> One impacted customer wanted me to put their original pw back
> in. Boss can't learn a new one! Sheesh..
That makes me... cry.
Not mail-related: a user of our web app forgot his password today and
was having a ridiculously hard time using our password reset form
(basic enter-your-
Rory Nimmo wrote:
Hi folks.
My Sniffer rule base is updating every 6 or 7 minutes today. I have
not made any changes at my end. Can you shed any light on this please?
It should be fixed now.
A bug in smb (used internally to populate the delivery servers) causes
datestamp problems when
Hello Andy,
Saturday, October 4, 2008, 10:21:31 PM, you wrote:
>
Hi Pete,
Well, I eliminated WeightGate for the time being, just to do my “due diligence”.
Also, since there is a fixed size buffer, I assume actually LOWERING the 3rd number (the allocation for each non-interactive process)
cNeil [mailto:[EMAIL PROTECTED]
Sent: Saturday, October 04, 2008 10:07 PM
To: Andy Schmidt
Cc: [EMAIL PROTECTED]
Subject: Re: FW: [sniffer] Re: Sniffer 3.0 Froze Mail Server
Hello Andy,
Saturday, October 4, 2008, 9:22:39 PM, you wrote:
>
Hi Pete,
Here the log files.
I can't t
it more flexible to deal with different customer scenarios.
Best Regards,
Andy
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
Of Pete McNeil
Sent: Saturday, October 04, 2008 3:52 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Sniffer 3.0 Installed
My best thin
Hello Andy,
Saturday, October 4, 2008, 12:28:44 PM, you wrote:
>
Hi Pete,
Thanks for your feedback.
I had to create the UpdateReady.txt file before I was able to test my update script from the command line – but I didn’t realize that it would be created in the Workspace folder. Without th
Ouch - 3.0 didn't even last 12 hours. Imail was frozen up because it
apparently couldn't launch any more Sniffer client instances.
Event Log was full with:
Event Type:Information
Event Source:Application Popup
Event ID: 26
Description: Application popup: SNFClien
Hello Andy,
First, let me say thanks for sharing all of this. We don't often get detailed feedback on these things. Your valuable insights will be used to make later releases better.
With that said I will add a few comments here and there to explain why things are the way they are and help ot
Hello Harry,
Monday, September 29, 2008, 8:11:09 AM, you wrote:
>
Hi Pete,
Please do send the new FreeBSD control script and doc at your convenience.
Our emails are crossing in the ether.
Before posting the new distribution prototype I created a README-SETUP file to help pull the
Hi Pete,
Please do send the new FreeBSD control script and doc at your convenience.
Thank you,
Harry
Hello Harry,
Sunday, September 28, 2008, 10:39:42 PM, you wrote:
>
I have been using Sniffer for several years with Declude and SmarterMail on
Windows. I would like to move S
Hello Harry,
Sunday, September 28, 2008, 10:39:42 PM, you wrote:
>
I have been using Sniffer for several years with Declude and SmarterMail on Windows. I would like to move Sniffer to my IMGate Mail Gateway (Postfix / FreeBSD). Has anyone installed Version 3 of Sniffer on FreeBSD? The *n
Hello,
As an update, the developer (Alexander N. Telegin) spent a number of
hours on my server and seems to have sorted the bugs out in eWall. At
this time the program is running well and as advertised. It's a nice
little light gateway client that has some easy to use scripting
features an
iffer Community
Subject: [sniffer] Re: Sniffer Helper App?
I MOVED FROM Imail 8 to SmarterMail 4.3 and then 5.1, best thing I ever did
(> the cost of an Imail maintenance contract for Enterprise unlimited users
/ domains). SmarterMail has grey listing built in so 90-95% spam gets killed
at so
I MOVED FROM Imail 8 to SmarterMail 4.3 and then 5.1, best thing I ever did
(> the cost of an Imail maintenance contract for Enterprise unlimited users
/ domains). SmarterMail has grey listing built in so 90-95% spam gets killed
at source the other spam is handled out of the box by SpamAssassin. I
Steve,
Since this hasn't yet been mentioned, try Alligate (www.alligate.com).
