[sniffer] Re: New SPAM pain

2006-07-26 Thread Darrell (supp...@invariantsystems.com)
If Pete doesn't mind I will post my observations in regards to the product.  
I run both products (CommTouch and Sniffer). 


Darrell
---
Check out http://www.invariantsystems.com for utilities for Declude, Imail, 
mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, SURBL/URI 
integration, MRTG Integration, and Log Parsers. 




John Shacklett writes: 


I'm dying to start a thread and talk about Sniffer's stance on CommTouch,
but I can resist. 


Instead, I would like to point out that eight clearly spam messages have
made it through to my Inbox [or Outlook Junk Folder] so far this week that
appear to have skinned clear through Sniffer. First ones I've seen in ages.
Are we undergoing a new phase or campaign that I can make adjustments for?



--

John  

 


#
This message is sent to you because you are subscribed to
  the mailing list .
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to  <[EMAIL PROTECTED]> 







[sniffer] Re: New SPAM pain

2006-07-26 Thread Matt




Pete surely won't mind after you post your observations :)

Matt



Darrell ([EMAIL PROTECTED]) wrote:

If Pete doesn't mind I will post my observations in regards to the
product.  I run both products (CommTouch and Sniffer). 
Darrell
  
---
  
Check out http://www.invariantsystems.com for utilities for Declude,
Imail, mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring,
SURBL/URI integration, MRTG Integration, and Log Parsers. 
  
  
John Shacklett writes: 
I'm dying to start a thread and talk about Sniffer's stance on CommTouch,
but I can resist.

Instead, I would like to point out that eight clearly spam messages have
made it through to my Inbox [or Outlook Junk Folder] so far this week that
appear to have skinned clear through Sniffer. First ones I've seen in ages.
Are we undergoing a new phase or campaign that I can make adjustments for?

-- 

John  
 



  
  
  
  
  
  
  





[sniffer] Re: New SPAM pain

2006-07-26 Thread Pete McNeil
Hello John,

Wednesday, July 26, 2006, 1:57:18 PM, you wrote:

> I'm dying to start a thread and talk about Sniffer's stance on CommTouch,
> but I can resist.

Me too.

> Instead, I would like to point out that eight clearly spam messages have
> made it through to my Inbox [or Outlook Junk Folder] so far this week that
> appear to have skinned clear through Sniffer. First ones I've seen in ages.
> Are we undergoing a new phase or campaign that I can make adjustments for?

There has been some impressive activity in new spam campaigns this
week, but nothing is consistently getting past us that I am aware of.

There have been a number of very broken spam campaigns that gave us
some trouble, and a few image spam campaigns that were more complex
than most.

Is there anything special you notice about the ones you've mentioned?

_M

PS: I was recently asked where "image spam rules" go so that a
customer could ramp up the weight on that rule group. The vast
majority of image spam rules are abstracts of message structures and
occasionally image file fragments. These rules go in group 61
(Experimental / Abstract). This group has very low false positive
rates as a rule (judging from FP submissions which are low in
general).

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer] Re: New SPAM pain

2006-07-26 Thread Darrell (supp...@invariantsystems.com)
The more I think about it, I am sorry about this post below - it kinda puts 
Pete on the spot - and I am sorry about that.  Def. not my intention.. 

Darrell 

Darrell ([EMAIL PROTECTED]) writes: 

If Pete doesn't mind I will post my observations in regards to the 
product.  I run both products (CommTouch and Sniffer).  


Darrell
---
Check out http://www.invariantsystems.com for utilities for Declude, 
Imail, mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, 
SURBL/URI integration, MRTG Integration, and Log Parsers.  

 

John Shacklett writes:  


I'm dying to start a thread and talk about Sniffer's stance on CommTouch,
but I can resist.  


Instead, I would like to point out that eight clearly spam messages have
made it through to my Inbox [or Outlook Junk Folder] so far this week that
appear to have skinned clear through Sniffer. First ones I've seen in ages.
Are we undergoing a new phase or campaign that I can make adjustments for?



--  

John   

  



 







---
Check out http://www.invariantsystems.com for utilities for Declude, Imail, 
mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, SURBL/URI 
integration, MRTG Integration, and Log Parsers.






[sniffer] Re: New SPAM pain

2006-07-26 Thread Pete McNeil
Hello Darrell,

That's fine.

_M

Wednesday, July 26, 2006, 2:43:27 PM, you wrote:

> If Pete doesn't mind I will post my observations in regards to the product.
> I run both products (CommTouch and Sniffer). 

> Darrell
>  ---
> Check out http://www.invariantsystems.com for utilities for Declude, Imail,
> mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, SURBL/URI 
> integration, MRTG Integration, and Log Parsers. 

