perl program that does a fail-safe (at least on Unix-like 
systems) fetch to honor gzip if we get it (i.e., it doesn't *assume* it 
gets gzipped content, in case one day it is accidentally turned off).  
This updates my sample script on the sniffer web site.

--cut here--
#! /usr/bin/perl -wT
use strict;
use LWP::UserAgent;
use HTTP::Request::Common;
# fetch the updated rules file from SortMonster's web site and safely
# update the local copy if it passes self-integrity test.  keep one old
# file as backup.
# Time-stamp: "03 May 2004, 11:31:44 ([EMAIL PROTECTED])"

# private license/key pair
my ($license,$key) = qw(sample abcdef123456);
# directory where to put the resulting file.  snf2check should be there too
my $dir = '.';

# credentials for remote site
my ($login,$password) = qw(sniffer ki11sp8m);
###
### The rest should not require any changes.
###
my $host = 'www.sortmonster.net:80';
# file to fetch
my $url = "http://$host/Sniffer/Updates/${license}.snf";
# Ensure gzip can be found.  Taint mode (-T) refuses to run external
# commands unless PATH is set explicitly and the shell-influencing
# variables below are clean.
$ENV{PATH} = '/usr/bin:/usr/local/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
chdir($dir) or die "unable to change directory to $dir";

my $tmpfile = "${license}.tmp.$$";
# whatever goes wrong, never leave a half-written temp file behind
$SIG{INT} = $SIG{TERM} = sub { die "killed."; };
$SIG{__DIE__} = sub { unlink $tmpfile, "${tmpfile}.gz"; };

my $ua = LWP::UserAgent->new or die "unable to create user agent";
$ua->credentials($host,'SortMonster',$login,$password);

my $response = $ua->request(HEAD($url));
die "Error while stating ", $response->request->uri,
  " -- ", $response->status_line, "\nAborting"
  unless $response->is_success;

# check if newer than our copy...
if ( -f "${license}.snf" ) {
  my $current_age = (stat "${license}.snf")[9];
  my $remote_age  = $response->last_modified;   # undef if no such header
  if (defined $remote_age and $remote_age <= $current_age) {
    # remote file not newer, no point fetching it again
    exit(0);
  }
}

# now stick the result into a temp file
$response = $ua->request(GET($url, 'Accept-Encoding' => 'gzip'), $tmpfile);
die "Error while getting ", $response->request->uri,
  " -- ", $response->status_line, "\nAborting"
  unless $response->is_success;

# Check if file came in compressed, and uncompress it.  Do not *assume*
# gzip: the server may hand us the plain file if compression is turned off.
my $encoding = $response->header('Content-Encoding') || '';
if ($encoding eq 'gzip') {
  rename $tmpfile, "${tmpfile}.gz" or die "rename failure: $!";
  system('gzip','-d','-q',"${tmpfile}.gz");
  die "failure to execute gzip to uncompress: $!" if $? == -1;
  my $exitvalue = $? >> 8;
  my $sig = $? & 127;
  die "error running gzip decompression: exit $exitvalue signal $sig\n"
    if $exitvalue or $sig;
}

# verify the new rulebase before it goes live; a bad file is discarded
system('./snf2check.exe',$tmpfile,$key);
die "failure to execute snf2check: $!" if $? == -1;
my $exitvalue = $? >> 8;
my $sig = $? & 127;
die "error running snf2check: exit $exitvalue signal $sig\n"
  if $exitvalue or $sig;

# keep old file just in case...
unlink "${license}.snf.old";
link "${license}.snf","${license}.snf.old";
# rename() is atomic, so a reader never sees a partial rule file
rename $tmpfile, "${license}.snf" or die "rename failure: $!";
exit(0);
--cut here--


Re: [sniffer] Spam storm?

2004-03-26 Thread Vivek Khera
On Mar 26, 2004, at 7:42 AM, Russ Uhte (Lists) wrote:

downloads are coming from.  However, I too have noticed really slow 
download speeds.  I use wget, and I've never had a single problem, 
other than occasionally it is extremely slow sometimes.  Once it does 
actually download, it's always a "clean" download.  I haven't seen a 
single instance of the error_bad_matrix.