It does selective greylisting (only greylists things that look spammy),
and also will validate your users' addresses and do things like country
blocking/tarpitting/greylisting. Only one zombie spammer survives
gre
Steve,
If at all possible, I recommend blocking based on unknown user BEFORE
doing ANY content filtering of the message. But, if you must, it is also
a good strategy to block based on the sender's IP first. (I'm figuring
that you might need to do that since you are trying to reduce mail to
yo
If I move away from eWall I will be left with just iMail till I find
something else (purpose of my email). iMail has URL blacklists. eWall
has URI Blacklists but I'm still looking for that perfect client to
put in-front of my mail server (software based). So you probably have
some good sugg
Steve;
Declude works well, but any comprehensive set of filters will take some
horsepower to run. Declude will do the country filtering I think you
wanted.
Herb
Steve Guluk wrote:
On Jul 1, 2008, at 12:25 PM, Rob McEwen wrote:
Steve,
Do you have the ability to add into your current fil
Steve,
What I'm getting is this... the ultimate in low resource spam protection
is blocking based on the sending IP using a prolific DNSBL like
zen.spamhaus.org that, like zen, has extreme low FPs. Because the
message is blocked at the perimeter using just a single lookup on the
sender's ip.
On Jul 1, 2008, at 12:25 PM, Rob McEwen wrote:
Steve,
Do you have the ability to add into your current filtering
additional RBLs and/or URI blacklists? I have some good suggestions
there!
Rob McEwen
Rob,
If I move away from eWall I will be left with just iMail till I find
something
Steve Guluk wrote:
Any suggestions on what I should consider to help with spam and also
use Sniffer.
Steve,
Do you have the ability to add into your current filtering additional
RBLs and/or URI blacklists? I have some good suggestions there!
Rob McEwen
###
Pete,
That is exactly what I needed. You rock.
Thanks so much.
Shawn
On Jan 10, 2008 11:56 AM, Pete McNeil <[EMAIL PROTECTED]> wrote:
> Hello Shawn,
>
>
> Following up a bit...
>
>
> Most likely you're using a Process object to call the SNFClient.
>
>
> If I've read the MS docs correctly yo
Hello Shawn,
Following up a bit...
Most likely you're using a Process object to call the SNFClient.
If I've read the MS docs correctly you will want to get the "exit code" once SNFClient finishes.
http://msdn2.microsoft.com/en-us/library/system.diagnostics.process.exitcode(VS.71).aspx
Hope
Hello Shawn,
Thursday, January 10, 2008, 2:16:24 PM, you wrote:
>
Hello,
I am evaluating Message Sniffer beta version but I am totally confused. :-)
>
But how do I get the result code for the spam message to output back to the command prompt? If I try to call SNFClient
Make a bat file like this:
--
@echo off
echo syntax "batfilenavn.bat" "messagefil to test"
SNFclient.exe "%1"
echo %errorlevel%
pause
--
If it displays zero, the message is clean.
Hello,
I am evaluating Message Sniffer beta version but I am totally confused. :-)
If I am in
Hello Christopher,
Wednesday, December 12, 2007, 12:47:53 PM, you wrote:
> I'm seeing timeouts and very slow downloads from sniffer today.
> Is this just me?
We are having some router issues. They should be resolved today.
_M
--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.
Hello Andrew,
A few minor corrections if I may.
Friday, November 9, 2007, 8:31:01 PM, you wrote:
>
The Ugly value returned by the beta Message Sniffer you're using with the "Good, Bad and Ugly" database has a result code of 40, and this code is missing from your list.
That's not qu
The Ugly value returned by the beta Message Sniffer you're using with
the "Good, Bad and Ugly" database has a result code of 40, and this code
is missing from your list.