>  

> John Shacklett writes: 

>> I'm dying to start a thread and talk about Sniffer's stance on CommTouch,
>> but I can resist. 
>> 
>> Instead, I would like to point out that eight clearly spam messages have
>> made it through to my Inbox [or Outlook Junk Folder] so far this week that
>> appear to have skinned clear through Sniffer. First ones I've seen in > >Are 
>> we undergoing a new phase or campaign that I can make adjustments for? 
>> 
>> 
>> -- 
>> 
>> John  
>> 
>>  
>> 
>> 





-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer] Re: New SPAM pain

2006-07-26 Thread Darrell (supp...@invariantsystems.com)

(*) Please keep in mind this is for one of the systems I maintain, which has
a very wide, diverse set of mail.  Your mileage may vary. 

Here are some stats gathered with DLAnalyzer on Zerohour. 

***This is only a one day analysis. 


* Triggered on 42,013 messages out of 99,842 total messages
* 40K of the 42K hits were on messages already considered spam and held.
* Out of the 42K Zerohour detections 39K of those were also detected by
Sniffer. 


* DLAnalyzer's test quality rates Zerohour as .95. (SEE EXPLANATION BELOW ON
THIS)
* Zerohour triggered on 1,020 hams.  In my visual review, a good portion of
those hams were false positives on bulk solicited mail (Home Depot, Martha 
Stewart, USDA, GOP Senators, Democratic National Committee, etc).  I can go 
into more detail on this if anyone wants more info offline. 


For those that do not use DLAnalyzer it has a built in test quality report.
The test quality score is based on a -1 to 1 scale where -1 indicates HAM
and 1 indicates spam.  The closer to 1 the more likely the test is at
detecting SPAM and the closer to -1 indicates HAM. 


Other Tests' Test Quality Scores
Message Sniffer - .99
invURIBL - .99
Zerohour - .95
Spamcop - .94
MxRate Black - .93
Fiveten - .92
Sorbs Spam - .71 

At this point I have not evaluated CommTouch's false positive reporting.  
That portion of my testing will come very soon. 

Are any of my results scientific - no.  Will I be dropping Message Sniffer - 
Absolutely not.  Will I continue using CommTouch - yes - as I think it has a 
place on my system.  Will your results and conclusions vary - absolutely. 


Darrell
---
Check out http://www.invariantsystems.com for utilities for Declude, Imail, 
mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, SURBL/URI 
integration, MRTG Integration, and Log Parsers. 

Pete McNeil writes: 

Hello Darrell, 

That's fine. 

_M 

Wednesday, July 26, 2006, 2:43:27 PM, you wrote: 


If Pete doesn't mind I will post my observations in regards to the product.
I run both products (CommTouch and Sniffer). 



Darrell
 ---
Check out http://www.invariantsystems.com for utilities for Declude, Imail,
mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, SURBL/URI 
integration, MRTG Integration, and Log Parsers. 


 


John Shacklett writes: 



I'm dying to start a thread and talk about Sniffer's stance on CommTouch,
but I can resist.  


Instead, I would like to point out that eight clearly spam messages have
made it through to my Inbox [or Outlook Junk Folder] so far this week that
appear to have skinned clear through Sniffer. First ones I've seen in ages.
Are we undergoing a new phase or campaign that I can make adjustments for?



--  

John   

  



 


 



--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC. 










[sniffer] Re: New SPAM pain

2006-07-26 Thread John Shacklett
Besides the one I sent to the list instead of to spam@, many of the ones
getting through are simple, text-based things that REALLY look like regular
emails. Probably one of the worst kinds to sniff out. 

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
Of Pete McNeil
Sent: Wednesday, 26 July 2006 2:52 PM
To: Message Sniffer Community
Subject: [sniffer] Re: New SPAM pain

Hello John,

Wednesday, July 26, 2006, 1:57:18 PM, you wrote:

> I'm dying to start a thread and talk about Sniffer's stance on 
> CommTouch, but I can resist.

Me too.

> Instead, I would like to point out that eight clearly spam messages 
> have made it through to my Inbox [or Outlook Junk Folder] so far this 
> week that appear to have skinned clear through Sniffer. First ones I've
seen in ages.
> Are we undergoing a new phase or campaign that I can make adjustments for?

There has been some impressive activity in new spam campaigns this week, but
nothing is consistently getting past us that I am aware of.

There have been a number of very broken spam campaigns that gave us some
trouble, and a few image spam campaigns that were more complex than most.

Is there anything special you notice about the ones you've mentioned?

_M

PS: I was recently asked where "image spam rules" go so that a customer
could ramp up the weight on that rule group. The vast majority of image spam
rules are abstracts of message structures and occasionally image file
fragments. These rules go in group 61 (Experimental / Abstract). This group
has very low false positive rates as a rule (judging from FP submissions
which are low in general).

--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.









[sniffer] Re: New SPAM pain

2006-07-26 Thread John Shacklett
Thanks, Darrell, that's the first actual mileage data I've seen. 

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
Of Darrell ([EMAIL PROTECTED])
Sent: Wednesday, 26 July 2006 3:32 PM
To: Message Sniffer Community
Subject: [sniffer] Re: New SPAM pain

(*) Please keep in mind this is for one of the systems I maintain, which has
a very wide, diverse set of mail.  Your mileage may vary. 

Here are some stats gathered with DLAnalyzer on Zerohour. 

