Re: Re[4]: [sniffer] Bad Rule - 828931

2006-02-08 Thread Bonno Bloksma

Hi,

I sort of tried something like that as well but my cut command went 
wild. I ended up with a list of spoolfilenames (rulespool.log), without the 
D/Q, but each line ending with a 0D0D0A (CRCRLF) sequence. :-( The ruleD.log 
file was ok.


grep "rulenum" snf.log > rule.log
grep "Final" rule.log > rulef.log
cut -f 3 rulef.log > ruleD.log
cut -b2- ruleD.log > rulespool.log


After some manual editing I ran a small batch file to move all files into the 
spam old directory and do a manual review. I had only a few dozen hits that 
were held.


@echo off
Set SpamDir=C:\IMail\Spool\Spam
Set SpamHold=C:\IMail\Spool\Spam\Hold
For /F %%a in (rulespool.log) do (
 echo Testing %SpamDir%\D%%a
 if exist %SpamDir%\D%%a (
   echo %%a
   move %SpamDir%\D%%a %SpamHold%\
   move %SpamDir%\Q%%a %SpamHold%\
 )
)
:end


Groetjes,


Bonno Bloksma

- Original Message - 
From: "Goran Jovanovic" <[EMAIL PROTECTED]>

To: 
Sent: Wednesday, February 08, 2006 3:10 AM
Subject: RE: Re[4]: [sniffer] Bad Rule - 828931


OK to answer my own question. Run the following commands

grep -U "Final.828931" snf.log >1.txt
cut -b26-41 1.txt >2.txt
grep -U -f2.txt d:\spool\dec0207.log >3.txt
egrep -U "\smd Tests failed|\smd Subject" 3.txt >4.txt

notepad 4.txt

Now I have to read my 4.txt and figure out what I am going to do about
it.

Goran Jovanovic
Omega Network Solutions




-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Goran Jovanovic
Sent: Tuesday, February 07, 2006 8:39 PM
To: sniffer@SortMonster.com
Subject: RE: Re[4]: [sniffer] Bad Rule - 828931

I just ran the grep command on my log and I got 850 hits.

Now is there a way to take the output of the grep command and use it
to pull out the total weight of corresponding message from the declude
log file, or maybe the subject?

Goran Jovanovic
Omega Network Solutions



> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of David Sullivan
> Sent: Tuesday, February 07, 2006 7:47 PM
> To: Landry, William (MED US)
> Subject: Re[4]: [sniffer] Bad Rule - 828931
>
> Hello William,
>
> Tuesday, February 7, 2006, 7:39:05 PM, you wrote:
>
> LWMU> grep -c "Final.*828931" c:\imail\declude\sniffer\logfile.log
>
> That's what I tried. Just figured out I forgot to capitalize the "F".
> It works.
>
> Confirmed - 22,055
>
> I'm writing a program now to parse the sniffer log file, extract the
> file ID, lookup the id in sql server, determine quarantine
> location, extract q/d pair from quarantine and send to user.
>
> --
> Best regards,
>  David  mailto:[EMAIL PROTECTED]
>
>
>
> This E-Mail came from the Message Sniffer mailing list. For information
> and (un)subscription instructions go to
> http://www.sortmonster.com/MessageSniffer/Help/Help.html


---
[E-mail scanned at tio.nl for viruses by Declude Virus]
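
The pipelines in this thread pick the spool ID by byte offset or with chained `cut` calls, which is where stray CRCRLF endings and partial rule-number matches can slip in. An added example (not from any poster) that extracts the IDs by field, strips carriage returns, matches the rule number exactly and rejects malformed names; the sample log lines are constructed, and the column layout beyond "tab delimited, file name in column 3, Final followed by the rule number" is an assumption:

```shell
#!/bin/sh
# Added example. Assumed layout (constructed to agree with the thread):
# tab-delimited, column 3 = D<id>.SMD, "Final" directly followed by the rule.

# snf_rule_ids RULE [LOGFILE...] -> unique spool IDs, one per line
snf_rule_ids() {
    rule=$1; shift
    awk -F '\t' -v rule="$rule" '
        { sub(/\r+$/, "") }      # strip CR or CRCR left by DOS text-mode tools
        {
            hit = 0
            for (i = 4; i < NF; i++)   # exact compare: 8289310 must not match
                if ($i == "Final" && ($(i + 1) "") == (rule "")) hit = 1
            if (!hit) next
            id = $3
            sub(/^[DdQq]/, "", id)           # leading D/Q of the spool file name
            sub(/\.[Ss][Mm][Dd]$/, "", id)   # trailing .SMD
            # Only plain IDs may reach a later move command.
            if (id !~ /^[0-9A-Za-z]+$/) { bad++; next }
            if (!(id in seen)) { seen[id] = 1; print id }
        }
        END { if (bad) printf "skipped %d malformed line(s)\n", bad > "/dev/stderr" }
    ' "$@"
}

# Constructed sample log with mixed CRLF, CRCRLF and LF line endings.
snf_sample_log() {
    printf 'gxamq2kt\t20060207174501\tD4a2b00e601d2c3f1.SMD\t10\t20\tMatch\t828931\t52\t0\t10\t40\r\n'
    printf 'gxamq2kt\t20060207174501\tD4a2b00e601d2c3f1.SMD\t10\t20\tFinal\t828931\t52\t0\t10\t40\r\r\n'
    printf 'gxamq2kt\t20060207174502\tD4a2b00e701d2c3f2.SMD\t10\t20\tFinal\t8289310\t52\t0\t10\t40\r\n'
    printf 'gxamq2kt\t20060207174503\tD4a2b00e801d2c3f3.SMD\t0\t15\tFinal\t828931\t52\t0\t10\t40\n'
    printf 'gxamq2kt\t20060207174504\tD4a2b00e601d2c3f1.SMD\t10\t20\tFinal\t828931\t52\t0\t10\t40\r\n'
    printf 'gxamq2kt\t20060207174505\tD4a2b00e9 01d2.SMD\t10\t20\tFinal\t828931\t52\t0\t10\t40\r\n'
}

# With no file arguments awk reads the log from standard input.
snf_sample_log | snf_rule_ids 828931
```
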





RE: Re[4]: [sniffer] Bad Rule - 828931

2006-02-07 Thread Colbeck, Andrew
Goran, this is pretty much what I did to get to re-queuing:

gawk "$0 ~ /Final\t828931/ {print substr($3,2,16)}" gxamq2kt.log.20060207* >msgids.txt

The file msgids.txt will now contain just the GUID part of the
D[guid].SMD from column 3 in the tab delimited Message Sniffer log
files.

I then used a batch file I had previously created called qm.cmd (for
queue and move).  Note that the folders I specify are for Declude 1.x,
which has an overflow folder.  I use the overflow folder so that Declude
will re-analyze the message:

Rem this is the qm.cmd file listing
move d:\imail\spool\spam\d%1.smd u:\imail\spool\ >nul
move d:\imail\spool\spam\q%1.smd u:\imail\spool\overflow\ >nul

I then issued from the command line:

for /F %i in (msgids.txt) do @qm.cmd %i

That takes care of re-queuing all the held messages.  I am using a move
instead of a copy because I want Declude to be able to move a message it
deems spam to the spam folder.  If I used a copy, it would fail to do
the move because the file is already in the spam folder, and Declude
would then pass control back to Imail, which would then deliver the spam
inbound.

After my queue went back to normal, I then set to work on my dec0207.log
file to determine if the entirety of the message was spam or ham based
on whether it was held or not (which is the simple scenario I have).

I hope that helps,

Andrew 8)


> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
> Sent: Tuesday, February 07, 2006 5:39 PM
> To: sniffer@SortMonster.com
> Subject: RE: Re[4]: [sniffer] Bad Rule - 828931
> 
> I just ran the grep command on my log and I got 850 hits. 
> 
> Now is there a way to take the output of the grep command and 
> use it to pull out the total weight of corresponding message 
> from the declude log file, or maybe the subject?
> 
> Goran Jovanovic
> Omega Network Solutions
> 
>  
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> > On Behalf Of David Sullivan
> > Sent: Tuesday, February 07, 2006 7:47 PM
> > To: Landry, William (MED US)
> > Subject: Re[4]: [sniffer] Bad Rule - 828931
> > 
> > Hello William,
> > 
> > Tuesday, February 7, 2006, 7:39:05 PM, you wrote:
> > 
> > LWMU> grep -c "Final.*828931" c:\imail\declude\sniffer\logfile.log
> > 
> > That's what I tried. Just figured out I forgot to capitalize the "F".
> > It works.
> > 
> > Confirmed - 22,055
> > 
> > I'm writing a program now to parse the sniffer log file, extract the
> > file ID, lookup the id in sql server, determine quarantine location,
> > extract q/d pair from quarantine and send to user.
> > 
> > --
> > Best regards,
> >  David  mailto:[EMAIL PROTECTED]


RE: Re[4]: [sniffer] Bad Rule - 828931

2006-02-07 Thread Goran Jovanovic
OK to answer my own question. Run the following commands

grep -U "Final.828931" snf.log >1.txt
cut -b26-41 1.txt >2.txt
grep -U -f2.txt d:\spool\dec0207.log >3.txt
egrep -U "\smd Tests failed|\smd Subject" 3.txt >4.txt

notepad 4.txt

Now I have to read my 4.txt and figure out what I am going to do about
it.

Goran Jovanovic
Omega Network Solutions

 

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Goran Jovanovic
> Sent: Tuesday, February 07, 2006 8:39 PM
> To: sniffer@SortMonster.com
> Subject: RE: Re[4]: [sniffer] Bad Rule - 828931
> 
> I just ran the grep command on my log and I got 850 hits.
> 
> Now is there a way to take the output of the grep command and use it
> to pull out the total weight of corresponding message from the declude
> log file, or maybe the subject?
> 
> Goran Jovanovic
> Omega Network Solutions
> 
> 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> > On Behalf Of David Sullivan
> > Sent: Tuesday, February 07, 2006 7:47 PM
> > To: Landry, William (MED US)
> > Subject: Re[4]: [sniffer] Bad Rule - 828931
> >
> > Hello William,
> >
> > Tuesday, February 7, 2006, 7:39:05 PM, you wrote:
> >
> > LWMU> grep -c "Final.*828931" c:\imail\declude\sniffer\logfile.log
> >
> > That's what I tried. Just figured out I forgot to capitalize the "F".
> > It works.
> >
> > Confirmed - 22,055
> >
> > I'm writing a program now to parse the sniffer log file, extract the
> > file ID, lookup the id in sql server, determine quarantine
> > location, extract q/d pair from quarantine and send to user.
> >
> > --
> > Best regards,
> >  David  mailto:[EMAIL PROTECTED]


RE: Re[4]: [sniffer] Bad Rule - 828931

2006-02-07 Thread Goran Jovanovic
I just ran the grep command on my log and I got 850 hits. 

Now is there a way to take the output of the grep command and use it
to pull out the total weight of corresponding message from the declude log
file, or maybe the subject?

Goran Jovanovic
Omega Network Solutions

 

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of David Sullivan
> Sent: Tuesday, February 07, 2006 7:47 PM
> To: Landry, William (MED US)
> Subject: Re[4]: [sniffer] Bad Rule - 828931
> 
> Hello William,
> 
> Tuesday, February 7, 2006, 7:39:05 PM, you wrote:
> 
> LWMU> grep -c "Final.*828931" c:\imail\declude\sniffer\logfile.log
> 
> That's what I tried. Just figured out I forgot to capitalize the "F".
> It works.
> 
> Confirmed - 22,055
> 
> I'm writing a program now to parse the sniffer log file, extract the
> file ID, lookup the id in sql server, determine quarantine
> location, extract q/d pair from quarantine and send to user.
> 
> --
> Best regards,
>  David  mailto:[EMAIL PROTECTED]


RE: Re[4]: [sniffer] Bad Rule - 828931

2006-02-07 Thread John Carter
David 

Drop the q/d files back into the \spool\proc directory.  Declude will
reprocess them.  If you put them in just the \spool, queue manager will send
them out in the next queue run, bypassing Declude. 

John

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of David Sullivan
Sent: Tuesday, February 07, 2006 7:15 PM
To: Pete McNeil
Subject: Re[4]: [sniffer] Bad Rule - 828931

Hello Pete,

Tuesday, February 7, 2006, 8:11:50 PM, you wrote:

DS>> Not sure, can anyone think of a way to cross check this? What if I 
DS>> put all the released messages back through sniffer?

PM> That would be good -- new rules were added to correctly capture the 
PM> bad stuff. I almost suggested something more complex.

That said...anyone know specifics of reprocessing messages through Declude
on Imail? I know that in 1.x Declude would drop some kind of marker so that
q/d's copied into spool would not be reprocessed but I don't remember what
it was and don't know if it works same in 3.x.

Posted question on Declude JM list but no answer so far.

--
Best regards,
 David  mailto:[EMAIL PROTECTED]