(The White value overlaps with result code 0, which internally to
Message Sniffer will mask any other "spam" result code on you
on a domain and then forwarding all the mail to a
remote system.
-Jay
-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On
Behalf Of John T (lists)
Sent: Thursday, March 08, 2007 11:44 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Sniffer as passthrough f
Yes, it is called email gateway service and many of us do that and it is
fairly straightforward to setup but there are a number of steps.
John T
> -Original Message-
> From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
> Of K Mitchell
> Sent: Thursday, March 08, 2007 6:16
posted this before getting pete's post
please disregard
- Original Message -
From: "Serge" <[EMAIL PROTECTED]>
To: "Message Sniffer Community"
Sent: Tuesday, December 12, 2006 8:11 PM
Subject: [sniffer] Re: Sniffer White List
> I'm using 000,
To: "Message Sniffer Community"
Sent: Tuesday, December 12, 2006 7:49 PM
Subject: [sniffer] Re: Sniffer White List
Serge, what return value are you using for this snifferwhitelist?
The official and current list of return codes is here:
http://kb.armresearch.com/index.php?title
Hello Serge,
Tuesday, December 12, 2006, 2:22:27 PM, you wrote:
> We started using tests for the different sniffer categories recently and are
> finding that snifferwhitelist is very inaccurate
> it is subtracting weight from more real spam than it does of non-spam
> messages
> should we just d
Serge, what return value are you using for this snifferwhitelist?
The official and current list of return codes is here:
http://kb.armresearch.com/index.php?title=Message_Sniffer.TechnicalDetails.ResultCodes
If you're using "0", then don't do that, because zero is also used for
"no result". Ac
Hello Fox,Thomas,
I might add that for a long while it has been a common recommendation
for SNF to be weighted at 70-80% of your "hold" weight. Quite often,
some result categories are weighted to hold on their own.
These days blackhats are using a burst-mode delivery tactic that makes
it virtually
Hello Steve,
This is an important point. Most of the image spam rules and in
particular "abstract heuristics" are coded to the experimental rule
group. The name implies only that these rules are not direct matches
for components of the message (singly or in combination) as are most
other rules - R
Hello Rick,
Wednesday, September 20, 2006, 8:34:55 AM, you wrote:
> I just signed my annual renewal for Sniffer but it seems that it used to
> catch lots of the email and now is only catching about 50% of the email. Why
> when we are sending in our information does this continue to happen? We are
Hi Rick,
I've found that tuning for spam is a constant process. I am always
tweaking settings, changing weights, etc., in response to spam
leakage.
Just yesterday I spent about 2 hours on it.
I (very reluctantly) implemented some phrase filtering, using the
filter function in Declude. I've been
On Sep 20, 2006, at 5:34 AM, Rick Hogue wrote: I just signed my annual renewal for Sniffer but it seems that it used to catch lots of the email and now is only catching about 50% of the email. Why when we are sending in our information does this continue to happen? We are getting lots of you won, Pha
We've been very happy putting invURIBL into the mix :)
-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
Of Darin Cox
Sent: Wednesday, September 20, 2006 9:11 AM
To: Message Sniffer Community
Subject: [sniffer] Re: Sniffer does not catch as mu
Community
Subject: [sniffer] Re: Sniffer does not catch as much as it used to.
Hi Rick,
It's a constant battle, with spammers getting more sophisticated, and
filtering tools trying to catch up and anticipate the next move.
That said, we do not see the kind of leakage you see, probably due to
Hi Rick,
It's a constant battle, with spammers getting more sophisticated, and
filtering tools trying to catch up and anticipate the next move.
That said, we do not see the kind of leakage you see, probably due to other
tests we run on our systems. I would recommend you supplement with BLs and
o
Hello Jonathan,
There's nothing tied to IP or domain that would stop SNF from running.
Most likely mxGuard is not calling SNF for some reason. Recheck that
config and any logs that are left behind, and also run SNF from the
command line to make sure it's doing what you expect it to.
