Glossary
Alias - An alias is an alternative email address to be used for a specific license. If an email comes from an unknown source it may not be tended to. Aliases are used so that a false-positive submission or support request sent from that address is recognized as legitimate. Please send a note to support@armresearch.com if you would like to add an alias to your account. Related Words: Email Address.

Attachments - An attachment is typically a file or message that is added to an email message. Many viruses and much spam are sent via attachments or by exploiting security problems associated with attachments. To prevent legitimate attachments from being blocked or scanned, we recommend that all attachments be compressed (for example with WinZip). Zipped files appear to Message Sniffer as random data and therefore won't match any patterns.

Authentication String - The authentication string is an alphanumeric sequence that is used to validate Message Sniffer rulebase files. Each Message Sniffer license has both an ID and an Authentication String. Both must be correct and the rulebase file must be complete in order to use the Message Sniffer rulebase. It is best to keep the Authentication String secret like a password. Related Words: License.

Automated Updates - Rulebase files are typically downloaded automatically when SNFMulti (the Message Sniffer scanning engine) detects that a new rulebase is available. See Also: Rulebase Updates, Automated Updates

Berserkers - Blackhats sometimes send messages that are random and/or carry no payload. These "berserkers", sometimes sent by accident by broken bots or broken spam scripts, have the effect of improving the IP reputations of the systems that send them because there is not sufficient content to filter against. In addition, these messages are often sent at such low rates that most adaptive filtering systems fail to respond to them -- if those systems were to be (conventionally) sensitized to the berserkers they would also significantly increase their false-positive rates. We call these berserkers after the old Norse warriors who, in an uncontrollable state (chaotic, berserk, in a fit of madness, and believing themselves immune to weapons), would charge directly into the enemy's ranks, fearlessly attacking anything and everything (friend or foe).

Blocked Rule - A blocked rule is a reference to a black or white rule which prevents that rule from being propagated into the rulebase (at least at the level where the blocking rule is present). A local blocking rule ensures that the specified core rule will not be part of your local rule set. This is not the same as a white-rule because other rules may still capture the content. It simply means that this particular rule will not apply to your system. You might think of it as being a non-rule or perhaps half way to being a white rule. Related Words: Rule, White Rule.

Client - The client usually refers to the SNFClient software or any other software or system that makes requests of the SNFServer engine. See Also: SNFClient.

Drill Down Training - Drill down training refers to a feature in SNF Version 3.0 that allows SNF/GBUdb to automatically ignore certain trusted Received: headers thereby "drilling down" to the actual original source for a given message. The GBUdb is trained to recognize the IPs in the trusted Received headers as part of the messaging infrastructure so that they become transparent to the IP reputation system. See Also: GBUdb, Drill Down Training.

Edge - Edge refers to a mathematical point on a graph or in a network. In the case of SNF and GBUdb, it refers to a point on the edge of a particular statistical envelope that describes the behavior of the IPs that fall within that envelope.

Email Address - The email address is the subscriber unique identifier. The subscriber's license information is stored under the user's email address. The user can also set up aliases to identify themselves if they have more than one email address. Related Words: Alias.

Envelope - Envelope refers to the boundary of a range of statistical values in the GBUdb that represent a particular class of IPs based on their observed behavior. A graph can be made using the probability figure (horizontal axis) and confidence figure (vertical axis) on which each IP in the GBUdb can be plotted. Shapes can be drawn around regions of this graph representing IPs that behave a particular way. The outer boundaries of these shapes represent the "envelope" of the region defined by that shape. An IP whose probability and confidence figures would be plotted inside a given shape is said to be within that envelope. If the shape represented IPs in the caution range, for example, an IP that can be plotted inside that envelope would be "in the caution range". See Also: GBUdb.

False Negative (SPAM) - A false negative is an email that has NOT been marked as spam that really is spam. Related Words: False Positive. See Also: Spam Submissions.

False Positive - A false positive is an email that has been marked as spam but isn't really spam. Related Words: False Negative. See Also: False Positives.

GBUdb - Good Bad Ugly database (sometimes pronounced G-buddy). This is the name of the real-time IP reputation system integrated into SNF. The name is derived from the basic types of records stored in the database. Good records describe IPs that are administratively white-listed. Bad records describe IPs that are administratively black-listed. Ugly records describe IPs that must be examined each time they are encountered by the system so that their behavior can be monitored; these IPs are evaluated based on their statistics. There is one more type of record in GBUdb -- Ignore -- which marks the IP as part of the system's infrastructure and makes it transparent / invisible (since it's invisible it's also not in the name). See Also: GBUdb.

Header Directives - Header directives are GBUdb & SNF rules based on message headers. Messages containing headers that match these rules are treated differently. Typically Header Directives are used to fine-tune the training mechanisms in GBUdb & SNF. See Also: GBUdb, Training.

Ignore List - The ignore list is the set of records in GBUdb that have their Ignore flag set. Also, the GBUdbIgnoreList.txt file which is used as a safety net to ensure that certain IPs are always set to "Ignore" in the GBUdb even if the GBUdb data is lost. See Also: GBUdb, GBUdbIgnoreList.txt.

License - A Message Sniffer license represents a single specialized rulebase that can be used on a single email server. Rulebase files and log files for this license will all be named for the license ID. Each license ID has a single authentication string which is used to validate the rulebase files for that license. Related Words: Authentication String, License Name, Rule.

License Name - The license name is the 8-character string that identifies the license. This is found under an expanded subscriber email address. Related Words: License.

Local Blocking Rule - A local blocking rule means that the rule in question would not be part of your local rule set. This does not necessarily whitelist the content because other rules may still capture the message. It simply means that this particular rule will not apply to your system. You might think of it as being a non-rule or perhaps half way to being a white rule. Related Words: Rule.

Log File - The Message Sniffer utility produces a log file containing information about each rule that matched each message, the relative positions of the matching patterns, and a number of important performance statistics. These log files can be analyzed to refine the rulebase and monitor important performance metrics. Related Words: License. See Also: Log Files.

Morph Ready Rule (Adaptive Rule) - Adaptive Rules synchronize on the static portions of the pattern they are using and then use run-loop sequences in between the static elements for pattern matching. For example, an adaptive rule might match the correct sequence of keywords in the correct order anywhere in the message when anchored by one or two critical identifying marks. The pattern matching engine is able to apply these kinds of "abstract" pattern descriptions without additional CPU time. Related Words: Rule.

Range - In GBUdb, collections of IPs with similar statistics are said to be in a particular range. For example, IPs that have consistently delivered messages that match spam rules and have been seen frequently are likely to end up in the "black" or "truncate" range. The statistics describing these IPs will have strongly positive probability figures and relatively high confidence figures. If these IPs were plotted on a graph with probability figures on the x axis and confidence figures on the y axis, they would be grouped together inside an "envelope" that describes the "black" or "truncate" range. Related Words: Envelope, Edge. See Also: GBUdb.
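The Envelope and Range entries above describe plotting each IP by probability (x axis) and confidence (y axis) and reading its range off the envelope it falls inside. The following is an added illustration of that idea, not code from Message Sniffer or GBUdb: the probability/confidence formulas, the envelope thresholds and the sample IP records are all constructed assumptions.

```python
"""Constructed illustration of GBUdb-style ranges defined by envelopes
on a (probability, confidence) plane. Formulas and thresholds are assumed."""
from dataclasses import dataclass


@dataclass
class IpStats:
    ip: str
    good: int   # messages from this IP that matched no spam rule
    bad: int    # messages from this IP that matched spam rules


def probability(s: IpStats) -> float:
    """x axis: -1.0 (always clean) .. +1.0 (always spam). Assumed formula."""
    n = s.good + s.bad
    return 0.0 if n == 0 else (s.bad - s.good) / n


def confidence(s: IpStats, k: int = 10) -> float:
    """y axis: 0.0 .. 1.0, rising as more messages are observed. Assumed formula."""
    n = s.good + s.bad
    return n / (n + k)


# Lower-left corner (min probability, min confidence) of each envelope,
# checked from the most severe range downward. Placeholder values.
ENVELOPES = [
    ("truncate", 0.8, 0.6),
    ("black", 0.5, 0.4),
    ("caution", 0.2, 0.2),
]


def classify(s: IpStats) -> str:
    """Name the range whose envelope contains the IP's (p, c) point."""
    p, c = probability(s), confidence(s)
    if p <= -0.5 and c >= 0.4:    # assumed white envelope: clean and well established
        return "white"
    for name, min_p, min_c in ENVELOPES:
        if p >= min_p and c >= min_c:
            return name
    return "normal"               # inside no envelope: no reputation action


# Constructed sample records (documentation address range)
SAMPLE = [
    IpStats("192.0.2.10", good=2, bad=98),   # long-running spam source
    IpStats("192.0.2.20", good=0, bad=3),    # looks bad, but too few samples
    IpStats("192.0.2.30", good=60, bad=40),  # mixed traffic
    IpStats("192.0.2.40", good=90, bad=5),   # clean, well established
]

if __name__ == "__main__":
    for s in SAMPLE:
        print(f"{s.ip:12} p={probability(s):+.2f} c={confidence(s):.2f} -> {classify(s)}")
```

Note how 192.0.2.20 has a probability of +1.0 yet lands only in the caution range: its confidence is still low, which is the point of the second axis.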

Rule - A rule is a pattern definition used to identify and categorize an email message. Rules can be based on the contents of the header or body of an email, including combinations of "features" that appear in both the header and body. Rules are organized into groups and associated with "symbols" to represent special categories of messages. Related Words: Blocked Rule, Rule Type, Rule Origin. See Also: Result Codes.

Rulebase Tuning Engine - The rulebase tuning engine works to produce smaller, more efficient rulebase files. This engine works by monitoring feedback (telemetry) from your system to determine the relevance (strength) of each rule in the system. Rules that have a low enough strength are moved out of the active list automatically. When the system detects that a rule is needed again by monitoring Spam traps and spam submissions, the rule is automatically placed back into service.

Rule ID - A rule ID is a unique number that identifies a specific rule. When a rule is created it is assigned a Rule ID, which can be viewed only once the rule has been created. A Rule ID can be used in searches or for adding a specific rule that already exists in the system to your license. Related Words: Rule.

Rule Origin - A rule origin describes the source of the content from which a rule was created. Rule origins can only be created by an administrator. The primary rule origins are User Submission, Spam Trap, and Research Team. Related Words: Rule, Rule Type.

Rule Type - A rule type is a definition of how the rule pattern is encoded. A rule type can only be created by an administrator and typically references a specific "tool" for creating that rule type. Examples of rule types might be "Subject", "Received IP", "Domain", "Web Address", "Numbered Link", etc. The tools associated with these rule types simplify the encoding process and ensure that similar rules are coded consistently. For example, some rule types require header tags to be added to the source data, others require special character conversions, and others may combine special data from a number of fields to create complex pattern encodings. In addition to simplifying rule creation and ensuring some consistency, rule types also help to identify the intent and/or source of the rule. For example, "Web Address" type rules may include any significant portion of a URL. In contrast, a "Domain" type rule would only contain the domain part of the URL or in some cases a portion (stub) of a domain. Related Words: Rule Origin, Rule.

Rule(base) Updates - Rulebase files are typically downloaded automatically when SNFMulti (the Message Sniffer scanning engine) detects that a new rulebase is available. The core rulebase is constantly under development. Periodically, when sufficient changes have been made, the core rulebase and all related local rulebases (licenses) will be recompiled. As each individual rulebase file is compiled, an update notification is sent out to the system associated with that rulebase. Rulebase files can be downloaded via HTTP. See Also: Rulebase Updates.

Scan - To scan is to read through a message and examine its contents and characteristics. As a noun, a "scan" is the data resulting from the process of scanning a message.

Server - The server is a piece of software or a system that provides data processing services. In the case of SNF, the SNFServer engine is a server. In the case of an email processing system, the MTA (Mail Transfer Agent) software might be considered a "mail server". In the case of hardware, a server is a computer that is used to run this kind of "server" software. See Also: SNFServer.

SNF - Nickname for Message Sniffer. Message Sniffer rulebase file names have a .snf extension.

Subscriber - A subscriber is a person or entity that has purchased a license. The subscriber is identified in the system by their email address. Related Words: License.

Symbol (Result Code) - Symbols are numerical values assigned to specific rule groups. Rules within a group become associated with that group's symbol, so that when the rule matches, the symbol value is returned by the Message Sniffer utility. For example, the "General Black Rules" group has a symbol value of 63. See Also: Result Codes.

Training - The GBUdb and SNF systems "learn" about messages as they are processed. Another way to say that is that the systems are "trained" to respond to messages of different types. Training is the process that accomplishes that "learning". In this context, each message can be seen as training data and parts of the configuration can be seen as training directives. Training directives fine-tune what is learned from each message. See Also: GBUdb, Training.

Training Bypass - Training bypass is a mechanism that temporarily suspends some or all of the learning mechanisms in SNF and GBUdb. For example, when a message containing spam or malware is submitted to an abuse reporting address it is a good idea to activate a training bypass so that the system does not learn (erroneously) that the submitter is a spam source. See Also: GBUdb, Training.