***This is only a one day analysis. 

* Triggered on 42,013 messages out of 99,842 total messages
* 40K of the 42K hits were on messages already considered spam and held.
* Out of the 42K Zerohour detections 39K of those were also detected by
Sniffer. 

* DLAnalyzer's test quality rates Zerohour as .95. (SEE EXPLANATION BELOW ON
THIS)
* Zerohour triggered on 1,020 hams.  In my visual review, a good portion of
those hams were false positives on bulk solicited mail (Home Depot, Martha
Stewart, USDA, GOP Senators, Democratic National Committee, etc).  I can go
into more detail on this if anyone wants more info offline. 

For those that do not use DLAnalyzer it has a built in test quality report.
The test quality score is based on a -1 to 1 scale where -1 indicates HAM
and 1 indicates spam.  The closer to 1 the more likely the test is at
detecting SPAM and the closer to -1 indicates HAM. 

Other Tests' Test Quality Scores
Message Sniffer - .99
invURIBL - .99
Zerohour - .95
Spamcop - .94
MxRate Black - .93
Fiveten - .92
Sorbs Spam - .71 

At this point I have not evaluated CommTouch's false positive reporting.  
That portion of my testing will come very soon. 

Are any of my results scientific - no.  Will I be dropping Message Sniffer -
Absolutely not.  Will I continue using CommTouch - yes - as I think it has a
place on my system.  Will your results and conclusions vary - absolutely. 

Darrell
 ---
Check out http://www.invariantsystems.com for utilities for Declude, Imail,
mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, SURBL/URI
integration, MRTG Integration, and Log Parsers. 

Pete McNeil writes: 

> Hello Darrell,
> 
> That's fine. 
> 
> _M
> 
> Wednesday, July 26, 2006, 2:43:27 PM, you wrote: 
> 
>> If Pete doesn't mind I will post my observations in regards to the
product.
>> I run both products (CommTouch and Sniffer). 
> 
>> Darrell
>>  ---
>> Check out http://www.invariantsystems.com for utilities for Declude, 
>> Imail, mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, 
>> SURBL/URI integration, MRTG Integration, and Log Parsers.
> 
>>  
> 
>> John Shacklett writes: 
> 
>>> I'm dying to start a thread and talk about Sniffer's stance on 
>>> CommTouch, but I can resist.
>>> 
>>> Instead, I would like to point out that eight clearly spam messages 
>>> have made it through to my Inbox [or Outlook Junk Folder] so far 
>>> this week that appear to have skinned clear through Sniffer. First ones
>>> I've seen in ages. Are we undergoing a new phase or campaign that I can
>>> make adjustments for?
>>> 
>>> 
>>> --
>>> 
>>> John   
>>> 
>>>   
>>> 
>>> 
>  
> 
>  
> 
> 
> --
> Pete McNeil
> Chief Scientist,
> Arm Research Labs, LLC. 
> 
> 
> 



[sniffer] Re: New SPAM pain

2006-07-26 Thread Pete McNeil
Hello John,

If they look too much like regular email and they arrive at usertraps
then it's a good bet we might skip a few before recognizing they are
spam... Rules for usertrap submissions are more strict -- so if there
is any doubt we err on the side of safety.

If we get some in our spamtraps they will be coded more quickly.

If you see a "chronic" problem with any of them, please zip a few and
send them to me at support@ as attachments. Include "Chronic Spam" in
your subject line. I will look more closely to find a pattern and will
review it with the rule-techs.

Thanks!

_M

Wednesday, July 26, 2006, 4:35:52 PM, you wrote:

> Besides the one I sent to the list instead of to spam@, many of the ones
> getting through are simple, text-based things that REALLY look like regular
> emails. Probably one of the worst kinds to sniff out. 

> -Original Message-
> From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
> Of Pete McNeil
> Sent: Wednesday, 26 July 2006 2:52 PM
> To: Message Sniffer Community
> Subject: [sniffer] Re: New SPAM pain

> Hello John,

> Wednesday, July 26, 2006, 1:57:18 PM, you wrote:

>> I'm dying to start a thread and talk about Sniffer's stance on 
>> CommTouch, but I can resist.

> Me too.

>> Instead, I would like to point out that eight clearly spam messages 
>> have made it through to my Inbox [or Outlook Junk Folder] so far this 
>> week that appear to have skinned clear through Sniffer. First ones I've
> seen in ages.
>> Are we undergoing a new phase or campaign that I can make adjustments for?

> There has been some impressive activity in new spam campaigns this week, but
> nothing is consistently getting past us that I am aware of.

> There have been a number of very broken spam campaigns that gave us some
> trouble, and a few image spam campaigns that were more complex than most.

> Is there anything special you notice about the ones you've mentioned?

> _M

> PS: I was recently asked where "image spam rules" go so that a customer
> could ramp up the weight on that rule group. The vast majority of image spam
> rules are abstracts of message structures and occasionally image file
> fragments. These rules go in group 61 (Experimental / Abstract). This group
> has very low false positive rates as a rule (judging from FP submissions
> which are low in general).

> --
> Pete McNeil
> Chief Scientist,
> Arm Research Labs, LLC.









-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.