Hope this hel
Pete,
My understanding was that Declude treats different arguments to an
executable as just being other forms of that executable so it only
processes it once. I'm not positive one way or another. It's worth
testing though.
Matt
Pete McNeil wrote:
Hello Matt,
Wednesday, June 7, 2006,
Hello Andrew,
Thursday, June 8, 2006, 11:32:47 AM, you wrote:
> Ditto.
> I advise people to use Insert, Item. Far easier than explaining how to
> drag and drop (or tie shoelaces).
It might be nice to have a SnagIt of that process to share w/ users.
> I've noticed that whether the headers surv
Darin,
Thunderbird allows you to choose the default forwarding method as
either inline or as attachment. It might actually default to inline, I
can't remember, but whenever it does message/rfc822 attachments, it is
as a whole unlike some other clients that edit it down to the bare
minimum of
TED] On Behalf Of Darin Cox
> Sent: Thursday, June 08, 2006 6:45 AM
> To: Message Sniffer Community
> Subject: [sniffer] Re: [sniffer][Fwd: Re: [sniffer]FP suggestions]
>
> >Thunderbird and Netscape just takes the full original source and
> >attaches it as a message/rfc82
>Thunderbird and Netscape just takes the full original source and
>attaches it as a message/rfc822 attachment. I forwarded this message
>back to the list by just pressing "Forward".
Interesting that they include the headers with a simple forward, without
specifying forward as attachment. I haven
Hello Pete,
Thursday, June 8, 2006, 9:42:42 AM, you wrote:
> Hello Pete,
> Thursday, June 8, 2006, 9:41:55 AM, you wrote:
>>> It does look a little weird. Sometimes it's normal though. I'll see if
>>> I can identify anything odd in the settings.
>>> _M
>> I've changed the settings. I hope th
Hello Pete,
Thursday, June 8, 2006, 9:41:55 AM, you wrote:
>> It does look a little weird. Sometimes it's normal though. I'll see if
>> I can identify anything odd in the settings.
>> _M
> I've changed the settings. I hope this response works ok.
> _M
Testing. Sorry for the extra traffic - on
> It does look a little weird. Sometimes it's normal though. I'll see if
> I can identify anything odd in the settings.
> _M
I've changed the settings. I hope this response works ok.
_M
--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.
###
> Please excuse me for wanting more detail about the Outlook
> attachment trick, but would you mind attaching this message
> to a response so that I could look at the headers and such?
The full headers are a useful thing if a customer asks me why he has
received a certain message that he doesn'
, or, at the very least, within 24 hours.
Darin.
- Original Message -
From: Matt
To: Message Sniffer Community
Sent: Wednesday, June 07, 2006 11:46 PM
Subject: Re: [sniffer]FP suggestions
Darin, Outlook will strip many of the headers when
forwarding. Outlook Express needs to forward the m
from same
day, or, at the very least, within 24 hours.
Darin.
- Original Message -
From: Matt
To: Message Sniffer Community
Sent: Wednesday, June 07, 2006 11:46 PM
Subject: Re: [sniffer]FP suggestions
Darin, Outlook will strip many of the headers when
forwarding. Outlook Express nee
Pete,
Just two more cents for the masses...
If people use this for two different external tests in Declude, they
need to create two differently named executables because Declude will
assume the calling executable to be part of the same test and only run
it once (or possibly create an error de
Darin,
Outlook will strip many of the headers when forwarding. Outlook
Express needs to forward the messages using "Forward As Attachment" in
order to insert the full original headers. Thunderbird/Netscape Mail
will work just by forwarding. If you paste the full source in a
message, you sho
>It is unclear - we receive FPs that have traveled through all sorts of
>clients, quarantine systems, changed hands various numbers of times,
>or not (to all of those)... Right now I don't want to make that
>research project a high priority.
Understood.
>That's true it wouldn't change, but submit
>Unfortunately, by the time the message gets to us it is sometimes just
>different enough that the original pattern cannot be found. There are
>some folks who consistently have success, and some who occasionally
>have problems, and a few who always have a problem.