I haven't been monitoring my d/l speeds, but the last few weeks or so I 
get about 3 to 4 check failures from snf2check.  My pipe is a quite 
underutilized 100Mbit at a uunet co-lo (Pete, right near ya in Ashburn 
-- you should think about co-lo there :-) )

I don't recall getting those errors before the big network switch at 
microneil earlier this year.

I've not seen a single bad matrix.  But then I'm not on Windows... so 
perhaps it is related to Windows.


Re: [sniffer] Error_Bad_Matrix

2004-03-26 Thread Vivek Khera
On Mar 25, 2004, at 8:10 PM, Pete McNeil wrote:

ERROR_BAD_MATRIX is definitely a corrupted rulebase file. A manual 
download should solve the problem.
Should not snf2check.exe detect this?  If the sniffer can detect it, it 
seems that the checker should too.



Re: [sniffer] Error_Bad_Matrix

2004-03-25 Thread Vivek Khera
On Mar 25, 2004, at 3:39 PM, Paul Lushinsky wrote:

I decided to look in my log files for the past several days because of 
the number of Error_Bad_Matrix related messages. I can't find this message 
in any of my log files until today, starting with the update I auto 
downloaded at 8:15 this morning, and going until the update at noon. 
While I was looking at the log file, another update notice came, so an 
update was done and the Error_Bad_Matrix message is back.



I'm curious if the people who are seeing these messages are running 
snf2check.exe before making the rule files live.  I do so, and have not 
seen a single instance of this error.

Can you run snf2check.exe on the current bad matrix you have and see if 
it reports an error?



Re: [sniffer] updater script for Linux

2004-03-08 Thread Vivek Khera
On Mar 8, 2004, at 3:20 PM, Bill Boebel wrote:

Yes, I'd be interested in seeing your script.  I'm going to take a 
look at the ones on the sniffer website this week and would like to 
try out yours too.

Turns out mine is posted on the website already ;-)





Re: [sniffer] updater script for Linux

2004-03-08 Thread Vivek Khera
On Mar 5, 2004, at 11:05 PM, Bill Boebel wrote:

Has anyone written a good Sniffer updater script for Linux which has 
the error checking like the one for Windows has?

I posted one here the other week.  I wrote it on FreeBSD, but it 
doesn't make any system specific assumptions (other than you're on a 
unix file system).  It is completely safe to run at any time, and fails 
in a 100% safe way such that you always have a valid sniffer rule file 
in place.  Let me know if you need a copy.



Re: [sniffer] Bagle J & others

2004-03-03 Thread Vivek Khera
On Mar 3, 2004, at 12:44 PM, Madscientist wrote:

We have adopted the current policy at least for the short term:

1 ) We block all potentially hazardous extensions including .zip.

Can these "virus" rules be bypassed?  We have real virus checking and 
don't want our spam checker doing any virus blocking.  Thanks.



Re: [sniffer] Autoupdating rule file

2004-02-12 Thread Vivek Khera
On Feb 12, 2004, at 8:58 AM, Timothy C. Bohen wrote:

 
Anyone willing to send me a script that I can use?


Sure, here's mine written in Perl.  It knows enough to check the 
timestamps so it doesn't fetch files when unnecessary, keeps a backup 
copy, and does everything in a safe manner such as to not leave your 
system in an unusable state at any time.  It relies on the fact that 
the rename() function is atomic.  I don't make that guarantee on 
non-Unix systems.

All you need to do is set the directory location for your rule file, 
and your license key information from Sniffer.  It assumes 
snf2check.exe is in that same directory, and you have the Perl modules 
LWP::UserAgent and HTTP::Request::Common installed.

--cut here--
#! /usr/bin/perl -wT
use strict;
use LWP::UserAgent;
use HTTP::Request::Common;
# fetch the updated rules file from SortMonster's web site and safely
# update the local copy if it passes self-integrity test.  keep one old
# file as backup.
# Time-stamp: "23 October 2003, 11:10:36 ([EMAIL PROTECTED])"

# private license/key pair
my ($license,$key) = qw(abcdefg a1b2c3d4e5f6g7h8);
# directory where to put the resulting file.  snf2check should be there too
my $dir = '/var/amavis/sniffer';

# credentials for remote site
my ($login,$password) = qw(sniffer ki11sp8m);
###
### The rest should not require any changes.
###
my $host = 'www.sortmonster.net:80';
# file to fetch
my $url = "http://$host/Sniffer/Updates/${license}.snf";
# No external command needs a PATH (snf2check is run by explicit path);
# taint mode (-T) requires PATH and these variables to be clean anyway.
$ENV{PATH} = '';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

chdir($dir) or die "unable to change directory to $dir";

my $tmpfile = "${license}.tmp.$$";

