News
2013-04-30 Rulebase Compiler Improvements
We have improved our rulebase compiler scheduling and efficiency. This has allowed us to increase the pace of rulebase updates by approximately 20%.
You should see a further reduction in leakage rates and slightly more frequent rulebase updates.
2013-04-10 Convert Your Declude OEM License Now and Get Full Credit!
It appears that Declude (the company) is failing. After many rumors of problems and some first-hand experience, today the Declude web site has gone dark.
We have a long-standing relationship with the Declude community, and we want to make sure we do what we can to support them even if Declude itself goes away.
Place an order for Message Sniffer (SNF) now and we will give you credit for any time you have left on your Declude OEM license subscription. Tell us your Declude OEM expiration date and we will add the time you have left to your new SNF license + the renewal year.
For the best pricing we recommend you purchase through one of our resellers.
Please let us know if there is more we can do!
2012-11-23 New GBUdb Tool
We have been playing with a new utility that some of you may enjoy.
http://www.armresearch.com/message-sniffer/download/GBUDBTool-V0.1.zip
GBUDB Tool allows you to create a list of IP addresses from your GBUdb snapshots (.gbx files). You can select IPs that are "blacker" or "whiter" than a provided probability figure and confidence figure. It outputs one IP per line, optionally with details about the statistics for the IP. This can be useful for feeding-forward blacklists to block at your firewall or for other research purposes.
Run GBUDBTool without any parameters and it will tell you about its command line options.
2012-06-26 Message Sniffer Rule #5,000,000 Coded!
Message Sniffer Rule #5,000,000 was coded by Andy (Worm Thunder) 20120626.1408. SortMonsters Rock!
2012-02-23 Message Sniffer System Upgrades
Here are some of the system upgrades that we have made recently:
- We have boosted our rulebase production system. New rulebase updates will arrive about 25% faster on average.
- We have optimized Rulebot productivity to respond to a wider range of spam / malware variants automatically.
- We have augmented our QC processes to seek out more potential false positive cases and stop them before they occur.
- We have added additional research channels to help identify more threats more quickly.
Note that over the next few weeks we will be making additional changes to our technical infrastructure. During service windows occurring at times of low-activity there may be short disruptions in SYNC server connections and/or rulebase delivery. We will do our best to avoid these, and those that do occur should go unnoticed.
Your Message Sniffer software installation is designed for high performance and high availability. It will continue to function normally even if we have a disruption during our upgrades, and it will automatically recover from any such disruption without any assistance.
2011-11-01 New Small Business Rates Offered!
We are now offering special pricing for small businesses. We are offering two rates: SMB Rate at $199/instance/year and SOHO Rate at $99/instance/year.
During your 30 day free trial, we will be monitoring your telemetry, in particular your HAM ratio (the average number of good messages per day that your system processes). Based on the numbers we see, we will notify you via email if you qualify for either of the special rates.
For current customers, you will be notified in your renewal notices if you qualify for these rates.
For questions about these rates, please contact sales at sales@armresearch.com.
2011-09-26 SNF Server/Client for *nix Updated - Important Bug Fixed
Tarball snf-server-3.0.13.tar.gz has been posted to the Products page.
This distribution contains some minor bug fixes and code improvements bringing the SNFMulti Engine up to 3.0.17.
IMPORTANT: This distribution also contains a "clean" SNFServer/main.cpp that fixes a random crash bug!
The previous distribution snf-server-3.0.12 contained testing code that would intentionally force a crash (seg fault) under specific load conditions. The testing code would make it appear that SNFServer was crashing at random with crashes being more likely under higher load conditions.
The testing code should not have escaped the lab and was not intended for use in production. We have reviewed and revised our publishing procedures to ensure this does not happen again. This new distribution snf-server-3.0.13 does not contain the testing code.
This bug was not included in Win* distributions - only snf-server-3.0.11.tar.gz and snf-server-3.0.12.tar.gz included the errant testing code.
2011-04-06 4 Millionth Rule!
We have reached our 4 Millionth Rule! -- Our rule bots now have more than 4 Million heuristics available for activation at any moment. When new spam is spotted that matches an old rule, that rule is reactivated automatically.
The vast majority of our rules have been coded by hand over the years by our amazing Rule-Techs (The SortMonsters). These highly trained professionals work around the clock (24x7x365) and consistently produce the most accurate rules available anywhere. They are really a fantastic team and a great bunch of folks to boot. :-)
2011-01-18 CommuniGate Pro Plugin for MS Windows Updated
We've updated the MS Windows version of our Anti Spam / Anti Malware plugin for CommuniGate Pro.
We have rewritten the documentation and distribution files to make the installation process simpler and clearer. We've also updated the main configuration file with CSS and XSL so that you can view a clear, human friendly version of your snf_engine.xml file simply by opening it in your web browser.
For more information, visit the SNF4CGP page in the products section.
To download the SNF4CGP plugin, visit the Products page.
2010-11-13 Rulebase Compiler Retuning Completed
Over the past few days we've finished a major re-tuning of our rulebase compiler system. The improved rulebase compiler bots are just a bit smarter and as a result many systems are receiving their updated rulebase files sooner than ever before. This means capturing more spam early on more systems and as a result more accurate data in GBUdb for new bot-nets. A win for everyone.
2010-06-22 GBUdb.com Website Launched!
We have launched the GBUdb.com website: http://www.gbudb.com.
We have also updated the generator for the truncate.gbudb.net list so that the TXT records include a link to the list descriptor at http://www.gbudb.com/truncate/ and the IP address in [square brackets].
Please tell us what you think.
2010-04-29 Opening truncate.gbudb.net
We have been testing a blacklist based on real-time GBUdb data (generated from Message Sniffer).
We have decided to experiment with opening up the blacklist for a wider audience and so as of now you can use truncate.gbudb.net as an ip4r test.
You should get a result of 127.0.0.1 if the IP is well into the truncate range -- That is: truncate.gbudb.net is designed to be ultra-conservative so that it should be safe to reject connections based on the test in most cases. This also means that it won't block everything -- only the worst of the worst. That said, the folks who have been testing it have reported that it did drop a significant amount of traffic from their systems on average.
UPDATE: RFC 5782 states:
"IPv4-based DNSxLs MUST NOT contain an entry for 127.0.0.1."
and also states:
"The A record contents conventionally have the value 127.0.0.2"
So we will be changing the result code for truncate.gbudb.net to 127.0.0.2 effective immediately.
Please keep us all posted about how it's working for you.
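The ip4r test described above, as an added example that is not ARM Research code: the client reverses the octets of the connecting IP, queries that name under truncate.gbudb.net, and treats only 127.0.0.2 as a listing. The function names, the sample address and the fail-open handling of lookup errors are assumptions of this example.

```c
#include <arpa/inet.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

#define ZONE "truncate.gbudb.net"            /* zone named in the post */

enum verdict { NOT_LISTED, LISTED, UNEXPECTED };

/* Build the ip4r query name: octets reversed, zone appended.
 * Returns 0 on success, -1 on a malformed address or short buffer. */
int ip4r_name(const char *ip, char *out, size_t outlen) {
    unsigned char o[4];
    if (inet_pton(AF_INET, ip, o) != 1) return -1;
    int n = snprintf(out, outlen, "%u.%u.%u.%u.%s", o[3], o[2], o[1], o[0], ZONE);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Classify the A record returned for the query (NULL means no record).
 * Only 127.0.0.2 counts as listed; 127.0.0.1 (the retired code) or any
 * other address is treated as a resolver or configuration problem. */
enum verdict classify(const char *a_record) {
    if (a_record == NULL) return NOT_LISTED;
    return strcmp(a_record, "127.0.0.2") == 0 ? LISTED : UNEXPECTED;
}

/* Live lookup (needs DNS). Assumption: lookup failures fail open. */
enum verdict check_ip(const char *ip) {
    char name[128], answer[INET_ADDRSTRLEN];
    struct addrinfo hints, *res = NULL;
    if (ip4r_name(ip, name, sizeof name) != 0) return UNEXPECTED;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_INET;
    hints.ai_socktype = SOCK_STREAM;
    if (getaddrinfo(name, NULL, &hints, &res) != 0) return NOT_LISTED;
    struct sockaddr_in *sin = (struct sockaddr_in *)res->ai_addr;
    inet_ntop(AF_INET, &sin->sin_addr, answer, sizeof answer);
    freeaddrinfo(res);
    return classify(answer);
}

int main(int argc, char **argv) {
    static const char *label[] = { "not listed", "listed", "unexpected answer" };
    const char *ip = argc > 1 ? argv[1] : "192.0.2.25";  /* constructed sample */
    printf("%s: %s\n", ip, label[check_ip(ip)]);
    return 0;
}
```

Rejecting only on LISTED keeps a hijacked or wildcarding resolver, which answers every name with some address, from turning into a reject-everything rule.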
2010-03-30 SNF4SA Upgrade
We have posted two new files to our products page containing an upgrade to our Message Sniffer for Spam Assassin plugin:
Message Sniffer Client/Server for *Nix (Linux, BSD, OSX, etc...)
Message Sniffer For Spam Assassin
The newest version of Message Sniffer for Spam Assassin (SNF4SA) contains minor bug fixes, but most importantly provides support for older implementations of SpamAssassin that do not support dynamic scores from plugins.
When SNF4SA detects a version of SpamAssassin prior to 3.2 it will automatically produce a static score based on reaching the configured threshold. This allows SNF4SA to work automatically in both old and new versions of SpamAssassin to dramatically increase spam filtering performance and accuracy without additional tuning or tweaking.
We implemented this feature because there are some systems out there using older versions of SpamAssassin and the administrators of those systems do not want to upgrade SpamAssassin to the latest version for some reason. Message Sniffer generally runs on these systems without a problem and now so does SNF4SA.
Previously if you were to install SNF4SA on an older version of SpamAssassin it would not work properly and no score would be added when Message Sniffer detected spam. If you have had this experience in the past you should try again with this new version and please let us know.
2010-02-05 Rulebase updates increased by 25%!
After more back-end improvements and some careful analysis we have increased our rulebase update rate by another 25%.
This will mean:
- Less time for new spam to get through between updates
- More accurate IP reputation information against new bots
- Faster removal of troublesome rules (fewer false positives)
2010-02-04 New Proactive False Positive Prevention Initiatives
Unqualified false positive candidates: Through this review process we are able to remove and modify pattern rules that cause occasional low-level false positives that would otherwise not be reported. This system is already allowing us to recode or remove dozens of rules per day to make them more accurate; and to update our rule coding practices and support systems to further improve our accuracy moving forward.
Real-time rule / IP conflict analysis: This system monitors conflicts between IP reputations and pattern rule matches across the entire fleet of Message Sniffer installations in real-time. Any time a pattern match is in disagreement with a source IP's reputation that information is analyzed and pumped through a sophisticated collection of filters and data-mining tools. The resulting analysis is displayed in real-time in our spam-weather center so that our staff can respond immediately (24x365) if there is any sign of a "bad rule".
2010-01-04 Message Sniffer DLL now used in Declude
The Declude folks have announced version 4.10.42. With this version Declude now integrates Message Sniffer via our DLL.
Benefits:
- Improved performance
- Not an external test, so no program must be launched
- Uses the message already in RAM thus saving disk IO
- SNFMulti engine runs inside of the Declude service (one less program / service)
- No XCI calls required to request scans (reduced communications overhead)
- Provides direct access to the GBUdb IP Reputation system for additional scoring options
Here is a link to their announcement as archived on "The Mail Archive".
http://www.mail-archive.com/declude.junkmail@declude.com/msg33094.html
2010-01-01 New Year's Message Sniffer Promotion
For each NEW customer in the month of January 2010, MicroNeil will donate a new sleeping bag to TOP to benefit the homeless in the Washington DC Area!
2009-11-21 Message Sniffer Antispam/Antimalware plugin for CommuniGate Pro Beta Released
Today we're releasing version 0.1.0 (a beta) of our spam filter plugin for CommuniGate Pro (CGP). You can find the distributions on our Products page.
We've been testing this for a while in the lab and in our spamtrap processing servers. It's very fast and very stable.
More documentation is on its way -- however each distribution also contains the documentation typical of CGP plugins.
SNF4CGP (CGPSNF) does everything a typical CommuniGate filter plugin does and a bit more. In addition to providing X- headers that can be used with filter rules, CGPSNF can also be configured to take any of these actions (configurable by result code, of course):
- Allow - This is the typical CommuniGate plugin response. CGPSNF will provide X- headers as configured. The X- headers can be used to trigger CGP message processing rules.
- Bypass - This action bypasses SNF4CGP -- the message has been scanned and logged, but CGP is not provided with headers and no additional action is taken.
- Delete - This action tells CGP to discard the message.
- Hold - This action takes the message as it was provided by CGP, injects the SNF headers, and then puts that message in a folder of your choice for later processing. This is a great hook to use if you are a service provider and you want to build sophisticated quarantine and/or policy review processes.
- Reject - This action tells CGP to reject the message with the provided reason.
CGPSNF can also be configured to add its log entries to the CGP log for easy review -- even if the log is not stored as a file by SNF (use mode='api'). Also, just like SNFServer, the XCI interface is provided so you can use SNFClient for GBUdb manipulation or "out of band" message scanning. The full SNFServer engine is in place whenever the CGPSNF plugin is active.
As always - there is no need to restart SNF after making changes to the configuration -- so you can change these options on the fly as needed.
If you have any questions please let us know.
2009-09-11 SNFMilter 1.0.3 released -- bug fix
Those of you using SNFMilter should upgrade to the latest.
We have fixed a bug which would cause SNFMilter to exit with a SIGSEGV under some conditions -- Specifically the error would occur when mlfi_connect() was called with a NULL host address.
2009-08-30 Postfix with Milter, Out-of-Sync Issue Fixed
This week Postfix stable release 2.6.5 as well as Postfix legacy releases 2.5.9, 2.4.13, and 2.3.19 have been posted. These versions fix the Milter out-of-sync problem. If you are using SNFMilter with Postfix, you should consider upgrading to one of these versions so that you can enable use of the quarantine method.
2009-08-26 Updates for SNFServer and SNFMilter
We have posted the following new *nix distributions for SNFServer and SNFMilter & Windows SNFServer:
snf-milter-1.0.2.tar.gz
snf-server-3.0.10.tar.gz
SNFServerV3.0.2-E3.0.11.exe
These new versions fix a rare memory leak bug that occurs when corrupt rulebase files are presented to the SNF engine. The SNF engine would read and ultimately reject the bad rulebase file but would not release the memory associated with it.
Most systems never saw this bug because their update mechanism would validate the rulebase (.snf) file before swapping it into place.
As a result most folks don't technically _need_ this update -- but it is best if you update to this latest version when you can schedule it in.
Windows users can download the SNFServerV3.0.2-E3.0.11.exe file, then:
- Stop SMTP (to prevent queuing)
- Stop SNFServer
- Rename SNFServer.exe to SNFServer.exe.bak
- Copy SNFServerV3.0.2-E3.0.11.exe over SNFServer.exe
- Start SNFServer
- Start SMTP
2009-07-29 SNFMilter Released
Today we've officially released SNFMilter - a version of Message Sniffer that integrates directly with sendmail and postfix servers.
2009-07-29 Updated Client/Server Distribution for Linux, BSD, & *nix Systems
We've posted a new version of our Client/Server distribution for Linux, BSD, & other *nix systems. You can find snf-server-3.0.9.tar.gz on our products page.
This update contains a fix for a minor bug in the CodeDweller/Networking code: Under some (rare) circumstances SNFServer would exit with SIGPIPE. The new code includes an appropriate use of MSG_NOSIGNAL or SO_NOSIGPIPE depending on the platform used to build the software.
The SIGPIPE bug does not affect Windows systems. However, a new update to the Windows installer is due relatively soon just to keep all of the versions up to date and to update some documentation for some of the integrated platforms.
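The kind of fix described above, as an added example (not the CodeDweller/Networking source): MSG_NOSIGNAL is passed on each send() where the platform defines it, and SO_NOSIGPIPE is set once per socket where the platform offers that instead. The helper names quiet_socket, quiet_send and send_to_closed_peer are made up for this example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

#ifdef MSG_NOSIGNAL
#define SEND_FLAGS MSG_NOSIGNAL   /* per-call flag, e.g. Linux */
#else
#define SEND_FLAGS 0              /* rely on SO_NOSIGPIPE instead */
#endif

/* Call once after socket()/accept(): per-socket option, e.g. BSD and OS X. */
int quiet_socket(int fd) {
#ifdef SO_NOSIGPIPE
    int on = 1;
    return setsockopt(fd, SOL_SOCKET, SO_NOSIGPIPE, &on, sizeof on);
#else
    (void)fd;                     /* nothing to set on this platform */
    return 0;
#endif
}

/* send() that reports a vanished peer as EPIPE instead of raising SIGPIPE. */
ssize_t quiet_send(int fd, const void *buf, size_t len) {
    return send(fd, buf, len, SEND_FLAGS);
}

/* Reproduce the failure case: the peer closes, then we write.
 * Returns the errno from send(), 0 if it succeeded, -1 on setup failure. */
int send_to_closed_peer(void) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    quiet_socket(sv[0]);
    close(sv[1]);                              /* peer goes away */
    ssize_t n = quiet_send(sv[0], "x", 1);
    int err = (n < 0) ? errno : 0;
    close(sv[0]);
    return err;
}

int main(void) {
    int err = send_to_closed_peer();
    printf("send() after peer close: %s; process still running\n",
           err > 0 ? strerror(err) : "no error");
    return 0;
}
```

Without either setting, the same write delivers SIGPIPE, whose default action terminates the process, which matches the exit the news item describes.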
This update includes improved control scripts that provide for a special debug mode. The debug mode runs SNFServer with a number of debugging options enabled to capture detailed information about how SNFServer is running. Most folks will never need this ;-)
Other improvements to the source code have also been included.
2009-05-12 SNF4SA - Message Sniffer Anti-Spam Plugin for SpamAssassin Released
We have just released a MUCH improved plugin for SpamAssassin. Our new plugin makes full use of the SpamAssassin Plugin API to provide features like:
- Add weights for specific scan result codes.
- Add (or subtract) additional weight based on IP reputation statistics.
- Optionally skip other tests.
- Inject SNF headers.
The SNF4SA plugin is included in the latest *nix distribution of SNF on our Products page.
Also we have packaged the SNF4SA plugin separately for those of you running SpamAssassin on Windows machines -- or if you already have SNF up and running and just want to switch to the latest SpamAssassin plugin.
For more information visit our SNF4SA page.
We look forward to your feedback!