Different in what way? Is the ma
Awesome. Great job, Pete.
Darin.
- Original Message -
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: "Message Sniffer Community"
Sent: Wednesday, June 07, 2006 6:49 PM
Subject: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]FP
suggestions
Hello Matt,
Wednesday, June 7, 2006,
Right. Anything forwarded would be either above our delete weight, or
reviewed and forwarded from within our hold range.
Darin.
- Original Message -
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: "Message Sniffer Community"
Sent: Wednesday, June 07, 2006 6:59 PM
Subject: [sniffer]Re[2]:
(sniff) Aw, cut it out, Matt.
You're making me all weepy.
p.s. Pete, that's pretty darned
amazing!
From: Message Sniffer Community
[mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Wednesday, June 07, 2006 3:58 PM
To: Message Sniffer Community
Subject: Re: [sn
Pete,
I think that you just broke Scott's record with his two hour feature
request with your own two hour program :)
Anyone remember those days???
Thanks,
Matt
Pete McNeil wrote:
Hello Matt,
Wednesday, June 7, 2006, 4:22:05 PM, you wrote:
Pete,
Since the %WEIGHT%
That would be great if you could add message rewriting. With the complete
lack of response by Declude to support emails and the support list, they're
going to lose most of us as customers as soon as someone comes out with an
IMail/SmarterMail compatible product that has weighting and the array of
n the
report.
Darin.
- Original Message -
From: Scott Fisher
To: Message Sniffer Community
Sent: Wednesday, June 07, 2006 10:08 AM
Subject: Re: [sniffer]FP suggestions
For me the pain of false positives submissions is
the research that happens when I get a "no rule found" return.
I the
Huh? No, not at all. Check it
again. It will work as specified.
Darin.
- Original Message -
From: Computer House Support
To: Message Sniffer Community
Sent: Wednesday, June 07, 2006 10:00 AM
Subject: Re: [sniffer]SPF
Hi Darin,
FYI, I tried putting in v=spf1 mx
-all as
>> This also got me thinking of the flip side, spam reporting. There's a
>> significant untapped load of spam that sniffer doesn't fail that we
filter.
>> I was thinking about creating a filter to copy your spam@ address with
>> messages that get moved to our archive (we archive held spam for 30 d
>> Can I interpret this as email address and matching source IP are
sufficient
>> if the correct email address is used to submit?
>Yes.
Ok, so the answer to my original suggestion is yes. Great.
> If not, do you have any suggestions on how you would like to see us
> inserting the license ID in
I'm glad I stuck with it.
Andrew.
From: Message Sniffer Community
[mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Wednesday, June 07, 2006 1:22 PM
To: Message Sniffer Community
Subject: Re: [sniffer]Re[2]: [sniffer]Re[2]: [sniffer]FP suggestions
Pete,
Since the %WEIGHT% v
Pete,
Since the %WEIGHT% variable is added by Declude, it might make sense to
have a qualifier instead of making the values space delimited. Errors
in Declude could cause values to not be inserted, and not everyone will
want to skip at a low weight. I haven't seen any bugs with %WEIGHT%
sinc
Pete,
An X-Header would be very, very nice to have. I understand the issues
related to waiting to see if something comes through, and because of
that, I would maybe suggest moving on your own.
Sniffer doesn't need to be run on every single message in a Declude
system. Through weight based s
For me the pain of false positives submissions is
the research that happens when I get a "no rule found" return.
I then need to find the queue-id of the original
message and then find the appropriate Sniffer log and pull out the log lines
from there and then submit it. Almost always in thes
f1 a -all"
Does this sound right to you?
Mike Stein
- Original Message -
From: Darin Cox
To: Message Sniffer Community
Sent: Tuesday, June 06, 2006 9:54 PM
Subject: Re: [sniffer]SPF
What's your hold weight? If spam is only
failing SPF and nothing else,
.