# whatever goes wrong, never leave a half-written temp file behind
$SIG{INT} = $SIG{TERM} = sub { die "killed."; };
$SIG{__DIE__} = sub { unlink $tmpfile; };
my $ua = LWP::UserAgent->new or die "unable to create user agent";

$ua->credentials($host,'SortMonster',$login,$password);

my $response = $ua->request(HTTP::Request::Common::HEAD($url));
die "Error while stating ", $response->request->uri,
  " -- ", $response->status_line, "\nAborting"
  unless $response->is_success;
# check if newer than our copy...
if ( -f "${license}.snf" ) {
  my $current_age = (stat "${license}.snf")[9];
  my $remote_age  = $response->last_modified;   # undef if no such header
  if (defined $remote_age and $remote_age <= $current_age) {
    # remote file not newer, no point fetching it again
    exit(0);
  }
}
# now stick the result into a temp file
$response = $ua->request(HTTP::Request::Common::GET($url),$tmpfile);
die "Error while getting ", $response->request->uri,
  " -- ", $response->status_line, "\nAborting"
  unless $response->is_success;
# verify the new rulebase before it goes live; a bad file is discarded
system('./snf2check.exe',$tmpfile,$key);
die "failure to execute snf2check: $!" if $? == -1;
my $exitvalue = $? >> 8;
my $sig = $? & 127;
die "error running snf2check: exit $exitvalue signal $sig\n"
  if $exitvalue or $sig;

# keep old file just in case...
unlink "${license}.snf.old";
link "${license}.snf","${license}.snf.old";
# rename() is atomic, so a reader never sees a partial rule file
rename $tmpfile, "${license}.snf" or die "rename failure: $!";
exit(0);
--cut here--



Re: [sniffer] Error with Postfix/amavis-new/spamassassin

2004-02-09 Thread Vivek Khera
On Feb 9, 2004, at 3:03 PM, Tom Baker|Netsmith Inc wrote:

Any idea what would be causing this?  Could it be a permissions problem?
Sniffer runs fine using the test.sh script.
What happens if you run sniffer as the user under which amavisd runs?  
I just set up everything to run under the amavis user home directory, 
including all the sniffer files, all the virus checker files, etc.

It appears from your output that sniffer exited on signal 13, which is 
broken pipe.  That just seems funky to me.

But my patch to SpamAssassin 2.6 has been running daily since about 
October, sniffing thousands of messages without fail under amavisd-new.



Re: [sniffer] Making Sniffer an add-on for SpamAssassin

2004-02-02 Thread Vivek Khera
On Feb 1, 2004, at 2:08 AM, Pete McNeil wrote:

The best way to implement sniffer in SA would be to plug it in as a 
module so that the rulebase could remain loaded until it changes. This 
would allow the vast majority of messages to be scanned in under 50ms 
by SA on most of the single processor systems we see today. As I 
understand it, this number would be "in the noise" compared to the 
normal loads imposed by SA so there is the potential here for a 
tremendous advantage.

That was my original ticket with SA.  I started to look at the above 
method of integration, but you had mentioned at that time that version 
2 would be an overhaul, so I didn't pursue it more.  Now that Sniffer 2 
is out, I need to scrape up some tuits to look at it again.

The integration with Perl is not that difficult.  The way I see it is 
that with the use of SWIG to generate the interfaces, all we really 
need is some internal documentation outlining how the sniffer API 
works.  From what I saw in the sniffer 1 source, the main() function 
needs to be split into the setup phases (the one-time setup and the 
per-message setup), the part that processes each message (read from 
file/stdin and run through the engine), the logging, and the result return.

From where I sit, if the main() function was broken down into simple 
method calls that could be embedded into another C++ program (say, a 
persistent daemon), then those same calls can be mapped into a Perl 
library pretty much trivially with SWIG.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Vivek Khera, Ph.D.                  Khera Communications, Inc.
Internet: [EMAIL PROTECTED]         Rockville, MD  +1-301-869-4449 x806
AIM: vivekkhera   Y!: vivek_khera   http://www.khera.org/~vivek/