[sniffer] O365
This is not SNF specific, just a commentary: I've noticed an uptick in "user stolen" passwords from domains hosted at O365. At first I thought these O365 users were simply infected with botNet malware and spewing out spam to their contact lists, but I've become suspicious after working with several of these cases. The attacks are extremely targeted spearheads (not list spews), using the user's account username/password. An end user stolen password is nothing new, but the influx increase rate is alarming. My concern (suspicion) is that blackhats have exploited the Intel/AMD chip memory flaw, and now potentially have the password of every O365 user (OMG!). While this keeps most of us here busy and in business, the herd migration mentality to cloud hosting may end very badly for those who choose that path. Just in my opinion. --Paul
[sniffer] Message size alert
Pete - and all, Just a general observation. We've noticed a large amount of spam messages over the past week that exceed 2MB in size (several thousand messages). Our filtering engines were set to skip messages over 2MB since we all knew that spammers would rarely waste their resources pumping large amounts of data. This is no longer the case (at least for us). Looks like the game has changed. Just a heads up! --Paul
[sniffer] Re: Bad Matrix errors
Yes, the errors have now stopped with the new update. The issue ran across all servers so I must have corrupted the last update at some point. Thanks for the speedy response! --Paul -Original Message- From: Message Sniffer Community [mailto:sniffer@sortmonster.com]On Behalf Of Pete McNeil Sent: Monday, August 22, 2011 4:32 PM To: Message Sniffer Community Subject: [sniffer] Re: Bad Matrix errors On 8/22/2011 4:04 PM, Peer-to-Peer (Support) wrote: Hello SNF, I think something broke. I'm seeing a lot of Bad Matrix! warnings in my logs. Likely started about an hour ago. Running MDaemon mailserver. I note in your telemetry that you have a new rulebase since then. Have the errors stopped? _M -- Pete McNeil Chief Scientist ARM Research Labs, LLC www.armresearch.com 866-770-1044 x7010 # This message is sent to you because you are subscribed to the mailing list sniffer@sortmonster.com. This list is for discussing Message Sniffer, Anti-spam, Anti-Malware, and related email topics. For More information see http://www.armresearch.com To unsubscribe, E-mail to: sniffer-...@sortmonster.com To switch to the DIGEST mode, E-mail to sniffer-dig...@sortmonster.com To switch to the INDEX mode, E-mail to sniffer-in...@sortmonster.com Send administrative queries to sniffer-requ...@sortmonster.com
[sniffer] IPv6
Hi everyone, I've been thinking about the potential risk IPv6 will have on filtering spam. I suspect RBLs (real time blacklists) may become obsolete once IPv6 arrives? From what I've learned, IPv6 has 340 undecillion (1 followed by 36 zeros) IP addresses. And devices can refresh every 24 hours. IPv4 only has 4.3 billion IP addresses. Pete: Grab a cup of coffee. The botNets are coming... --Paul
[sniffer] Volume spike Mon 9AM EST
Just checking to see if anyone else is seeing a massive spike in volume. Something started occurring around 9AM EST. Not yet sure what's happening. Wondering if this is global attack or simply local on our system? Anyone seeing unusual activity - high volume? --Paul R.
[sniffer] Re: Rulebase updates increased by 25%!!!
Thanks Pete, That would explain it. Maybe just my eyes playing tricks, but I swear my clock jumped ahead 1 hour as I was looking at the screen. Win2000 server. I re-installed some SNF files, using the current time-stamps. I'll report back if the issue persists. And/or at least we have something solid to work with if it continues. Thanks for your fast assistance. Regards, --Paul -Original Message- From: Message Sniffer Community [mailto:snif...@sortmonster.com]on Behalf Of Pete McNeil Sent: Monday, March 22, 2010 6:29 PM To: Message Sniffer Community Subject: [sniffer] Re: Rulebase updates increased by 25%!!! On 3/22/2010 4:59 PM, Peer-to-Peer (Support) wrote: Pete, We're only seeing about 1 update every hour (or so) as well. I did some checking and sent you an email off list. It looks like the UTC clock on your server is about an hour in the future (compared to worldtimeserver.com) -- That's a guess, but based on the telemetry I see in your rulebase file timestamps it seems about right. If your update script isn't preserving the file timestamp from the delivery server and is pushing it into the future by an hour then your SNF node will not see the file on our server as newer until that hour has expired (at least). Two things... * The update script _should_ preserve the timestamp provided by the delivery server. * Even if that's not the case, if your UTC clock is correct then the timestamp of the new rulebase file would not be in the future. Please let us know the resolution on this. Please let us know if there is more we can do. Thanks! _M
[sniffer] Updates down?
Our updates stopped around 4:45AM EST this morning (Sun 01-17-10) We see an error 'unable to connect' (using Curl). Continuing to investigate. Anyone else experiencing the same? --Paul
[sniffer] Bad Matrix!
We saw the following error for about one hour this morning (6:30AM - 7:20AM EST). Assume it was a bad update, and once a new update arrived all corrected itself. Could this be a local issue, something that we may have been able to prevent, or something beyond our control? Sat 2009-07-18 07:10:19: SNF MessageScan: c:\mdaemon\queues\local\md50144568162.msg, Bad Matrix! Sat 2009-07-18 07:10:19: SNF Debug: EvaluationMatrix::OutOfRange Sat 2009-07-18 07:10:19: SNF MessageScan: c:\mdaemon\queues\local\md50144568163.msg, Bad Matrix! Sat 2009-07-18 07:10:19: SNF Debug: EvaluationMatrix::OutOfRange Sat 2009-07-18 07:10:19: SNF MessageScan: c:\mdaemon\queues\local\md50144568164.msg, Bad Matrix! Sat 2009-07-18 07:10:19: SNF Debug: EvaluationMatrix::OutOfRange Sat 2009-07-18 07:10:20: SNF MessageScan: c:\mdaemon\queues\local\md50144568165.msg, Bad Matrix! Sat 2009-07-18 07:10:20: SNF Debug: EvaluationMatrix::OutOfRange Sat 2009-07-18 07:10:20: SNF MessageScan: c:\mdaemon\queues\local\md50144568166.msg, Bad Matrix! Sat 2009-07-18 07:10:20: SNF Debug: EvaluationMatrix::OutOfRange Thanks! --PR
[sniffer] Re: Stampede - amazing!
Not the same as you're describing below, but I can confirm we were slammed with NDR's last night. Classic joe-job (i.e. millions of messages sent out to unknown users using your return address). --Paul -Original Message- From: Message Sniffer Community [mailto:[EMAIL PROTECTED] Behalf Of Pete McNeil Sent: Thursday, August 28, 2008 5:13 AM To: Message Sniffer Community Subject: [sniffer] Stampede - amazing! Hello Sniffer Folks, I had been wondering why the blackhats had been pushing so hard for new bots these last few weeks. Then the other day I saw something very strange in the SNF telemetry. A storm came in that seemed to stop all other traffic. For more than an hour I really thought something was broken -- but I wasn't sure I'd really seen it. Just a short time ago our SortMonster on duty (Mitchell Skull) called all-hands for a new spam storm. This was another of the new penis spams. We coded the rules quickly and as they went out I saw it again: T rates fell to zero on many systems and close to that on all of the others. This means that virtually all of the IPs were brand-new. At the same time traffic spiked on all systems and capture rates went off-scale high as the new rules tagged virtually every message. This is not an entirely new tactic by the blackhats-- I've talked about it before. It is essentially a high-amplitude burst - where a new campaign is pre-tested against all known filters and then launched on a large number of new bots that are unknown to IP reputation systems. What is new is the purity of these recent events. When we've seen them before they were mixed in with a lot of other traffic from other bot nets and even other campaigns from the same bot net. While there was still a trickle of this activity, the purity of this burst was astounding. This was a stampede where essentially all visible bots started running in a single new direction. 
T rates have recovered now by and large -- so the new bots are already largely recognized by GBUdb, but the wild swing in telemetry across the network was amazing to watch -- as is the new telemetry showing dramatically increased traffic and capture rates indicating a nearly pure stream of spam from this new herd. Theories, comments, and observations welcome. Thanks, _M -- Pete McNeil Chief Scientist, Arm Research Labs, LLC.
[sniffer] Re: FW: Memory Usage of MessageSniffer 3
Just following-up: We've been running the upper limit at 100mb for 3 weeks now and have not seen any further St9bad_alloc errors. At 150mb we were seeing the St9bad_alloc error daily. Regards, --Paul -Original Message- From: Message Sniffer Community [mailto:[EMAIL PROTECTED] Behalf Of Pete McNeil Sent: Friday, August 01, 2008 12:40 PM To: Message Sniffer Community Subject: [sniffer] Re: FW: Memory Usage of MessageSniffer 3 Hello Peer-to-Peer, Friday, August 1, 2008, 10:49:52 AM, you wrote: snip/ I also have a scheduled reboot every night since we did confirm w/ Arvel at MDaemon there is a memory leak in MDaemon.exe (if heavily utilizing their Gateway feature). Have yet to hear anything from AltN regarding a fix on the MDaemon.exe leak. In any case, do you think lowering the upper limit will help the St9bad_alloc error, or am I fishing in the wrong area. That will help your memory leak issue because it will leave more room for the leak to expand before causing allocation failures. You shouldn't see a significant drop-off in GBUdb performance after you reduce your upper RAM limit because your message rates are low enough that GBUdb should be able to function quite well with fewer entries-- Also there is a shared memory effect that emerges from the interaction of GBUdb nodes and the cloud... When records are condensed they are more likely to be bounced off the cloud and get new data so what you might lose in fewer records you will gain in more frequent reflections. Hope this helps, _M -- Pete McNeil Chief Scientist, Arm Research Labs, LLC.
[sniffer] Re: FW: Memory Usage of MessageSniffer 3
H sorry, just before posting my question last night I lowered the upper limit to 100MB which is why you're now seeing more normal numbers on your end. Six servers were at 150MB last night and today the numbers are 1/2 of the size. Here's an example from server#1 (LAST NIGHT) gbudb size bytes=159383552/ records count=781184/ utilization percent=97.3916/ /gbudb Here's an example from server#1 (TODAY) gbudb size bytes=75497472/ records count=300560/ utilization percent=91.2028/ /gbudb I lowered the upper limit because since installing 3.0, I'm now seeing a dramatic increase of the St9bad_alloc (out of memory error) on a daily basis again. As you know when that error occurs, all mail is allowed to pass none filtered, so my server reboots automatically when the St9bad_alloc error occurs. I also have a scheduled reboot every night since we did confirm w/ Arvel at MDaemon there is a memory leak in MDaemon.exe (if heavily utilizing their Gateway feature). Have yet to hear anything from AltN regarding a fix on the MDaemon.exe leak. In any case, do you think lowering the upper limit will help the St9bad_alloc error, or am I fishing in the wrong area. Thanks, --Paul -Original Message- From: Message Sniffer Community [mailto:[EMAIL PROTECTED] Behalf Of Pete McNeil Sent: Friday, August 01, 2008 10:04 AM To: Message Sniffer Community Subject: [sniffer] Re: FW: Memory Usage of MessageSniffer 3 Hello Peer-to-Peer, Thursday, July 31, 2008, 10:05:15 PM, you wrote: Would it be correct to say the higher we can increase the size-trigger 'megabytes' value, the better filtering results (accuracy) we will achieve? In other words, would it be beneficial for us to purchase more memory on our server (say an additional 2GB), then increase the 'megabytes' value to 400 or 800? Several of our servers are hitting the upper limit (159,383,552) 150 MB I don't think so. A quick look at your telemetry indicates that your systems are typically rebooted once per day. 
This is actually preempting your daily condensation. One result of this is that many of your GBUdb nodes only condense when they reach their size limit. From what I can see, when this happens a significant portion of your GBUdb data is dropped. For example, several of the systems I looked at have not condensed in months. Here is some data from one of them: timers run started=20080801081753 elapsed=19637/ sync latest=20080801134415 elapsed=55/ save latest=20080801131823 elapsed=1607/ condense latest=20080406160144 elapsed=10100606/ /timers gbudb size bytes=50331648/ records count=214313/ utilization percent=91.1357/ /gbudb This one has not condensed since 200804 most likely due to restarts that prevented the daily condensation timer from expiring. If this is the case with your other systems as well, it is likely that they are occasionally condensing when they reach their size threshold, but if they were allowed to condense daily they would never reach that limit. In that case, adding additional memory for GBUdb would probably not improve performance significantly. The default settings are conservative even for very large message loads. For example our spamtrap processing systems typically handle 3000-4000 msg/minute continuously and typically have timer GBUdb telemetry like this: timers run started=20080717205939 elapsed=1270156/ sync latest=20080801134844 elapsed=11/ save latest=20080801134721 elapsed=94/ condense latest=20080801132958 elapsed=1137/ /timers gbudb size bytes=117440512/ records count=568867/ utilization percent=99.6626/ /gbudb Note that this SNF node has not been restarted since 20080717 and that its last condensation was in the early hours today-- most likely due to its daily timer. Note also that its GBUdb size is only 117 MBytes. It is unlikely that this system will reach 150Mbytes before the day is finished.
Since most systems we see are handling traffic rates significantly smaller than 4.75M/day it is safe to assume that most systems would also be unlikely to reach their default GBUdb size limit during any single day... So, the default of 150 MBytes is likely more than sufficient for most production systems. --- All that said, if you want to intentionally run larger GBUdb data sets on your systems there is no harm in that. Your system will be more aware of habitual bot IPs etc at the expense of memory. Since all GBUdb nodes receive reflections on IP encounters within one minute, it is likely that the benefit would be the ability to reject the first message from a bad IP more frequently... Subsequent messages from bad IPs would likely be rejected by all GBUdb nodes based on reflected data. It is likely that increasing the amount of RAM you assign to your GBUdb nodes will have diminishing returns past the defaults currently set... but it might be fun to try it and see :-) --- If you are looking for better capture rates you may be able to achieve those more readily by adjusting your GBUdb envelopes.
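Added example (not part of the thread and not ARM Research's code): a Python check over the two GBUdb telemetry samples quoted in the message above, flagging a node whose last condensation is older than the daily time-trigger while its uptime is shorter than that trigger, which is the restart pattern described. The function names and finding labels are hypothetical, and the parser assumes the flattened telemetry form shown in this archive (quoted attribute values are also accepted).

```python
import re

DAILY_TRIGGER_SECONDS = 86400  # time-trigger seconds='86400' in the condense config quoted in this thread
SIZE_TRIGGER_MB = 150          # size-trigger megabytes='150' in the same config

# Constructed inputs: the two telemetry samples quoted in the message above,
# in the flattened form the archive shows them (markup stripped).
RESTARTED_NODE = (
    "timers run started=20080801081753 elapsed=19637/ "
    "sync latest=20080801134415 elapsed=55/ "
    "save latest=20080801131823 elapsed=1607/ "
    "condense latest=20080406160144 elapsed=10100606/ /timers "
    "gbudb size bytes=50331648/ records count=214313/ "
    "utilization percent=91.1357/ /gbudb"
)
SPAMTRAP_NODE = (
    "timers run started=20080717205939 elapsed=1270156/ "
    "sync latest=20080801134844 elapsed=11/ "
    "save latest=20080801134721 elapsed=94/ "
    "condense latest=20080801132958 elapsed=1137/ /timers "
    "gbudb size bytes=117440512/ records count=568867/ "
    "utilization percent=99.6626/ /gbudb"
)


def _attr(text, element, attr):
    """Return one numeric attribute of one element; quotes around the value are optional."""
    # [^/]*? keeps the search inside the element (each element ends with '/').
    pattern = rf"\b{element}\s[^/]*?\b{attr}=['\"]?([\d.]+)"
    match = re.search(pattern, text)
    if match is None:
        raise ValueError(f"{element} {attr} not found in telemetry")
    return float(match.group(1))


def parse_status(text):
    """Extract the timer and GBUdb figures the thread reasons about."""
    return {
        "run_elapsed": _attr(text, "run", "elapsed"),            # seconds since SNF started
        "condense_elapsed": _attr(text, "condense", "elapsed"),  # seconds since last condense
        "size_bytes": _attr(text, "size", "bytes"),
        "records": _attr(text, "records", "count"),
        "utilization": _attr(text, "utilization", "percent"),
    }


def assess(status, trigger_s=DAILY_TRIGGER_SECONDS, limit_mb=SIZE_TRIGGER_MB):
    """Return hypothetical finding labels for one node's status."""
    findings = []
    overdue = status["condense_elapsed"] > trigger_s
    if overdue:
        findings.append("condense-overdue")
    # Uptime shorter than the daily trigger means the timer can never expire,
    # so the node only condenses when it hits the size trigger.
    if overdue and status["run_elapsed"] < trigger_s:
        findings.append("restart-preempts-daily-timer")
    if status["size_bytes"] >= limit_mb * 2**20:
        findings.append("at-size-limit")
    return findings


def size_trigger_for(ram_budget_mb):
    """size-trigger at 40% of the RAM set aside for SNF, as recommended in the thread."""
    return ram_budget_mb * 40 // 100


if __name__ == "__main__":
    for name, sample in (("restarted", RESTARTED_NODE), ("spamtrap", SPAMTRAP_NODE)):
        status = parse_status(sample)
        days = status["condense_elapsed"] / 86400
        print(f"{name}: last condense {days:.1f} days ago, findings={assess(status)}")
```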
[sniffer] Re: FW: Memory Usage of MessageSniffer 3
Would it be correct to say the higher we can increase the size-trigger 'megabytes' value, the better filtering results (accuracy) we will achieve? In other words, would it be beneficial for us to purchase more memory on our server (say an additional 2GB), then increase the 'megabytes' value to 400 or 800? Several of our servers are hitting the upper limit (159,383,552) 150 MB Thanks, --Paul -Original Message- From: Message Sniffer Community [mailto:[EMAIL PROTECTED] Behalf Of Pete McNeil Sent: Wednesday, July 30, 2008 8:23 AM To: Message Sniffer Community Subject: [sniffer] Re: FW: Memory Usage of MessageSniffer 3 Hello Ian, The new (V3) SNF does use more ram than the old SNF (V2). GBUdb adds records over time as it learns new IP data. The amount of RAM that will be used by GBUdb depends on how quickly it is learning new IPs and how frequently the database is condensed. You can set an upper limit on the size of GBUdb in the configuration file: <condense minimum-seconds-between='600'> <time-trigger on-off='on' seconds='86400'/> <posts-trigger on-off='off' posts='120'/> <records-trigger on-off='off' records='60'/> <size-trigger on-off='on' megabytes='150'/> </condense> By default GBUdb will condense once per day or when it reaches 150 MBytes. Roughly twice as much RAM is needed for the condensing process since the GBUdb data must be copied to a new location. Condensing the GBUdb data is relatively expensive, so if sufficient RAM is not released by the first pass GBUdb will condense again every 10 minutes (600 seconds above) until GBUdb is below the size limit you have set. I recommend you determine how much ram you want to make available for SNF and then set your <size-trigger/> to 40% of that size. This should leave room for GBUdb to condense and for the rest of SNF to fit inside your memory limit. You can monitor your GBUdb status in your status.minute or status.second reports. Here is some sample data from one of our spamtrap processors.
It has been stable for months so this should be indicative of what you would see on a busy machine that's been up for a while: gbudb size bytes=142606336/ records count=650314/ utilization percent=95.8431/ /gbudb For information on reading your status reports: http://www.armresearch.com/support/articles/software/snfServer/logFiles/statusLogs.jsp Hope this helps, _M Tuesday, July 29, 2008, 10:31:23 PM, you wrote: This is from one of our engineers. Anybody else had this sort of issue? Ian -Original Message- Does the new sniffer stuff have a higher memory requirement than the old? Sebastian pointed out to me today that a number of our gate servers were using a ton of swap space. Restarting snfctrl frees up a few hundred megs. Our newer gate servers (all with 2 or more GB of RAM) seem to be doing alright, but we have 16 gates at IAD with 1 GB of RAM that are being affected by this. It looks like the memory usage increases progressively over the course of a couple days, so I don't know if it's a memory leak or what. Is there anything we should do or add a snfctrl restart to our nightly cron jobs and just live with it for now? -- Pete McNeil Chief Scientist, Arm Research Labs, LLC.
[sniffer] MD - Headers in body
Hello, Is there any common cause for the SNF headers to appear in the body of an email? We're running MDaemon. We have a customer using a webform to receive their sales-orders via email. When the message arrives in the customer's mailbox the SNF headers appear at the top of the message body, and the webform itself shows-up as webcode in the body. I assume it's the way the webform was created or being sent. Sorry I have limited details, but any suggestions? Thanks, --Paul
[sniffer] Re: Upgraded Rulebase Delivery System
All appears to be working correctly here :-) --PTP -Original Message- From: Message Sniffer Community [mailto:[EMAIL PROTECTED] Behalf Of Pete McNeil Sent: Saturday, July 12, 2008 4:34 AM To: Message Sniffer Community Subject: [sniffer] Upgraded Rulebase Delivery System Hello Sniffer Folks, Early this morning we completed significant upgrades to our rulebase delivery system yielding a 10 fold increase in available bandwidth and a 5 fold increase in delivery transaction rates. Please let us know if you observe any negative or positive effects. From observations and theory rulebases should be delivered more quickly and more frequently. I will continue to monitor the system closely for any aberrations. Thanks, _M -- Pete McNeil Chief Scientist, Arm Research Labs, LLC.
[sniffer] Slow economy - More Spam
(theory): We're predicting an up-tick in spam over the coming months due to the (Global) economy which is dramatically slowing. Small businesses are feeling the pinch and business owners are beginning to panic (as you would naturally expect). So to make up for lost revenue they will advertise, heavily (just like chasing your money at the casino). An attractive way to advertise would be email (or so they think). Batten down the hatches. --PTP
[sniffer] Re: Source distribution corrected re: snf2check utility
Check to be certain your .snf rulebase is in the Mdaemon\SNF folder --PTP -Original Message- From: Message Sniffer Community [mailto:[EMAIL PROTECTED] Behalf Of David Pearson Sent: Thursday, April 24, 2008 2:47 PM To: Message Sniffer Community Subject: [sniffer] Re: Source distribution corrected re: snf2check utility Sorry - meant this version: SNFv2-9rc5.23.6 -Original Message- From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of David Pearson Sent: Thursday, April 24, 2008 2:43 PM To: Message Sniffer Community Subject: [sniffer] Re: Source distribution corrected re: snf2check utility Pete, I'm using Mdaemon and my plugin is messing up today. I went ahead and installed the new v2.9rc. I made sure to put my licenseid and auth number in the identity.xml file. Nothing changed because I did a copy and paste. Now when I start MDaemon I receive an error that says: Unable to authenticate rulebase Here's what the plug-ins section tells me: Thu 2008-04-24 14:35:24: Attempting to load 'SNF' plugin Thu 2008-04-24 14:35:24: * ConfigFunc: [EMAIL PROTECTED] (Ok, ready to use) Thu 2008-04-24 14:35:24: * StartupFunc: [EMAIL PROTECTED] (Ok, ready to use) Thu 2008-04-24 14:35:24: * ShutdownFunc: [EMAIL PROTECTED] (Ok, ready to use) Thu 2008-04-24 14:35:24: * PreMessageFunc: (NULL) Thu 2008-04-24 14:35:24: * PostMessageFunc: [EMAIL PROTECTED] (Ok, ready to use) Thu 2008-04-24 14:35:24: * SMTPMessageFunc: [EMAIL PROTECTED] (Ok, ready to use) Thu 2008-04-24 14:35:24: * SMTPMessageFunc2: (NULL) Thu 2008-04-24 14:35:24: * SMTPMessageFunc3: (NULL) Thu 2008-04-24 14:35:24: * DomainPOPMessageFunc: (NULL) Thu 2008-04-24 14:35:24: * MultiPOPMessageFunc: (NULL) Thu 2008-04-24 14:35:24: * Result: success (plugin DLL loaded in slot 0) Thu 2008-04-24 14:35:24: -- Thu 2008-04-24 14:35:24: SNF plugin is starting up Thu 2008-04-24 14:35:26: -- Thu 2008-04-24 14:35:44: SNF IPScan: c:\mdaemon\temp\md506.tmp, Engine Not Ready! 
Thu 2008-04-24 14:35:46: SNF MessageScan: c:\mdaemon\remoteq\md50001065387.msg, Engine Not Ready! Thu 2008-04-24 14:36:04: SNF IPScan: c:\mdaemon\temp\md508.tmp, Engine Not Ready! Thu 2008-04-24 14:36:05: SNF IPScan: c:\mdaemon\temp\md509.tmp, Engine Not Ready! Not sure what I'm doing wrong. Any ideas? Thanks, David -Original Message- From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil Sent: Monday, April 21, 2008 6:37 PM To: Message Sniffer Community Subject: [sniffer] Source distribution corrected re: snf2check utility Hello Sniffer Folks, The source distribution of the SNF2-9 beta/rc has been corrected. The previous build of the source distribution was missing a compile script. The new build -- just uploaded -- contains a compile script and some minor modifications to the source code so that it can be built in the SNF2Check directory. NO OTHER MODIFICATIONS WERE MADE ;-) Best, _M -- Pete McNeil Chief Scientist, Arm Research Labs, LLC.
[sniffer] Re: .pdf Attachments
Yes, we're getting tons of these too. Michael Stein Computer House - Original Message - From: Greg Coffey [EMAIL PROTECTED] To: Message Sniffer Community sniffer@sortmonster.com Sent: Thursday, June 28, 2007 10:20 AM Subject: [sniffer] .pdf Attachments What is with all the .pdf attachments in spam? I haven't noticed this trend previously. Are they infected or what is the scheme?
[sniffer] Re: Appriver issue
For those of us in the dark about this, can someone explain who Appriver is, and what is has to do with Message Sniffer? Thank you, Michael Stein Computer House - Original Message - From: Kevin Rogers [EMAIL PROTECTED] To: Message Sniffer Community sniffer@sortmonster.com Sent: Friday, May 18, 2007 6:45 AM Subject: [sniffer] Re: Downloads are not working I sent a message earlier to this list but I'm not sure if it went through. We've been hit by this Appriver issue and it is still going on as far as I can tell. One of our users, call him [EMAIL PROTECTED] sent a message to about 70 people. And this message has been bounced 20 or 30,000 times and counting. At first I thought it was this Exchange issue we experienced last year where a single message was sent over and over. But then I saw that all the headers of the bounced emails contained calls to appriver.com and when I checked here I found this thread. In the end, the only thing I could do was completely remove that user's account and it appears to be OK. But who knows? Things appeared to be OK from 7pm until 1am PST when it all started up again. Anyone have any information on this? Thanks Kevin Pete McNeil wrote: Hello Matt, Thursday, May 17, 2007, 2:22:56 PM, you wrote: Appriver, who is somehow involved with Sniffer, is having a ridicolous problem with sending messages over and over again (once every few seconds). They pulled their contact information from their site but didn't take down their servers. I suspect this is putting strain on them and if Sniffer uses their bandwidth for downloads, that could explain things. I'm not sure what the actual issue is (I will get that data later), however I've just been informed that it should be resolved in the next 20 minutes or so. Our rulebase server is on the same network so it is effected. BTW - they did not take down their contact information. It is right where it always has been. 
_M
[sniffer] Re: Best renewal price and service on Sniffer?
Dear Steve, I have replied to you off-list regarding our discounted renewal services for Message Sniffer. Thank you, Michael Stein Computer House 609 652-5100 [EMAIL PROTECTED] - Original Message - From: Steve Guluk To: Message Sniffer Community Sent: Friday, May 18, 2007 10:26 AM Subject: [sniffer] Best renewal price and service on Sniffer? Hello, I was informed some time back that I needed to renew my subscription to Sniffer soon. I sent an email to [EMAIL PROTECTED] on May 3rd and never got a response back. Today is the last day on my subscription. Does anyone have any suggestions on where to renew, at the best price? Regards, Steve Guluk SGDesign (949) 661-9333 ICQ: 7230769
[sniffer] Re: SPAM Storm?
Is it me, or is there an unbelievable spam storm going on this afternoon??
[sniffer] Re: DNSBL
Dear Alberto, Have you run your task manager to see what service is using the CPU? Michael Stein Computer House - Original Message - From: Alberto Santoni [EMAIL PROTECTED] To: Message Sniffer Community sniffer@sortmonster.com Sent: Wednesday, February 28, 2007 1:19 PM Subject: [sniffer] DNSBL Hello does someone have heavy problems with the DNSBLs? I have Imail server 2006.1 + mxguard + messagesniffer and it is since about a week that my server has almost always the CPU at 100%. I have stopped the check for all DNSBL but nothing has changed! Any idea? Alberto
[sniffer] ORDB.org shutting down
ORDB.org announced today (12/18/06) they will be shutting down (12/31/06). The folks at AltN.com (MDaemon) sent out announcements to all their customers and would like to pass this along to anyone who checks that RBL. The site will disappear in 13 days. You can visit ordb.org for details. --Paul
[sniffer] Re: Blocking emails with Cyrillic characters
Hear, hear! I second the motion. It would be great to be able to block these. We use the Declude Country Filter which does a good job, but these Russian or Arabic E-mails don't always originate in the subject country. Thanks Steve for the good suggestion. Michael Stein Computer House - Original Message - From: Steve Guluk To: Message Sniffer Community Sent: Wednesday, December 13, 2006 3:42 PM Subject: [sniffer] Blocking emails with Cyrillic characters Hello Comrades, Could we get a rule that looks for various common Russian words (or Cyrillic characters) and then gives them a spam value? Do you sell much Sniffer Product to Russia? If not, rules that focus on common Russian words would be great for blocking much of the spam that makes its way past Sniffer. You could always create a way for people that want Russian emails to exclude this rule. No? Not that I know all the details of how you guys create your rules but a rule looking for common Cyrillic characters could catch all spam formatted in Russian as well as other languages that use similar characters. Otherwise you should hire some coders that understand these languages as I get a heap of spam that passes Sniffer by using what looks like Russian or Cyrillic characters. I run iMail 8.22 so if anyone has any other ideas that could block these please post your suggestions, I guess we could create a phrase list from some of the Cyrillic spams..? Regards, Steve Guluk SGDesign (949) 661-9333 ICQ: 7230769
[sniffer] MDaemon 9.5 Gateways
MDaemon 9.5 hidden warning: If anyone is using the 'Gateway' features in MDaemon and plan to upgrade to 9.5, be aware you will now be required to purchase a user license equal to the number of Gateways. 9.5 no longer offers unlimited gateways :( --Paul R.
[sniffer] Re: Yahoo! Email Delivery
It looks like they are grey listing you. That's the return code our grey listing system uses. On our servers that grey list, the first time you try to deliver email from a new address we return the 451 code. You must retry again after 60 seconds, within 24 hours, and your mail will be accepted. Then that email address is white listed for 24 hours. I don't recommend grey listing, it will delay email delivery for hours, and some servers will not try back. We use it in particular circumstances. Paul Fuhrmeister [EMAIL PROTECTED] From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Jonathan Hickman Sent: Thursday, October 26, 2006 9:20 AM To: Message Sniffer Community Subject: [sniffer] Yahoo! Email Delivery We are still getting this error from Yahoo! servers when attempting to send email to people on their domain: Reason: Remote host said: 451 Message temporarily deferred - 4.16.50 I recall others encountering this difficulty. What did you do or what did Yahoo! tell you was the cause? It seems like every message sent to yahoo.com is being bounced with that message. I cannot contact their abuse or support departments because those emails bounce with the same error. Jonathan Hickman Cape Lookout Internet Services [EMAIL PROTECTED]
[sniffer] high spam
we seem to be having a drastic increase the last couple of hours or so - it's now 12:30 EST - anyone else seeing the same ?
[sniffer] Re: Declude header not modified correctly
David Waller wrote: they don't respond to support emails from this registered user... Dear David, I am curious to know if you have an active Service Agreement with Declude? Among the hundreds of vendors that I deal with, I found their support to be one of the best. I seldom wait more than an hour for a response. Michael Stein Computer House
[sniffer] Re: Declude header not modified correctly
Dear Sniffer Folks, As I mentioned in a previous post, we have been very happy with the response from Declude Tech Support. Feel free to use this E-mail address if you need help: [EMAIL PROTECTED] Linda has been very good at responding, and she has given permission for me to post her address here. Michael Stein Computer House - Original Message - From: Herb Guenther To: Message Sniffer Community Sent: Wednesday, October 25, 2006 10:06 AM Subject: [sniffer] Re: Declude header not modified correctly I have an active SA, I sent in some service requests and got a ticket number by return email, never a follow up. Then called in and a chap named Chris Asaro fixed the settings on our account so that I could download the correct version and was quite helpful with that. However, that does not solve the problem and all emails of examples and requests for status since 10/18/06 have gone unanswered. So, basically their answer was install the latest version, and beyond that nothing, not even a reply or a we are working on it and will have something to try on X. Our users are seeing hundreds of spam messages unmarked in their email boxes a day, and of course want to know why when it is identified as spam they are still getting it. I personally know that this has been an issue for at least a year. If I were a spammer I would sure code my emails to exploit this. Anyway, have used Declude for about 5 years as I recall and getting kind of to the end of the line. I also spent some time yet again on their web site, and do not see a discussion board or anything to discuss this issue there vs here. Herb Darin Cox wrote: I have an active SA. I've sent support requests twice in the past few months to support@ and have gotten no response. Darin.
- Original Message - From: "Computer House Support" [EMAIL PROTECTED] To: "Message Sniffer Community" sniffer@sortmonster.com Sent: Wednesday, October 25, 2006 9:11 AM Subject: [sniffer] Re: Declude header not modified correctly David Waller wrote: they don't respond to support emails from this registered user... Dear David, I am curious to know if you have an active Service Agreement with Declude? Among the hundreds of vendors that I deal with, I found their support to be one of the best. I seldom wait more than an hour for a response. Michael Stein Computer House -- Herb Guenther Lanex, LLC www.lanex.com (262)789-0966x102 Office (262)780-0424 Direct This e-mail is confidential and is for the use of the intended recipient(s)only. If you are not an intended recipient please advise us of our error by return e-mail then delete this e-mail and any attached files. You may not copy, disclose or use the contents in any way.
[sniffer] Re: SPAM Problems
David, What sort of database does ORF use and do you know if the expiration of addresses can be edited? thanks dodd - Original Message - From: David Waller [EMAIL PROTECTED] To: Message Sniffer Community sniffer@sortmonster.com Sent: Monday, October 23, 2006 6:14 AM Subject: [sniffer] Re: SPAM Problems Filippo, We had a similar problem. Due to the huge volumes of spam we found our mail server becoming less able to deal with email. Imail/Declude/Sniffer is expensive in processor terms when processing email and we found the best was to pre-process mail filtering using Greylisting (we used Vamsoft in IIS SMTP but others exist). This has dramatically reduced the load on our server and seems to stop the bulk of spammers and mail harvesters Hope this helps. David -Original Message- From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Filippo Palmili Sent: 23 October 2006 10:18 To: Message Sniffer Community Subject: [sniffer] SPAM Problems Hello Pete, since Friday our mail server is overwhelmed by a very lot of spam messages. Because of this the spool of my IMail Server gets full and it actually get stuck. Do you have any hint that can help me to fix this problem? Filippo Palmili
[sniffer] Re: SPAM Problems
We also use ORF by VamSoft on IIS to pre-process. We do not use the grey listing. We tried it, and it is great at eliminating spam, but it can delay mail for hours, which is a problem for most email users. Instead of grey listing, we have found ORF's tar-pitting very effective. We set some tests at the ORF level, but don't block on them (because there is no weighting). We also have some spam trap email addresses. Fail a test or hit a spam trap and we tar-pit. Instead of sending us 100 spams a minute they can only send one per minute. We can pick up x-records with Declude and not have to re-run the tests on the iMail server, still using Declude to score the messages based on the prior tests. ORF even has a built-in interface for sniffer. It is simpler and preferable to process everything on the iMail server, but when you want to off-load processing to stretch your iMail / Declude investment, this arrangement can do the trick. Paul Fuhrmeister [EMAIL PROTECTED] -Original Message- From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of David Waller Sent: Monday, October 23, 2006 5:15 AM To: Message Sniffer Community Subject: [sniffer] Re: SPAM Problems Filippo, We had a similar problem. Due to the huge volumes of spam we found our mail server becoming less able to deal with email. Imail/Declude/Sniffer is expensive in processor terms when processing email and we found the best was to pre-process mail filtering using Greylisting (we used Vamsoft in IIS SMTP but others exist). This has dramatically reduced the load on our server and seems to stop the bulk of spammers and mail harvesters Hope this helps. David
[sniffer] Re: Version 2-3.5 Release -- Faster Engine
Thank you Pete, We have successfully upgraded to version 2-3.5 Michael Stein Computer House - Original Message - From: Pete McNeil [EMAIL PROTECTED] To: Message Sniffer Community sniffer@sortmonster.com Sent: Monday, October 23, 2006 12:25 PM Subject: [sniffer] Version 2-3.5 Release -- Faster Engine Hello SNF Folks, The plan was to hold off until the next major release, however in light of recent increases in spam traffic we are pushing out a new version with our faster engine included. All other upgrades will wait for the major release ;-) The scanning engine upgrade results in a 2x speed increase that hopefully will help with the higher volumes we are seeing now. Version 2-3.5 also rolls up 2-3.2i1 which included the timing and file locking upgrades. You can find version 2-3.5 here: http://kb.armresearch.com/index.php?title=Message_Sniffer.GettingStarted.Distributions Thanks, _M -- Pete McNeil Chief Scientist, Arm Research Labs, LLC.
[sniffer] Re: yahoo mail problems
Matrosity Hosting wrote: anyone getting mail through yet? It was suggested that we try this command: telenet mx1.mail.yahoo.com 25 I have found that this fails about 4 out of 5 times. If you keep trying it, it will eventually connect. I would sure like to know what this is. Anyone know? Michael Stein Computer House
[sniffer] Re: yahoo mail problems
oops I spelled Telnet wrong. Sorry - Original Message - From: Computer House Support To: Message Sniffer Community Sent: Wednesday, October 18, 2006 7:50 PM Subject: [sniffer] Re: yahoo mail problems Matrosity Hosting wrote: anyone getting mail through yet? It was suggested that we try this command: telenet mx1.mail.yahoo.com 25 I have found that this fails about 4 out of 5 times. If you keep trying it, it will eventually connect. I would sure like to know what this is. Anyone know? Michael Stein Computer House
[sniffer] Re: FW: Retest (KMM38446283V14479L0KM)
The time and resources spent dealing with this add up to serious cash I'm thinking class action lawsuit :) - Original Message - From: Matrosity Hosting [EMAIL PROTECTED] To: Message Sniffer Community sniffer@sortmonster.com Sent: Wednesday, October 18, 2006 8:36 PM Subject: [sniffer] FW: Retest (KMM38446283V14479L0KM) Whatever, yahoo. You can't just admit your system was hosed and actually still is. Bill Foresman Matrosity Hosting www.matrosity.com 850.656.2644 -Original Message- From: Yahoo! Customer Support [mailto:[EMAIL PROTECTED] Sent: Wednesday, October 18, 2006 7:39 PM To: [EMAIL PROTECTED] Subject: Re: Retest (KMM38446283V14479L0KM) Hello, Thank you for contacting Yahoo! Customer Care. We have investigated the issue described in your report and believe the problem has been resolved. We apologize for any inconvenience. Emails from the mail server(s) you are using have recently become deprioritized due to potential issues with its mailings. These deprioritizations were temporary but may be re-triggered if the sending IP profile continues to be poor. Typically, deprioritizations are triggered by bad individual sender or MAIL FROM profiles. To continue to receive prioritized delivery or if your servers are being delivered to Yahoo! Mail's Bulk Mail folder, please visit the following URL's for more information: http://help.yahoo.com/help/us/mail/spam/spam-18.html http://help.yahoo.com/help/us/mail/bulk/bulk-01.html If you are not the administrator for the mail server(s) affected, we encourage you to contact the administrator so they can address the possible issues regarding mailings from the mail server. If you notice any further difficulties with delivering to Yahoo! Mail accounts after this time, please let us know by replying to this email. Please provide the text of any error messages you may have received and a copy of the email (with the full headers). 
Also, by providing the specific IP address of the mail server that experienced the delivery issue, it will help us to troubleshoot the issue efficiently. Thank you again for contacting Yahoo! Customer Care. Regards, Raoul Yahoo! Customer Care http://www.yahoo.com/ 27129662 Original Message Follows: - Mail-Id: 1161088172-2180 Name: Bill Foresman IPs in the form 255.255.255.255 (separate multiple IP submissions by new lines): 69.8.234.8 Indicate the error message(s) you have received. 10:17 00:24 SMTP-(373302740f62) Trying yahoo.com (0) 10:17 00:24 SMTP-(278301774a27) Trying yahoo.com (0) 10:17 00:24 SMTP-(3b5b01fb0583) Trying yahoo.com (0) 10:17 00:24 SMTP-(31dc0257057c) Trying yahoo.com (0) 10:17 00:24 SMTP-(306301c6026c) Trying yahoo.com (0) 10:17 00:24 SMTP-(27c101704a84) Trying yahoo.com (0) 10:17 00:24 SMTP-(370f01ce0f1b) Trying yahoo.com (0) 10:17 00:24 SMTP-(367c02540dfe) Trying yahoo.com (0) 10:17 00:24 SMTP-(3215025705df) Trying yahoo.com (0) 10:17 00:24 SMTP-(37f301fe10c1) Trying yahoo.com (0) 10:17 00:24 SMTP-(2d3e016f53e1) Trying yahoo.com (0) 10:17 00:24 SMTP-(37e5027410aa) Trying yahoo.com (0) 10:17 00:24 SMTP-(39ad01de02b3) Trying yahoo.com (0) 10:17 00:24 SMTP-(2ea30212569a) Trying yahoo.com (0) 10:17 00:24 SMTP-(373302740f62) 451 Message temporarily deferred - 4.16.50 Optionally, add a comment to your submission. No clue why this is happening to us! I've checked multiple open relay test and all come back negative. While Viewing: http://help.yahoo.com/help/us/mail/defer/defer-02.html Form Name: http://add2.dir.scd.yahoo.com/fast/help/us/mail/cgi_retest
[sniffer] yahoo mail problems
I'm sorry to post this here but we are desperately looking for opinions quickly as this has become a real issue to us and I could not think of any better place to find truly technical mail server folks :) We seem to be having multiple mail servers on multiple networks having issues sending to yahoo servers for going on 36 hours now. These are a variety of server types on a variety of networks. Telnet on port 25 is usually getting this: 451 Message temporarily deferred - 4.16.50. Keep in mind that some of our servers are having no issues sending mail. Anyone else having this issue?
[sniffer] Re: yahoo mail problems
I would recommend checking your mail server logs for a more detailed description of the bounce error. You may find that it is a DNS or spam blacklist issue. www.dnsstuff.com is a good resource. Michael Stein Computer House - Original Message - From: Tech Support To: Message Sniffer Community Sent: Tuesday, October 17, 2006 10:50 AM Subject: [sniffer] yahoo mail problems I'm sorry to post this here but we are desperately looking for opinions quickly as this has become a real issue to us and I could not think of any better place to find truly technical mail server folks :) We seem to be having multiple mail servers on multiple networks having issues sending to yahoo servers for going on 36 hours now. These are a variety of server types on a variety of networks. Telnet on port 25 is usually getting this: 451 Message temporarily deferred - 4.16.50. Keep in mind that some of our servers are having no issues sending mail. Anyone else having this issue?
[sniffer] Re: yahoo mail problems
Thanks, but we're not blacklisted and there are no entries other than message has been deferred :( From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Computer House Support Sent: Tuesday, October 17, 2006 11:54 AM To: Message Sniffer Community Subject: [sniffer] Re: yahoo mail problems I would recommend checking your mail server logs for a more detailed description of the bounce error. You may find that it is a DNS or spam blacklist issue. www.dnsstuff.com is a good resource. Michael Stein Computer House - Original Message - From: Tech Support To: Message Sniffer Community Sent: Tuesday, October 17, 2006 10:50 AM Subject: [sniffer] yahoo mail problems I'm sorry to post this here but we are desperately looking for opinions quickly as this has become a real issue to us and I could not think of any better place to find truly technical mail server folks :) We seem to be having multiple mail servers on multiple networks having issues sending to yahoo servers for going on 36 hours now. These are a variety of server types on a variety of networks. Telnet on port 25 is usually getting this: 451 Message temporarily deferred - 4.16.50. Keep in mind that some of our servers are having no issues sending mail. Anyone else having this issue?
[sniffer] Re: yahoo mail problems
We have had this issue intermittently for the last 2 days only on one mail server. Tech Support wrote: I'm sorry to post this here but we are desperately looking for opinions quickly as this has become a real issue to us and I could not think of any better place to find truly technical mail server folks :) We seem to be having multiple mail servers on multiple networks having issues sending to yahoo servers for going on 36 hours now. These are a variety of server types on a variety of networks. Telnet on port 25 is usually getting this: 451 Message temporarily deferred - 4.16.50. Keep in mind that some of our servers are having no issues sending mail. Anyone else having this issue?
[sniffer] Re: yahoo mail problems
Now that I've looked into it further, yes! Our E-mails to Yahoo have also been bouncing back as undeliverable with the same error. I have sent out a few test messages and will report back when I have some more info. Michael Stein Computer House - Original Message - From: Tech Support To: Message Sniffer Community Sent: Tuesday, October 17, 2006 11:52 AM Subject: [sniffer] Re: yahoo mail problems Thanks, but we're not blacklisted and there are no entries other than message has been deferred :( From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Computer House Support Sent: Tuesday, October 17, 2006 11:54 AM To: Message Sniffer Community Subject: [sniffer] Re: yahoo mail problems I would recommend checking your mail server logs for a more detailed description of the bounce error. You may find that it is a DNS or spam blacklist issue. www.dnsstuff.com is a good resource. Michael Stein Computer House - Original Message - From: Tech Support To: Message Sniffer Community Sent: Tuesday, October 17, 2006 10:50 AM Subject: [sniffer] yahoo mail problems I'm sorry to post this here but we are desperately looking for opinions quickly as this has become a real issue to us and I could not think of any better place to find truly technical mail server folks :) We seem to be having multiple mail servers on multiple networks having issues sending to yahoo servers for going on 36 hours now. These are a variety of server types on a variety of networks. Telnet on port 25 is usually getting this: 451 Message temporarily deferred - 4.16.50. Keep in mind that some of our servers are having no issues sending mail. Anyone else having this issue?
[sniffer] Re: yahoo mail problems
Here's what we have found so far. Yahoo is grey listing, but instead of running a centralized GL database each of their servers has its own. A lookup for their MX shows:
Mx1.mail.yahoo.com
Mx2.mail.yahoo.com
Mx3.mail.yahoo.com
So your server grabs one of these and does a lookup, which returns a round robin response for mx1.mail.yahoo.com of:
4.79.181.14
4.79.181.15
4.79.181.168
67.28.113.71
67.28.113.73
67.28.113.19
Each of which has a TTL of 1800. So your server tries one of these and gets deferred to try again. It waits and tries again, but depending on your retry frequency the TTL may have expired, and so the process starts over with a new MX1.mail.yahoo.com server. Not sure if this is all correct but it is the best we can figure out as of yet.
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Computer House Support Sent: Tuesday, October 17, 2006 12:11 PM To: Message Sniffer Community Subject: [sniffer] Re: yahoo mail problems Now that I've looked into it further, yes! Our E-mails to Yahoo have also been bouncing back as undeliverable with the same error. I have sent out a few test messages and will report back when I have some more info. Michael Stein Computer House - Original Message - From: Tech Support To: Message Sniffer Community Sent: Tuesday, October 17, 2006 11:52 AM Subject: [sniffer] Re: yahoo mail problems Thanks, but we're not blacklisted and there are no entries other than message has been deferred :( From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Computer House Support Sent: Tuesday, October 17, 2006 11:54 AM To: Message Sniffer Community Subject: [sniffer] Re: yahoo mail problems I would recommend checking your mail server logs for a more detailed description of the bounce error. You may find that it is a DNS or spam blacklist issue. www.dnsstuff.com is a good resource. Michael Stein Computer House - Original Message - From: Tech Support To: Message Sniffer Community Sent: Tuesday, October 17, 2006 10:50 AM Subject: [sniffer] yahoo mail problems I'm sorry to post this here but we are desperately looking for opinions quickly as this has become a real issue to us and I could not think of any better place to find truly technical mail server folks :) We seem to be having multiple mail servers on multiple networks having issues sending to yahoo servers for going on 36 hours now. These are a variety of server types on a variety of networks. Telnet on port 25 is usually getting this: 451 Message temporarily deferred - 4.16.50. Keep in mind that some of our servers are having no issues sending mail. Anyone else having this issue?
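The hypothesis in the message above, combined with the grey listing rules Paul Fuhrmeister describes in the "Yahoo! Email Delivery" reply (451 on first contact, retry after 60 seconds and within 24 hours, then a 24-hour whitelist), can be modelled as follows. This is an added example, not part of any post in this thread; the host labels, sender address, strict rotation through six hosts and the retry intervals are assumptions for illustration, not observed Yahoo behaviour.

```python
"""Constructed model: grey listing behind several round-robin MX hosts."""
from dataclasses import dataclass, field
from typing import Optional

# Grey listing rules as stated in the "Yahoo! Email Delivery" reply.
MIN_DELAY = 60              # a retry only counts after 60 seconds
RETRY_WINDOW = 24 * 3600    # ...and must arrive within 24 hours
WHITELIST_TTL = 24 * 3600   # accepted senders stay whitelisted for 24 hours

# Assumptions: placeholder sender and six placeholder host labels.
SENDER = "sender@example.test"
HOSTS = [f"mx-host-{n}" for n in range(1, 7)]


@dataclass
class Greylist:
    """One grey list database, keyed by sender address."""
    first_seen: dict = field(default_factory=dict)
    whitelisted_until: dict = field(default_factory=dict)

    def check(self, sender: str, now: int) -> int:
        """Return the SMTP reply code for a delivery attempt at time now."""
        if self.whitelisted_until.get(sender, -1) >= now:
            return 250
        seen = self.first_seen.get(sender)
        if seen is None or now - seen > RETRY_WINDOW:
            # Unknown sender, or the earlier record aged out: start over.
            self.first_seen[sender] = now
            return 451
        if now - seen < MIN_DELAY:
            return 451  # retried too quickly, still deferred
        self.whitelisted_until[sender] = now + WHITELIST_TTL
        del self.first_seen[sender]
        return 250


def attempts_until_accepted(retry_interval: int, shared_db: bool,
                            hosts=HOSTS, max_attempts: int = 50) -> Optional[int]:
    """Count attempts until the first 250, or None if never accepted.

    The sender retries every retry_interval seconds and lands on the next
    host in rotation each time (assumed worst case of round-robin DNS).
    shared_db=True gives all hosts one grey list; False gives each its own.
    """
    shared = Greylist()
    dbs = {h: (shared if shared_db else Greylist()) for h in hosts}
    for attempt in range(max_attempts):
        now = attempt * retry_interval
        host = hosts[attempt % len(hosts)]
        if dbs[host].check(SENDER, now) == 250:
            return attempt + 1
    return None


if __name__ == "__main__":
    for label, interval in (("15 min", 900), ("5 h", 5 * 3600)):
        for shared in (True, False):
            kind = "shared DB" if shared else "per-host DB"
            result = attempts_until_accepted(interval, shared)
            print(f"retry every {label}, {kind}: {result}")
```

With a per-host database the sender is only accepted once the rotation returns to a host that has already seen it, and if that takes longer than the retry window the record has expired and the message is deferred indefinitely.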
[sniffer] Re: yahoo mail problems
This issue is occurring for us with the following platforms Windows with Imail, smartermail Mail enable Linux about ½ our cpanel servers Exchange servers at least 1/3 of them From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Computer House Support Sent: Tuesday, October 17, 2006 12:27 PM To: Message Sniffer Community Subject: [sniffer] Re: yahoo mail problems Are those of us having this problem all running an Imail server? Michael Stein Computer House - Original Message - From: Matrosity Hosting To: Message Sniffer Community Sent: Tuesday, October 17, 2006 12:08 PM Subject: [sniffer] Re: yahoo mail problems same here Bill Foresman Matrosity Hosting www.matrosity.com 850.656.2644 From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Tech Support Sent: Tuesday, October 17, 2006 11:52 AM To: Message Sniffer Community Subject: [sniffer] Re: yahoo mail problems Thanks, but were not blacklisted and there are no entries other than message has been deferred L From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Computer House Support Sent: Tuesday, October 17, 2006 11:54 AM To: Message Sniffer Community Subject: [sniffer] Re: yahoo mail problems I would recommend checking your mail server logs for a more detailed description of the bounce error. You may find that it is a DNS or spam blacklist issue. www.dnsstuff.com is a good resource. 
[sniffer] Re: yahoo mail problems
Weird. I found that only certain domains on our server are having the problem. One domain can successfully send mail to [EMAIL PROTECTED] but when I try mail to this address from my domain, it fails. The other error we are seeing is: rl-recv: connection reset
Michael Stein Computer House

----- Original Message ----- From: Tech Support To: Message Sniffer Community Sent: Tuesday, October 17, 2006 12:18 PM Subject: [sniffer] Re: yahoo mail problems
This issue is occurring for us with the following platforms: Windows with Imail, smartermail, Mail enable, Linux – about ½ our cpanel servers, Exchange servers – at least 1/3 of them

From: Message Sniffer Community [mailto:[EMAIL PROTECTED]] On Behalf Of Computer House Support Sent: Tuesday, October 17, 2006 12:27 PM To: Message Sniffer Community Subject: [sniffer] Re: yahoo mail problems
Are those of us having this problem all running an Imail server?
Michael Stein Computer House

----- Original Message ----- From: Matrosity Hosting To: Message Sniffer Community Sent: Tuesday, October 17, 2006 12:08 PM Subject: [sniffer] Re: yahoo mail problems
same here
Bill Foresman Matrosity Hosting www.matrosity.com 850.656.2644

From: Message Sniffer Community [mailto:[EMAIL PROTECTED]] On Behalf Of Tech Support Sent: Tuesday, October 17, 2006 11:52 AM To: Message Sniffer Community Subject: [sniffer] Re: yahoo mail problems
Thanks, but we're not blacklisted and there are no entries other than message has been deferred :(

From: Message Sniffer Community [mailto:[EMAIL PROTECTED]] On Behalf Of Computer House Support Sent: Tuesday, October 17, 2006 11:54 AM To: Message Sniffer Community Subject: [sniffer] Re: yahoo mail problems
I would recommend checking your mail server logs for a more detailed description of the bounce error. You may find that it is a DNS or spam blacklist issue. www.dnsstuff.com is a good resource.
[sniffer] Re: yahoo mail problems
Telnet to mx1.mail.yahoo.com on port 25 – likewise try mx2 3

From: Message Sniffer Community [mailto:[EMAIL PROTECTED]] On Behalf Of Computer House Support Sent: Tuesday, October 17, 2006 12:44 PM To: Message Sniffer Community Subject: [sniffer] Re: yahoo mail problems
Weird. I found that only certain domains on our server are having the problem. One domain can successfully send mail to [EMAIL PROTECTED] but when I try mail to this address from my domain, it fails. The other error we are seeing is: rl-recv: connection reset
Michael Stein Computer House

----- Original Message ----- From: Tech Support To: Message Sniffer Community Sent: Tuesday, October 17, 2006 12:18 PM Subject: [sniffer] Re: yahoo mail problems
This issue is occurring for us with the following platforms: Windows with Imail, smartermail, Mail enable, Linux – about ½ our cpanel servers, Exchange servers – at least 1/3 of them

From: Message Sniffer Community [mailto:[EMAIL PROTECTED]] On Behalf Of Computer House Support Sent: Tuesday, October 17, 2006 12:27 PM To: Message Sniffer Community Subject: [sniffer] Re: yahoo mail problems
Are those of us having this problem all running an Imail server?
[sniffer] Re: yahoo mail problems
We were thinking of that approach, but we run dedicated dns servers that are extremely high traffic, so we would have to set up dns on each server, as adding the zone to our true dns would cause lookup issues for other yahoo services

From: Message Sniffer Community [mailto:[EMAIL PROTECTED]] On Behalf Of Colbeck, Andrew Sent: Tuesday, October 17, 2006 12:38 PM To: Message Sniffer Community Subject: [sniffer] Re: yahoo mail problems
I had a similar problem with Hotmail once upon a time; the details were different, but the remedy was the same. I run a caching DNS server on my outbound DNS host, so I simply added a DNS zone for Yahoo.com on it, and populated only enough MX record information so that I could reliably get to just a few hosts. The same dummy zone technique could be used here to consistently deliver mail to the same Yahoo! mail hosts and therefore their greylisting will work as they expect. If you try it and it works, please let us know.
Andrew 8)

From: Message Sniffer Community [mailto:[EMAIL PROTECTED]] On Behalf Of Tech Support Sent: Tuesday, October 17, 2006 9:12 AM To: Message Sniffer Community Subject: [sniffer] Re: yahoo mail problems
Here's what we have found so far. Yahoo is grey listing, but instead of running a centralized GL database each of their servers has its own. A lookup for their MX shows:
Mx1.mail.yahoo.com
Mx2.mail.yahoo.com
Mx3.mail.yahoo.com
So your server grabs one of these and does a lookup, which returns a round robin response for mx1.mail.yahoo.com of:
4.79.181.14
4.79.181.15
4.79.181.168
67.28.113.71
67.28.113.73
67.28.113.19
Each of which has a TTL of 1800. So your server tries one of these and gets deferred to try again. It waits and tries again, but depending on your retry frequency TTL may have expired, and so the process starts over with a new MX1.mail.yahoo.com server. Not sure if this is all correct but it is the best we can figure out as of yet.

From: Message Sniffer Community [mailto:[EMAIL PROTECTED]] On Behalf Of Computer House Support Sent: Tuesday, October 17, 2006 12:11 PM To: Message Sniffer Community Subject: [sniffer] Re: yahoo mail problems
Now that I've looked into it further, yes! Our E-mails to Yahoo have also been bouncing back as undeliverable with the same error. I have sent out a few test messages and will report back when I have some more info.
Michael Stein Computer House

----- Original Message ----- From: Tech Support To: Message Sniffer Community Sent: Tuesday, October 17, 2006 11:52 AM Subject: [sniffer] Re: yahoo mail problems
Thanks, but we're not blacklisted and there are no entries other than message has been deferred :(

From: Message Sniffer Community [mailto:[EMAIL PROTECTED]] On Behalf Of Computer House Support Sent: Tuesday, October 17, 2006 11:54 AM To: Message Sniffer Community Subject: [sniffer] Re: yahoo mail problems
I would recommend checking your mail server logs for a more detailed description of the bounce error. You may find that it is a DNS or spam blacklist issue. www.dnsstuff.com is a good resource.
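The hypothesis in this thread (each receiving host keeps its own greylist, the MX name resolves round-robin with a TTL of 1800, and a retry after the TTL lands on a different host) and the effect of pinning delivery to a few hosts, as in the dummy-zone workaround, can be modelled in a few lines. This is an added simulation, not code from any poster or from Yahoo; the greylist minimum delay, the retry intervals, the strict rotation of the resolver and the sender triplet are assumptions, while the six addresses and the TTL are the values quoted above.

```python
"""Per-host greylisting behind round-robin DNS: a small simulation (added example)."""
from dataclasses import dataclass, field

# Addresses and TTL quoted in the thread for mx1.mail.yahoo.com.
MX1_ADDRESSES = ["4.79.181.14", "4.79.181.15", "4.79.181.168",
                 "67.28.113.71", "67.28.113.73", "67.28.113.19"]
RECORD_TTL = 1800          # seconds, from the thread
GREYLIST_MIN_DELAY = 300   # seconds; assumed, the thread gives no value


@dataclass
class GreylistingHost:
    """One receiving host with its own greylist table (no shared database)."""
    first_seen: dict = field(default_factory=dict)

    def rcpt(self, triplet, now):
        # First contact records the triplet and defers; a retry to the SAME
        # host after the minimum delay is accepted.
        seen = self.first_seen.setdefault(triplet, now)
        return 250 if now - seen >= GREYLIST_MIN_DELAY else 451


class CachingResolver:
    """Caches one address for the TTL; each fresh lookup yields the next one.

    Strict rotation is an assumption that makes the run deterministic.
    """
    def __init__(self, addresses, ttl):
        self.addresses = list(addresses)
        self.ttl = ttl
        self.rotation = 0
        self.cached = None
        self.expires = -1

    def resolve(self, now):
        if self.cached is None or now >= self.expires:
            self.cached = self.addresses[self.rotation % len(self.addresses)]
            self.rotation += 1
            self.expires = now + self.ttl
        return self.cached


def deliver(addresses, retry_interval, max_attempts=10, ttl=RECORD_TTL):
    """Return (attempt number that got 250, or None if all failed, log)."""
    hosts = {ip: GreylistingHost() for ip in addresses}
    resolver = CachingResolver(addresses, ttl)
    # Constructed triplet: sending IP, envelope sender, envelope recipient.
    triplet = ("192.0.2.10", "sender@example.org", "user@example.com")
    log, now = [], 0
    for attempt in range(1, max_attempts + 1):
        ip = resolver.resolve(now)
        code = hosts[ip].rcpt(triplet, now)
        log.append((now, ip, code))
        if code == 250:
            return attempt, log
        now += retry_interval
    return None, log


if __name__ == "__main__":
    scenarios = [
        ("retry inside TTL, all six hosts", MX1_ADDRESSES, 900),
        ("retry after TTL, all six hosts", MX1_ADDRESSES, 3600),
        ("retry after TTL, pinned to two hosts", MX1_ADDRESSES[:2], 3600),
        ("retry after TTL, pinned to one host", MX1_ADDRESSES[:1], 3600),
    ]
    for label, addrs, interval in scenarios:
        attempt, log = deliver(addrs, interval)
        print(f"{label}: accepted on attempt {attempt}, "
              f"{log[-1][0]} s after the first try")
```

With a queue that gives up before the rotation wraps around (for example `max_attempts=5` at a 3600-second interval), the message is never accepted, which matches the bounces reported in the thread.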
[sniffer] Re: yahoo mail problems
Thanks for the suggestion. I did the Telnet test to MX1 and it fails from the mail server, but connects ok from my web server. Any ideas?
Michael Stein Computer House

----- Original Message ----- From: Tech Support To: Message Sniffer Community Sent: Tuesday, October 17, 2006 12:34 PM Subject: [sniffer] Re: yahoo mail problems
Telnet to mx1.mail.yahoo.com on port 25 – likewise try mx2 3

From: Message Sniffer Community [mailto:[EMAIL PROTECTED]] On Behalf Of Computer House Support Sent: Tuesday, October 17, 2006 12:44 PM To: Message Sniffer Community Subject: [sniffer] Re: yahoo mail problems
Weird. I found that only certain domains on our server are having the problem. One domain can successfully send mail to [EMAIL PROTECTED] but when I try mail to this address from my domain, it fails. The other error we are seeing is: rl-recv: connection reset
Michael Stein Computer House

----- Original Message ----- From: Tech Support To: Message Sniffer Community Sent: Tuesday, October 17, 2006 12:18 PM Subject: [sniffer] Re: yahoo mail problems
This issue is occurring for us with the following platforms: Windows with Imail, smartermail, Mail enable, Linux – about ½ our cpanel servers, Exchange servers – at least 1/3 of them

From: Message Sniffer Community [mailto:[EMAIL PROTECTED]] On Behalf Of Computer House Support Sent: Tuesday, October 17, 2006 12:27 PM To: Message Sniffer Community Subject: [sniffer] Re: yahoo mail problems
Are those of us having this problem all running an Imail server?
[sniffer] Re: yahoo mail problems
Here is the error we are getting now on any mail to Yahoo: Unexpected connection response from server: Out of curiosity, I ran "yahoo.com" through DNSREPORT.COM and it said: ERROR: I could not complete a connection to any of your mailservers! So I guess I'll stop worrying about it and wait for them to fix their problem. Agree?
Michael Stein Computer House

----- Original Message ----- From: Tech Support To: Message Sniffer Community Sent: Tuesday, October 17, 2006 1:47 PM Subject: [sniffer] Re: yahoo mail problems
It's a variety actually: MS DNS, SimpleDNS, and bind on linux I believe

From: Message Sniffer Community [mailto:[EMAIL PROTECTED]] On Behalf Of Jim Matuska Jr. Sent: Tuesday, October 17, 2006 1:49 PM To: Message Sniffer Community Subject: [sniffer] Re: yahoo mail problems
Would you happen to be running Microsoft DNS server? I ran into something similar a while back where certain dns queries were corrupted for domains that used certain extended dns queries. It turned out in our case that our firewalls were removing the ends of the extended dns packets because they were over limit. Have you made any firewall changes recently?
Jim Matuska Jr. Computer Tech2, CCNA Nez Perce Tribe Information Systems [EMAIL PROTECTED]

From: Message Sniffer Community [mailto:[EMAIL PROTECTED]] On Behalf Of Computer House Support Sent: Tuesday, October 17, 2006 9:44 AM To: Message Sniffer Community Subject: [sniffer] Re: yahoo mail problems
Weird. I found that only certain domains on our server are having the problem. One domain can successfully send mail to [EMAIL PROTECTED] but when I try mail to this address from my domain, it fails. The other error we are seeing is: rl-recv: connection reset
Michael Stein Computer House

----- Original Message ----- From: Tech Support To: Message Sniffer Community Sent: Tuesday, October 17, 2006 12:18 PM Subject: [sniffer] Re: yahoo mail problems
This issue is occurring for us with the following platforms: Windows with Imail, smartermail, Mail enable, Linux – about ½ our cpanel servers, Exchange servers – at least 1/3 of them

From: Message Sniffer Community [mailto:[EMAIL PROTECTED]] On Behalf Of Computer House Support Sent: Tuesday, October 17, 2006 12:27 PM To: Message Sniffer Community Subject: [sniffer] Re: yahoo mail problems
Are those of us having this problem all running an Imail server?
Michael Stein Computer House

----- Original Message ----- From: Matrosity Hosting To: Message Sniffer Community Sent: Tuesday, October 17, 2006 12:08 PM Subject: [sniffer] Re: yahoo mail problems
same here
Bill Foresman Matrosity Hosting www.matrosity.com 850.656.2644

From: Message Sniffer Community [mailto:[EMAIL PROTECTED]] On Behalf Of Tech Support Sent: Tuesday, October 17, 2006 11:52 AM To: Message Sniffer Community Subject: [sniffer] Re: yahoo mail problems
Thanks, but we're not blacklisted and there are no entries other than message has been deferred :(

From: Message Sniffer Community [mailto:[EMAIL PROTECTED]] On Behalf Of Computer House Support Sent: Tuesday, October 17, 2006 11:54 AM To: Message Sniffer Community Subject: [sniffer] Re: yahoo mail problems
I would recommend checking your mail server logs for a more detailed description of the bounce error. You may find that it is a DNS or spam blacklist issue. www.dnsstuff.com is a good resource.
[sniffer] Re: yahoo mail problems
Not really much any of us can do unless someone has a friend who has a friend, but it's a problem none the less as yahoo also sells their services to host email commercially for any domain that will pay them

From: Message Sniffer Community [mailto:[EMAIL PROTECTED]] On Behalf Of Computer House Support Sent: Tuesday, October 17, 2006 2:44 PM To: Message Sniffer Community Subject: [sniffer] Re: yahoo mail problems
Here is the error we are getting now on any mail to Yahoo: Unexpected connection response from server: Out of curiosity, I ran "yahoo.com" through DNSREPORT.COM and it said: ERROR: I could not complete a connection to any of your mailservers! So I guess I'll stop worrying about it and wait for them to fix their problem. Agree?
Michael Stein Computer House

----- Original Message ----- From: Tech Support To: Message Sniffer Community Sent: Tuesday, October 17, 2006 1:47 PM Subject: [sniffer] Re: yahoo mail problems
It's a variety actually: MS DNS, SimpleDNS, and bind on linux I believe

From: Message Sniffer Community [mailto:[EMAIL PROTECTED]] On Behalf Of Jim Matuska Jr. Sent: Tuesday, October 17, 2006 1:49 PM To: Message Sniffer Community Subject: [sniffer] Re: yahoo mail problems
Would you happen to be running Microsoft DNS server? I ran into something similar a while back where certain dns queries were corrupted for domains that used certain extended dns queries. It turned out in our case that our firewalls were removing the ends of the extended dns packets because they were over limit. Have you made any firewall changes recently?
Jim Matuska Jr. Computer Tech2, CCNA Nez Perce Tribe Information Systems [EMAIL PROTECTED]

From: Message Sniffer Community [mailto:[EMAIL PROTECTED]] On Behalf Of Computer House Support Sent: Tuesday, October 17, 2006 9:44 AM To: Message Sniffer Community Subject: [sniffer] Re: yahoo mail problems
Weird. I found that only certain domains on our server are having the problem. One domain can successfully send mail to [EMAIL PROTECTED] but when I try mail to this address from my domain, it fails. The other error we are seeing is: rl-recv: connection reset
Michael Stein Computer House

----- Original Message ----- From: Tech Support To: Message Sniffer Community Sent: Tuesday, October 17, 2006 12:18 PM Subject: [sniffer] Re: yahoo mail problems
This issue is occurring for us with the following platforms: Windows with Imail, smartermail, Mail enable, Linux – about ½ our cpanel servers, Exchange servers – at least 1/3 of them

From: Message Sniffer Community [mailto:[EMAIL PROTECTED]] On Behalf Of Computer House Support Sent: Tuesday, October 17, 2006 12:27 PM To: Message Sniffer Community Subject: [sniffer] Re: yahoo mail problems
Are those of us having this problem all running an Imail server?
Michael Stein Computer House

----- Original Message ----- From: Matrosity Hosting To: Message Sniffer Community Sent: Tuesday, October 17, 2006 12:08 PM Subject: [sniffer] Re: yahoo mail problems
same here
Bill Foresman Matrosity Hosting www.matrosity.com 850.656.2644

From: Message Sniffer Community [mailto:[EMAIL PROTECTED]] On Behalf Of Tech Support Sent: Tuesday, October 17, 2006 11:52 AM To: Message Sniffer Community Subject: [sniffer] Re: yahoo mail problems
Thanks, but we're not blacklisted and there are no entries other than message has been deferred :(

From: Message Sniffer Community [mailto:[EMAIL PROTECTED]] On Behalf Of Computer House Support Sent: Tuesday, October 17, 2006 11:54 AM To: Message Sniffer Community Subject: [sniffer] Re: yahoo mail problems
I would recommend checking your mail server logs for a more detailed description of the bounce error. You may find that it is a DNS or spam blacklist issue. www.dnsstuff.com is a good resource.
[sniffer] Re: email
Dear Pete, I sent an E-mail to the Sniffer Community over an hour ago, and it has not yet been received by anyone. I noticed that 2pm was the last sniffer mail I got. Are these being held up for some reason? Michael Stein Computer House
[sniffer] Re: yahoo mail problems
Not really; chances are a few tries several seconds apart will yield the reverse on both servers

From: Message Sniffer Community [mailto:[EMAIL PROTECTED]] On Behalf Of Computer House Support Sent: Tuesday, October 17, 2006 3:00 PM To: Message Sniffer Community Subject: [sniffer] Re: yahoo mail problems
Thanks for the suggestion. I did the Telnet test to MX1 and it fails from the mail server, but connects ok from my web server. Any ideas?
Michael Stein Computer House

----- Original Message ----- From: Tech Support To: Message Sniffer Community Sent: Tuesday, October 17, 2006 12:34 PM Subject: [sniffer] Re: yahoo mail problems
Telnet to mx1.mail.yahoo.com on port 25 – likewise try mx2 3

From: Message Sniffer Community [mailto:[EMAIL PROTECTED]] On Behalf Of Computer House Support Sent: Tuesday, October 17, 2006 12:44 PM To: Message Sniffer Community Subject: [sniffer] Re: yahoo mail problems
Weird. I found that only certain domains on our server are having the problem. One domain can successfully send mail to [EMAIL PROTECTED] but when I try mail to this address from my domain, it fails. The other error we are seeing is: rl-recv: connection reset
Michael Stein Computer House

----- Original Message ----- From: Tech Support To: Message Sniffer Community Sent: Tuesday, October 17, 2006 12:18 PM Subject: [sniffer] Re: yahoo mail problems
This issue is occurring for us with the following platforms: Windows with Imail, smartermail, Mail enable, Linux – about ½ our cpanel servers, Exchange servers – at least 1/3 of them

From: Message Sniffer Community [mailto:[EMAIL PROTECTED]] On Behalf Of Computer House Support Sent: Tuesday, October 17, 2006 12:27 PM To: Message Sniffer Community Subject: [sniffer] Re: yahoo mail problems
Are those of us having this problem all running an Imail server?
[sniffer] Re: Mdaemon plugin 'sleeping'
Hi Sven, My guess is that the plug-in is actually working but just not being logged when MD is minimized (or Windows logged-off). Check the MD Log Settings and enable "Always log to screen". Setup|Logging|Options - Enable "Always log to screen"
--Paul

-----Original Message----- From: Message Sniffer Community [mailto:[EMAIL PROTECTED]] On Behalf Of Sven De Troch Sent: Thursday, September 21, 2006 6:15 PM To: Message Sniffer Community Subject: [sniffer] Mdaemon plugin 'sleeping'
Dear all, Configuration: mdaemon 9.0.6 / included SpamAssassin (from mdaemon) / mdaemon plug-in (latest version). Trial account. We configured the plugin (scanning of emails and add 5 extra score point to Mdaemon's SpamAssassin in case of spam) and it's working fine most of the time, but: The plugin is working fine when we are logged on on the server (Windows 2003 Server). But as soon as we logoff, the plugin stops working. Apparently the plugin falls into sleep (mdaemon plugin tab indicates no activity during these periods). When we (interactively via RDP) logon to the server again, the plugin starts working again (without intervention from us) ... And the 'mdaemon plugin' tabpage is showing activity again. FYI: The mailserver is receiving thousands of mail/hour, so it's sure that there was mail coming in at those moments. Any idea how to solve this problem? (I just changed the ACL's on the files to everyone/full access and will check if this changes anything)
kind regards, Sven
[sniffer] Re: Another example of an empty email but looking at the source.
Hi David: There has been a rise in spam again and we just added some new rules to our system. Let's give it a few days to see if they stop. Have a great day. Phil

David Moore wrote:
Received: from PC05.4ueleoz.org [202.215.167.25] by romtech.com.au with ESMTP (SMTPD-8.22) id A7AC0224; Thu, 24 Aug 2006 08:33:16 +1000
Message-Id: [EMAIL PROTECTED]
X-mxGuard-Info: Processed by romtech.com.au using mxGuard v2.4
X-mxGuard-SpoolID: d7ab017912af
X-mxGuard-Sender: [EMAIL PROTECTED]
X-mxGuard-Virus-Info: No viruses detected
X-mxGuard-Spam-Score: 0
X-mxGuard-Spam-Probability: CLEAN
X-Note: This message has been scanned for spam and viruses by mxGuard for IMail (www.mxguard.com)
Subject:
From: [EMAIL PROTECTED]
Date: Thu, 24 Aug 2006 08:33:20 +1000
X-RCPT-TO: [EMAIL PROTECTED]
Status: U
X-UIDL: 454950044
X-IMail-ThreadID: d7ab017912af

Body contents below
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META http-equiv=Content-Type content="text/html; charset=iso-8859-1"></HEAD> <BODY></BODY></HTML>
End of email

Is there a rule to filter out empty emails?
Regards David Moore [EMAIL PROTECTED] J.P. MCP, MCSE, MCSE + INTERNET, CNE. www.adsldirect.com.au for ADSL and Internet www.romtech.com.au for PC sales Office Phone: (+612) 9453 1990 Fax Phone: (+612) 9453 1880 Mobile Phone: +614 18 282 648 POSTAL ADDRESS: PO BOX 190 BELROSE NSW 2085 AUSTRALIA. DELIVERY ADDRESS: 21 GLEN STREET BELROSE NSW 2085 AUSTRALIA.
[sniffer] help needed
Hi All, We are migrating off of iMail with MXguard to Smarter Mail with Declude. Needless to say we run sniffer and will continue to, but we are having issues getting our filtering to work the way we want it to and would like to find someone to help out as a consultant on the setup to fine tune things. Thanks, Dodd
Re: [sniffer]A design question - how many DNS based tests?
Hi _M, Do you mean like reverse PTR records, or HELO lookups, etc..? --Paul R.

-----Original Message----- From: Message Sniffer Community [mailto:[EMAIL PROTECTED]] On Behalf Of Pete McNeil Sent: Tuesday, June 06, 2006 9:26 AM To: Message Sniffer Community Subject: [sniffer]A design question - how many DNS based tests?
Hello Sniffer Folks, I have a design question for you... How many DNS based tests do you use in your filter system? How many of them really matter? Thanks! _M
-- Pete McNeil Chief Scientist, Arm Research Labs, LLC.
Re: [sniffer]Numeric spam
I thought that having an SPF record would prevent a spammer from forging your domain name, but our SPF record did not seem to help with these odd numeric E-mails which appear to be coming from our own domain. Does anyone have any info about SPF records and if they really work to combat this type of junkmail?
Michael Stein Computer House

----- Original Message ----- From: Colbeck, Andrew To: Message Sniffer Community Sent: Tuesday, June 06, 2006 7:37 PM Subject: Re: [sniffer]Numeric spam
Both of which are reasonable, particularly given the recent Blue Security debacle that showed that it was possible for the spammers as well as the spammees to coordinate their information. It might be in a spammer's best interest to pursue either of your suggestions. However, I still think it is more credible to assume that this is a case of the spammer being simple-stupid instead of uber-clever.
Andrew 8)

From: Message Sniffer Community [mailto:[EMAIL PROTECTED]] On Behalf Of John T (Lists) Sent: Tuesday, June 06, 2006 4:26 PM To: Message Sniffer Community Subject: Re: [sniffer]Numeric spam
My thought is they are either building a db of valid names or testing delivery techniques.
John T eServices For You "Seek, and ye shall find!"

-----Original Message----- From: Message Sniffer Community [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Guluk Sent: Tuesday, June 06, 2006 3:46 PM To: Message Sniffer Community Subject: Re: [sniffer]Numeric spam
On Jun 6, 2006, at 7:51 AM, Steve Guluk wrote:
We're getting the same and today it started hitting a different account (Domain). What are these things? I thought exploratory, maybe looking for replies to build a DB for a later spam wave? They're not malicious in content and look like someone's virus working incorrectly. But, I doubt they are really so benign. Anyone understand their purpose?
On Jun 6, 2006, at 6:32 AM, Goran Jovanovic wrote:
I started seeing these messages Monday (yesterday) morning EDT. The from and to are the same (ie you sent it to yourself). I am tagging it but there is not enough stuff to push it into DELETE territory.
So no one has any idea what the purpose of these emails are? Random numbers for no apparent reason...?
Regards, Steve Guluk SGDesign (949) 661-9333 ICQ: 7230769
Re: [sniffer]Numeric spam
Hi Darin,

Thanks for your reply. Sure wish I understood what you're saying

Michael Stein
Computer House

----- Original Message -----
From: Darin Cox
To: Message Sniffer Community
Sent: Tuesday, June 06, 2006 8:10 PM
Subject: Re: [sniffer]Numeric spam

They do, but you have to both specify that email for your domains only comes from your mail servers AND use a test in your spam filtering that checks SPF and pushes fails over your hold limit.

Darin.

----- Original Message -----
From: Computer House Support
To: Message Sniffer Community
Sent: Tuesday, June 06, 2006 8:07 PM
Subject: Re: [sniffer]Numeric spam

I thought that having an SPF record would prevent a spammer from forging your domain name, but our SPF record did not seem to help with these odd numeric E-mails which appear to be coming from our own domain. Does anyone have any info about SPF records and if they really work to combat this type of junkmail?

Michael Stein
Computer House

----- Original Message -----
From: Colbeck, Andrew
To: Message Sniffer Community
Sent: Tuesday, June 06, 2006 7:37 PM
Subject: Re: [sniffer]Numeric spam

Both of which are reasonable, particularly given the recent Blue Security debacle that showed that it was possible for the spammers as well as the spammees to coordinate their information. It might be in a spammer's best interest to pursue either of your suggestions. However, I still think it is more credible to assume that this is a case of the spammer being simple-stupid instead of uber-clever.

Andrew 8)

From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Tuesday, June 06, 2006 4:26 PM
To: Message Sniffer Community
Subject: Re: [sniffer]Numeric spam

My thought is they are either building a db of valid names or testing delivery techniques.

John T
eServices For You
"Seek, and ye shall find!"

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Steve Guluk
Sent: Tuesday, June 06, 2006 3:46 PM
To: Message Sniffer Community
Subject: Re: [sniffer]Numeric spam

On Jun 6, 2006, at 7:51 AM, Steve Guluk wrote:

We're getting the same and today it started hitting a different account (Domain). What are these things? I thought exploratory, maybe looking for replies to build a DB for a later spam wave? They're not malicious in content and look like someone's virus working incorrectly. But, I doubt they are really so benign. Anyone understand their purpose?

On Jun 6, 2006, at 6:32 AM, Goran Jovanovic wrote:

I started seeing these messages Monday (yesterday) morning EDT. The from and to are the same (ie you sent it to yourself). I am tagging it but there is not enough stuff to push it into DELETE territory.

So no one has any idea what the purpose of these emails are? Random numbers for no apparent reason...?

Regards,
Steve Guluk
SGDesign
(949) 661-9333
ICQ: 7230769
Re: [sniffer]Ebay Phishing Emails getting through
We have not noticed any today.

Michael Stein
Computer House

----- Original Message -----
From: Jim Matuska Jr. [EMAIL PROTECTED]
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Wednesday, May 17, 2006 2:46 PM
Subject: [sniffer]Ebay Phishing Emails getting through

Has anyone else been getting an excess amount of ebay phishing emails making it through sniffer today? I have personally received a couple of them and have multiple users reporting the same. I have forwarded them to the sniffer spam@ address if you can take a look Pete it would be much appreciated.

Thank You,
Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe Information Systems
[EMAIL PROTECTED]

# This message is sent to you because you are subscribed to the mailing list sniffer@sortmonster.com. To unsubscribe, E-mail to: [EMAIL PROTECTED] To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED] To switch to the INDEX mode, E-mail to [EMAIL PROTECTED] Send administrative queries to [EMAIL PROTECTED]
RE: Re[2]: [sniffer] New Rulebot F001
I also have got a lot of false positives with code 063 which are HOLD now. I know it's not very nice to set email on HOLD when failing sniffer but I've got a major problem with spam and until a few days ago this was going well, at least a few false positives in a week.

03/07/2006 20:12:44.628 qdb2402d03b56.smd Msg failed SNIFFER (Message failed SNIFFER: 63.). Action=HOLD.
l6l0ow6m20060307191244 Ddb2402d03b56.smd 31 31 Match 672578 63 142 176 65
l6l0ow6m20060307191244 Ddb2402d03b56.smd 31 31 Final 672578 63 0 281965

Could this please stop, sniffer was pretty reliable for us, but not at the moment.

Regards,
Marcel Sangers
Traction IT

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Tuesday, 7 March 2006 0:18
To: Darin Cox
Subject: Re[2]: [sniffer] New Rulebot F001

On Monday, March 6, 2006, 3:42:50 PM, Darin wrote:

DC We just reviewed this morning's logs and had a few false positives.
DC Not sure if these are due to the new rulebot, but it's more than
DC we've had for the entire day for the past month.
DC Rules
DC --
DC 873261
DC 866398
DC 856734
DC 284831
DC 865663

Three of these are from F001 and have been removed.

865663 - http://www.dnsstuff.com/tools/ip4r.ch?ip=64.233.166.182 http://www.dnsstuff.com/tools/ptr.ch?ip=64.233.166.182
856734 - http://www.dnsstuff.com/tools/ip4r.ch?ip=64.249.82.200 http://www.dnsstuff.com/tools/ptr.ch?ip=64.249.82.200
873261 - http://www.dnsstuff.com/tools/ip4r.ch?ip=207.217.120.227 http://www.dnsstuff.com/tools/ptr.ch?ip=207.217.120.227

I haven't yet processed the fps, only looked up the rules. There are currently 32820 rules authored by the F001 bot.

Hope this helps,
_M

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
Re: [sniffer] False Positives
I second the motion. We have been submitting spam for over a year and I don't know if a single one was received. Thank you Jim, for the suggestion.

Michael Stein
Computer House
www.computerhouse.com

----- Original Message -----
From: Jim Matuska Jr. [EMAIL PROTECTED]
To: sniffer@SortMonster.com
Sent: Wednesday, February 15, 2006 4:40 PM
Subject: RE: [sniffer] False Positives

Pete,

Is there any way to get an automatic response similar to the one listed below for the FP address, but for submissions to your spam@ address? It would be nice to get some feedback when submitting spam.

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe Information Systems
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Wednesday, February 15, 2006 1:28 PM
To: Kevin Rogers
Subject: Re: [sniffer] False Positives

On Wednesday, February 15, 2006, 3:54:50 PM, Kevin wrote:

KR My users have been getting a lot of FPs by Sniffer lately. They send me
KR the email with the FULL HEADERS displayed and I forward this email on to
KR SortMonster. The program they use to analyze incoming submissions checks
KR MY email headers, determines that SNIFFER was not at fault and sends me
KR back an email saying it didn't find any flags.

Just to clarify a bit, here is the standard response you're probably talking about:

[FPR:0] The message did not match any active black rules as submitted. The rules may have been modified or removed. If you provide matching log entries from your system then we can research this further.

Note that sometimes our false processing system may not identify the rules that matched this message on your system due to changes in the submitted content that might occur during the forwarding process.

Please also be sure you are running the latest version, that your rulebase file is up to date, and that you do not have any unresolved errors in your Sniffer log file. Bug fixes in newer versions may resolve false positive issues or reduce the risk of false positives through enhanced features and new technologies. Certain errors in your log file may indicate a corrupted rulebase.

---

The software we use to scan false positive submissions is a version of SNF that includes every rule we have in our system. If the message does not match any of these rules, MOST of the time it means that the rule has been removed already.

If that is not the case, then the next step is to provide matching log entries. On some systems this is not necessary because the headers may already contain SNF x-header data that shows the rules involved.

This process is not intended to make things difficult, but to save time. The majority of the time, our local scanner will identify the rule or rules in question and we will respond accordingly. When that is not the case we simply need more data to move forward with the investigation.

Usually, when a rule is still in the system and it does not match a false positive submission it is because the original message was altered during the forwarding process or that some condition of being attached has prevented the scanner on this end from reproducing the result you had on your system.

Hope this helps,
_M
Re: [sniffer] Bad Rule - 828931
Dear Pete,

In the future, please let us know immediately when you become aware of this. As it is, I will spend the next 3 hours picking out the false positives from the mailbox and forwarding them to the clients. If I could have put the rulepanic in place an hour ago it would have saved me a lot of work and confused customers.

Thank you,
Michael Stein
Computer House

----- Original Message -----
From: Pete McNeil [EMAIL PROTECTED]
To: sniffer@sortmonster.com
Sent: Tuesday, February 07, 2006 4:07 PM
Subject: [sniffer] Bad Rule - 828931

Hello Sniffer folks,

I'm sorry to report that another bad rule got past us today. The rule has been removed (was in from about 1200-1500), but it may be in some of your rulebases.

To avoid a problem with this rule you can enter a rule-panic entry in your .cfg file for rule id: 828931

If it is not already, the rule will be gone from your rulebase after your next update.

Thanks,
_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)
Chief Scientist (www.armresearch.com)
Re: Re[2]: [sniffer] Bad Rule - 828931
Dear Pete,

Please excuse my previous E-mail if it seemed a bit harsh. I guess I am so used to your great service, that on the rare occasion when this happens, I panic. Thanks for being there to walk me through the procedure.

Sincerely,
Michael Stein
Computer House

----- Original Message -----
From: Pete McNeil [EMAIL PROTECTED]
To: Computer House Support sniffer@SortMonster.com
Sent: Tuesday, February 07, 2006 4:24 PM
Subject: Re[2]: [sniffer] Bad Rule - 828931

I do most humbly apologize,

It was my intention to do it immediately, however I became embroiled in related support issues and was delayed. I don't expect more of these, but I will make announcing their discovery the next event after removing them from the system.

Thanks,
_M

On Tuesday, February 7, 2006, 4:19:24 PM, Computer wrote:

CHS Dear Pete,
CHS In the future, please let us know immediately when you become aware of this.
CHS As it is, I will spend the next 3 hours picking out the false positives from
CHS the mailbox and forwarding them to the clients. If I could have put the
CHS rulepanic in place an hour ago it would have saved me a lot of work and
CHS confused customers.
CHS Thank you,
CHS Michael Stein
CHS Computer House
CHS ----- Original Message -----
CHS From: Pete McNeil [EMAIL PROTECTED]
CHS To: sniffer@sortmonster.com
CHS Sent: Tuesday, February 07, 2006 4:07 PM
CHS Subject: [sniffer] Bad Rule - 828931
CHS Hello Sniffer folks,
CHS I'm sorry to report that another bad rule got past us today. The
CHS rule has been removed (was in from about 1200-1500), but it may be
CHS in some of your rulebases.
CHS To avoid a problem with this rule you can enter a rule-panic entry
CHS in your .cfg file for rule id: 828931
CHS If it is not already, the rule will be gone from your rulebase after
CHS your next update.
CHS Thanks,
CHS _M
CHS Pete McNeil (Madscientist)
CHS President, MicroNeil Research Corporation
CHS Chief SortMonster (www.sortmonster.com)
CHS Chief Scientist (www.armresearch.com)
RE: Re[2]: [sniffer] Last chance to renew at the old price!
You certainly crossed a line of ethical integrity at the very least.

Pete: If you don't already have a 'non-compete' agreement in your reseller agreement it's time. I would never have believed someone would actually try to sell your reseller rates to your customer base. It's simply appalling. And should be grounds for termination.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of John T (Lists)
Sent: Wednesday, December 28, 2005 8:46 PM
To: sniffer@SortMonster.com
Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

Absolutely not. In fact, if you read my post after this, I am questioning whether or not it can be sold for a lower price. I am not here to undermine any one, as after all where do you think the license that I sell comes from? After all, we are all here to help one another.

John T
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peer-to-Peer (Support)
Sent: Wednesday, December 28, 2005 5:41 PM
To: sniffer@SortMonster.com
Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

John T:
Did you just solicit the ENTIRE sniffer community with pricing that will undermine Pete? Never bite the hand that feeds you my friend.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of John T (Lists)
Sent: Wednesday, December 28, 2005 8:17 PM
To: sniffer@SortMonster.com
Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

Although I am a registered reseller, I normally only sell hardware and software to clients as part of my services. However, if any one is interested in a price, contact me off list.

John T
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin
Sent: Wednesday, December 28, 2005 5:00 PM
To: sniffer@SortMonster.com
Subject: Re: Re[2]: [sniffer] Last chance to renew at the old price!

After posting this, another reseller pm me their renewal rate of $269. I didn't know Sniffer had another reseller besides Declude. Anyways, for those who are interested and want to save money, it's https://www.computerhouse.com/ccsecure.html

At 01:21 PM 12/28/2005, you wrote:

Can we renew at declude.com since their pricing is $292.50? I assume their prices will increase on Jan 1, 2006 too.
RE: [sniffer] About Resellers, and the best laid plans of mice & men...
Sorry papa _M
Sorry John T

Just want to see sniffer around in the future and got a little excited.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Pete McNeil
Sent: Wednesday, December 28, 2005 9:51 PM
To: sniffer@sortmonster.com
Subject: [sniffer] About Resellers, and the best laid plans of mice & men...

Hello Sniffer Folks,

Before things get too out of hand I thought I'd post a few remarks just to make sure there are no misunderstandings.

First of all, the price on the ComputerHouse site was an error and it has already been corrected. (That's the mice and men part... a simple mistake, now all taken care of.)

Next, while it would be bad form for one of our resellers to advertise directly on our list, THAT DID NOT HAPPEN here. Someone else pointed out the discount, and that's ok.

Regarding our reseller programs in general and where we stand on this. As Mike is fond of saying, We like customers All customers :-)

It's perfectly ok to us for you to buy from one of our resellers or from us directly. Pick the relationship that fits you best. -- Technically, our resellers are really considered VARs, and they all have special things to offer that you may need.

Purchasing from us directly also has some benefits (the additional funds help speed up R&D), but ultimately, if you use and support SNF, through us or through one of our partners, you are still supporting SNF and that's a good thing! :-)

Our goal is to foster a broad, vibrant community of consultants, end users, VARs, OEMs, service providers, and even plain old interested parties that use and support SNF. After all, email security is a big concern for everyone and the best thing we can do is work together.

Hope this helps,
Thanks,
_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)
Chief Scientist (www.armresearch.com)
RE: [sniffer] Last chance to renew at the old price!
We've already renewed this morning. From our point of view even at the $170 per year more would still be far less costly than the cost of finding, evaluating and implementing another solution. Not to mention the potential loss of business if our customers were not happy with the replacement's results.

Just 2 cents from a guy that rarely says anything :)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Murdoch
Sent: Tuesday, December 27, 2005 2:14 PM
To: sniffer@SortMonster.com
Cc: Pete McNeil
Subject: RE: [sniffer] Last chance to renew at the old price!
Importance: High

Hi Folks,

Actually, here is some more detail as to the reasons for the price increase. In addition, please bear in mind that prices haven't been raised in approximately 2 years and even with this increase we are priced very competitively.

The new feature/benefits and more to come are as follows:

* In the past 6 months we have more than doubled the number of updates per day and we will continue to increase our bandwidth and the speed of our updates.
* We have more than tripled our staff to improve our monitoring, support, and rule generation capabilities. Come January, we are again doubling this staff as the black-hats have gotten much more sophisticated and this has become a 24x7 battle. Even Pete needs to sleep sometimes. :-)
* We are adding new R&D programs for AFF/419 spam and Malware mitigation (many of the results from these projects have already been implemented).
* During this next year as part of our continuous improvement policy we will continue to roll out new features and enhancements such as fully automated reporting, in-band real-time updates, an optimized message processing pipeline, image and file attachment tagging, advanced header structure analysis, enhanced adaptive heuristics, improved machine learning systems, real-time wave-front threat detection, and many more...

It's important to recognize that many of our improvements don't require new software to be installed on the client side since they are delivered through rulebase enhancements. Though this often causes our work to go unnoticed, it is actually a design feature since it means that your installation requires very little maintenance. This translates to lowered administration costs and higher reliability.

As a result of this reliability-first design strategy, it may not always be obvious that our service is constantly being improved and enhanced - we never stand still ;-)

We'd hate to see any of you go, but please do compare us with other services. I'm sure that you'll find we're well worth the money, but it's always good to keep your options open. In fact, best practice these days for spam filtering is to use a blended approach that leverages many services. We personally encourage that for best results.

Please let me know if you have any questions. Thank you for your feedback and business!

Sincerely
Michael Murdoch
The Sniffer Team
ARM Research Labs, LLC
Tel. 850-932-5338 x303

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fox, Thomas
Sent: Tuesday, December 27, 2005 1:03 PM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] Last chance to renew at the old price!

I said the same thing, and the response was, basically, We haven't raised the price in a long time, we need the money, like it or lump it.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Koontz
Sent: Tuesday, December 27, 2005 1:57 PM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] Last chance to renew at the old price!

Pete, why over a 50% increase? That seems rather drastic

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Tuesday, December 27, 2005 12:42 PM
To: sniffer@sortmonster.com
Subject: [sniffer] Last chance to renew at the old price!

Hello Sniffer folks,

This is just a friendly reminder that prices will be going up January 1. You can add a year to your SNF subscription at the current price if you renew before January 1.

Details are here: https://www.armresearch.com/message-sniffer/forms/form-renewal.asp

Thanks,
_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)
Chief Scientist (www.armresearch.com)
[sniffer] Organized Blackhats Imail Question
Dear Pete,

Thank you for the beautifully-written and very informative treatise on how the spammers operate. The time you put into the writing is greatly appreciated. We also appreciate the work and research you are doing to combat the Blackhats!

On another subject, this weekend we are planning to upgrade to the new Imail Server 2006 version. (released yesterday) Can you think of any reason why we might run into compatibility issues with Sniffer or Declude?

Thank you,
Michael Stein
Computer House
www.computerhouse.com

----- Original Message -----
From: Pete McNeil [EMAIL PROTECTED]
To: sniffer@sortmonster.com
Sent: Thursday, December 01, 2005 12:18 PM
Subject: [sniffer] Organized Blackhats

Hello Sniffer Folks,

Just before Thanksgiving, I was responding to a question about increased spam leakage and as Murphy would have it, my email client ate my homework. That is, most of the response didn't make it.

The information was interesting enough that I have gone back and rewritten the missing pieces. The blackhats have made some substantial changes recently and I'm pretty sure I've spotted a bunch of the important ones.

Please follow this link and tell me what you think.

http://www.sortmonster.com/MessageSniffer/Help/Papers/OrganizedBlackHats/

Have a great day. Now back to work with me...

Thanks,
_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)
Chief Scientist (www.armresearch.com)
[sniffer]
Pete,

What do we need to do to increase our rulebase strength? I don't know if it's just a larger amount of spam messages in general or a larger % of them getting through, but I have customers complaining.

Thanks
Dodd
RE: Re[2]: [sniffer]
_M,

_M said "will create a default installation that emits headers and puts a .cf file in place for SA to interpret them."

Not sure if this is relevant to your thought process, but we feel that SA (SpamAssassin) does more harm than good. Under moderate loads it bogs down MDaemon so we always have SA disabled. Sniffer is by far superior in every category, (accuracy, speed, dependability etc...) so there's no need to use SpamAssassin.

My point: Keep in mind that some of us use sniffer independently (not tied to SA). We're using Sniffer's .cfg plug-in for MD ver 8. I assume you will, and I probably misunderstood your post, but just wanted to mention this out loud.

Thanks,
Paul R

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Pete McNeil
Sent: Thursday, November 10, 2005 10:43 AM
To: Daniel Bayerdorffer
Subject: Re[2]: [sniffer]

On Thursday, November 10, 2005, 9:40:42 AM, Daniel wrote:

DB Hi Pete,
DB Thanks for the info. I actually already have the current version running.
DB I'm very happy with its performance. I just did not have a clear
DB understanding on those issues.
DB On another note, when you have the new version install, will it overwrite my
DB current settings? And will it also install scripts for updating the rule
DB base, and sending logs? Because I already have that setup now.

In theory the installer will know if there is a previous version and will not adjust any of the config data.

It's a bit of a complicated problem because there are so many ways to configure the software.. so the installation process can be complex.

I'd like to know how you have your updates set up - perhaps I can use that as a model for the installer.

The basic idea is that the installer will create a default installation that emits headers and puts a .cf file in place for SA to interpret them. After that, the technically minded can manually adjust the installation.

If the installer finds an installation in place then it will likely update the .DLL and leave everything else alone.

Comments about these concepts are welcome, of course. The goal is to make a plug-and-play installation possible while leaving the more sophisticated options open to the technically minded.

Thanks,
_M
Re: [sniffer] Rash of false positives
Dear Darin,

Thanks for the heads up. It's going to take me about 45 minutes to check the 9000 messages that were blocked by Sniffer last night, but I'll let you know if we experienced the same thing.

Michael Stein
Computer House
www.computerhouse.com

----- Original Message -----
From: Darin Cox
To: sniffer@SortMonster.com
Sent: Tuesday, November 08, 2005 8:45 AM
Subject: [sniffer] Rash of false positives

Hi Pete,

What's going on over there? We had somewhere between 5 and 10 times the usual number of Sniffer false positives this morning. They are across the board, so it's not just one rule that's catching them, or a particular set of senders or receivers. Hopefully you can get it under control soon.

It would also be extremely helpful if you could speed up the false positive processing. Lately it seems to take 2-4 days for the rules to be adjusted, which usually means more of the same are caught and submitted over that time. I believe speeding up that process would result in fewer to process all around.

Thanks,
Darin.
Re: Re[2]: [sniffer] Large amounts of spam still getting through
For what it's worth, we have not seen a major increase in spam this week either. Things seem pretty normal. We did recently upgrade to the Pro version of Declude Junkmail, and now it is much easier to block mail from certain countries (like .cz .ru etc.) as well as header and subject content, etc.

By the way, has anyone seen the spam that gets through that has the header info in the body of the mail message instead of where it's supposed to be? How is that possible?

Michael Stein
Computer House
www.computerhouse.com

----- Original Message -----
From: Rick Hogue [EMAIL PROTECTED]
To: sniffer@SortMonster.com
Sent: Saturday, October 15, 2005 12:33 PM
Subject: RE: Re[2]: [sniffer] Large amounts of spam still getting through

My only concern is that all of this was being caught by Sniffer before and all of a sudden very little of it is being caught. We are told that they are working on it to get it fixed but we are getting slammed by customers telling us we are not catching any spam. Any help in a solution other than greylisting would be really appreciated. Or is this a declude problem?

Rick Hogue
Intent.Net - Web Hosting
3802 Handley Avenue
Louisville, KY 40218
1-502-459-3100
1-800-866-2983 Toll Free
Re: [sniffer] POP
Hi Pete,

I don't believe that I received an answer to my question (below)

Thank you.

Dear Pete,

Are we ready to switch to the POP method of submitting spam, or are we waiting for an official announcement/instructions from you?

Mike Stein
Computer House
www.computerhouse.com
[sniffer] POP Approach
Dear Pete,

Are we ready to switch to the POP method of submitting spam, or are we waiting for an official announcement/instructions from you?

Mike Stein
Computer House

----- Original Message -----
From: Pete McNeil [EMAIL PROTECTED]
To: Darin Cox sniffer@SortMonster.com
Sent: Tuesday, October 11, 2005 9:16 AM
Subject: Re[2]: [sniffer] Spam keeps getting through...

For spam submissions, we are moving to a POP approach because it is more secure and more scalable. In general, spam can be redirected or forwarded to an account on your system and we can pop those messages from there. If you have any clean spamtraps that you would like to share with us then we would pull those messages from a different pop account. (We treat clean spamtraps differently than user submitted spam.)
Re: [sniffer] Sniffer TMP files
Dear Pete,

We had to reinstall Imail, and now I am not seeing any more TMP files in the spool folder. Everything seems to be working OK, but I miss those sweet little TMP files. Should I be concerned? What may have changed?

Thank you,
Michael Stein
Computer House
Re: [sniffer] Sniffer and SmarterMail?
Sheldon,

Saturday, June 4, 2005 you wrote:

The SquirrelMail web interface is not bad although it is PHP 4. The web admin interface is pretty good, too, and can be php 5.

SK Does this really matter for us non programmers?

It does actually. Just make sure to install the PHP 4 version that works with both SquirrelMail and the web admin interface if you intend to use either or both of them. SquirrelMail works with IMAP too so if it is on a different server then you have to enable IMAP.

---
Terry Fritts
Re[2]: [sniffer] Sniffer and SmarterMail?
Hi Joe,

Yeah, we had talked about buying the low cost Declude Virus/JM versions and then letting Sniffer hook into those as well as then hooking with SmarterMail... That's an option for you too.

-jason

- - - - - - - - - - - - - - - - - -
Wednesday, June 1, 2005, 7:02:30 PM, you wrote:

JW Mdaemon may be great, but it's out of my budget. I can't afford $2500 for
JW the mail server and then another $1600 for the anti-virus. Especially when
JW I compare it to SmarterMail at $600.
JW I would love to continue to use Sniffer... I respect it more than Imail and
JW Declude combined! But the fact is that it's time to move on. Ipswitch has
JW completely lost their mind and just doesn't give a damn about their
JW customers, failed to fix major problems, and raised their prices thru the
JW roof.
JW It may be very simple to plug in Sniffer to SmarterMail, but I'm not a
JW developer. I don't really want to run a non-supported implementation.
JW If there's a better option than SmarterMail I'd love to hear it, but I can't
JW compare a $4000+ server to a $600 one.
Re: [sniffer] Sniffer and SmarterMail?
Joe,

Wednesday, June 1, 2005 you wrote:

JW If there's a better option than SmarterMail I'd love to hear it,
JW but I can't compare a $4000+ server to a $600 one.

hMailServer is free and open source. Once I finish the script work for calling Sniffer and the work-around for ClamDscan and FPROT I'll post it. Clamdscan is the service (daemon) for ClamAV. No reason that the daemon version of Sniffer couldn't be used as well.

The SquirrelMail web interface is not bad although it is PHP 4. The web admin interface is pretty good, too, and can be php 5.

---
Terry Fritts
[sniffer] Spam Question
Dear Pete,

Does anyone look at the mail that is forwarded to [EMAIL PROTECTED], or is it a 100% automatic process?

Thank you,
Michael Stein
Computer House
[EMAIL PROTECTED]
www.computerhouse.com
[sniffer] FTP and web down?
What's going on over there? Our FTP process has been failing since yesterday afternoon, and when I go to the main website it prompts me for an ID and PW. Darin.
Re: [sniffer] FTP and web down?
Looks fine now. I couldn't get there earlier this morning through two different ISPs, though, and updates from 7pm last night through this morning failed. Maybe a temporary routing or DNS issue.

Darin.

- Original Message -
From: Pete McNeil [EMAIL PROTECTED]
To: Hosting Support sniffer@SortMonster.com
Sent: Friday, May 13, 2005 9:57 AM
Subject: Re: [sniffer] FTP and web down?

On Friday, May 13, 2005, 9:11:15 AM, Hosting wrote:

HS What's going on over there?
HS
HS Our FTP process has been failing since yesterday afternoon,
HS and when I go to the main website it prompts me for an ID and PW.

I'm not seeing a problem - I'm on the site right now in fact, and the crew is doing work on new rules --- logs show normal activity --- I'll look closer, but it seems that everything is ok from here.

_M
Re: [sniffer] Rule 353039 - .comcast.net
Whew! Just got done forwarding 90 false positives to mail clients. Sure glad you caught it!

Michael Stein
Computer House

- Original Message -
From: Pete McNeil [EMAIL PROTECTED]
To: sniffer@sortmonster.com
Sent: Tuesday, May 10, 2005 10:27 AM
Subject: [sniffer] Rule 353039 - .comcast.net

Hello Sniffer Folks,

A rule was created today by one of the robots which targets .comcast.net -- This happened when a number of blacklists including SBL listed comcast IPs causing the robot to be convinced that a message in the spamtrap warranted tagging the domain.

The rule has been removed and I am pushing out new rulebase compilation as quickly as possible. Please do not rush to download your rulebase file in response to this --- wait for the update notification or else your file is not updated.

I believe we've caught this quickly enough that most of you will not be affected. However, if you suspect that you do have the bad rule in your rulebase you can temporarily eliminate the rule by adding 353039 to your Rule-panic entries in your configuration file.

The rule cannot be recreated once removed. We are very sorry for the confusion.

Thanks,
_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)
Re: [sniffer] Rule 353039 - .comcast.net
Mail from Comcast is still getting caught, even with the panic rule in place. Any suggestions?

Mike Stein
Re: [sniffer] Rule 353039 - .comcast.net
Matt,

Restarting the sniffer service seems to have done the trick. Thank you for the suggestion!

Michael Stein
Computer House
[EMAIL PROTECTED]

- Original Message -
From: Matt [EMAIL PROTECTED]
To: sniffer@SortMonster.com
Sent: Tuesday, May 10, 2005 12:46 PM
Subject: Re: [sniffer] Rule 353039 - .comcast.net

See my message below...restart your Sniffer service and it should work.

Matt

Computer House Support wrote:

Mail from Comcast is still getting caught, even with the panic rule in place. Any suggestions?

Mike Stein

--
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
Re: [sniffer] Fw: Undeliverable Mail
Shame on you for being on the road... you should know better than to leave your machines alone...you never know what trouble they might get into while you're gone grin.

I was out for 2 hours over lunch today, and sure enough, IIS stops responding on one of our hosting servers right after I leave. Ah, the joy of being in IT...

Darin.

- Original Message -
From: Pete McNeil [EMAIL PROTECTED]
To: Frederick Samarelli sniffer@SortMonster.com
Sent: Wednesday, April 27, 2005 4:31 PM
Subject: Re: [sniffer] Fw: Undeliverable Mail

On Tuesday, April 26, 2005, 6:25:38 PM, Frederick wrote:

FS Look what I got.

There has been some trouble with my mail server --- attacks and other technical issues while I was on the road. I'm back now and I'm working through it. Things _appear_ to be settling down. Sorry for any confusion.

_M
RE: Re[4]: [sniffer] Message Sniffer Plugin for MDaemon Wide Beta Promo
Tip for MDaemon plug-in users. Sniffer's .cfg file has an option 'not' to scan files larger than 'X'. If this option is set then no sniffer headers will be placed into the message (if the message is larger than 'X'). Beware, if you use MD's Content Filter to instruct where to send messages based on sniffer's 'results' as there will be no results if the file is never scanned ;)

Paul R

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Pete McNeil
Sent: Wednesday, April 20, 2005 3:30 PM
To: Jim Matuska
Subject: Re[4]: [sniffer] Message Sniffer Plugin for MDaemon Wide Beta Promo

On Wednesday, April 20, 2005, 2:30:25 PM, Jim wrote:

JM Pete,
JM Is there a difference between the normal .snf files I have been downloading
JM and the one for the plugin? I have setup my script to download the .snf
JM file and noticed it is a couple mb's smaller than the included demo .snf
JM file.

There is no significant difference. The mdaemon1 file contains some extra rules, but these are not normally needed in production. During the test we wanted to make sure we used the largest valid rulebase file we generate. After the test it will be best to use normal rulebase files.

_M
RE:Re: Re[4]: [sniffer] Message Sniffer Plugin for MDaemon Wide Beta Promo
_M I'll try this one,

Jim, you will keep all of your Content Filter rules the same 'except' you will disable (or delete) the two Sniffer entries 'Run Message Sniffer' 'Add Headers'. Those two functions will be generated from the plug-in. Also, if you are using the results codes (in the Content Filter) you will need to change any instance of X-SPAM-Msg-Sniffer-Result TO X-SortMonster-MessageSniffer-Result as indicated in the readme.txt file.

Paul R

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Jim Matuska
Sent: Wednesday, April 20, 2005 5:01 PM
To: sniffer@SortMonster.com
Subject: (DUMP)Re: Re[4]: [sniffer] Message Sniffer Plugin for MDaemon Wide Beta Promo

I meant do I configure actions based on the headers that sniffer returns like in the non plug in version, or does the plugin do this automatically, the documentation for the plug in is kind of vague in comparison to the older version.

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe Information Systems
[EMAIL PROTECTED]

- Original Message -
From: Pete McNeil [EMAIL PROTECTED]
To: Jim Matuska sniffer@SortMonster.com
Sent: Wednesday, April 20, 2005 1:51 PM
Subject: Re[4]: [sniffer] Message Sniffer Plugin for MDaemon Wide Beta Promo

On Wednesday, April 20, 2005, 4:19:48 PM, Jim wrote:

JM Do you configure rules similar to in the previous versions, or by using this
JM as a plug in is there a GUI for configuration.

We configure the rulebase the same way we have in the past. Using the plugin is not different from using the command line utility except that the performance is better (faster) and the installation and operation is simpler. The service/subscription part of Message Sniffer has not changed.

---

We have a GUI web app for the rulebase (we use it every day), however we have discovered through trial and error that a lot of specialized training is required to keep the rulebase working correctly and that one GUI does not suit many users... each group seems to need their own!

We are working on plans for some simpler web apps in the future to handle specialized tasks, however that too seems best handled in other ways for the time being. For example, every system that provides automation to their users for false positive handling and custom black-rules seems to do it in their own special way --- so rather than build a web app that doesn't really suit anyone we have adopted the strategy of providing automation tools (such as our XML based REmost SCripted Updater [RESCU] utility) and consulting to integrate each customer's existing or planned automation efforts with their back-end rulebase configuration. These efforts are usually reserved for larger systems such as small ISPs and filtering service providers.

As always we want to support any third party efforts to provide automation tools also. So far we haven't seen much in the way of GUI automation, probably for the same reasons we haven't tackled it yet.

I think I may have answered more than the base question here - but I'm hoping I've addressed some of the underlying questions.

_M
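Paul R's two notes above describe a fail-open case: a message larger than the scan limit carries no X-SortMonster-MessageSniffer-Result header, so a Content Filter rule keyed on the result never fires. As an added illustration (not code from the list, MDaemon or Message Sniffer), this Python example routes on three states instead of two; the integer result format with 0 meaning clean, the sample messages and the 2048-byte limit are assumptions.

```python
from email import message_from_bytes

# Header name as quoted on the list from the plug-in's readme.txt.
RESULT_HEADER = "X-SortMonster-MessageSniffer-Result"


def sniffer_result(raw):
    """Return the integer result code, or None when no usable result exists.

    Assumption: the header value starts with an integer and 0 means clean.
    Zero headers means the message was never scanned; several headers or a
    non-numeric value are ambiguous, so neither is trusted as a result.
    """
    msg = message_from_bytes(raw)
    values = msg.get_all(RESULT_HEADER, [])
    if len(values) != 1:
        return None
    parts = str(values[0]).split()
    token = parts[0] if parts else ""
    return int(token) if token.isdigit() else None


def route_naive(raw):
    """Weak rule: only a nonzero result is held, so unscanned mail is delivered."""
    code = sniffer_result(raw)
    return "quarantine" if code not in (None, 0) else "deliver"


def route(raw):
    """Corrected rule: a missing result is its own state, not 'clean'."""
    code = sniffer_result(raw)
    if code is None:
        return "hold-unscanned"
    return "deliver" if code == 0 else "quarantine"


def audit(messages, size_limit):
    """Count routing decisions and how many unscanned messages exceed size_limit bytes."""
    summary = {"deliver": 0, "quarantine": 0, "hold-unscanned": 0,
               "unscanned_over_limit": 0}
    for raw in messages:
        decision = route(raw)
        summary[decision] += 1
        if decision == "hold-unscanned" and len(raw) > size_limit:
            summary["unscanned_over_limit"] += 1
    return summary


def make_sample(result, body_len):
    """Build a constructed test message; result=None omits the header."""
    headers = [b"From: sender@example.com",
               b"To: user@example.net",
               b"Subject: constructed sample"]
    if result is not None:
        headers.append(RESULT_HEADER.encode() + b": " + str(result).encode())
    return b"\r\n".join(headers) + b"\r\n\r\n" + b"x" * body_len


# Constructed samples: 52 is an arbitrary nonzero code, 3000 bytes stands in
# for a message above the configured scan limit.
SAMPLES = {
    "small_clean": make_sample(0, 200),
    "small_spam": make_sample(52, 200),
    "oversized": make_sample(None, 3000),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "naive:", route_naive(raw), "corrected:", route(raw))
    print(audit(SAMPLES.values(), 2048))
```

The audit count shows how much mail is bypassing the scanner at the current size limit, which is the figure to watch before raising or removing that limit.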
Re: [sniffer] Smartermail
Hi Steve,

You wrote: We are going to be moving to another mail package (you know why)...

I would very much like to hear your comments about Imail and any difficulties you've encountered and why you feel the need to switch. You can write to me offline if you'd prefer.

Thank you,
Michael Stein
Computer House
[EMAIL PROTECTED]
www.computerhouse.com
[sniffer] RuleBase ktk82hrr
Dear Pete,

Our rulebase file grew from 11 meg to 17.5 meg since the last download a few hours ago. Is this right?

Michael Stein
Computer House
[EMAIL PROTECTED]
Re: [sniffer] RuleBase ktk82hrr
Correction, make that 23 meg!

Mike

- Original Message -
From: Computer House Support [EMAIL PROTECTED]
To: sniffer@SortMonster.com
Sent: Wednesday, January 05, 2005 12:33 AM
Subject: [sniffer] RuleBase ktk82hrr

Dear Pete,

Our rulebase file grew from 11 meg to 17.5 meg since the last download a few hours ago. Is this right?

Michael Stein
Computer House
[EMAIL PROTECTED]
Re: [sniffer][sniffer]
Katie,

Take a copy of the failed message and submit it to [EMAIL PROTECTED] with your license base ID and they will tell you why it failed and setup a whiterule to prevent it from being tagged in the future.

Darrell

Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, MRTG Integration, and Log Parsers.

Katie LaSalle-Lowery writes:

Would anyone be able to help me determine why a message is caught by sniffer? Sniffer is catching mail from our sister company. I could send a test from that server...

Thanks!

Katie LaSalle-Lowery
Centric Internet Services
1410 Reserve St.
Missoula, MT 59801
Local Phone 549-3337 ext. 21
Toll Free (888)593-2776 ext. 21
Fax (406)721-3438
Re: [sniffer] MDaemon Opinion OT
We're testing mailEnable later this week for this very reason. They claim to have a utility to migrate from iMail, boxes intact.

http://www.mailenable.com/addons_Conversion.asp

Dodd

- Original Message -
From: SniffMe
To: [EMAIL PROTECTED]
Sent: Thursday, November 11, 2004 3:38 AM
Subject: Re: [sniffer] MDaemon Opinion OT

One thing to consider before making the Imail - MDaemon jump (or similar mailservers)...

When I evaluated MDaemon, I noticed that messages are stored in individual .msg files inside the user's mailbox directory. Imail stores the mail in a common mailbox.mbx file. If your users store their mail on the server (webmail/imap/pop3 on server), you would have to migrate these messages over. I've yet to see a utility built for parsing a mailbox.mbx file into multiple mail.txt files, though I'm sure one could be made relatively easily in java/perl/whatever.

I asked MDaemon support about possible import tools, and they suggested using a pop retrieval program on the individual mailboxes. Unfortunately that solution falls short in a few areas for us.

1. For a large number of mailboxes, that can become time consuming.
2. It's limited to only being able to download a user's inbox.mbx, leaving their sent items, drafts, and other imap folders behind.
3. MDaemon does not support direct mail to a user's submailbox (Imail's equivalent of a mailbox delimiter). I was hoping that I could directly query [EMAIL PROTECTED] (which I can) and have Bob's Sent.mbx redirected automatically to a Sent folder on the MDaemon server ([EMAIL PROTECTED]). No such luck.

Please understand that this was something that we anticipated would cause issues with our migration. All of this may be a nonissue for you if your users are emptying their mailboxes regularly. This behavior was noted on General Download/Release 7.20. I've got no clue what later/beta versions can or cannot do.

Good luck!

John

- Original Message -
From: Jorge Asch
To: [EMAIL PROTECTED]
Sent: Wednesday, November 10, 2004 3:57 PM
Subject: Re: [sniffer] MDaemon Opinion OT

Also does anyone know if MDaemon has a way users can modify their spam settings independent of a global policy or administrator set rules. It would be nice to let our users that complain about false positive lower their spam setting and those that complain about anything getting through the spam filters.

Not at the moment. This is on the Wishlist (per-user settings), and hopefully we will see it next year.

The plugin is available as we speak, I've been using it for 16 hours with minimal problems (an inconsistency with the headers). Pete posted the link on the md-beta forum last night and asked for feedback. If you don't have access to the md-beta mailing list, then Pete might publish the link here as well later (he is working on some fixes right now). Be aware that you need to run the latest MD beta to run the plugin (7.50d). If you're not comfortable running beta software, the release date for MD 7.50 (final) is on February 1st, 2005. Until then, using the MD beta release is the only way to use the plugin.

--
Jorge Asch Revilla
CONEXION DCR
www.conexion.co.cr
800-CONEXION
[sniffer] Imail
Hello Sniffer folks,

Want to know why I have not renewed my Ipswitch Support Agreement? Here is their response to a serious bug that I reported. (Which has yet to be fixed).

Mike,

Our Development Team has looked into this issue and has verified it as a defect that was introduced in Imail v8.1. Changes to this functionality would take an extended period of time; this is the reason we do not have any current plans to address this.

Best Regards,
Daniel J Whitaker
Messaging Support Team
Ipswitch, Inc.

Michael Stein
Computer House
www.computerhouse.com
(609) 652-3222
Re: [sniffer] Imail
John Tolmachoff wrote: What is the bug?

The bug in Imail was that the Control Panel for the Mail-to-Fax feature stopped functioning properly. We are heavy users of Mail-to-Fax, and the loss of the ability to work with the fax spool files has made things difficult for us.

Mike Stein
Re: [sniffer] spam leakage up
Yes, I would also like to know how you generated that nice spam report.

Michael Stein
Computer House
www.computerhouse.com

- Original Message -
From: Herb Guenther
To: [EMAIL PROTECTED]
Sent: Thursday, June 24, 2004 11:46 AM
Subject: Re: [sniffer] spam leakage up

wow, that is even worse than we are seeing, we are at about 80%, but should really be at about 85% if all were tagged. Here is our last week's stats, we did not see an increase in volume, so much as the amount getting thru in the last couple days and continuing today.

Herb

SPAM Report
Statistics are based on the last 6,150,612 email messages received.
You are viewing Server 1 Stats
View Server 2 stats

Statistic                        06/17   06/18   06/19   06/20   06/21   06/22   06/23  Weekly Total  Daily Avg.
Delivered Messages              34,291  30,762  22,331  22,484  31,245  33,588  33,582       208,283      25,311
Good Messages                    6,493   5,101   1,595   1,721   6,209   6,772   6,170        34,061       5,221
Spam Messages                   27,798  25,661  20,736  20,763  25,036  26,816  27,412       174,222      20,090
Spam Percent                       81%     83%     92%     92%     80%     79%     81%           84%         79%
Mal Formed Headers               3,845   4,277   3,193   3,555   4,094   4,286   4,459        27,709       4,949
Spam Headers                     4,544   4,081   3,665   3,367   4,800   5,712   6,129        32,298       3,308
Spam Routing                     6,351   5,697   5,200   5,613   5,718   6,072   5,616        40,267       3,375
No Reverse DNS                   6,864   7,787   6,529   6,729   7,742   6,783   5,023        47,457       2,446
White Listed                     1,157     968     116     162   1,237   1,245   1,229         6,114         785
General Spam                     1,021     958     736     851   1,012   1,045   1,122         6,745       1,490
Experimental                     1,543   1,190     951     970   1,284   1,342   1,472         8,752         900
Obfuscation                        240     183     158     189     196     336     151         1,453         352
Grey Hosts                         355     196      29      33     213     343     315         1,484         166
Gambling                           272     202     263     261     215     303     161         1,677         124
Refinancing/Loans                2,293   2,216   1,809   1,659   2,167   2,013   1,975        14,132       1,765
Business opportunities           1,989   1,991   1,546   1,547   1,990   2,089   2,163        13,315       1,464
Ink and toner cartridges           159     124      41      91     100      89      63           667         121
Pornography                      2,296   1,874   2,189   1,798   2,120   2,224   2,333        14,834       1,731
Send money scams                    57      63      66      57      85      84      82           494          65
Online pharmacies                6,792   6,098   5,419   4,907   5,766   5,526   5,767        40,275       5,684
Cable/Satellite descramblers     1,250
Re: [sniffer] Message Sniffer Version 2-3 Official Release!
Are there step-by-step upgrade instructions posted anywhere? Our configuration is Windows 2000 server with Declude. I don't quite understand what needs to be done to enable the Persistent Instance option.

Thank you,
Michael Stein
Computer House
www.computerhouse.com
609 652-3222
RE: [sniffer] Scheduled Updates
I am not sure that I have received any emails today about any updates either. Is there something wrong with the emailing out of updates?

Sincerely,
Grant Griffith
EI8HT LEGS Enhanced Web Management
http://www.getafreewebsite.com
877-483-3393

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Pete McNeil
Sent: Tuesday, April 20, 2004 2:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [sniffer] Scheduled Updates

I show the latest compile time as 20040420.1644 GMT. I'll check the logs to see if there has been trouble with your update email. Then I will follow up off list.

_M

At 12:11 PM 4/20/2004, you wrote:

Not sure if this is a specific issue but the Sniffer update hasn't updated since Monday at 02:1 BST (British Summer time GMT+1). Are there any issues at the moment? We have this triggered by an email normally.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: 19 April 2004 14:24
To: [EMAIL PROTECTED]
Subject: Re: [sniffer] Scheduled Updates

At 03:33 AM 4/19/2004, you wrote:

The following schedule is based on the first letter of your license ID. Schedules are separated by even and odd hours, and are further separated by 4 minutes for each letter within a given hour.

Should we use this system also for uploading the log files?

We do not appear to have a problem with uploads at this time, but in any case it would be a good idea to organize scheduled tasks in this way to minimize the possibility of a problem.

Thanks,
_M
RE: [sniffer] Spam storm?
We have also seen some slow downloads here, but we are currently on a 256k connection from CoreComm/Voyager, but we are updating to a full T1 in the next couple of weeks thru someone different.

03/26/04 10:20:37 Fast traceroute sortmonster.com
Trace sortmonster.com (216.88.37.62) ...
 1 208.15.190.65     0ms    0ms    0ms  TTL: 0 (No rDNS)
 2 64.77.152.137   210ms   80ms  150ms  TTL: 0 (se1-3-17.rtr0.wb2023.smor.in.voyager.net bogus rDNS: host not found [authoritative])
 3 64.77.152.9      50ms  190ms  150ms  TTL: 0 (se3-1-0.rtr0.clmb.in.voyager.net ok)
 4 209.212.206.26  421ms  180ms   91ms  TTL: 0 (s60.rtr0.ipls.in.voyager.net bogus rDNS: host not found [authoritative])
 5 169.207.224.93  441ms   80ms  130ms  TTL: 0 (483.at-0-1-0.rtr0.chcg1.il.voyager.net ok)
 6 63.208.138.173  431ms  331ms  290ms  TTL: 0 (ge-8-0-513.ipcolo1.Chicago1.Level3.net ok)
 7 4.68.112.201    220ms  231ms  210ms  TTL: 0 (so-7-0-0.bbr1.Chicago1.Level3.net ok)
 8 4.68.112.190     90ms  130ms  110ms  TTL: 0 (so-8-0.core1.Chicago1.Level3.net ok)
 9 209.0.225.2      60ms   50ms  221ms  TTL: 0 (uschcg-j20c.savvis.net bogus rDNS: host not found [authoritative])
10 209.83.222.49   111ms  310ms  281ms  TTL: 0 (at-1-2-802.uswash2-01.j20c.savvis.net bogus rDNS: host not found [authoritative])
11 216.88.33.46    440ms  260ms  471ms  TTL: 0 (microneil-1.uswash.savvis.net fraudulent rDNS)
12 No Response * * *
13 No Response * * *
14 No Response * * *
15 No Response * * *
16 No Response * * *
17 No Response * * *
18 No Response * * *
19 No Response * * *
20 No Response * * *
21 No Response * * *
22 No Response * * *
23 No Response * * *
24 No Response * * *
25 No Response * * *
26 No Response * * *
27 No Response * * *
28 No Response * * *
29 No Response * * *

Sincerely,
Grant Griffith, Vice President
EI8HT LEGS Web Management Co., Inc.
http://www.getafreewebsite.com
877-483-3393

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Kevin Stanford
Sent: Friday, March 26, 2004 10:22 AM
To: [EMAIL PROTECTED]
Subject: Re: [sniffer] Spam storm?

I have noticed this week that the download is also slow over here. I am getting around 2.8 to 3 K/s. We also use Wget, and have with no problems,...just slow download speed. Here is my tracert if it helps...

U:\tracert www.sortmonster.net
Tracing route to www.sortmonster.net [216.88.37.61]
over a maximum of 30 hops:
  1     3 ms     2 ms     2 ms  10.100.1.1
  2     5 ms     3 ms     2 ms  63.145.109.65
  3     7 ms     8 ms     9 ms  dal-edge-08.inet.qwest.net [63.145.96.117]
  4     8 ms     8 ms     8 ms  dal-core-01.inet.qwest.net [205.171.25.117]
  5    17 ms     9 ms     8 ms  dal-brdr-02.inet.qwest.net [205.171.25.46]
  6     9 ms     8 ms     8 ms  POS5-2.BR2.DFW9.ALTER.NET [204.255.168.229]
  7    10 ms     8 ms     8 ms  0.so-1-3-0.xl2.dfw9.alter.net [152.63.99.214]
  8     8 ms    11 ms    11 ms  0.so-0-0-0.tl2.dfw9.alter.net [152.63.2.181]
  9    50 ms    51 ms    52 ms  0.so-5-0-0.tl2.nyc9.alter.net [152.63.0.110]
 10    53 ms    50 ms    51 ms  0.so-3-0-0.xl2.nyc1.alter.net [152.63.29.113]
 11    51 ms    51 ms    51 ms  0.so-0-0-0.xr2.nyc1.alter.net [152.63.19.97]
 12    52 ms    51 ms    51 ms  508.atm7-0.gw8.nyc1.alter.net [152.63.20.1]
 13    51 ms    50 ms    51 ms  savvis-ny-gw.customer.ALTER.NET [65.194.72.54]
 14    50 ms    51 ms    51 ms  so-2-0-0.usnycm2-02.j20c.savvis.net [206.129.9.1]
 15    57 ms    56 ms    56 ms  fe2-3-2.uswash2-01.j20c.savvis.net [209.83.222.73]
 16    73 ms    80 ms    70 ms  microneil-1.uswash.savvis.net [216.88.33.46]
 17     *        *        *     Request timed out.
 18     *        *        *     Request timed out.
 19     *        *        *     Request timed out.
 20     *        *        *     Request timed out.
 21     *        *        *     Request timed out.
 22     *        *        *     Request timed out.
 23     *        *        *     Request timed out.
 24     *        *        *     Request timed out.
 25     *        *        *     Request timed out.
 26     *        *        *     Request timed out.
 27     *        *        *     Request timed out.
 28     *        *        *     Request timed out.
 29     *        *        *     Request timed out.
 30     *        *        *     Request timed out.
Trace complete.

At 08:04 AM 03/26/2004, you wrote:

At 08:13 AM 3/26/2004, you wrote:

I have a Sprint T as well, and have had no download problems using wget on Win2000 aside from periodic slowdowns. Just ran a download this morning and speed never went over 5K. I also have had no bad_matrix instances.

I am consistently getting 45K/sec or better
Re: [sniffer] Spam storm?
We've found that when we do a manual download, everything works fine. It's the automatic download on the Windows 2000 server that seems to corrupt things. M. Stein Computer House - Original Message - From: Pete McNeil [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, March 25, 2004 6:05 PM Subject: Re: [sniffer] Spam storm? This helps narrow things down. Specifically we know that the rulebase files are not corrupted on the server but during the download. That explains why I haven't been able to recreate a problem in the lab. I have a suspicion that wget may be failing intermittently. Another customer recently had unexplainable, intermittent issues with wget. They replaced wget with code of their own and have had no further problems. Can we narrow this down to wget under heavy traffic conditions perhaps? _M At 10:08 PM 3/24/2004, you wrote: I've noticed that if I do a manual download of the rule base file, it works well, but if it is downloaded automatically via the Windows Task CMD, then sniffer fails and the log fills up with the BAD_MATRIX errors. Anyone else seeing this? Mike - Original Message - From: Landry William [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, March 24, 2004 8:43 PM Subject: RE: [sniffer] Spam storm? I see over a 1000 of these ERROR_BAD_MATRIX entries in my Sniffer log file today, as well. Is this due to the ruleset issue from earlier today? Bill -Original Message- From: Sheldon Koehler [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 24, 2004 3:19 PM To: [EMAIL PROTECTED] Subject: Re: [sniffer] Spam storm? Well it may not be a spam storm. Log file shows: nsx4b3eh 20040324200108 De90392330028271a.SMD 421 0 ERROR_BAD_MATRIX 71 0 0 2 5 nsx4b3eh 20040324200117 De90c923a00284b5b.SMD 422 0 ERROR_BAD_MATRIX 71 0 0 What is a Bad Matrix? Sheldon Sheldon Koehler, Owner/Partnerhttp://www.tenforward.com Ten Forward Communications 360-457-9023 Nationwide access, neighborhood support! 
Whenever you find yourself on the side of the majority, it's time to pause and reflect. Mark Twain

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html

This message and any included attachments are from Siemens Medical Solutions USA, Inc. and are intended only for the addressee(s). The information contained herein may include trade secrets or privileged or otherwise confidential information. Unauthorized review, forwarding, printing, copying, distributing, or using such information is strictly prohibited and may be unlawful. If you received this message in error, or have reason to believe you are not authorized to receive it, please promptly delete this message and notify the sender by e-mail with a copy to [EMAIL PROTECTED] Thank you
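Added example, not part of the original thread and not Message Sniffer's own code: a small log check that counts ERROR_BAD_MATRIX entries and reports when they began, so the start time can be compared with the scheduled rulebase download discussed above. The field positions (timestamp second, result sixth) are assumed from the two log lines quoted in the thread, and the 50% threshold and function names are hypothetical.

```python
from collections import Counter
from datetime import datetime

# The two ERROR_BAD_MATRIX lines are the ones quoted in the thread; the first
# and last lines are constructed (a non-error entry and a truncated entry).
SAMPLE_LOG = """\
nsx4b3eh 20040324185502 De8f00000000000001.SMD 410 15 Final 0 0 0 2048 60
nsx4b3eh 20040324200108 De90392330028271a.SMD 421 0 ERROR_BAD_MATRIX 71 0 0 2 5
nsx4b3eh 20040324200117 De90c923a00284b5b.SMD 422 0 ERROR_BAD_MATRIX 71 0 0
nsx4b3eh 2004032420
"""

def parse_line(line):
    """Return (timestamp, message_file, result) or None if the line is unusable."""
    parts = line.split()
    if len(parts) < 6:
        return None
    try:
        ts = datetime.strptime(parts[1], "%Y%m%d%H%M%S")
    except ValueError:
        return None
    return ts, parts[2], parts[5]

def summarize(log_text, threshold=0.5):
    """Count ERROR_BAD_MATRIX entries and flag a probably corrupt rulebase."""
    scanned, skipped, errors = 0, 0, []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        scanned += 1
        if rec[2] == "ERROR_BAD_MATRIX":
            errors.append(rec[0])
    per_hour = Counter(ts.strftime("%Y-%m-%d %H:00") for ts in errors)
    return {
        "scanned": scanned,
        "skipped": skipped,
        "bad_matrix": len(errors),
        "first_error": min(errors) if errors else None,
        "per_hour": dict(per_hour),
        # Assumed policy: most scans failing means the rulebase file, not the mail.
        "rulebase_suspect": scanned > 0 and len(errors) / scanned >= threshold,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A `first_error` that falls just after an automatic download, with `rulebase_suspect` set, points at the downloaded file rather than at the incoming mail.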
[sniffer] Config When Using Sniffer With Declude...
Hello All,

I am running Sniffer with Declude and was wanting to get some ideas on how everyone has Declude set up. Currently I just have the basic setup as follows.

SNIFFER external nonzero d:\imail\declude\sniffer2_2\winx\snifferprog.exe sniffer auth 10 0

I hold anything with a weight of 10, therefore anything failing sniffer gets held and reviewed. I was thinking that sniffer had a way to check and see why it failed, but I have not found much on that. I guess I am just not looking in the right place... Anyone give me some hints?

Thanks!

Sincerely,
Grant Griffith, Vice President
EI8HT LEGS Web Management Co., Inc.
http://www.getafreewebsite.com
877-483-3393