- Original Message -
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: "Message Sniffer Community"
Sent: Wednesday, June 07, 2006 8:30 AM
Subject: Re: [sniffer]AW: [sniffer]Numeric spam
> Hello Markus,
>
> Wednesday, June 7, 2006, 7:43:36 AM, you wrote:
>
Hi Pete,
Can I interpret this as email address and matching source IP are sufficient
if the correct email address is used to submit?
If not, do you have any suggestions on how you would like to see us
inserting the license ID in the D file?
Darin.
- Original Message -
From: "Pete McNe
Hello Markus,
Wednesday, June 7, 2006, 7:43:36 AM, you wrote:
>
>
> Today I've noticed that there is a relation between the recipient
> addresses that were used in the past 36 hours in the numeric spam
> messages and the following wave of stock-spam messages containing
> this png-graphic. A
06 12:59 AM
Subject: Re: [sniffer]FP suggestions
Pete,
Regarding suggestions for easing the
reporting process, I would recommend the following possible modifications:
1) An E-mail submission tool similar to the one now, but replies
would be automated
2) Send back links or rather an HTML form
Pete,
Regarding suggestions for easing the reporting process, I would
recommend the following possible modifications:
1) An E-mail submission tool similar to the one now, but
replies would be automated
2) Send back links or rather an HTML form with checkboxes in an E-mail
auto-response allowin
House
- Original Message -
From: Darin Cox
To: Message Sniffer Community
Sent: Tuesday, June 06, 2006 9:30 PM
Subject: Re: [sniffer]Numeric spam
What do you use for spam filtering? Declude
has the ability to test SPF, for example.
Also, what is your SPF record for the domain in
question?
Darin.
Subject: Re: [sniffer]Numeric spam
Hi Darin,
Thanks for your reply. Sure wish I understood what
you're saying
Michael Stein
Computer House
- Original Message -
From: Darin Cox
To: Message Sniffer Community
Sent: Tuesday, June 06, 2006 8:10 PM
Subject: Re: [sn
Hi Darin,
Thanks for your reply. Sure wish I understood what
you're saying
Michael Stein
Computer House
- Original Message -
From: Darin Cox
To: Message Sniffer Community
Sent: Tuesday, June 06, 2006 8:10 PM
Subject: Re: [sniffer]Numeric spam
Th
Community
Sent: Tuesday, June 06, 2006 8:07 PM
Subject: Re: [sniffer]Numeric spam
I thought that having an SPF record would prevent a
spammer from forging your domain name, but our SPF record did not seem to help
with these odd numeric E-mails which appear to be coming from our
own domain.
Does
this type of junkmail?
Michael Stein
Computer House
- Original Message -
From: Colbeck, Andrew
To: Message Sniffer Community
Sent: Tuesday, June 06, 2006 7:37 PM
Subject: Re: [sniffer]Numeric spam
Both of which are reasonable, particularly given the
recent
> Can you recommend an alternate process, or changes to the existing
> process that would be an improvement and would continue to achieve
> these goals? We are always looking for ways to improve.
I've been thinking about this recently. I'm mostly concerned with FPs for
the best tests, like Sniffe
iffer Community
Subject: Re: [sniffer]Numeric spam
My thought is they are either building a db of valid names or testing delivery
techniques.
John T
eServices For You
"Seek, and ye shall find!"
-Original Message-
From: Message Sniffer Co
t: Tuesday, June 06, 2006 3:46 PM
To: Message Sniffer Community
Subject: Re: [sniffer]Numeric spam
On Jun 6, 2006, at 7:51 AM, Steve Guluk wrote:
We're getting the same and today it started hitting a different account (Domain).
What are these things? I thought
exp
es
>that the bad guys care about list scrubbing. The greatest supposition
>is that they would do this without commercial gain; after all, they
>could have done this without a special spam run.
>
>I think they just screwed up again.
>
>Andrew 8)
>
>
>
>
crewed up again.
Andrew 8)
From: Message Sniffer Community
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Guluk
Sent: Tuesday, June 06, 2006 3:46 PM
To: Message Sniffer Community
Subject: Re: [sniffer]Numeric spam
On Jun 6, 2006, at 7:51 AM, Steve Guluk wrote:
We
On Jun 6, 2006, at 7:51 AM, Steve Guluk wrote: We're getting the same and today it started hitting a different account (Domain). What are these things? I thought exploratory, maybe looking for replies to build a DB for a later spam wave? They're not malicious in content and look like someone's virus wo
uration as well
now.
>
> > - Original Message -
> > From: "Nick Hayer" <[EMAIL PROTECTED]>
> > To: "Message Sniffer Community"
> > Sent: Tuesday, June 06, 2006 10:05 AM
> > Subject: Re: [sniffer]Numeric spam topic change to png stock
I have 46 RBL's configured, though 16 are configured to score
differently on last hop and prior hops. I would say that more than 35
of these are things that I would not like to lose.
I weight most RBL's at around half of my Hold weight in Declude. False
positives on my system typically hit a
I use just shy of 60 DNS based tests against the sender, both IP4R and
RHSBL.
Perhaps 10-12 matter.
Due to false positives, I rate most of them relatively low and have
built up their weights as a balancing act. That act is greatly assisted
by using a weighting system and not "reject on first hit
etley bypass Declude (but that's only a small fraction of the
total).
Regards
David
> -Original Message-
> From: Message Sniffer Community
> [mailto:[EMAIL PROTECTED] On Behalf Of David Waller
> Sent: Tuesday, June 06, 2006 5:46 AM
> To: Message Sniffer Community
> S
iguration?
> (please do not publish your sniffer-id!)
>
> Markus
>
>
>
>
> > -Original Message-
> > From: Message Sniffer Community
> > [mailto:[EMAIL PROTECTED] On Behalf Of David Waller
> > Sent: Tuesday, June 6, 2006 11:51
> >
We're getting the same and today it started hitting a different account (Domain). What are these things? I thought exploratory, maybe looking for replies to build a DB for a later spam wave? They're not malicious in content and look like someone's virus working incorrectly. But, I doubt they are reall
I use about 100 dnsbl/rbl/rhsbl list of varying weights and reliabilities.
How many matter...
I'd have to say the shining star is CBL. Hits 45% of the spam with a very
low false positive rate.
The relay RBLs days are way behind them,
The proxy RBLs most useful days are behind them
The DUL RBLs
Pete McNeil wrote:
Hello Nick,
What is your false positive rate with that pattern?
Hmm let's go to the MDLP for yesterday :)
                  SS   HH  HS  SH  SA        SQ
REGEX.STOCK.BODY  331  0   0   66  0.667506  0.445565
COMBO.STOCK_PNG   16
Nick, very good method. I have added that to my configuration as well now.
- Original Message -
From: "Nick Hayer" <[EMAIL PROTECTED]>
To: "Message Sniffer Community"
Sent: Tuesday, June 06, 2006 10:05 AM
Subject: Re: [sniffer]Numeric spam topic change to pn
Hi Markus -
Markus Gufler wrote:
There is also another type of spam (stock spam now with attached png image)
this morning passing our filters.
I am catching these fairly easily -
a combo filter -
#combo-stockspammer-png.txt
SKIPIFWEIGHT 26
TESTSFAILED END NOTCONTAINS EXTERNAL.REGE
Hello Michiel,
Tuesday, June 6, 2006, 3:10:52 AM, you wrote:
>
> Crew,
>
>
>
> I'm a bit concerned about the amount of spam that Sniffer's not
> getting. It used to be a near 99% catch rate, but now it looks like it's
> down to 70%...?
>
>
>
> I opened my own mailbox this morni
Hi Pete,
Pete McNeil wrote:
How many DNS based tests do you use in your filter system?
approx 100
How many of them really matter?
depends :)
I generally weight them all very low; it's the combination of several
that make each 'matter'. As I review held mail I remove ones that are
b